
Devise a cloud security strategy for governance needs

IT breaches stir up cloud security concerns. To limit potential issues, enterprises must consider governance needs, tools, providers and more.

Application and data security is essential for any organization, but the responsibility isn't evenly distributed. Therefore, IT needs to come up with a cloud security strategy with specific compliance policies or principles for the rest of the organization to follow.

Public cloud removes some of the infrastructure and administrative overhead of the traditional data center, but the onus of meeting cloud governance requirements still falls squarely on IT's shoulders. In the ever-shifting cloud landscape, it's important to create a governance model that resembles an ongoing process -- not a product.

Matching cloud providers to your data location, privacy and governance needs, as well as best practices to create an organization-wide cloud governance strategy, are important considerations for any IT shop.

Cloud security challenges

Most enterprises don't have a good grasp of what's reality and what's fiction when it comes to cloud security. The variations in threat activity are not as important as where the infrastructure is located, according to Alert Logic's Fall 2012 State of Cloud Security Report. Attacks are opportunistic in nature, so anything that can be accessed from the outside -- enterprise or cloud -- has an equal chance of being attacked.

The report found that Web application attacks hit 53% of organizations in service provider environments and 44% of organizations in on-premises environments. However, on-premises environments suffer more incidents overall than service provider environments -- an average of 61.4 attacks versus 27.8 attacks, respectively. On-premises environment users also suffered significantly more brute-force attacks than their counterparts in service provider environments.

The 2012 report still rings true -- the recent data breaches at Sony, Home Depot and Target were unrelated to the cloud. Most attacks occur on traditional systems due to aging security systems and exposed vulnerabilities.

As cloud computing continues to grow in popularity and implementations become more complex and heterogeneous, the importance of having an effective cloud security strategy and technologies has increased significantly.

Identity and access management (IAM), also known as identity management, is not new, but the emergence of cloud computing puts it at center stage. Many cloud providers, such as Amazon Web Services (AWS), provide IAM as a service right out of the cloud. Others require customers to select and deploy third-party IAM systems.

IAM's concept is simple: Provide a security approach and technology that allows the right individuals to access the right resources at the right times and for the right reasons. The concept follows the precept that everything and everyone gets an identity, including people, servers, devices, APIs, applications and data. Once every entity has a verified identity, it's just a matter of defining which identities can access other identities and creating policies that define the limits of that relationship.

One example would be to define and store the identity of a set of cloud-based APIs that are used only by a single set of smartphones that are running an application. The APIs each have an identity, as do the smartphones, applications and the people using the phones. An IAM service would authenticate the identity of each entity each time there's an interaction with another resource.

A prime example of IAM is the AWS version, which is a full-blown identity management and security system that allows users to control access to AWS cloud services. This IAM lets you create and manage AWS users and user groups and assign them permissions, which allow or deny access to data. The benefit of Amazon's IAM is its ability to manage who can access what and in what context.
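To make the identity-plus-policy model concrete, here is an added example (not AWS code and not from the original article) that evaluates IAM-style policy documents the way the text describes: access is denied unless a statement allows it, and an explicit Deny attached to the same identity wins over any Allow. The bucket names and policies are constructed for illustration; the evaluator ignores IAM features such as Condition blocks.

```python
"""Constructed mini-evaluator for IAM-style policies (added example, not AWS code)."""
from fnmatch import fnmatchcase

def _matches(pattern, value):
    # Statement fields may be one string or a list; '*' and '?' wildcards as in IAM.
    # fnmatchcase is an approximation of IAM matching that is good enough here.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against every attached policy.

    Decision logic modelled on AWS IAM: default (implicit) deny, an Allow
    statement grants access, and an explicit Deny overrides any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny is final
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed it

# Constructed policies (hypothetical bucket 'example-reports'):
# READ_ONLY grants a group read access to one bucket, NO_DELETE is a guardrail
# denying every delete action, ADMIN_LIKE is an over-broad grant for contrast.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
ADMIN_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    analysts = [READ_ONLY, NO_DELETE]     # policies attached to a 'analysts' group
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports/q1.pdf"),
                     ("s3:PutObject", "arn:aws:s3:::example-reports/q1.pdf"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x")]:
        print(f"{act} on {res} -> {evaluate(analysts, act, res)}")
    # Even an admin-like grant cannot override the explicit deny guardrail.
    print("DeleteObject with ADMIN_LIKE + NO_DELETE ->",
          evaluate([ADMIN_LIKE, NO_DELETE], "s3:DeleteObject",
                   "arn:aws:s3:::example-reports/q1.pdf"))
```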

Other players in the game

Of course, not everyone runs AWS. Fortunately, many new IAM players focus on cloud and usually promise to provide both identity management and single sign-on services. These players include Bitium, Centrify, Okta, OneLogin, Ping Identity and Symplified.

Each player approaches cloud security and IAM differently, so review each product with regard to your specific requirements. When selecting the right cloud security approach, be certain to consider the following:

  • The integration of cloud-based identity management services, or other security services, with enterprise security systems. Security should be systemic to both cloud and non-cloud systems. Consider products that meet both sets of requirements.
  • The design and architecture of your identity-based security service. Sometimes security services can come from your cloud provider. In many other cases, you have to select and deploy third-party security tools.
  • Testing, including "white hat" security tests. Test results show how effective your security systems actually are.
  • The effect on performance. In some instances, security can slow your system to the point that it affects productivity.
  • Your industry's regulations and all other compliance requirements that apply.

About the author:
David "Dave" S. Linthicum is senior vice president of Cloud Technology Partners and an internationally recognized cloud industry expert and thought leader. He is the author or co-author of 13 books on computing, including the best-selling Enterprise Application Integration. Linthicum keynotes at many leading technology conferences on cloud computing, SOA, enterprise application integration and enterprise architecture.

His latest book is Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide. His industry experience includes tenures as chief technology officer and CEO of several successful software companies and upper-level management positions in Fortune 100 companies. In addition, he was an associate professor of computer science for eight years and continues to lecture at major technical colleges and universities, including the University of Virginia, Arizona State University and the University of Wisconsin.