What you demand of the cloud depends on your corporate
standards and your compliance needs, the amount and type of
workloads you’re moving to it, and how you are dividing administrative and security responsibility between your staff and your provider.
Security requirements also vary depending on whether you’re using
software as a service (SaaS), infrastructure as a service (IaaS) or
platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.
1 WHO HAS AUTHENTICATION/ ACCESS CONTROL? The ability to prove that users are who they say they are and control the data they can see and the functions they can perform, based on their identities and roles, is the top priority of almost every cloud user interviewed
for this story. Authentication can be the most challenging when
you maintain user information and controls within the firewall
using a repository such as Active Directory but host your servers
and applications in the cloud.
The ideal is a “federated” identity management access system
that pools authentication information from all of your organization’s
systems — internal and external. This allows instant authentication
of any user who presents the proper credentials, such as a password
or a password and a token. It also provides for single sign-on, allowing users to access all of their applications and data, in-house and
in the cloud, with a single username and password. While top SaaS
providers have the infrastructure to provide single sign-on to large
customers that are themselves equipped to serve as “identity providers,” many smaller service providers and their customers lack those
capabilities, says Eve Maler, an analyst at Forrester Research.
However, because federated identity management can be
expensive and cumbersome to implement, many organizations
settle for a “synchronized” approach in which different copies of
a user’s authentication information are maintained by different applications, says Maler. This can compromise security by
spreading user credential data among multiple locations and
companies. It can also create delays between the time that an
employee’s access is withdrawn from internal systems and from a
cloud-based application, creating a potential security gap.
Another authentication option is for the cloud provider to connect
directly to the company’s store of user information, which Maler
says “is probably safer than synchronizing” but practical only if you
have a relatively simple collection of systems. That’s the route taken
by healthcare provider HCR ManorCare. Thomas Vines, director
of information security at HCR, says he has used a cloud-based
application to host the company’s electronic medical record system
for the past seven years and is “very comfortable” with it. Vines says
he allows a cloud-based security service from Zscaler (which also
checks websites for malware and controls which sites users may
access) to access his Active Directory implementation to determine
which users to authenticate and what level of access to grant them.
An IaaS implementation in which a customer buys the use of
servers in the cloud is one case where a simple link from a service
provider to an LDAP directory might be enough, says Tom Cecere,
director of cloud product management at NetIQ. That’s because
there are usually only a limited number of administrative roles, he
says. For example, one role might cover users who can create new
servers, a second might cover a wider set who can expand the ca-
8 COMPUTERWORLD SEPTEMBER 2011
pabilities of the servers, and a third role might cover the still larger
group who can use the servers.
A number of vendors, including Symplified, Okta and Ping
Identity, provide single sign-on through what Maler calls “a
simplified way of federating,” redirecting users’ access requests to
a cloud-based authentication process that supports every cloud-based service the customer uses.
The next challenge is to ensure that users can access only the applications, the data or the functions within applications for which
they are authorized. Not all organizations require the same level
of granularity in specifying access, says Maler, but it’s critical to
hold out for the level of detail you need, rather than relying on only
the “fairly coarse-grained” control offered by vendors that have an
incentive to allow access by more users to maximize their revenue.
One vendor providing more fine-grained access control is Aveksa,
which sells its software to both cloud vendors and cloud customers.
2 IS THE LOCATION SECURE? The cloud allows data to be moved to the most cost-effective location without users’ knowledge. But o safeguard security, customers should know the location of their data. Gary Landau, vice president of IT infrastructure and information security at financial services provider Wilshire Associates, wants cloud vendors
to provide replication to redundant sites, “but I also want to know
where that [data] is going to be, because I don’t want my data being
migrated” to a country that lacks strong legal protection for it.
Cloud customers whose concern is document security can use
SaaS tools like WatchDox, which lets them control who can view
cloud-based documents and track who accessed them. According to
Kevin Gholston, vice president of business development at defense
manufacturing consultancy CVG Strategy, WatchDox is easier to
use and less cumbersome than digital rights management software.
AMAG Pharmaceuticals relies on cloud providers to host all 24
of its sensitive applications and just under 8TB of data, including information related to manufacturing processes and quality
control, says Nathan McBride, AMAG’s executive director for I T.
He uses CloudLock for Google Apps from CloudLock (formerly
Aprigo) to restrict document access to authorized users and to
transfer ownership of documents to another employee when a user
leaves the company. This eliminates the manual process of finding
each document and changing who can access it.
3 WHEN ARE AUDITS CONDUCTED? Proving your applications and data meet corporate, industry and government standards requires audits and reports. Vines does a quarterly audit of each of HCR’s critical application providers, covering every- thing from software updates to the validity of users’
accounts and the controls required for HIPAA and Sarbanes-Oxley
compliance. He says years of experience and “hand-in-hand” cooperation between the audit and security groups means audits require
only a quarter of one staffer’s time. “Once we get into the flow, it’s
well documented and not so ad hoc,” he says, noting that scripts and
processes his team developed proactively highlight problems.
Each cloud vendor that AMAG’s McBride uses must meet strict
Continued on page 10