COVER STORY
What you demand of the cloud depends on your corporate
standards and your compliance needs, the amount and type of
workloads you’re moving to it, and how you are dividing administrative and security responsibility between your staff and your provider.
Security requirements also vary depending on whether you’re using
software as a service (SaaS), infrastructure as a service (IaaS) or
platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.
1 WHO HAS AUTHENTICATION/ACCESS CONTROL?
The ability to prove that users are who they say they are and control the data they can see and the functions they can perform, based on their identities and roles, is the top priority of almost every cloud user interviewed
for this story. Authentication can be the most challenging when
you maintain user information and controls within the firewall
using a repository such as Active Directory but host your servers
and applications in the cloud.
The ideal is a “federated” identity management access system
that pools authentication information from all of your organization’s
systems — internal and external. This allows instant authentication
of any user who presents the proper credentials, such as a password
or a password and a token. It also provides for single sign-on, allowing users to access all of their applications and data, in-house and
in the cloud, with a single username and password. While top SaaS
providers have the infrastructure to provide single sign-on to large
customers that are themselves equipped to serve as “identity providers,” many smaller service providers and their customers lack those
capabilities, says Eve Maler, an analyst at Forrester Research.
However, because federated identity management can be
expensive and cumbersome to implement, many organizations
settle for a “synchronized” approach in which different copies of
a user’s authentication information are maintained by different applications, says Maler. This can compromise security by
spreading user credential data among multiple locations and
companies. It can also create delays between the time that an
employee’s access is withdrawn from internal systems and from a
cloud-based application, creating a potential security gap.
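The deprovisioning gap described above is easy to detect once you compare the two copies of the account data. The following is an added example, not code from the article or from any vendor it names: it reconciles a constructed export of the internal directory against a constructed user list from a synchronized SaaS application and reports accounts that are disabled internally but still active in the cloud, plus cloud accounts with no internal counterpart at all (which nothing internal can ever revoke).

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): an export of the
# on-premises directory and the user list of a SaaS application that
# holds a synchronized copy of the same accounts.
INTERNAL_DIRECTORY = [
    {"user": "alice", "enabled": True,  "disabled_at": None},
    {"user": "bob",   "enabled": False, "disabled_at": "2011-09-01T09:00:00"},
    {"user": "carol", "enabled": False, "disabled_at": "2011-09-05T17:30:00"},
    {"user": "dave",  "enabled": True,  "disabled_at": None},
]

CLOUD_APP_USERS = [
    {"user": "alice", "active": True},
    {"user": "bob",   "active": True},   # still active: deprovisioning lag
    {"user": "carol", "active": False},  # revoked on both sides
    {"user": "erin",  "active": True},   # no internal account at all
]

SAMPLE_NOW = datetime(2011, 9, 7, 12, 0, 0)  # constructed "current" time


def find_deprovisioning_gaps(internal, cloud, now, max_lag=timedelta(hours=24)):
    """Return active cloud accounts whose internal access is gone.

    Each finding records why the account is suspect, how long the gap has
    existed (None for orphans) and whether it exceeds the allowed lag.
    """
    internal_by_user = {u["user"]: u for u in internal}
    findings = []
    for c in cloud:
        if not c["active"]:
            continue  # already revoked in the cloud app; nothing to report
        i = internal_by_user.get(c["user"])
        if i is None:
            findings.append({"user": c["user"], "reason": "no internal account",
                             "lag": None, "overdue": True})
        elif not i["enabled"]:
            lag = now - datetime.fromisoformat(i["disabled_at"])
            findings.append({"user": c["user"], "reason": "disabled internally",
                             "lag": lag, "overdue": lag > max_lag})
    return findings


def report():
    """Run the check over the constructed sample data."""
    return find_deprovisioning_gaps(INTERNAL_DIRECTORY, CLOUD_APP_USERS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

In practice the two inputs would come from a directory export and the cloud application's user-listing API, and the check would run on the same schedule as the synchronization job.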
Another authentication option is for the cloud provider to connect
directly to the company’s store of user information, which Maler
says “is probably safer than synchronizing” but practical only if you
have a relatively simple collection of systems. That’s the route taken
by healthcare provider HCR ManorCare. Thomas Vines, director
of information security at HCR, says he has used a cloud-based
application to host the company’s electronic medical record system
for the past seven years and is “very comfortable” with it. Vines says
he allows a cloud-based security service from Zscaler (which also
checks websites for malware and controls which sites users may
access) to access his Active Directory implementation to determine
which users to authenticate and what level of access to grant them.
An IaaS implementation in which a customer buys the use of
servers in the cloud is one case where a simple link from a service
provider to an LDAP directory might be enough, says Tom Cecere,
director of cloud product management at NetIQ. That’s because
there are usually only a limited number of administrative roles, he
says. For example, one role might cover users who can create new
servers, a second might cover a wider set who can expand the
capabilities of the servers, and a third role might cover the still larger
group who can use the servers.
8 COMPUTERWORLD SEPTEMBER 2011
A number of vendors, including Symplified, Okta and Ping
Identity, provide single sign-on through what Maler calls “a
simplified way of federating,” redirecting users’ access requests to
a cloud-based authentication process that supports every cloud-based service the customer uses.
The next challenge is to ensure that users can access only the applications, the data or the functions within applications for which
they are authorized. Not all organizations require the same level
of granularity in specifying access, says Maler, but it’s critical to
hold out for the level of detail you need, rather than relying on only
the “fairly coarse-grained” control offered by vendors that have an
incentive to allow access by more users to maximize their revenue.
One vendor providing more fine-grained access control is Aveksa,
which sells its software to both cloud vendors and cloud customers.
2 IS THE LOCATION SECURE?
The cloud allows data to be moved to the most cost-effective location without users’ knowledge. But to safeguard security, customers should know the location of their data. Gary Landau, vice president of IT infrastructure and information security at financial services provider Wilshire Associates, wants cloud vendors
to provide replication to redundant sites, “but I also want to know
where that [data] is going to be, because I don’t want my data being
migrated” to a country that lacks strong legal protection for it.
Cloud customers whose concern is document security can use
SaaS tools like WatchDox, which lets them control who can view
cloud-based documents and track who accessed them. According to
Kevin Gholston, vice president of business development at defense
manufacturing consultancy CVG Strategy, WatchDox is easier to
use and less cumbersome than digital rights management software.
AMAG Pharmaceuticals relies on cloud providers to host all 24
of its sensitive applications and just under 8TB of data, including information related to manufacturing processes and quality
control, says Nathan McBride, AMAG’s executive director for IT.
He uses CloudLock for Google Apps from CloudLock (formerly
Aprigo) to restrict document access to authorized users and to
transfer ownership of documents to another employee when a user
leaves the company. This eliminates the manual process of finding
each document and changing who can access it.
3 WHEN ARE AUDITS CONDUCTED?
Proving your applications and data meet corporate, industry and government standards requires audits and reports. Vines does a quarterly audit of each of HCR’s critical application providers, covering everything from software updates to the validity of users’
accounts and the controls required for HIPAA and Sarbanes-Oxley
compliance. He says years of experience and “hand-in-hand” cooperation between the audit and security groups means audits require
only a quarter of one staffer’s time. “Once we get into the flow, it’s
well documented and not so ad hoc,” he says, noting that scripts and
processes his team developed proactively highlight problems.
Each cloud vendor that AMAG’s McBride uses must meet strict
Continued on page 10