Digital Spotlight, Summer 2014

Cloud Security
Modernizing Enterprise IT

Introduction 2
The leap of faith to the cloud 4
Identity management meets the cloud 9
Hanging on to cloud identity 13
Practical cloud encryption solutions 17

Introduction

Staying safe in the cloud
By Eric Knorr

The cloud is fast becoming an underlying assumption of computing, mainly because everyone wants the ability to provision and scale applications with minimal fuss. Often, public cloud services present the best options.

The problem for IT is that business managers frequently fire up accounts with public cloud services and fail to think through the security implications. That can lead to increased risk of data loss, industrial spying, compromised customer data, and more. In this Digital Spotlight on cloud security, we dive into the key security issues for organizations that — by accident or design — have moved a substantial portion of their computing workloads to the cloud.

We begin by walking through the nine most pressing cloud security liabilities. Next, we explain identity management, and delve into the ways organizations are using it to extend authentication and authorization to the cloud. Finally, we tackle data encryption and the options cloud providers should offer to ensure your data stays safe.

Today, nearly all businesses have one foot in the cloud whether they realize it or not. We hope this Digital Spotlight helps enable you to assess your own exposure and reap the benefit of public cloud services without creating worry or unnecessary risk.

—Eric Knorr, Editor in Chief

INSIDE

Introduction 2

The leap of faith to the cloud 4
Cloud providers typically have better security defenses than your own data center – yet risks remain. The Cloud Security Alliance flags the nine most likely threats. By Eric Knorr

Identity management meets the cloud 9
Organizations always wrestle with authentication and access control, but rapid adoption of cloud apps and services is complicating the problem. By Fahmida Y. Rashid

Hanging on to cloud identity 13
Organizations are embracing cloud-based apps – and incurring new risks in the bargain. Identity management lowers the liability. By Paul F. Roberts

Practical cloud encryption solutions 17
Encryption has become a huge issue, thanks to the NSA. For cloud customers, this has already led to a wider array of encryption solutions. By Roger A. Grimes
Digital Spotlight  |  CLOUD SECURITY  |  SUMMER 2014 infoworld.com 2


The leap of faith to the cloud

Cloud providers have better security defenses than your average enterprise data center – as they should, since any flaw could affect many, many customers. The Cloud Security Alliance identifies the nine most likely threats. By Eric Knorr

Not long ago, the notion of entrusting vital company data to a public cloud service would have struck most IT managers as mildly insane at best. My data? Out there on some shared platform in a data center I’ve never seen? You’ve got to be kidding me.


That attitude has shifted. The availability and security of cloud providers have continuously improved, to the point where you frequently hear that your own data center is much more likely to experience downtime or a successful malicious attack than the hardened, redundant fortresses of big-name cloud service providers.

True, cloud providers’ reputations were dealt a damaging blow in 2013 when reports surfaced that the NSA demanded and received access to cloud customer data — but even that episode may ultimately work in cloud providers’ favor. In response to the NSA debacle, some providers are already offering strong encryption by default, deployed in such a way that outside, unauthorized parties will have a very hard time cracking it.

The truth is that today, evaluations of cloud risk tend to occur in hindsight. With or without the blessing of IT, many line-of-business and departmental managers have subscribed to cloud services — in part to gain much-needed capabilities that IT departments can’t or won’t deliver, and in part because some key cloud services are simply better than solutions obtainable on premises.

It’s becoming a cloud world, to the point where corporate CIOs are attempting to emulate the hyperefficient clouds of major providers in their own data centers. Nonetheless, subscribing to cloud services without considering the potential security risks is reckless at best. Fortunately, there’s a nonprofit organization solely dedicated to addressing the problem.

The Cloud Security Alliance’s “notorious nine”

Formed in 2008, the Cloud Security Alliance is dedicated to promoting best security practices for the cloud. Membership includes a who’s who of tech companies, from traditional software vendors Microsoft and Oracle to native cloud providers Amazon and Google. In 2013, the Cloud Security Alliance published what it called its Notorious Nine cloud computing threats based on a survey of industry experts. Here are those threats in order of severity, with my own interpretation of the implications of each.

1. Data breaches
No surprise that data breaches are the No. 1 fear, since anxiety over exposing data has always been the chief inhibitor to cloud computing adoption. On one level, the antidote is simple: a full array of strong encryption options. Roger Grimes’ article “Practical encryption solutions” walks you through the options.

But locking down data with encryption is only part of the story. Encryption keys can fall into the wrong hands. You need proper authentication and access control to ensure only those authorized can access data. Plus, you need proper data governance to manage the lifecycle of data — and under which conditions data can be stored in a shared cloud environment or in any other location.

Another issue is data deletion. Over the years, occasional reports have surfaced that customer data that was supposed to have been deleted remained with the cloud provider. Encryption obviously reduces risk should that slipup occur.

2. Data loss
Because cloud services are often adopted without IT’s permission, users may lose company data simply by misplacing it or accidentally deleting it — and when they call on IT to recover data from a cloud service, it may be too late.

Moreover, although top cloud service providers have an excellent record when it comes to accidental data corruption or loss, users sometimes select third-tier providers without making a realistic assessment of their viability. An SLA may be in place, but a subscription refund does not amount to adequate compensation for data lost by a dysfunctional provider. In addition, if either the user or the provider practices lax access control, data could be deleted by vandals, disaffected former employees, or other malicious individuals.

In a 2013 study by the security vendor Symantec, 43 percent of the 3,200 organizations surveyed lost data in the cloud and had to recover from backups. Data in the cloud needs to be protected as you would protect it on any system.

3. Account or service traffic hijacking
Logons stolen through phishing or social engineering can result in compromised financial data, stolen intellectual property, and other dire consequences for any business. But stolen cloud service logons incur a special set of risks.

For one thing, security professionals routinely use a specific set of tools to determine whether an organization has been compromised — and few would be willing or able to use those tools to check cloud services. If a SaaS application is compromised, for example, an intruder might be able to monitor activity and peruse data over a long stretch of time without being detected.

Other risks can be incurred if a malicious hacker steals logon credentials to a business user’s IaaS account. In the past, infrastructure clouds have been used to launch new VMs for botnets, DDoS attacks, and other malicious activity. That’s one reason cloud monitoring is essential.


4. Insecure interfaces and APIs
Cloud interfaces and APIs enable integration with SSO (single sign-on) solutions, as well as data or process integration with other cloud services or on-premises software. But those interfaces and APIs are also potential targets for attack. To secure APIs, providers give users tokens or API keys that are validated in order for a client to connect.

If an API is secured poorly, an attacker could launch a DoS attack and render a cloud service unusable. APIs may provide access to all sorts of cloud functions, including account provisioning; if compromised, APIs may even enable an attacker to extract critical data.

5. Denial of service
Public cloud services are, well, public. Hacktivists have targeted cloud services for political reasons, rendering them temporarily unusable. Fortunately, most of the large providers have now deployed relatively effective, automated defenses against DDoS attacks. Smaller providers may or may not have the wherewithal to mount such a defense.

6. Malicious insiders
In a 2013 survey by Forrester Research, 25 percent of respondents said that abuse by a malicious insider was the most common cause of data breaches. The truth, however, is that no one knows. Malicious insider attacks – by disgruntled employees or those who jump ship to competitors and take data with them – frequently go undetected or, for political reasons, unreported.

Insider threats specific to the cloud are twofold. First, there’s the added risk that a rogue insider working for a cloud service provider might be tempted to view, sell, or tamper with customer data and avoid detection. Second, due to the decentralized pattern of cloud adoption typical of many organizations, IT’s purview over identity management and access control may not extend to all cloud services. Such lax control may give employees free rein over data they would normally be unauthorized to access. In the worst case, logons may be retained by employees after they leave an organization, opening opportunities for mischief or data theft.

7. Abuse of cloud services
Cloud computing providers such as Amazon Web Services offer something the world has never seen before: the ability to spin up massive computing power on demand for any conceivable workload, pay for only the cloud resources required, then simply close the cloud service account.

That’s ideal for, say, actuarial calculations. But it’s also an opportunity for cyber criminals to engage in another compute-intensive task: cracking encryption. In addition, cloud computing services may provide a home for botnets, DDoS attacks, and other criminal operations that require scale.

8. Insufficient due diligence
The cloud depends on trust between the provider and the customer. The big brand names in the cloud have earned customer confidence thanks to a declining number of outages and few catastrophic data breaches to date — although the NSA debacle has given many (especially European) customers pause. With smaller, newer, lesser-known providers, the lack of a public track record demands more faith, which many enterprise customers are unwilling to invest. Another consideration is the viability of the provider’s business: A recent Gartner study predicted that one in four of the top 100 IaaS providers will be “gone” by 2015, mainly through acquisition.

One of the biggest inhibitors to cloud computing has been customers’ inability to continuously monitor a cloud provider’s security infrastructure and practices. True, there are standards and guidelines, such as the Cloud Security Alliance’s Security, Trust & Assurance Registry, the National Institute of Standards and Technology’s Cloud Computing Security Reference Architecture, and the American Institute of CPAs’ SSAE 16, or the ISO/IEC 27001 family of information security standards. No customer can look over the shoulder of a provider to ensure 24/7 compliance, but customers are sometimes given audit privileges and allowed to physically inspect facilities.

Obviously, SLAs that include reparations for security breaches are desirable. On the other hand, no agreement is likely to sufficiently compensate for major theft or exposure of critical data.

9. Shared technology vulnerabilities
The cloud, by its nature, is based on the idea of multiple customers sharing the same infrastructure — a concept known as “multitenancy.” As the Notorious Nine report puts it, “the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) … were not designed to offer strong isolation properties for a multitenant architecture.” A provider must put controls in place that ensure such potential vulnerabilities are not exploited — and foil hackers who create accounts expressly to attack other customers.

Of particular concern have been potential security vulnerabilities at the hypervisor level, since these could theoretically enable an attacker to compromise multiple virtual machines across multiple accounts. In 2012, researchers discovered the Crisis Trojan, the Windows version of which was found to be capable of infecting VMware virtual machines. Later that year, a University of North Carolina research paper described how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. So far, however, no known breaches have been attributed to hypervisor-based attacks, encouraging some to assert that fears of this sort of exploit are overblown.

Eric Knorr is Editor in Chief at InfoWorld.


Identity management meets the cloud

Organizations always wrestle with authentication and access control, but rapid adoption of cloud apps and services is complicating the problem. This quick guide offers a straightforward antidote. By Fahmida Y. Rashid

Organizations have an identity problem. Numerous data breaches result from organizations not knowing who people are or what they’re allowed to do. IAM (identity and access management) is the solution — and in the cloud era, when employees may access multiple cloud services outside the enterprise perimeter, IAM is needed more than ever.


IAM requires concerted planning to implement effectively. Plus, each IAM solution takes a different approach, making it complicated to assess which one makes the most sense for a given organization. Major vendors such as Dell (as a result of its Quest acquisition), Microsoft, Oracle, and IBM include on-premise IAM in their portfolios. Then there are the nimble startups with cloud-based platforms, such as Okta, Ping Identity, and OneLogin. Just recently Salesforce.com stepped into the fray with its own offering, Salesforce Identity.

It’s easy to get trapped in evaluating technology and hashing out deployment details, but such efforts should be undertaken later in the process. Before considering platforms and providers, IT needs to figure out access rules, use case scenarios, and business requirements. After identifying the required controls, IT needs to build access policies, make changes to the applications, and test the integration. This doesn’t have to be a lengthy process, but proper planning will ensure the final rollout reflects what the organization really needs.

How to think about IAM
The gist of IAM boils down to two basic questions: “Who is this person?” and “Is this person allowed to do this?” Users need to be authenticated first, then authorized with the appropriate access levels to fulfill their responsibilities. When all applications and resources were in a data center, IT was able to assert some control. Nowadays, identity has spread beyond those confines to multiple end points, cloud applications, and cloud services.

With business units signing up for cloud services on their own, core applications migrating to hosted servers, and users trying to access enterprise resources from outside the network, IT needs to share the responsibility for user and identity management with stakeholders.

Typically, IT gives users an internal corporate ID to log in to their computers and access enterprise applications. These days a business unit may also subscribe to a SaaS (software as a service) offering to create a certain number of user accounts. If a member of that team leaves the company, IT has procedures in place to disable accounts belonging to that employee — but a business manager may forget to disable a former employee’s SaaS accounts, providing continued access to corporate data. If there’s no governance over applications owned and maintained by business managers, IT may not be aware of the risk until it’s too late.

IAM vs. SSO
Authentication is the most visible part of IAM, because end-users have to identify themselves with a password or some other mechanism, and IT has to figure out whether or not that person is really who he or she claims to be. Authorization is the trickier part, because the organization has to decide whether the user’s request is reasonable and if it should be granted.

A common misperception among IT executives is that SSO (single sign-on) and IAM are the same, when in fact SSO is just one component of the larger IAM whole. Implementing SSO makes life easier for users because they no longer have to keep track of all their passwords, and IT can add gatekeeping mechanisms such as device fingerprinting, multifactor authentication, and IP address tracking, depending on the product. But arguably, authorization is important when an employee’s job function or employment status changes.

Some IAM vendors offer little more than SSO, which may mean automated provisioning and deprovisioning of accounts is not included. If an organization is relatively small and doesn’t need multiple levels of access control, SSO alone may be sufficient. Needless to say, detailed discussions of requirements related to this issue are paramount.

Defining scope
The most critical step in the IAM planning process is to identify all the user roles and access rules within the organization. This can be done in the form of a matrix, mapping users with accounts, applications, roles, and privileges. This will help the organization understand who has access to which application, how the application is being used, and what types of roles should be in place.

“Users” in this matrix refers not just to employees, but also to any accounts used by other applications or systems. For example, the content management system should not be using the administrator credential to get to the database, but a more restricted one, and that needs to be included in the matrix. If an application supports third-party log-ins, such as Facebook or OpenID credentials, those need to be included as well.

The matrix serves two purposes: to understand what types of use cases the final IAM deployment has to support, and also to act as an audit. This exercise can help identify accounts that should have been deleted or have overly broad access, or even uncover missing roles and accounts that should already exist. A final audit will make it easier to create the centralized user repository during deployment.

One thing to keep in mind is to stay small. Instead of trying to do a full deployment with every single user and application, a better approach is to focus on a few applications and a subset of users. Once that phase is complete, more users can be added. Applications should also be added in a controlled manner so it’s clear what configuration changes or customizations need to be made.

Whether an organization has only on-premise applications, only cloud infrastructure, or most likely a mix of both, having the access matrix is critical for a successful IAM rollout.

Diving into use cases
With all the access rules defined, the next step is to understand the use cases and the business requirements. For example, whether identity should be controlled internally or can be outsourced to an external provider depends on an organization’s specific use cases. In many cases, it’s the business manager who understands applications and their benefits — and determines who can use the application. In such scenarios, the manager should retain at least some of that control.

As organizations become more hybrid, some will want IAM to encompass both on-premise and cloud applications. Others may decide everything doesn’t need to tie back to a single identity. It may make perfect business sense to have one identity credential tied to on-premise applications and physical hardware, while maintaining a separate set for external cloud applications.

Most organizations already use Active Directory, LDAP, or a similar centralized repository to manage user accounts. Systems like Active Directory provide a good starting point, because they already contain plenty of user and role information. Depending on the use case, organizations may decide to stick with Active Directory and bolt on the appropriate IAM platform, while others may decide that starting over with a fresh source would be more effective. Some providers offer hooks into Active Directory so IT doesn’t need to recreate user entries for cloud IAM solutions, which typically use SAML or similar frameworks to hook applications together. Users are given accounts to log in to the IAM Web portal, and from there they can open all the other cloud applications they have access to.

The right controls for the job
Identifying use cases beforehand makes the technology evaluation straightforward, since it quickly becomes clear which features and capabilities will be essential. But even after selecting the platform, IT must allocate time for custom development. Policies and workflows have to be created based on previously defined use cases to indicate what kind of actions would trigger an alert or block access.

Many IAM vendors promise a seamless integration where no code must be changed, but this is almost never the case. Integration always requires some configuration changes and tweaks — for example, to ensure an application works with SAML or OAuth connectors. These connectors have to be tested as part of integration, and IT will need to look at scalability and load balancing as well. Testing will also verify that use cases, especially the ones that trigger certain restrictions, have been designed correctly.

Organizations need to look deeply into what identity means for them. Several recent high-profile data breaches have resulted from a failure of IAM. Spend the time and effort to determine user access control rules and use cases, and the actual technical implementation will become much easier to manage.

Fahmida Y. Rashid is a veteran business and technology journalist living in the greater New York City area.
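A worked version of the access-matrix audit that the “Defining scope” section describes, written for this page as an added example rather than code from the article or from any vendor it names. The directory entries, applications, account names and role names are constructed sample data; the checks are the ones the section lists: accounts whose owner has left, accounts nobody in the directory vouches for, service accounts holding administrator-level roles (the CMS-to-database case), and required roles no active account holds.

```python
"""Access-matrix audit for IAM scoping.

Added example, not code from the article or any vendor it names. It builds
the user/account/application/role matrix that the "Defining scope" section
describes and runs the audit that section calls for. All directory entries,
accounts and role names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    application: str  # SaaS or on-premise application the account lives in
    username: str     # account name inside that application
    owner: str        # directory identity (person or system) behind it
    roles: frozenset  # roles or privileges granted in the application


# Constructed directory export (think Active Directory): the authoritative
# list of who is still active. Service identities are listed too, because
# "users" in the matrix includes accounts used by other systems.
DIRECTORY = {
    "alice":   {"active": True,  "type": "person"},
    "bob":     {"active": False, "type": "person"},   # left the company
    "carol":   {"active": True,  "type": "person"},
    "svc-cms": {"active": True,  "type": "service"},  # content management system
}

# Constructed per-application account exports, as business managers or
# application admins would hand them over during the scoping exercise.
ACCOUNTS = [
    Account("salesforce", "alice@example.com", "alice",   frozenset({"finance-viewer"})),
    Account("salesforce", "bob@example.com",   "bob",     frozenset({"sales-rep"})),
    Account("hr-saas",    "carol",             "carol",   frozenset({"employee"})),
    Account("database",   "cms_app",           "svc-cms", frozenset({"db_admin"})),
    Account("github",     "dave-contractor",   "dave",    frozenset({"org-owner"})),
]

# Roles the organization treats as administrator-level (constructed names).
ADMIN_ROLES = frozenset({"db_admin", "org-owner", "administrator"})

# Roles that must exist in each application for the business to function.
REQUIRED_ROLES = {
    "hr-saas":    {"employee", "hr-admin"},
    "salesforce": {"sales-rep", "finance-viewer"},
}


def build_matrix(accounts):
    """Owner -> application -> set of roles: the access matrix itself."""
    matrix = {}
    for acct in accounts:
        apps = matrix.setdefault(acct.owner, {})
        apps.setdefault(acct.application, set()).update(acct.roles)
    return matrix


def audit(accounts, directory, admin_roles=ADMIN_ROLES, required_roles=REQUIRED_ROLES):
    """Run the four checks the scoping exercise is meant to surface.

    Returns a dict of finding lists keyed by finding type. A required role
    counts as held only when an account with an active, known owner holds it,
    so a role kept alive solely by a departed employee's account is reported
    as missing: it would vanish the moment that account is deprovisioned.
    """
    findings = {"orphaned": [], "unknown_owner": [], "overly_broad": [], "missing_roles": []}
    held = {}  # application -> roles held by accounts with active, known owners

    for acct in accounts:
        entry = directory.get(acct.owner)
        if entry is None:
            findings["unknown_owner"].append((acct.application, acct.username))
        elif not entry["active"]:
            findings["orphaned"].append((acct.application, acct.username))
        else:
            held.setdefault(acct.application, set()).update(acct.roles)

        # Administrator roles on a service account, or on an account nobody in
        # the directory vouches for, are broader than the matrix should allow.
        broad = acct.roles & admin_roles
        if broad and (entry is None or entry["type"] == "service"):
            for role in sorted(broad):
                findings["overly_broad"].append((acct.application, acct.username, role))

    for app, required in required_roles.items():
        for role in sorted(required - held.get(app, set())):
            findings["missing_roles"].append((app, role))

    return findings


def main():
    for kind, items in audit(ACCOUNTS, DIRECTORY).items():
        print(f"{kind}:")
        for item in items:
            print("  ", *item)


if __name__ == "__main__":
    main()
```

Note that the sample run reports salesforce’s sales-rep role as missing even though bob’s account still holds it: that is the deprovisioning gap the article warns about, surfaced before the rollout rather than after.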


Hanging on to cloud identity

Organizations are embracing cloud-based applications and realizing big productivity gains – and incurring new security risks in the bargain. Identity management solutions lower the liability. By Paul F. Roberts

In the not so distant past, enterprise IT shops operated as enlightened dictatorships. With hands firmly on the keys to the technology kingdom — application servers, identity stores, and so on – the IT group was the final arbiter of any new technology.

No longer. Today, separate lines of business and even individual employees procure cloud applications with little more than a credit card. Moreover, they often do so without the knowledge or approval of IT. That kind of agility is great for productivity. But if the IT-as-dictator model is untenable, so is the chaos of ad-hoc cloud technology adoption that, in recent years, has created new security risks and management headaches.

What’s to be done? Forward-looking organizations are finding ways to walk the tightrope between control and chaos. Specifically, new cloud-based identity management tools give organizations a way to temper the chaos of cloud adoption, dragging SaaS (software as a service) application use within the enterprise into the sunlight.


Web applications: Barbarians at the gates
At Shire PLC, a leading biopharmaceuticals firm that developed drugs like Adderall and Vyvanse, employees have been adept at identifying and using a slew of Web-based tools, says Bob Litterer, a senior information security executive at Shire.

“I came here three years ago, and we were already well on our way. There were quite a few cloud-based services our business was leveraging,” Litterer says. But rather than seeing those services as a threat, he embraced them. “Our employees were using them to help our company achieve its vision, which is to help patients lead better lives,” he says. “I really saw it as an opportunity.”

There were problems, however. Adoption of Web-based tools had been organic, rather than orderly. “It was really business-by-business and product-by-product,” says Litterer. Because adoption happened without guidance from the IT group, Shire employees might have five or 10 different user names and passwords to access the various internal and cloud-based applications they needed to do their job — a management nightmare.

A publicly traded pharmaceutical company, Shire must comply with a host of federal, state, international, and industry regulations governing everything from health data to the release of data regarding its financial performance, clinical trial results, and so on. According to Litterer, that raised the stakes for the company as it sought to bring cloud and Web application use in line with company policy.

Shire’s situation is not unusual, says Eve Maler, an analyst at Forrester Research. Maler and her colleagues have found that organizations rushing headlong into the cloud soon run up against a familiar list of complications. At the top of the list is what Forrester refers to as “an inability to set and enforce controls” in hybrid IT environments comprised of both cloud and on-premises systems.

In their drive to “win, serve, and retain customers,” Forrester noted in a recent report, “business managers procure cloud services to fill needs that the IT organization can’t fulfill effectively or quickly enough; that means that CISOs too often become aware of security issues after it’s too late.”

Okta, a San Francisco-based firm that offers cloud-based identity management tools, regularly finds a laundry list of common Web-based applications already deployed at companies it engages with. Sometimes they find two dozen or more, constituting what some call a “shadow IT” infrastructure.

“Think about survey applications,” says Frederic Kerrest, Okta’s chief operating officer. “In the old days you would hand out pieces of paper. Then you had tools like Survey Monkey. Today, there are three, four or five similar products that do that.” Any or all of those could be in use in a given environment, and they’re often repositories for critical business data concerning an organization, its personnel, its projects, and so on.

Taming the cloud’s identity complexity
The task of bringing sprawling cloud-based services and SaaS applications under control starts with identity and authentication, experts agree.

“Once you start on the roller coaster of making deals with SaaS vendors and enabling SaaS applications, IT groups want to be able to provision and control things like user permissions and password resets for those external applications,” Maler says.

Cloud identity providers such as OneLogin, Ping Identity, Symplified, and Okta do just that: synchronize with Microsoft’s Active Directory or other LDAP repositories, allow companies to manage local and Web-based access permissions together, and enable single sign-on to SaaS applications.

Kerrest, Okta’s COO, says that customers use his company’s technology in different ways. Some see it as a way to tame rampant SaaS adoption, using Okta’s Web portal as a gateway to IT-sanctioned SaaS applications. Others take an “all comers” approach, allowing employees to use whatever SaaS applications they deem relevant to their work — but use Okta to tie those applications back to the company’s existing identity infrastructure.

Shire was in the latter group, according to Litterer. The company has about 6,000 employees working from offices in the United States and Europe, as well as a roving staff of medical sales representatives. Behind the scenes, the company still relies on Active Directory as its sole identity management platform and doesn’t plan on investing in a larger enterprise identity management platform.

Litterer says that deploying Okta to manage the cloud applications his employees used was easy. An Okta Active Directory agent with access to the local domain controller connected the Active Directory instance with Shire’s Okta instance in the cloud. Once Active Directory user accounts are imported, Okta uses matching algorithms to link Active Directory user accounts to existing Okta user accounts as well as any accounts in other SaaS applications.

But the ease of that transition revealed faults in the company’s Active Directory configuration, including orphaned accounts and user groups that had to be sorted out after the fact, says Litterer.

Shire found that support for the SAML 2.0 standard, which is used to exchange authentication information between Web domains, was uneven. “Some get it and some are new to it,” Litterer says. That can add to the time and effort to get those applications working with a cloud-identity platform that uses SAML for single sign-on and user management.

Finally, Litterer says that Shire’s Okta deployment has gone off almost without a hitch. He notes only one or two hiccups in almost two years since the company went live with the cloud-based identity management technology. Unfortunately, when problems do crop up, the distributed nature of cloud identity platforms can make it difficult to troubleshoot.

“If you have an issue with authentication that arises in an application integrated with Okta, it can be difficult to figure out where the problem is occurring,” he observes. “Is it Okta or did the cloud guys not provision the user correctly? Did someone change a name but not change it in Active Directory? If so, that’s not an Okta problem.”

“Don’t underestimate the support process flow,” Litterer warns. “You have homework to do, which is figuring out where things might fail, how they might fail and who is responsible for handling the issue.”

Mobility and migration to the cloud
Cloud-based identity providers are proving themselves valuable in corralling enterprise SaaS usage. Will they challenge or displace traditional, on-premises identity and access management systems like those by RSA, IBM, Oracle and CA? That’s less clear.

Many Shire employees have switched — or are in the process of switching — from traditional laptops to iPads. That transition is accelerating the migration from traditional client/server applications for functions like human resources to cloud-based alternatives, even for internal users. However, the company has yet to expand Okta

complex infrastructure to also pull in cloud-based resources and SaaS applications than it is to go the other way, he said. That was the goal behind EMC’s purchase of Aveksa, a company Taneja founded last July.

mote workers more flexibility in the kinds of software tools they use and the manner in which they use them. The result may be akin to the old Maoist adage of letting a thousand flowers bloom, says Forrester’s
to manage internal applications,
including the company’s Microsoft
very hard at “We’re looking very hard at ex-
panding our reach aggressively into
Maler. Cloud-based tools will end
up enabling innovation at the line-of-
SharePoint deployments. “We just expanding the cloud in all different dimen- business or even the department level.
haven’t had a clear business case to sions,” he says. “But its a lot easier By reducing the friction for smaller
do that,” Litterer says.
our reach to go out to the cloud when we have groups within an organization to
“When you look at companies with aggressively a strong hand on complexity inside experiment (and succeed) with tech-
ten thousand or twenty thousand em- the firewall.” nology deployments, companies may
ployees, things haven’t changed a lot,” into the actually find they achieve better secu-
says Deepak Taneja, CTO of Identity cloud in all The long march rity through less discipline, not more.
at RSA. Most mature enterprises have The monolithic, brittle identity As low-hanging fruit such as en-
hundreds of applications operating different management infrastructure that terprise single sign-on, and central
inside the firewall. They might also
have scores of SaaS applications, but
dimensions.” has become common in the past 20
years won’t disappear overnight, but
user and identity management get
checked off the list, companies can
the core challenges are the same: user — DEEPAK TANEJA, it will eventually be replaced. finally move on to real transforma-
CIO of Identity, RSA
authentication, authorization, single “I don’t know why anyone would tion: removing identity barriers that
sign-on for applications, provisioning want to set up and maintain their own separate businesses from their part-
and deprovisioning, and policy en- [identity] infrastructure and maintain ners and suppliers from their custom-
forcement, Taneja says. internally if you don’t have to,” says ers, fostering ever deeper and more
There’s no doubt that changing Litterer of Shire Pharmaceuticals. powerful collaboration.
technology use patterns – mobility Cloud-based identity tools that
chief among them – mean changes make it easy to manage cloud-based Paul F Roberts is Editor-in-Chief of The
to the way authentication is done. resources today will, in the near fu- Security Ledger, an independent security
But it’s easier to extend technology ture, expand to cover both cloud and news website, and is a former Senior Edi-
capable of managing that kind of on-premises applications, giving re- tor for InfoWorld.
Practical cloud encryption solutions

Encryption is on everyone’s mind, thanks to the NSA. For cloud customers, defenses against snooping have already resulted in a wide array of encryption solutions to choose from.

By Roger A. Grimes

If encryption hadn’t already existed, cloud computing would have had to invent it. Clouds are the computing equivalent of public utilities, where multiple customers share the same resources and frequently upload or gather valuable data in the process. Such an environment demands data encryption, so that customers needn’t fear exposing data to others, either by accident or via the designs of malicious hackers or overzealous government agencies.
We’re accustomed to encryption “in transit,” such as an SSL/TLS connection between a user’s browser and an e-commerce site. The cloud complicates matters, because some quantity of a cloud customer’s data is almost always stored in the cloud, demanding encryption “at rest” as well. Clouds are Internet-accessible, multitenanted, accessed via shared authentication schemes, and widely distributed (often to locations unknown and uncontrollable by the customer). These attributes combine to make it harder to secure data for both the cloud vendor and the customer.

In 2013, cloud providers were given an added push to increase cloud security. The general public was shocked to learn that many cloud vendors were forced, in some cases tens of thousands of times a year, to provide customer data to requesting legal parties, and were often prevented from telling customers. Further, it was divulged that the NSA had the expertise and technology to intercept the data, even when the customer was told it was secure. Cloud vendors responded to the ensuing outcry by saying that they had to follow the law.

Not surprisingly, this did not satisfy customers. The lack of guaranteed data privacy was a deal breaker. Cloud vendors saw this for what it was — a very large existential threat — and quickly began beefing up existing encryption services and offering new ones. Consequently, cloud customers now must contend with a very quickly evolving set of encryption options.

What to look for in cloud data encryption

Encryption can never be completely unbreakable. However, it can be a highly effective deterrent depending on its attributes. The following features should be in place, documented, and easily discoverable:

End-to-end protection

Confidential data must be encrypted at rest and in transit. Many vendors promise this, but don’t quite spell out what it means. Some vendors encrypt data only when it’s stored on their hard drives, and even then it may spend a certain amount of time in an unencrypted state — for example, data may be decrypted when retrieved or when being indexed.

Ultimately, all private data should be encrypted end to end, preferably from the moment it is created until the moment it is destroyed. If that’s not possible, get as close as you can.

Of course, all data must eventually be decrypted in order for it to be used. The question is when and where that decryption takes place. The closer it is to the customer’s computers the better. It’s important to ask the cloud vendor who on staff can possibly see the data in an unencrypted state. Their answer should be “no one” or at least “limited to a very few.” And of course, you don’t want other cloud tenants to see your data — and that means no shared encryption keys between tenants.

The best encryption solutions do not let the cloud vendor ever see the data in an unprotected state. This not only protects both the vendor and customer, but also significantly decreases the chance that other parties, legal or not, will try to access the cloud data. If it’s encrypted and inaccessible to the cloud vendor, it’s probably worthless to the third party as well.

Proven crypto only, please

Encryption solutions should use industry-accepted, publicly known, and reviewed ciphers. Cloud vendors claiming to have invented their own “unbreakable” ciphers should be avoided like the plague. Good encryption is hard and must undergo lengthy public peer review in order to be considered for protecting data. Cipher key sizes must be sufficient to protect the data for the desired length of time. Today, this typically means private (symmetric) key sizes of 256 bits or more, and public crypto key sizes of 2048 bits (for traditional public ciphers like RSA and Diffie-Hellman) and 384 bits for public ciphers like ECC (elliptic curve cryptography).

Key management is crucial

Many encryption solutions succeed or fail on how well they manage the digital keys. Who creates the keys and where are they stored?
The best solutions allow the customers to create and keep private keys. How are they stored? Are they protected by a hardware storage module, smartcard, or some other multifactor authentication method? How often are keys updated, and who can initiate? Who has a copy of the keys? You should always have at least one backup of all private encryption keys that are used to protect data at rest. What are the key revocation procedures? Who can request revocation and what actions require revocation? Who performs it? How long does it take? Any time you have an encryption solution you need to answer these key management questions before enabling it.

Coverage

It’s important to understand what an encryption solution covers. Not only what data is encrypted and when, but what devices are included. What devices can create and read content that’s encrypted? Does it cover multiple computer operating systems, multiple computer platforms, and multiple mobile device types, or just one? If multiple device coverage is allowed, how do encryption keys get created and communicated to the devices? If a person encrypts data on one device can they readily decrypt on another device? Do devices need shared keys? These are the sorts of questions that need to be answered.

Transparency

Whatever cloud encryption solution you choose, you should have a full understanding of how the encryption works. It’s no longer acceptable for a cloud vendor to tell you they have the encryption handled and not to worry about the details. You want the details in writing.

Types of cloud encryption solutions

Cloud encryption solutions come in three basic types: customer encryption, encryption provided by the cloud vendor, and third-party encryption.

Encrypted by the customer

The strongest encryption solutions with the most customer control are those completely controlled by the customer. In these scenarios, the customer encrypts the data before it is ever shipped into the cloud. Because the cloud vendor and their other tenants don’t have the decryption keys, it’s never a possibility that the vendor will see the data or be forced to disclose it to third parties.

A very basic customer encryption solution could be accomplished by archiving data into single, larger files, and then encrypting and password-protecting the data during the archival. Many archival programs (Pkzip, etc.) offer this feature. Be sure to enable the strong encryption and use passwords that are 15 characters or longer and use complexity (i.e., multiple character sets). Then upload the encrypted data archive into the cloud.

Most customers prefer a process much more automated. This can be accomplished by building the encryption routine into the customer program before interfacing with the cloud service, or by utilizing built-in encryption routines that are part of the programs you are already using. For example, most database programs offer per-database, per-table, or field-level encryption. Enable that encryption so that data is encrypted locally before being shipped off into the cloud.

The drawbacks of customer-side data encryption mostly boil down to key management. When you create or use your own encryption, it’s up to you to keep track of all encryption keys and/or passwords. For some this responsibility is highly desirable. For others, key management is an unwelcome chore which, if accepted grudgingly, will be performed poorly. Remember: if you opt for customer-side encryption you are accepting all the responsibility and accountability.

Encryption by the cloud provider

Most cloud customers leave all the encryption to the cloud provider. Luckily, cloud providers are both getting better at default encryption and offering more of it. Nonetheless, have a close look at the above “What to look for” section and make sure your provider can meet your requirements.

Some customers combine customer-initiated encryption with encryption offered by a provider, essentially yielding double encryption. While double encryption is not normally needed — especially in a high-functioning, fully documented cloud encryption system — some choose to be safe instead of sorry. You may trust your cloud provider, but it’s impossible to verify provider claims about encryption capabilities down to the last detail. That’s simply the nature of the cloud.

Encryption by a third party

In response to recent privacy violations, many third parties now offer encryption services to customers and cloud providers alike. Their solutions may be installed at each supported client end-point device, on an intermediate proxy gateway, or as an additional feature on the cloud provider’s platform. A third-party solution can be easier to evaluate — at least, when you can get your hands on the encryption software and examine it yourself — but you still have to take it on faith that the provider has properly implemented the solution in the cloud.

No matter which encryption solution type you use, you need to ensure all your requirements are met and that the capabilities are fully documented. It’s a big cloud out there, and if recent events have taught us anything, it’s that other people want to look at your data. It’s your job to make that as hard as possible.

Roger A. Grimes is a longtime contributing editor to InfoWorld who posts to his Security Adviser blog every Tuesday. A Principal Security Architect for Microsoft, he holds over 40 certifications and has written eight books on computer security.