In this article, I will discuss six ways enterprises can improve cloud security. Yes, you read that correctly. Enterprises-cloud consumers-must work to improve cloud security. Most of the discussion around security of the cloud has focused on what the cloud providers should do. The data and application services are on their premises. But enterprises need to remember that they bear a large-and in some situations, the largest-part of cloud security responsibility. Enterprises must never forget that they will face the majority of the blame if security breaches occur. They are, after all, the entities that have collected the data.
Cloud security is best thought of as a joint responsibility between cloud providers and enterprises, and the dividing line between the two currently is a bit…cloudy. The dividing line depends directly on the type of cloud model that is in play, ranging from software as a service (SAAS) to platform as a service (PAAS) to infrastructure as a service (IAAS).
On one end of the spectrum, SAAS approaches what could be considered a security black box, where application security activities are largely not visible to the enterprise. On the other end of the spectrum is IAAS, where an enterprise is principally responsible for the security of the application, data and possibly other levels of the infrastructure stack.
What should enterprises do to improve security in a cloud computing model and prepare to reap the most benefit from the cloud? The following are six steps to take:
Step No. 1: Learn from your existing, internal private clouds and the security systems and processes you built around those
Yes, you have internal clouds already. Over the last 10 years, medium to large enterprises have been setting up internal clouds, although they didn’t refer to them as clouds. They were often referred to as shared services, such as authentication services, provisioning services, database services or enterprise data centers (which were hosted on relatively standardized hardware and operating system builds).
Step No. 2: Assess the risk and importance of your many IT-enabled business processes
While the potential reward of cost savings realized by moving to the cloud might be relatively easy to calculate, one cannot do a “risk versus reward” calculation without first understanding the risk side of the equation. The cloud providers can’t do this analysis for enterprises, as this totally depends on the business context of the business process. Low service-level agreement (SLA) applications with relatively high cost are obvious first candidates for the cloud. As part of this risk-weighing effort, the potential regulatory impacts also need to be considered, as some data and services are simply not allowed by regulators to move off-site, out of state or out of country.
Study Different Cloud Models and Categories
Step No. 3: Study different cloud models and categories
Enterprises need to study the different cloud models (public, private, hybrid) as well as the different cloud categories (SAAS, PAAS, IAAS), as they have general differences that directly relate to security control and responsibility.
All enterprises need to have an opinion and policy for these cloud approaches in the context of their own organizations and the risk profile of their own businesses (discussed previously in step two).
A good source in support of this issue and other security implications of the cloud can be found in the recent ENISA publication, “Cloud Computing: Benefits, risks and recommendations for information security.” Legal organizations should also play an important role here, as issues such as warranty and liability will play an important part of this analysis.
Step No. 4: Apply your service-oriented architecture (SOA) design and security principles to the cloud
Most organizations have been using SOA principles in their application development organizations for a number of years. Isn’t the cloud a massive expansion of SOA? The cloud is just service orientation taken to its next logical step. The SOA security principles of highly distributed security enforcement, combined with centralized security policy administration and decision making, apply directly to the cloud. There is no need to reinvent this wheel when moving your focus from SOA to cloud. Just transfer the principles.
Think as a Cloud Provider
Step No. 5: Think as a cloud provider
While most enterprises will begin by thinking of themselves as cloud consumers, don’t forget that your organization is also part of a value chain: you supply services to your customers and partners. If you can get the risk/reward balance right for you to profitably consume cloud services, why not use the same thinking to guide your entry as cloud provider into your ecosystem? This will also help your organization to better understand what is happening within the cloud providers.
Step No. 6: Familiarize yourself with and start using Web security standards now
The Web security industry has been working on securing and managing cross-domain systems for a long time. Out of this work has come many useful security standards that are already in use (or should be) to secure cloud services. These standards must be adopted for security systems to be effective in the cloud-connected world. These standards include Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML) and Web Services-Security (WS-Security). A positive word of encouragement for enterprises federating browser sessions today with SAML: You have already expanded your cloud security IQ.
One of the most important requirements for enterprises to improve the security of cloud services is to ensure that security professionals be seen as rational advocates for the cloud, not as naysayers or doubters. Properly balanced, business-driven technologists can become positive forces in the risk/reward dialogue and help raise the probability of getting cloud security right for their enterprise.
Matthew Gardiner is a Director in the Security and Compliance business unit at CA, Inc. Matthew is a recognized industry leader in the security and identity and access management markets. Matthew also serves as vice president and board member for the Kantara Initiative, an industry group focused on digital identities and how they can interoperate with today’s technology deployments. Matthew is a frequent speaker at conferences and industry events worldwide, such as those hosted by Internet Security Solutions Europe (ISSE), Information Systems Audit and Control Association (ISACA), analyst firms and Liberty Alliance. He has a BSEE from the University of Pennsylvania and an SM in Management from MIT’s Sloan School of Management. He can be reached at [email protected].