For the most part, current IT investments have been ignored as part of the cloud security equation, amounting to years of wasted budget. This is especially true of the policies and directories that keep data secure by letting only the right people access it: the “command and control” systems. So, how can organizations leverage existing “command and control” investments while taking advantage of the benefits of the cloud? But, even before that, how should an organization use the cloud in general?
A lot of investment in on-premises software already exists. If you’ve already made that investment (an on-premises application that is running, or partnerships already in place), you have no reason to abandon it. However, a number of scenarios may prompt you to go to the cloud, whether you have an on-premises software investment or not.
Consider a request for proposal (RFP) response process where respondents can locate RFPs they can participate in, make bids and track the process in general. It’s an application that lends itself to a community, but this community’s only common characteristic is that its members can participate in bidding for the RFP. And while requesters want as many qualified businesses as possible to see the RFP and bid on it, they only want credible people to see it. In this scenario, you may choose to sign up for a cloud application that allows you to publish RFPs to credible candidates.
“Command and control” comes in here. You don’t want just anybody to see an RFP because most people have no reason to even lay eyes on it. But you do want to expand the current system for distributing RFPs, for sending RFPs to people who know how to build what you want. You also want as many qualified bidders as possible, but without losing control over who can see which data. You would demand the same level of control that you would have if you installed it on-premises. You want to make sure that you can support directories, authentication and authorization, and you want one bigger partner to basically enable certain classes of organizations to see this RFP and bid on it.
This “limited-time” quality truly makes it a cloud concept. You put out the RFP. Qualified businesses respond to it and say, “Yeah, I know how to bid on this.” They give you pricing and the cloud application guarantees that everyone follows the rules (for example, no one can see each other’s bids, but the one party that put out the RFP can see all the bids). And if implemented on a social network/Facebook-like infrastructure, everything is out in the open and there are no under-the-table discussions happening.
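The bid-visibility rule just described (qualified bidders see the RFP and only their own bid; the issuer sees every bid; nobody else sees anything) is the kind of policy the cloud application has to enforce on every request. The following is an added example, not code from the article or from any product it mentions; the organization names, role names and RFP identifier are constructed, and the audit list stands in for whatever log the real application would keep.

```python
"""Bid-visibility policy for the RFP scenario (added, constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A user acting on behalf of an organization."""
    user: str
    org: str
    roles: frozenset  # "requester" (issues RFPs) and/or "bidder"


@dataclass
class Rfp:
    rfp_id: str
    issuer_org: str
    qualified_orgs: frozenset                   # the vetted community allowed to see and bid
    bids: dict = field(default_factory=dict)    # bidder org -> price
    audit: list = field(default_factory=list)   # every decision, allowed or denied


def _record(rfp, principal, action, allowed):
    """Append an audit entry so every allow/deny decision can be proven later."""
    rfp.audit.append((principal.user, principal.org, action, "allow" if allowed else "deny"))
    return allowed


def can_view_rfp(principal, rfp):
    """The issuer and the qualified bidders can see the RFP; nobody else can."""
    allowed = principal.org == rfp.issuer_org or principal.org in rfp.qualified_orgs
    return _record(rfp, principal, "view_rfp", allowed)


def submit_bid(principal, rfp, price):
    """Only a bidder from a qualified org may bid, and an org keeps a single bid."""
    allowed = "bidder" in principal.roles and principal.org in rfp.qualified_orgs
    _record(rfp, principal, "submit_bid", allowed)
    if not allowed:
        raise PermissionError(f"{principal.user}@{principal.org} may not bid on {rfp.rfp_id}")
    rfp.bids[principal.org] = price


def visible_bids(principal, rfp):
    """The issuer sees every bid; a bidder sees only its own; outsiders see nothing."""
    if principal.org == rfp.issuer_org and "requester" in principal.roles:
        _record(rfp, principal, "list_bids", True)
        return dict(rfp.bids)
    if principal.org in rfp.qualified_orgs:
        _record(rfp, principal, "list_bids", True)
        return {principal.org: rfp.bids[principal.org]} if principal.org in rfp.bids else {}
    _record(rfp, principal, "list_bids", False)
    return {}


def demo():
    """Walk the scenario once and return what each party ends up seeing."""
    rfp = Rfp("RFP-2024-017", "acme", frozenset({"builderco", "fabrix"}))  # constructed
    requester = Principal("pat", "acme", frozenset({"requester"}))
    bidder_a = Principal("ann", "builderco", frozenset({"bidder"}))
    bidder_b = Principal("bob", "fabrix", frozenset({"bidder"}))
    outsider = Principal("eve", "randomllc", frozenset({"bidder"}))

    submit_bid(bidder_a, rfp, 120_000)
    submit_bid(bidder_b, rfp, 98_500)
    try:
        submit_bid(outsider, rfp, 1)          # not in the qualified community: denied
    except PermissionError:
        pass

    return {
        "outsider_can_view": can_view_rfp(outsider, rfp),
        "requester_sees": visible_bids(requester, rfp),
        "bidder_a_sees": visible_bids(bidder_a, rfp),
        "outsider_sees": visible_bids(outsider, rfp),
        "denials": sum(1 for entry in rfp.audit if entry[3] == "deny"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is the “whether you can prove it” part of command and control: a denied request is recorded just like an allowed one, which is what lets the requester later show that no bidder ever saw a competitor’s price.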
Determining On-Premises or in the Cloud
Now, imagine another class of applications that allow you to add new partners. The new partners are small but numerous, perhaps numbering in the thousands. Today, maybe you add these new partners traditionally because, for one, you simply can’t expect these partners to voluntarily sign up for the electronic data interchange (EDI) or enterprise applications at any time. And secondly, the current Web application platforms perform pretty flimsily, and you can’t really expose a true enterprise application on the Web without a sturdy security platform.
A new suite of connectors exists, however, that allows a partner to export identities and access rights into the cloud piece of the application. Theoretically, you would work with vendors who offer cloud applications to build these as extensions of on-premises applications, not as separate cloud applications. This is completely different from the first example we talked about.
What’s being called a hybrid cloud is exactly that: a way to extend an existing application so it exists both on-premises and in the cloud. Basically, a partner can go to the cloud and “buy” an instance belonging to this application to issue to a partner, or one hundred instances belonging to this application to issue to one hundred partners. In the cloud, you can see the larger partners and, within the scope of the application, the identity of the purchasing manager (the identity is actually established up in the cloud). It then ties back down into the same application that runs on-premises but without actually exposing the real directory structure (surely you don’t want your entire directory sitting in the cloud).
Investing in a new suite of connectors
New technologies can connect your directory structure to your cloud presence in a secure way, so that access rights are verified against your own organization’s directory while the identity is visible in the cloud and ties back down to the on-premises application. While not complete products just yet, these interesting new technologies will enable hybrid applications, which we’ll see a lot more of rather than companies jumping into the cloud immediately and throwing away legacy systems.
Renting the Cloud for Evaluation
Let’s explore one more scenario. Let’s say you’ve started to partner with somebody but you haven’t actually fully partnered yet. The cloud allows you to have a staging area where you can work with that partner for some period of time, establish an initial business association and evaluate the relationship. That partner doesn’t want to buy a million dollars’ worth of on-premises equipment and applications to do this. Instead, you can offer them a two-month rental in your cloud piece of the application and ask them to take a look. They can then get their authorized personnel into the cloud and monitor, trade, buy, sell, or do whatever else the application happens to do.
If they like it, they might buy it for the enterprise, as they want consistent representation and they don’t want to forfeit their work. Or they might want to permanently buy a cloud piece. But they will want that cloud piece to tie into their enterprise directory and to export pieces of that enterprise directory to the cloud application so the application knows the authorized identities in their organization. (You may call this “command and control” but that’s a general-purpose term. It implies an ability to determine who may do what and when and whether you can prove it.)
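The hybrid-cloud connector described earlier (export identities and access rights into the cloud piece without exposing the real directory structure) and the two-month rental described here both come down to the same mechanism: a filtered, time-limited projection of the enterprise directory. The following is an added example, not code from the article or from any vendor it mentions. The directory entries, group names, the `cloud-rfp` application name and the export rules are constructed; the 60-day validity is an assumption standing in for the article’s two-month rental.

```python
"""Projecting a slice of the on-premises directory into the cloud piece of an
application, with time-limited partner access (added, constructed example)."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the enterprise directory. It stays on-premises; only
# a projection of it is ever sent to the cloud.
ON_PREM_DIRECTORY = {
    "alice": {"dn": "cn=alice,ou=purchasing,dc=example,dc=com", "title": "Purchasing Manager",
              "groups": {"purchasing", "finance-readers"}, "home_phone": "555-0100"},
    "bob":   {"dn": "cn=bob,ou=engineering,dc=example,dc=com", "title": "Engineer",
              "groups": {"engineering"}, "home_phone": "555-0101"},
    "carol": {"dn": "cn=carol,ou=purchasing,dc=example,dc=com", "title": "Buyer",
              "groups": {"purchasing"}, "home_phone": "555-0102"},
}

# Export rules for one cloud application (constructed): which groups qualify, which
# attributes may leave the building, and which cloud-side rights each group maps to.
EXPORT_RULES = {
    "cloud-rfp": {
        "groups": {"purchasing": {"view_rfp", "submit_bid"}},
        "attributes": {"title"},
    },
}


def project_for_cloud(directory, app, rules, issued_at, valid_for):
    """Build the cloud-side view: only qualifying users, only permitted attributes,
    rights derived from group membership, and an expiry on every entry."""
    rule = rules[app]
    expires = issued_at + valid_for
    projection = {}
    for user, entry in directory.items():
        rights = set()
        for group, group_rights in rule["groups"].items():
            if group in entry["groups"]:
                rights |= group_rights
        if not rights:
            continue  # not part of this application's community: not exported at all
        projection[user] = {
            "app": app,
            "attributes": {k: v for k, v in entry.items() if k in rule["attributes"]},
            "rights": frozenset(rights),
            "expires": expires,
        }
    return projection


def is_authorized(projection, user, right, now):
    """Cloud-side check: the user must be in the projection, hold the right, and
    the grant must not have expired."""
    grant = projection.get(user)
    if grant is None:
        return False
    if now >= grant["expires"]:
        return False
    return right in grant["rights"]


def exported_attribute_names(projection):
    """Review check before shipping a projection: which attribute names appear in it?
    Anything beyond the export rule (dn, groups, home_phone here) would be a leak."""
    names = set()
    for grant in projection.values():
        names |= set(grant["attributes"])
    return names


def demo():
    """Project the directory for the RFP application with a 60-day grant (assumed
    to correspond to the two-month rental) and probe a few decisions."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    projection = project_for_cloud(ON_PREM_DIRECTORY, "cloud-rfp", EXPORT_RULES,
                                   start, timedelta(days=60))
    return {
        "exported_users": sorted(projection),
        "attributes": sorted(exported_attribute_names(projection)),
        "alice_can_bid_day_30": is_authorized(projection, "alice", "submit_bid",
                                              start + timedelta(days=30)),
        "alice_can_bid_day_61": is_authorized(projection, "alice", "submit_bid",
                                              start + timedelta(days=61)),
        "bob_can_view": is_authorized(projection, "bob", "view_rfp", start),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security point: users outside the application’s community are absent from the projection rather than present with empty rights, so the cloud piece never learns they exist, and every exported entry carries an expiry, so when the rental lapses the access lapses with it instead of waiting for someone to remember to revoke it.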
Really, very few things will “go cloud” immediately because few new applications fall in the enterprise class of things. Small partners and limited-time events (where a small piece of the application naturally belongs in the cloud) have a place in the cloud because the cloud facilitates the onboarding of the partner. What the partner does afterwards doesn’t matter so much as the onboarding part. And this characterizes my point: some pieces of applications (not necessarily whole applications) appear fit for life in the cloud (for example, the RFP scenario).
But for now, the bigger, truly enterprise-caliber applications will likely stay put. Connections to the small partners are going to probably start moving to the cloud but, since they were never on-premises anyway, this is not news. They’ve used faxes and e-mail in the past and now, instead of using e-mail, they can actually have a sturdy application that understands access control, allows them to audit and empowers them to do truly great things.
Taher Elgamal is Chief Security Officer at Axway. Taher is an expert in computer, network and information security. Recognized in the industry as the inventor of Secure Sockets Layer (SSL), Taher led the SSL efforts at Netscape and throughout the industry. He also wrote the SSL patent and promoted SSL as the Internet Security standard within standard committees and the industry. Taher also invented several industry and government standards in the data security and digital signatures areas including the DSS government standard for digital signatures.
A 2009 recipient of the RSA Conference Lifetime Achievement Award, Taher has public company board experience with RSA Security, hi/fn, Phoenix Technology and Tumbleweed. He also serves on numerous corporate advisory boards. He can be reached at [email protected].