Deep parsing Cloud Security checks

December 1, 2011 Do you think your data is safe in the cloud? Here are six tough questions about your cloud vendor.

Whether it's a small business that relies on Google Docs for file sharing or a large enterprise that shifts its global ERP system to cloud computing, they should make their suppliers provide applications and services across the network to meet their general security and regulatory requirements. These requirements relate to who can access enterprise applications, data, and their supervisory systems, where the data is stored, and whether the data is private, rather than shared on the hardware. Vendors should also ensure that users understand the detailed records of their data visitors, so that users can meet the enterprise and its regulatory standards, and verify that data is properly encrypted, a more important factor outside the corporate firewall.

The enterprise's demand for the cloud depends on its enterprise standards and regulatory requirements, the total and type of workloads that are transferred to cloud computing, and how to divide management and security responsibilities between employees and suppliers. Security requirements also depend on whether the enterprise uses SaaS, IaaS, or PAAs products, but they should at least consider the following issues in their cloud security planning.

Who has control over certification or access?

The ability to prove the identity of the user, control the data they have visited, and perform functions depends on their identity and role, with the capability to be almost a priority for every cloud user. Authentication can be most challenging when an enterprise uses a repository in the firewall that controls its cloud servers and applications like active Directory to maintain user information and control.

According to industry analysts, the ideal solution would be to have a "joint" identity management access system to centralize authentication information within and outside of all departmental systems so that any user who presents the correct credentials, such as a password or Authenticode, can be verified in a timely manner. It also provides a single sign-on in the enterprise or system, allowing users to access all their applications and data by entering a single username and password. Although SaaS upstream vendors have the infrastructure to provide a single sign-on to a large number of customers who have their own configurations to act as "identity suppliers", many smaller service providers and their customers lack these supply capabilities.

However, because Federated identity management can be costly or difficult to implement, many companies tend to be "synchronized" in ways that enable different applications to maintain different copies of user authentication information. This can compromise security by propagating user credential data across multiple locations and across enterprises, in addition to delaying the exit time between the internal system and the cloud application, resulting in a potential security breach.

Another validation option is to support a cloud vendor's direct connection to the enterprise's user information repository, which may be more secure than synchronization, but will only work if these enterprises have a relatively simple system collection. This is also a way for healthcare provider HCR, whose information security director, Thomas Vines, said he had used a cloud-based application to manage the enterprise's electronic medical records system over the past seven years, and claimed that the approach was well suited to the system. Vines allows a cloud security service from Zscaler to access the implementation of its Active Directory to determine which users need authentication and what level of access is granted to them.

NetIQ, director of Cloud Product management Tom Cecere, points out that in an IAAS implementation, a customer can buy the right to use a cloud server simply by linking to the LDAP directory via a service provider. This is because there are usually only a limited number of administrative roles, for example, a role might include users who create new servers, and another might cover a wide range of settings that can expand server capabilities, or a larger enterprise group that still uses servers.

Many vendors, such as Symplified, Okta, and ping identity, provide single sign-on through a "simplified syndication" approach that will reposition users ' access requirements to support cloud validators for all cloud services.

Another challenge is to ensure that users have access only to their applications or to data and functionality in their authorized applications.

Not all businesses require the same level of spacing during normalized access, but the level of detail provided by the vendor is important, rather than relying solely on the rather "rough" management controls provided by vendors who derive maximum profits through incentive visits. Aveksa is a provider that provides finer access control and sells its software to cloud vendors and cloud customers.