The Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) are under pressure to redesign their information security policies to fit a new business model: the virtual cloud computing environment, in which resources are shared and transferable.
These technical executives are setting new policies and investing in new technologies that account for the resilience of public and private clouds, the provisioning of services, and the infrastructure for sharing data. New identity management policies and systems are being designed as users adopt third-party services outside the firewall, and even inside it, to collaborate in a shared environment. In addition, new boundaries for data security and privacy monitoring must be drawn, bearing in mind how migrating to a virtual cloud environment will affect compliance.
Raytheon Company of Waltham, Massachusetts, is not taking a chance on public clouds. To achieve cost savings, the defense equipment manufacturer is developing a shared, proprietary "cloud-type service" that can be deployed when it and its partners need to test, build, and collaborate on new programs and products for the U.S. Air Force, Army, and Navy.
"[In the virtual cloud computing environment] the security issues and controls are more complex," said Michael Daly, deputy CISO and director of IT services at Raytheon Company. It is not just a matter of managing simple change control, but of going through a lot of trust and prayer: "Hey, do the firewall controls migrate along with [the data or services]? When these virtual machines are created and deleted, are the security keys used for encryption preserved?"
When it comes to the security of shared environments, Daly, like many other IT executives, has more questions than answers at this point: How does a company know who needs access to information as a project starts and shuts down? Does the user have permission to access it? How do the parties involved in development on a private cloud agree to deprovision a user? This goes beyond the cloud model, he says; the cloud is a by-product, or a means, of turning the business model into one that shares resources to develop products and services in a collaborative environment.
Internal and external identity management
Enterprise users bypass IT department logins to access virtual cloud computing services. So the question becomes: who has the right to dial in to and use those services?
The IT team at New York Life Retirement Plan Services (RPS), a department of New York Life Investment Management in Massachusetts, has chosen to block access to third-party virtual cloud computing services and to educate users about the risk of moving information off the company's own network.
"I know that it's very easy [for users] to move to a cloud service, but it poses a lot of risk," said Neal Ramasamy, managing director and chief information officer of New York Life RPS. "I sat down with the requesters to find out why they wanted to go to a third-party cloud. Considering our company strategy, my goal is not to have four different [cloud providers], but to pick one."
When Raytheon's IT department flagged a request for a third-party cloud service, Daly and his team explained why uploading the document to Google Apps was not a good idea. They then presented other security options to the business users, such as the company-approved EMC Documentum system.
"We have to comply with ITAR [the International Traffic in Arms Regulations] and other regulations, so when we see people uploading documents and information and other things to Google, we need to show them the right way," Daly said.
Raytheon is moving to a private cloud and building a federated identity management system. This means that Raytheon will authenticate its own employees, while the companies that join a development project will be responsible for authenticating their own users.
It sounds simple, but it is not. "We have to reach a legal agreement between us and our [cloud] development partners that says, well, if we're going to check identities, you're going to check identities the same way, because that's not always the case," Daly said.
Containing risk is the idea behind the private cloud, but even within a private cloud community, businesses need to deal with user isolation, partitioning of permissions, login, and deprovisioning. "You really need to know your ultimate boundaries to minimize risk," Daly said. "We don't need everyone on the planet to have the opportunity to participate in our planned cloud services, so physical security and more traditional IT security firewall rules are very important."
Such precautions do not, however, settle compliance. Chris Wolf, vice president of research at Gartner, said: "Vendors talk about [federated identity] following the user and follow-me data that uses encryption to spread the data across different places, but CIOs need to think about whether their rules follow them into the cloud. Sometimes sensitive data cannot cross boundaries."
Richard E. Mackey, vice president of SystemExperts Corporation in Sudbury, Massachusetts, said that before a company starts to consider the security practices to deploy around cloud services, it should ask "what is the outsourced application used for?" and "who is going to use it?" "When people call it cloud computing, many variables determine that your security is completely different, depending on which model you're deploying: private cloud, software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS)."
Benefit from cloud provider security practices
Choosing a cloud provider is akin to a marriage, because the customer lives with the systems and security policies the provider defines.
How the enterprise monitors user access to virtual cloud computing services depends on the interface the cloud provider offers. "How do [cloud providers] ensure that users are real users before a request comes back and hits your network?" Mackey said. "Alternatively, some services allow you to log on using your Google or Facebook account. That does not tie directly to [Active Directory] unless you design it to."
Ramasamy of New York Life RPS said he could consider cloud providers for non-critical services like e-mail and Web services, but he wondered whether a cloud provider would build a private cloud for the company in which no one else could get into the environment. If the environment is shared, how are resources shared, and who is likely to be sitting next to adjacent resource sets? What security audits has the provider passed, and what international security certifications does it hold?
Raytheon's Daly says a willingness to be flexible during contract negotiations will be a decisive factor in his company's choice of cloud suppliers. "I don't want to have to tell [a business unit] that they can't outsource something because if we do that we will lose protection, so I want to make sure that if we need to, we can [work with the provider to] change our password complexity or change our passwords to 356 digits. When you turn to cloud security, flexibility will be a huge element of contract management," he said.
Another point to note: if an enterprise wants its data security hosted by others, it needs a way to measure the security performance of that environment. "If the supplier does not let you do so, you may not want to reach an agreement with them," Daly said.