You've successfully migrated your organization's selected applications and data into the cloud, and everyone has said what a great job you've done. But you and I both know the task of maintaining the security of these apps and data has only just begun. In this tip, I'll review which technologies and processes must be initiated, monitored and secured after a cloud computing implementation or initiative is up and running.
IAM
Cloud computing turns us all into remote workers, which makes identity and access management (IAM)
one of the key challenges after a cloud computing move. It is important to have robust lifecycle
management regarding users and user access so that user accounts, credentials and access rights are
always relevant and up to date, including disabling an account when an employee leaves. Also look
to initiate an IAM strategy that can make full use of federated identity management, which enables
users to securely access data or systems across autonomous security domains.
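A minimal sketch of the lifecycle check described above, as an added example that is not part of the original tip: it reconciles an HR roster against an account export from a cloud service and flags enabled accounts that belong to leavers, have no HR owner, or have gone stale. The field names, the 90-day threshold and all sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

TODAY = date(2010, 1, 31)  # constructed review date

# Constructed HR roster: user id -> termination date (None = still employed).
HR = {
    "alice": None,
    "bob": date(2009, 12, 18),
    "carol": None,
    "dave": date(2010, 1, 8),
    "frank": date(2009, 11, 30),
}

# Constructed account export from a cloud service's admin console.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2010, 1, 29)},
    {"user": "bob", "enabled": True, "last_login": date(2009, 12, 17)},
    {"user": "carol", "enabled": True, "last_login": date(2009, 9, 1)},
    {"user": "dave", "enabled": True, "last_login": date(2010, 1, 20)},
    {"user": "frank", "enabled": False, "last_login": date(2009, 11, 27)},
    {"user": "svc-backup", "enabled": True, "last_login": date(2010, 1, 30)},
]


def review_accounts(hr, accounts, today, stale_after_days=90):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        user, last = acct["user"], acct["last_login"]
        if not acct["enabled"]:
            continue  # already deprovisioned
        if user not in hr:
            findings.append((user, "orphaned: no HR record"))
        elif hr[user] is not None and hr[user] <= today:
            if last is not None and last > hr[user]:
                # Highest priority: the credential was used after the leave date.
                findings.append((user, "leaver: login after termination"))
            else:
                findings.append((user, "leaver: account still enabled"))
        elif last is None or today - last > timedelta(days=stale_after_days):
            findings.append((user, "stale: no recent login"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(HR, ACCOUNTS, TODAY):
        print(f"{user:12} {finding}")
```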
More specifically, consider introducing single sign-on (SSO) for enterprise applications and leveraging this architecture to simplify cloud provider implementations. A move to the cloud will appear far more seamless to your users if they are already used to SSO, and it'll make managing trust across different types of cloud services less onerous. You will also have logged baseline data to help you monitor and gauge changes due to cloud activity.
An SSO product should use one of the common standards for implementing federation, such as Security Assertion Markup Language (SAML) and Liberty Alliance ID-FF. These standards extend existing access and identity policies from the internal network beyond the firewall and out to the cloud, while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies.
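One way a relying application can enforce authentication strength per data classification, shown as an added example that is not part of the original tip: it reads the `AuthnContextClassRef` from a SAML 2.0 assertion and compares it with the minimum the classification requires. The strength ranking, the classification labels and the sample assertion are assumptions constructed for illustration, and the assertion is assumed to have had its signature and conditions validated by the SSO stack already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed ranking of SAML 2.0 authentication context classes (higher = stronger).
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,
    AC + "SmartcardPKI": 4,
}

# Hypothetical data classification policy: label -> minimum strength required.
REQUIRED = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


def authn_strength(assertion_xml):
    """Return the weakest strength asserted, or 0 if none or unrecognised."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if not refs:
        return 0
    return min(STRENGTH.get((r.text or "").strip(), 0) for r in refs)


def access_allowed(assertion_xml, classification):
    """Fail closed: unknown labels and unknown context classes are denied."""
    required = REQUIRED.get(classification)
    if required is None:
        return False
    return authn_strength(assertion_xml) >= required


def sample_assertion(class_ref):
    """Constructed assertion for the demo; signature and conditions omitted."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2010-01-15T09:00:00Z">'
        "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2010-01-15T09:00:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>" + class_ref +
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for label in REQUIRED:
        ok = access_allowed(sample_assertion(AC + "PasswordProtectedTransport"), label)
        print(f"{label:13} {'allow' if ok else 'deny'}")
```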
Bandwidth
The increased Internet usage that cloud computing brings also increases the risk of
network congestion bottlenecks. Web-based applications are extremely latency-sensitive, many
barely functioning if the network is too busy. Downtime or slow processing frustrates employees and
can lead to breaches in policy. Slow file or data transfers, for example, can lead workers to use
alternative methods that may be far less secure and break security policy rules.
One answer to this problem is to deploy a WAN optimization product, which is designed to ease enterprise application traffic on the network by improving application traffic management and eliminating redundant transmissions. Products such as the Citrix NetScaler from Citrix Systems Inc. offer a Web application firewall and combine traffic management through Layer 4-7 load balancing. Other WAN optimization vendors include Riverbed Technology Inc. and Blue Coat Systems Inc.
Firewalls
Connections between the internal network and the cloud should certainly be encrypted; sending any
sensitive or mission-critical data back and forth in the clear over the Internet is like offering
attackers an invitation to steal the data. As a network engineer, ensure network devices can handle
the processor-intensive, public-key encryption algorithms involved in SSL-encrypted communications.
SSL accelerator cards or proxies that handle all SSL operations may need to be added to the
infrastructure. However, encryption alone won't stop malware and other network attacks. It's
important, therefore, to upgrade the firewalls protecting your internal network so that they can
inspect SSL traffic. Encryption should ideally work in tandem with data loss prevention (DLP)
products, which will classify and monitor data while enforcing policies.
Audit
Another important task after a cloud computing implementation will be to conduct an audit of all
security policies to ensure they remain relevant. Also review, update and test disaster recovery
and business continuity plans and procedures. Processes, and more importantly, people's roles, will
have changed now that cloud computing infrastructure is a part of day-to-day systems management.
The internal IT team will certainly need to work closely with the cloud provider so each
understands the other's responsibilities within the context of the continuity plan, including which
aspects of any recovery will be handled by whom. Being prepared for service disruptions will reduce
the severity of any event.
Finally, don't take statements in your provider's SLA for granted. Check that it does perform backups and patch systems within the agreed timeframes. You should certainly request a copy of the findings of its own audits and ensure that any recommendations have been implemented. Engaging in constructive dialogue will make addressing both parties' security issues a lot easier, so make sure you are in regular contact, particularly during any application or system upgrades. This communication will help prevent changes from adversely affecting your compliance with relevant industry or government regulations.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a
consultancy that offers IT training and support in data security and analysis. He co-authored the
book IIS Security and has written numerous technical articles for leading IT publications.
Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a
SearchSecurity.com site expert, answers user questions on application security and platform
security.
This was first published in January 2010