Heightening Cloud Security in Your Enterprise

The responsibility of securing corporate information in the cloud falls upon the enterprise, and enterprises, as cloud consumers, can greatly improve cloud security. Currently, if there is a breach in security, the enterprise is responsible. eWeek Knowledge Center contributor Matthew Gardiner reveals six ways in which enterprises can improve cloud security essentially by thinking as a cloud provider. Once an enterprise has improved security within its cloud computing model, it can fully reap the benefits from the cloud.

Cloud security is a shared responsibility between cloud providers and enterprises, although the dividing line between the two is currently, well, cloudy. The dividing line between cloud providers and enterprises is dependent on the type of cloud model–ranging from Software-as-a-Service (SaaS) to Platform-as-a-Service (PaaS) to Infrastructure-as-a-Service (IaaS).

SaaS approaches what can be thought of as a security black box, in which application security activities are largely invisible to the enterprise. IaaS, in which an enterprise is principally responsible for the security of the application, data and other levels of the infrastructure stack, sits at the other end of the spectrum.

The following six steps outline what enterprises can do to improve security in a cloud computing model and thus reap the full benefits from the cloud:

1. Learn from your current internal private clouds and the security systems and processes constructed around them

Medium to large enterprises have been setting up internal clouds for the past ten years, so while many of them didn’t refer to them as clouds, most enterprises have internal clouds already. These clouds were often referred to as shared services, like authentication services, database services, provisioning services or enterprise data centers.

2. Assess the importance and risk of your multiple IT-enabled business processes

Although the potential cost savings resulting from a transition into the cloud can be calculated rather easily, conducting a “risk vs. reward” calculation is difficult without having a basic understanding of the risk side of the equation. Because this is entirely dependent on the business context of the business process, the cloud providers cannot conduct this analysis for enterprises. The obvious first candidates for the cloud are low Service-Level Agreement (SLA) applications with relatively high cost. The potential regulatory impacts need to be considered as well, because some data and services aren’t allowed by regulators to move off-site or out of the state or country.

3. Analyze different cloud models and categories

There are general differences between cloud models (public, private, hybrid) and cloud categories (SaaS, PaaS, IaaS) that directly relate to security control and responsibility, so enterprises need to analyze both.

Enterprises must have both an opinion and policy for these cloud approaches within the context of their organizations and the risk profile of their own businesses.

4. Apply your Service-Oriented Architecture (SOA) design and security principles to the cloud

The cloud can be seen as an expansion of SOA, as most organizations have been using SOA principles in their application development organizations for several years. In this way, the cloud can be seen as service orientation taken to its next logical step. Combined with centralized security policy administration and decision making, the SOA security principles of highly distributed security enforcement apply directly to the cloud. The principles can simply be transferred to the cloud rather than reinventing the system when switching your focus from SOA to the cloud.

5. Think like a cloud provider

Rather than thinking of your enterprise as a cloud consumer, think as a cloud provider. Your organization is part of a value chain in which you supply services to your customers and partners. If you are able to equate the risk/reward balance so that you profitably consume cloud services, you can apply that way of thinking to guide your entry as a cloud provider within your ecosystem. This will in turn help your organization better comprehend what is happening within the realm of cloud providers.

6. Get to know and start using Web security standards sooner rather than later

The Web security industry has been working on securing and managing cross-domain systems for quite some time, and useful security standards to secure cloud services have emerged as a result. These standards–which include Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML) and Web Services-Security (WS-Security)–must be adopted for security systems to be effective in the increasingly cloud-connected world.

Ensuring that security professionals are viewed as rational advocates of the cloud is an important requirement for enterprises when it comes to improving the security of cloud services. When properly balanced and business-driven, technologists can serve as positive forces in the risk/reward dialogue and also help increase the probability of improving cloud security for their enterprise. To learn more about Cloud Security please visit Nubifer.com.

  1. Good information. Thanks for this very good article. I kept on nodding with every word you say.
    Randomly browsing the good blogs, I went to yours. Truly speaking, I’m sure I’d visit here more often. Great job, keep posting interesting articles here. All the best.
