Software in the Cloud

Executives and analysts examine the adoption of cloud computing and how it impacts the software industry.

Securing the Cloud

Eric Olden

Feb. 02, 2009

Cloud computing has emerged as the next wave of IT innovation for the enterprise. It is driven by utility-scale economics and global reach, while being enabled by breakthroughs in bandwidth, virtualization and service oriented architectures. Cloud computing is compelling for enterprises seeking to cut costs, enhance integration across their business, and enable collaboration both internally and externally.

Whether it is used to provide business applications delivered as services (Software-as-a-Service) like Salesforce.com, or on demand utility computing (Platform-as-a-Service) like Amazon EC2, the cloud is changing the way enterprises consume IT. The wildcard that remains to be addressed for the cloud is security. Until enterprises have a way to secure data in the cloud, this model will not reach its full potential.

Everything Is The Same.
Security has been central to IT since the days of the mainframe and has evolved and adapted as technology extended from the LAN to the WAN to the Web and now to the cloud.

One constant throughout this evolution has been the need for control over access, authentication, auditing and administration. The names for these have evolved over time and today are collectively known as Identity and Access Management (IAM).

For cloud computing to truly establish itself as a viable extension of the enterprise computing ecosystem, it must first provide security on par with what exists inside the firewall. Without this foundation, enterprises will not trust the cloud for business-class computing. Finally, compliance is impossible without controls.

Everything Is Different.
Security must adapt to the unique technical and organizational demands that the cloud presents. While security for the cloud must incorporate the established principles of protection developed for enterprise networks, it must do more. Specifically, it must address the new challenges that arise when infrastructure resides across the Internet where it is collectively operated by the enterprise, its partners, and service providers.

What's Different Specifically?

Access management, the core of security, is different for the cloud because the most common tool for access control on the Internet - the firewall perimeter - has been turned into Swiss cheese. Firewalls can't manage access to cloud applications because by definition these applications are accessed over the Internet outside the corporate firewall.

With the advent of the Web, enterprises put applications outside the perimeter for customers and partners to access. This forced enterprises to scale access management not only for their employees, but for potentially millions of customers. A new generation of access management, designed specifically for the Web, was required and was developed by vendors like Securant and Netegrity. First-generation Web Access Management software relied on agents tightly coupled with web servers operated by the enterprise.

However, cloud infrastructures are different, since it's impossible to run a web server plug-in on a multi-tenant architecture where multiple organizations share common infrastructure. Access management for the cloud must be controlled without agents and without tightly coupling infrastructure components together.

Authentication for the cloud is different. Verifying that a user is who they claim to be on the cloud works differently than for an enterprise network. The enterprise can rely on multiple layers of authentication: for instance, it can use Windows logons to verify an employee's identity and restrict authentication to only those users who have access to the corporate Windows network.

This model doesn't scale to the cloud because users aren't necessarily connected to a corporate LAN, and many users, like customers, aren't part of the enterprise Active Directory. This is further complicated in global enterprises that are widely distributed, with users accessing IT resources over the public Internet without using VPNs.

Because clouds are often used for collaboration between organizations using different technology platforms, an inter-organizational authentication solution has evolved. Called federation, this model uses the Security Assertion Markup Language (SAML) standard. With SAML, each organization manages its own users and shares authentication between sites through trust relationships.

SAML is an elegant solution for scalable authentication. Authentication for the cloud will rely on SAML and provide the dual benefit of reducing the number of passwords that users must remember (and forget) and improving the user experience through Single Sign-On (SSO).

Administration for the cloud requires a new approach to support the complex structures and business relationships between cloud networks and organizations. User account management, known as provisioning, on the cloud is different than on the Web because it comprises a mix of both enterprise and cross-organizational requirements. On the cloud, organizations must manage access not only by employees, but also by customers and partners. Identity data for these external users often resides in remote repositories across the Internet, something that today's provisioning tools aren't designed to handle.

As with authentication, user management must also be federated between clouds and the partner enterprises. As companies adopt SaaS applications they find that user accounts are now located in third-party databases, creating new management silos. User management for the cloud must evolve to a 'meta-management' layer that abstracts the underlying location of the repository and treats users consistently across both internal systems like Active Directory and cloud-based applications.

Auditing and compliance for the cloud must also evolve past today's enterprise-centric model. Currently, enterprise solutions that centralize and aggregate logs are used to demonstrate to auditors that controls are in place and to report on user activity. This approach works because access paths to enterprise applications are more tightly controlled through a combination of perimeter-based controls. With on-premise Web application access there are relatively few moving parts that must be monitored for compliance.

In the cloud, the infrastructure for managing compliance must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems. Users access cloud applications across the Internet, rendering perimeter controls ineffective for compliance.

It is imperative to manage cloud access paths through a consistent control point, and the most scalable way to do this is using an Internet-scale proxy utility. By channeling all user access through a security proxy, the task of auditing becomes centralized. Since proxies do not require software agents, this approach of loosely coupling security with cloud applications is massively scalable.
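The two ideas above, federated authentication through trust relationships and a central proxy that produces the audit trail, can be shown together in a small model. This is an added example, not code from the article or from Symplified: a partner identity provider issues a signed assertion (a constructed HMAC-signed JSON token standing in for a real SAML assertion, which would carry an XML signature and X.509 certificate), and the proxy verifies issuer, signature, audience and validity window before allowing the request, writing one audit record per decision. The issuer URLs, audience and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: which identity providers this proxy trusts, and
# the key used to check their assertions (a SAML deployment would hold the
# IdP's signing certificate instead of a shared secret).
TRUSTED_IDPS = {"https://idp.partner.example": b"constructed-demo-secret"}
SP_AUDIENCE = "https://app.cloud.example"   # the service this proxy fronts
AUDIT_LOG = []                              # central audit trail, one record per decision


def issue_assertion(issuer, subject, secret, now, ttl=300, audience=SP_AUDIENCE):
    """Identity provider side: sign a short-lived assertion about a user."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token, now):
    """Service provider side: return (claims, 'ok') or (None, reason for rejection)."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                      # bad padding, bad JSON, wrong field count
        return None, "malformed"
    secret = TRUSTED_IDPS.get(claims.get("iss"))
    if secret is None:                      # only federated partners are accepted
        return None, "untrusted issuer"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("aud") != SP_AUDIENCE:    # an assertion for another site must not be replayed here
        return None, "wrong audience"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None, "expired"
    return claims, "ok"


def proxy_request(token, resource, now):
    """The agentless control point: every access decision is logged centrally."""
    claims, reason = verify_assertion(token, now)
    decision = "allow" if claims else "deny"
    AUDIT_LOG.append({"ts": now, "resource": resource, "decision": decision, "reason": reason,
                      "sub": claims["sub"] if claims else None,
                      "iss": claims["iss"] if claims else None})
    return decision
```

Because every application sits behind the same proxy, the audit log answers "who accessed what, asserted by which partner, and why was it refused" without any per-application agent.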

Consistency is essential for compliance, and cannot be achieved using ad-hoc and siloed approaches to access control and reporting. Too many applications are built and deployed with only an afterthought given to security and compliance. This is a problem in the enterprise today and must be addressed as part of an intelligent cloud strategy from the very beginning.

Confidentiality of data is the last major element of security. Data must be protected both in motion and while at rest. When data is transmitted across the network, encryption must be used to prevent eavesdropping and SSL/TLS is the best way to do this. This protects data from being hijacked or user credentials from being stolen by an attacker. Data at rest must be encrypted on the storage device or within the database. This includes confidential (and regulated) data like credit card numbers and especially user credentials.

In the enterprise, data is further protected because it resides inside a firewalled perimeter that deters possible attackers. When moving to the cloud, enterprises must recognize that their users' credentials are scattered across multiple systems not under their direct control. If proper encryption is not in place, user passwords are vulnerable to theft and can be used to gain access to other applications.

Creating a meta-security infrastructure for the cloud requires a comprehensive strategy encompassing the five core elements of security: access, authentication, auditing, administration, and confidentiality. Because the cloud uses significantly different technology and a decentralized organizational structure compared to enterprise networks, simply extending existing security systems will fail. Enterprises must implement a cloud-native approach that unifies these elements and is also able to integrate with the existing IT infrastructure. Otherwise new silos are created, resulting in more work, greater expense, and weaker security.

A cloud-delivered security strategy is the only efficient approach for aligning and bridging the technology and processes that span enterprise infrastructures and Internet-delivered services and resources. Using this model, enterprises get the rapid scalability, global reach and utility economics that define cloud computing.


Eric Olden is founder and CEO of Symplified, a developer of access management technology for SaaS and the cloud. He previously founded and was CTO of Securant Technologies, a pioneering developer of Web Access Management technology. The Securant ClearTrust product was acquired by RSA Security.
