Securing Software in the Cloud
February 2009
Cloud computing has emerged as the next wave of IT innovation for the
enterprise. It is driven by utility-scale economics and global reach,
while being enabled by breakthroughs in bandwidth, virtualization and
service oriented architectures. Cloud computing is compelling for
enterprises seeking to cut costs, enhance integration across their
business, and enable collaboration both internally and externally.
Whether it is used to provide business applications delivered as services
(Software-as-a-Service) like Salesforce.com, or on demand utility
computing (Platform-as-a-Service) like Amazon EC2, the cloud is
changing the way enterprises consume IT. The wildcard that remains to
be addressed for the cloud is security. Until enterprises have a way to
secure data in the cloud, this model will not reach its full potential.
Everything Is The Same.
Security has been central to IT since the days of the mainframe and has evolved
and adapted as technology extended from the LAN to the WAN to the Web
and now to the cloud.
One constant throughout this evolution has
been the need for control over access, authentication, auditing and
administration. The names for these have evolved over time and today
are collectively known as Identity and Access Management (IAM).
For cloud computing to truly establish itself as a viable extension of the
enterprise computing ecosystem, it must first provide security on par
with what exists inside the firewall. Without this foundation,
enterprises will not trust the cloud for business-class computing.
Finally, compliance is impossible without controls.
Everything Is Different.
Security must adapt to the unique technical and organizational demands that the
cloud presents. While security for the cloud must incorporate the
established principles of protection developed for enterprise networks,
it must do more. Specifically, it must address the new challenges that
arise when infrastructure resides across the Internet where it is
collectively operated by the enterprise, its partners, and service
providers.
What’s Different Specifically?
Access management, the
core of security, is different for the cloud because the most common
tool for access control on the Internet – the firewall perimeter – has
been turned into Swiss cheese. Firewalls can’t manage access to cloud
applications because by definition these applications are accessed over
the Internet outside the corporate firewall.
With the advent of
the Web, enterprises put applications outside the perimeter for
customers and partners to access. This forced enterprises to scale
access management not only for their employees, but for potentially
millions of customers. A new generation of access management, designed
specifically for the Web, was required and developed by vendors like
Securant and Netegrity. First generation Web Access Management software
relied on agents tightly coupled with web servers operated by the
enterprise.
However, cloud infrastructures are different since
it’s impossible to run a web server plug-in on a multi-tenant
architecture where multiple organizations share common infrastructure.
Access management for the cloud must be controlled without agents and
without tightly coupling infrastructure components together.
Authentication for the cloud is different. Verifying
a user is who they claim to be on the cloud works differently than for
an enterprise network. The enterprise can rely on multiple layers of
authentication, for instance using Windows logons to verify an
employee’s identity and restricting authentication to only those users
that have access to the corporate Windows network.
This model
doesn’t scale to the cloud because users aren’t necessarily connected
to a corporate LAN - and many users, like customers, aren’t part of the
enterprise Active Directory. This is further complicated with global
enterprises that are widely distributed with users accessing IT
resources over the public Internet not using VPNs.
Because clouds are often used for collaboration between organizations using
different technology platforms, an inter-organizational authentication
solution has evolved. Called federation, this model uses the Security
Assertion Markup Language (SAML) standard. With SAML, each organization
manages its own users and, through trust relationships, shares
authentication between sites.
SAML is an elegant solution for
scalable authentication. Authentication for the cloud will rely on SAML
and provide the dual benefit of reducing the number of passwords that
users must remember (and forget) as well as improving user experience
through Single Sign On (SSO).
Administration for the cloud requires a new approach to
support the complex structures and business relationships between cloud
networks and organizations. User account management, known as
provisioning, on the cloud is different than the Web because it
comprises a mix of both enterprise and cross-organizational
requirements. On the cloud, organizations must not only manage access
by employees, but also customers and partners. Identity data for these
external users often reside in remote repositories across the Internet,
something that today’s provisioning tools aren’t designed to handle.
As with authentication, user management must also be federated between
clouds and the partner enterprises. As companies adopt SaaS
applications they find that user accounts are now located in 3rd party
databases, creating new management silos. User management for the cloud
must evolve to a ‘meta-management’ layer that abstracts the underlying
location of the repository and treats users consistently across both
internal systems like Active Directory and cloud-based applications.
Auditing and compliance for the cloud must also evolve past today’s enterprise-centric model. Currently,
enterprise solutions that centralize and aggregate logs are used to
demonstrate to auditors that controls are in place and report on user
activity. This approach works since access paths to enterprise
applications are more tightly controlled through a combination of
perimeter-based controls. With on-premise Web application access there
are relatively fewer moving parts that must be monitored for compliance.
In the cloud, the infrastructure for managing compliance must extend
across the Internet and encompass the applications, users, and
activities on remote as well as enterprise systems. Users access cloud
applications across the Internet, rendering perimeter controls
ineffective for compliance.
It is imperative to manage cloud
access paths through a consistent control point and the most scalable
way to do this is using an Internet-scale proxy utility. By channeling
all user access through a security proxy the task of auditing becomes
centralized. Since proxies do not require software agents, this
technology approach of loosely coupling security with cloud
applications is massively scalable.
Consistency is essential for
compliance, and cannot be achieved using ad-hoc and siloed approaches
to access control and reporting. Too many applications are built and
deployed with only an afterthought given to security and compliance.
This is a problem in the enterprise today and must be addressed as part
of an intelligent cloud strategy from the very beginning.
Confidentiality of data is the last major element of security. Data
must be protected both in motion and while at rest. When data is
transmitted across the network, encryption must be used to prevent
eavesdropping and SSL/TLS is the best way to do this. This protects
data from being hijacked or user credentials from being stolen by an
attacker. Data at rest must be encrypted on the storage device or
within the database. This includes confidential (and regulated) data
like credit card numbers and especially user credentials.
In the enterprise, data is further protected because it resides inside a
firewalled perimeter that deters possible attackers. When moving to the
cloud, enterprises must recognize that their users’ credentials are
scattered across multiple systems not under their direct control. If
proper encryption is not in place, user passwords are vulnerable to
theft and can be used to gain access to other applications.
Creating a meta-security infrastructure for the cloud requires a comprehensive
strategy encompassing the 5 core elements of security – access,
authentication, auditing, administration, and confidentiality. Because
the cloud uses significantly different technology and a decentralized
organizational structure compared to enterprise networks, simply
extending existing security systems will fail. Enterprises must
implement a cloud-native approach that unifies these elements and is
also able to integrate with the existing IT infrastructure. Otherwise
new silos are created resulting in more work, greater expense, and
weaker security.
A cloud delivered security strategy is the only
efficient approach for aligning and bridging the technology and
processes that span enterprise infrastructures and internet delivered
services and resources. Using this model enterprises get the rapid
scalability, global reach and utility economics that define cloud
computing.
Written By: Eric Olden, President and Founder of Symplified
February 2, 2009
Eric Olden is founder and CEO of Symplified,
a developer of access management technology for SaaS and the cloud. He
previously founded and was CTO of Securant Technologies, a pioneering
developer of Web Access Management technology. The Securant ClearTrust
product was acquired by RSA Security.