THOUGHTS FROM THE CLOUD: A selection of Cloud-Security Articles from the CloudAccess Blog, Vol. 3
AUTHOR’S NOTE
“Thoughts from the Cloud” is a weekly blog written by Kevin Nikkhoo, CEO of
CloudAccess. It looks to discuss, dissect and debate the many pressing issues
surrounding cloud computing with a special focus on cloud-based security
and security-as-a-service. You can read all the blog entries at:
http://cloudaccesssecurity.wordpress.com/
In this Volume you will find:
Identity Mgmt in the Cloud: A Matter of Function, Control, Cost
The Challenge of Herding Cats: Your SaaS Portfolio & Security
In Cloud We Trust
The Genie, The Bottle and BYOD
Casting Light on Shadow IT and ID
IDENTITY MANAGEMENT IN THE CLOUD: A MATTER OF
FUNCTION, CONTROL AND COST
I was flipping around the 320 channels on TV
yesterday and came across an old episode of
Seinfeld. It’s the one where Jerry is asked to fill in
as a doorman for a high rise. While standing
sentry, he lets various people through and finally
leaves his post only to find the lobby couch was
stolen. It got me thinking about how many
companies simply leave the proverbial front door
open and practically let anyone access data on
their network without secure authentication.
Presented by:
CloudAccess:
CloudAccess provides comprehensive security-as-a-service from the cloud. Our suite of robust and scalable solutions eliminates the challenges of deploying enterprise-class security solutions including costs, risks, resources, time-to-market, and administration. By providing such integral services as SIEM, Identity Management, Log Management, Single Sign On, Web SSO and Access Management, CloudAccess offers cost-effective, high-performance solutions controlled and managed from the cloud that meet compliance requirements, diverse business needs and ensure the necessary protection of IT assets.
www.CloudAccess.com
877-550-2568
CloudAccess, Inc 12121 Wilshire Blvd
Suite 1111 Los Angeles, CA 90025
www.CloudAccess.com
CLOUDACCESS 877-550-2568 www.cloudaccess.com
SECURITY FROM THE CLOUD:
User identities are at the core of your business. Organizations need to
manage access to corporate resources and systems to an ever changing
flux of employees, consultants, partners, vendors, suppliers, and
customers. And each has their own agenda in terms of the information
they wish to access. Without an identity management framework, all any
of these people need to do is knock on the door and the doorman will let
them in. And once they are in the front door, someone might steal a lobby
couch.
Most IT professionals are well aware of the benefits of Identity Access Management: the ability to provision and de-provision users, manage passwords, control authentication, automate workflow approval, facilitate federated interoperability, provide single sign-on, submit online forms and, hopefully, offer some degree of user self-service. These are powerful tools to help dissuade network abuse and protect IT assets.
The issue here is not to debate whether an organization benefits from a well-positioned IDM/IAM initiative, but rather what the best way is to deploy and manage it. In that respect there are three points of comparison for whether the cloud or a more traditional deployment is best suited for an enterprise: functionality, control, and cost.
First is functionality. It is obvious that any initiative must successfully achieve the basic promises of IDM: to authorize and authenticate users to access and use various applications and network resources, whether they are sitting on a company’s server or virtually within some cloud application. On the surface, between cloud and on-premise this is a push; both have very strong features. In most cases, they have identical robust feature sets. The key differences are modular scalability, speed of deployment and automated processes. The cloud is infinitely more flexible in the ability to ramp up and down depending on the number of users, their roles and applications. Because of the inherent processes built into several cloud offerings, companies gain a considerable resource bounce. Just the automations alone (such as real-time employee status change, rule-based role apportioning, and password management self-service) remove time-draining burdens while allowing both the IT staff and the users themselves to be more efficient and effective.
DOES SINGLE SIGN ON
IMPROVE OPERATIONS?
In a recent brand-agnostic survey by the independent research firm Ponemon Institute regarding the benefits and efficiencies of single sign-on, the question was asked whether SSO improved operations and in what ways:
88% of surveyed CTOs believe SSO improves the efficiency of operations
82% note that access to key business applications is improved
73% believe it improves the effectiveness of administrative activities (including help desk)
71% record that it improves adoption of new applications and technologies
More than 14.5 minutes per day are saved by EACH user because of SSO
The bottom line is that SSO increases employee productivity, reduces helpdesk calls, and strengthens security.
Next, consider control. The architecture of the modern IT landscape is
changing quickly and dramatically. In many cases traditional IT methods are
no longer effective. And when you consider control, it is not about ceding
the power to shape your IT environment, but the added ability to
centralize things both inside and beyond your office walls. There are just
too many variables from cloud-based apps to the unknown security
protocols of your vendor/suppliers to evolving business needs. What
security-as-a-service offers is administration under your rules and your
supervision. It removes your staff from the day-to-day lower level priorities
that prevent the completion of higher value tasks while promoting
enterprise-wide consistency and risk mitigation including maintaining
audits and compliance.
Think about your current system. How long does it take to create the proper access channels if Sally gets a promotion to sales manager? The position requires a whole new set of permissions and access to reports, applications and the like. What if the person Sally is replacing was terminated? How long before he is deprovisioned and alerts are set up for when the username is used? How long does it take to set up your latest supplier with access to your SaaS ERP so they can accurately predict inventories and fulfill your orders? In the cloud it is instantaneous. It automatically incorporates your workflow approval. And let’s not even get started on how many times the phone rings because the account manager overseas forgot a password. If released from these tasks (through strict process authentication), how much more could you accomplish in a day?
And finally, cost. Like its cousin SaaS, there are immediate cost efficiencies
and ROIs within the cloud. Traditional in-house enterprise security
infrastructure is expensive. Typically the services required to implement
in-house Identity Management systems are a ratio of 2:1 or 3:1 (and
sometimes higher) of professional services costs to software licenses. And
adding to the cost burden is extended implementation cycles. Additionally,
corresponding high-availability and high-capacity hardware is usually
required. All of these components drive up the cost and deployment times
of the overall initiative making the entire package unaffordable for many
organizations. That is why only the largest of the enterprises have enjoyed
the benefits of enterprise security solutions. The cloud removes the barrier
and adds a zero-deployment factor to the bottom line.
CLOSING THE GAP WITH
VULNERABILITY RESEARCH
Key findings from a recent Forrester study:
Independent and original vulnerability research is important to security organizations. Security teams need actionable intelligence. They need precise and timely information to help them make the decisions necessary to protect their company’s networks and applications.
Companies want to leverage relationships with vulnerability researchers to make decisions. Given the complexities of today’s threats, security organizations cannot afford to have the level of expertise in house necessary to fully defend their network from the vast array of current and future dangers. They must cultivate relationships with third parties to get the levels of cyber intelligence needed to meet future challenges.
Quality vulnerability information helps improve security. Without proper information decisions are made in the dark. When security teams are configuring devices such as intrusion prevention systems or firewalls, they need specific details or the configurations are merely guesswork. Protecting corporate resources needs tangible data.
There are arguments for and against each factor, but when you weigh
them holistically, security-as-a-service makes a great deal of sense.
No one doubts the expense in terms of corporate capital and personnel
dedication it takes to create a proactive identity management system.
However in this day and age…you need a doorman who will verify
credentials, only allow access to particular floors and keep watch over your
belongings. But if that doorman has to watch over a dozen buildings, each
with its own entry protocols, wouldn’t it be nice to have an automated
alternative that does twice the job at a fraction of the cost?
THE CHALLENGE OF HERDING CATS: YOUR SAAS PORTFOLIO
AND SECURITY
It’s obvious the rise of SaaS (software-as-a-service) has changed the game. The benefits of subscribing to a cloud-based application service are already well-known and documented: cost-efficiencies, speed, hands-off maintenance, etc. It’s no longer an emerging practice and, for most IT managers, has become an inextricable component of any go-forward IT network strategy. What this means is that now there are dozens of new sign-ons per user from a variety of endpoints (including mobile and tablet). And if we are talking enterprise-wide deployments, this can be as challenging as herding cats.
And since it is highly likely a SaaS portfolio will continue to grow, so will the challenges and the need to centralize authorization and control of all these new applications. Many organizations have considered single sign-on, but during recent needs for economic belt-tightening, see it more as a potential future expense.
I have seen estimates of upwards of $300,000 (Montclair Advisors) to deploy and manage (just Year 1 alone) SSO on-premise, which is why I understand the reticence to actively move forward on this initiative. (Estimates amortized over 5 years put the figure at more than $2 million.)
However the cloud alternative can provide nearly a 75% savings. This makes deployment affordable for most modest-sized organizations looking to maximize the efficiencies of cloud-based applications. These figures include not only the software, set-up, infrastructure modifications, hardware purchase, service and maintenance, but also the ongoing administration of the solution.
MOVING SIEM TO THE CLOUD
Cloud Security Alliance's Jens Laundrup, who chaired the alliance's working group that wrote the SIEM guidance, characterizes cloud-based SIEM as version 2.0:
"With SIEM 1.0, we found that we were collecting way more data than we knew what to do with; we buried ourselves with data. The more we collected, the less smart we were about it. There is a need in the world of security information and event management to have a fundamental shift in thinking, from collecting more data to finding out what the right data is, and learning how to analyze it and make predictions on the data.”
This can be best served from the cloud.
There are those that realize the significant savings, instant scalability and accelerated time to value are enticing, but simply don’t trust security from the cloud. Most articles I come across regarding cloud-based applications revolve around the security debate. But these articles question the security of the applications themselves, not security-as-a-service. The question persists: just how secure is the cloud? Well, very secure, if you have battened down the hatches on your own security initiatives: if you deploy a strong SSO program that not only creates a single authorized entry to these applications but also uses federated interoperability so you can expand protection beyond employee users to subsidiaries, trusted partners and other collaborative business partners.
Let’s look at the benefits of cloud-based security SSO another way. So you have all these apps (salesforce.com, GoogleDocs, ADP, Sharepoint, Webex/GoToMeeting, etc.) that your 500, 1,000 or 10,000 employees and other authorized users need to access regularly. How many sign-ons is that? How many potential open doors from however many endpoints is that? How many passwords? Before you faint from the overwhelming gravity of the issue, what if you could funnel and channel all of it into a single sign-on? And what if you didn’t have to spend a significant portion of your day administering logins or forgotten passwords? How much easier has your day become? Or more to the point, how many internal resources have just been freed up to attend to high-value tasks?
The SaaS genie is out of the bottle and the reliance on cloud-based
applications outside your direct control is only going to increase. The
efficiencies are showing to outweigh some security concerns. However, by
applying the same cloud-based thinking to a cloud-based problem, you are
able to manage the best of both worlds. But obvious cloud bias aside, the
best way to maintain control is to deploy a policy that spells out what are
permissible applications for any endpoint that touches your network, and
distributes access to applications that pass your smell test through the
single-sign on channeling process.
THE THREAT WITHIN
Source: IDC White paper
The report states that privilege misuse is the most common attack method for all types of attackers. The report shows that the overall shifting from concerns about threats from internal sources to external actors is partially related to the realization that many internal-looking attacks, in reality, have an external origin. The goal of an external attacker is to gain privileged access.
The chief causes are:
Unresolved separation of duties that inadvertently enables accounts with "superuser" access rights
Failure to adequately secure data in custom applications
Inability to properly document manual processes and reconcile these processes to the IT systems used
Inability to adequately secure access to operating systems and databases that support corporate financial applications and transactions
Failure to monitor the activities of privileged users
Last week, I wrote about Identity Management managed from the cloud. Single sign-on is a component of that overall strategy, considering that your sign-on credentialing can be customized to individual roles and responsibilities. For instance, when a sales person signs on, they get the authorized access to CRM, sales reports, etc. What they don’t get is access to payroll or HR or R&D applications unless their responsibilities require it. If someone can’t get access to data that they really should not touch, your risk of data loss/theft or breach is diminished.
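The role-to-entitlement model that both the Identity Management article (Sally promoted to sales manager, her terminated predecessor deprovisioned and alerted on) and the paragraph above (a sales person gets CRM and sales reports, not payroll or HR) describe, as an added worked example in Python. This is illustrative code written for this edition, not CloudAccess software; the role names, application names and the alert-on-terminated-account behaviour are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass, field

# Constructed role -> application entitlement map. Role and application
# names are illustrative placeholders, not a real product's catalogue.
ROLE_ENTITLEMENTS = {
    "sales_rep":     {"crm", "sales_reports"},
    "sales_manager": {"crm", "sales_reports", "pipeline_forecast", "team_expenses"},
    "hr_generalist": {"hris", "payroll"},
    "engineer":      {"source_control", "rnd_test_data"},
}

TERMINATED = "terminated"   # sentinel role for deprovisioned accounts


@dataclass
class IdentityStore:
    """Minimal identity store: who holds which role, and what that grants."""
    roles: dict = field(default_factory=dict)          # username -> role name
    entitlements: dict = field(default_factory=dict)   # username -> set of apps
    alerts: list = field(default_factory=list)         # (user, app) on terminated-account use

    def provision(self, user, role):
        """Create the account and grant exactly the role's entitlements."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role
        self.entitlements[user] = set(ROLE_ENTITLEMENTS[role])

    def change_role(self, user, new_role):
        """Recompute entitlements from the new role; return (granted, revoked)
        so the change can be logged or routed through workflow approval."""
        if self.roles.get(user) in (None, TERMINATED):
            raise KeyError(f"{user!r} is not an active account")
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}")
        before = self.entitlements[user]
        after = set(ROLE_ENTITLEMENTS[new_role])
        self.roles[user] = new_role
        self.entitlements[user] = after
        return after - before, before - after

    def deprovision(self, user):
        """Terminate: strip every entitlement but keep the username on file so
        any later use of it is caught and alerted on instead of silently failing."""
        self.roles[user] = TERMINATED
        self.entitlements[user] = set()

    def authorize(self, user, app):
        """Access decision at sign-on. Unknown users are simply denied;
        terminated users are denied and an alert is recorded."""
        role = self.roles.get(user)
        if role is None:
            return False
        if role == TERMINATED:
            self.alerts.append((user, app))
            return False
        return app in self.entitlements[user]


def demo():
    """Walk the scenarios from the text; returns the store for inspection."""
    store = IdentityStore()
    store.provision("sally", "sales_rep")
    store.provision("marco", "sales_manager")
    # Marco is terminated; Sally is promoted into his role.
    store.deprovision("marco")
    granted, revoked = store.change_role("sally", "sales_manager")
    print("sally gained", sorted(granted), "lost", sorted(revoked))
    print("sally -> crm:", store.authorize("sally", "crm"))
    print("sally -> payroll:", store.authorize("sally", "payroll"))
    print("marco -> crm:", store.authorize("marco", "crm"), "alerts:", store.alerts)
    return store


if __name__ == "__main__":
    demo()
```

The point of keeping a terminated username in the store rather than deleting it is the alerting the article asks for: an attempt to use the old credential is a signal worth recording, not just a failed lookup.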
And just like last week, the central tenets of deciding whether SSO security-as-a-service is a positive addition to your arsenal must be based on a combination of three things: functionality, cost, and control. Does your solution handle the applications you depend on? Can it leverage and incorporate those you have previously invested in and that live on your servers? Have you weighed the Total Cost of Ownership and calculated the ROI? And lastly, does centralization improve risk mitigation and IT resource deployment, and maintain compliance requirements?
The cloud-based security solution I am familiar with says yes. It provides you with a large and powerful lasso to help start reining in those pesky cats!
IN CLOUD WE TRUST
It wasn’t too long ago the very thought of
security in the cloud was a challenging barrier
to adoption. How can you secure a thing so
vaporous and intangible? It scared off a lot of
companies (especially SMBs and midsized) that
would have felt the immediate financial savings and productivity gains
from the various applications and solutions that were deployed from this
nebulous place called the cloud. That barrier is cracking.
Earlier this week Microsoft released a study of SMBs that found the move to the cloud is facilitating the adoption and use of more advanced security technologies. According to the study, 35% of US companies found security measures to be highly improved after migrating to the cloud. Better yet, 32% noted that the move to the cloud has decreased security issues to the point where an SMB can focus on more important things.
WHAT SHOULD YOUR
WORKFLOW ENGINE
ACHIEVE?
Provide provisioning activities, whether for self-service actions such as requests for access, or for admin actions such as updating entitlements, on/off-boarding, bulk sunrise or sunset enrollments, handling approvals with escalations, or performing maintenance.
To simplify defining workflows and business processes, the embedded activity module can be used for modeling, testing, and deployment.
This begs the question: how? What has changed to dispel the concerns and myths that prevented some companies from migrating? Well, the obvious answer is that early adopters are seen reaping the benefits without the catastrophic repercussions espoused by doubters. The survey even notes 42% of those companies surveyed were able to expand into completely new markets as a result of their cloud migration. But the key reason is the resources cloud-based application companies have shifted to ensure their offerings have improved security features. However, it doesn’t supplant the need for a company to ensure the security on their side is up to the task. Think of it like installing a bug zapper and hoping it catches all the flies before they fly into an open window.
But the news is all well and good for SMBs say the naysayers. It seems the
cloud was tailor made for companies that could not afford to build and
maintain massive application infrastructures like a Fortune 1000 company.
It provided expanded functionality at a reasonable cost. The impact of
failure is far less reaching and the tradeoff between risk and reward is
much bigger (low risk, high reward). Or so they say.
I belong to several LinkedIn cloud computing groups. In one, a discussion called “Is the Cloud Trustworthy,” most of the professionals agree that it is, with some reservations (storage, encryption, multi-tenancy issues). What this says, in microcosm, is that cloud computing is definitely making strides, but there still is work to do in terms of education. One analyst said it right: “Some enterprise companies believe their data is better protected behind their own firewall because they don't truly understand how a cloud is structured.”
In that respect, there is a lot of discussion and chatter about security for the cloud. But what about security managed from the cloud?
Here is the rub. Security is only as good as the processes, monitoring, and administration, whether it comes from the cloud or not. Look at some of the biggest breaches in the news lately: Global Payments, State of Utah, Sophos…all home-grown systems. Would cloud-managed security have made a difference? Probably not, because in each case it wasn’t the tool or solution that failed, it was the process or the administration or the lack of monitoring. If you can concede that cloud-based security solutions (regardless of whether they sit on public, private, or hybrid cloud configurations) are as good and as thorough as any brand name or home-grown system, then the decision to migrate security functions to the cloud rests with functionality, cost and control. Oft-voiced issues like multi-tenancy, encryption and storage are addressed in a well-developed cloud-managed solution. If a provider can demonstrate mastery of those challenges
7 VULNERABILITIES A BUSINESS
MUST KNOW ABOUT…
1. Inaccurate access permissions
2. Reliance on password vaulting
3. Unprotected local Windows administrator accounts
4. Thinking that IDM and Directories alone will secure access to systems
5. Control of SSH keys
6. Point solutions for access controls are a problem
7. Relying on authentication to control access to applications and databases
You can have the fanciest, most elaborate rock-solid system in the world, but without the rules to give it context, without processes to provide the action plan, without the vigilance of 24/7 monitoring and without the expert analysis to ensure continuity, connectivity and compliance, all you have is a big expensive paperweight. What makes security truly effective is the service.
Part of the allure of security-as-a-service is not just the lack of hardware or software investments and the instant scalability, but the built-in automated processes like SIEM monitoring and alert rules to mitigate intrusions, SSO to channel inbound and outbound application access, identity provisioning/de-provisioning based on roles, password management self-service and a host of others. Most important is the luxury to shift administration capabilities (not control) to seasoned analysts that serve as an extension to your own staff. The idea that enterprise-grade security can’t work for and from the cloud is just dated thinking.
There’s a funny animated video I came across in which the cloud salesman
repeatedly responds to the continued questions about security, “Our cloud
is secure, that is all you need to know.” Well, with the reality of cloud-
based security, the answer is not as glib. Through the innovations and
maturation of several security-as-a-service alternatives, the capabilities to
match many of the best-of-breed deployments exist. And it doesn’t require
a wholesale move to the cloud. The best solutions allow leverage of
existing systems, or the addition of modular cloud-managed components
to enhance existing initiatives.
But marketing speak aside, not all cloud vendors are alike and you still have
to do your homework to make sure any cloud expansion (especially
concerning security) is a fit for your needs, your budget and your vision for
the future of your network.
THREAT VERSUS RISK…
In its simplest terms, risk is the probability or frequency of harm being done, while threat is the actual or attempted infliction of that harm. Splitting hairs? It’s all about keeping your IT assets protected, right?
Although related, they are two different beasts altogether. Risk includes variables. It overviews vulnerabilities, weighs challenges and opportunities to come up with an outcome. And there is risk in every action you take; some of it is so low that it poses no challenge to your architectures.
And if you add “vulnerability” into the mix it creates a third dimension when assessing risk: vulnerability is a state of being, a weakness or gap in your security. A threat can exploit (intentionally or unintentionally) a vulnerability that is determined by a risk assessment. Then of course you add likelihood. How realistic is it that this event will actually happen?
THE GENIE, THE BOTTLE AND BYOD
It’s safe to say the genie is out of the bottle. The number of employees (and other credentialed users) using their own smartphones, tablets and other personal devices is rising and there’s little to nothing IT can do about it…or is there?
I’ve written about BYOD and password management, but I
want to approach the subject from a slightly different
perspective. Administrating access management and identity management
from the cloud is a cost-effective and nearly-instantaneous way to quickly
create, manage and enforce a BYOD initiative. But in the end, it comes down
to policy. There must be rules of engagement that allow your authorized users
access to various applications, emails or proprietary data without
compromising compliance, privacy issues or sensitive intellectual properties.
Very recently IBM implemented a wide-ranging BYOD initiative for more than 80,000 of their employees worldwide. They recognized a BYOD program "really is about supporting employees in the way they want to work." However, there’s a fine line to ensure that there are enough safeguards to preserve the integrity of the business.
Essentially they created strict guidelines that an employee must follow or they will lose the convenience of using their own device. What this does is shift the burden to the user to ensure certain security protocols are followed. One of the rules is that IBM reserves the right to “wipe the device” in the event a phone is lost, stolen or if the user leaves the company. But that does nothing to protect data while it is in the hands of users. These smartphones are just mini-computers. Most don’t realize they need to have some sort of malware protection AND some degree of access provisioning once they are authorized to reach the network.
One of the great benefits provided via security-as-a-service is the idea that you don’t have to recreate the wheel: many of these best-practice policies are pre-configured and all you need to do is identify the user responsibilities and concentrate on enforcement.
It all boils down to this: Conduct an inventory of all the types of personally-owned devices employees want to use for work-related tasks. Take every possible step to apply as many of the same precautions to these personally-owned devices as you apply to corporate-owned devices.
A CSO’S OPINION ON BYOD
“Devices are not the issue. It is a compliance and liability issue. We secure devices for a living and we are very good at it, however the discussion is about what rights you give up when you decide to use personal equipment. What can I monitor? What happens if the phone is lost? What happens if it breaks? What happens when you leave the company…does the company retain the right to wipe the phone clean; even personal pictures, contacts etc.? My personal and professional opinion as a security professional is equivocating it to entering the military: you give up certain rights including privacy. Before I let anyone use their own device, the employee must sign an agreement that puts in writing my company’s answers to all the above questions.”
One of the things you can control is passwords. You can dictate terms of access by ensuring strong (no birthdays or dog names!) passwords are used, that they expire every few months, and that there is a lockout and wipe protocol after so many failed attempts. You can also insist (and control) that if anyone wants to store, access or transmit any data, their devices must be encrypted. Again, there are great tools to make this happen (especially from the cloud), but the dictates have to come from above. These must be corporate policies agreed to by management and signed off by any user looking for the convenience of using their own device. It might dissuade some users, but there needs to be a trade-off to prevent data loss, data leakage and any type of security breach.
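The device rules the paragraph above lists (strong passcode, periodic expiry, lockout and then wipe after repeated failed attempts, mandatory encryption) turned into a compliance check, as an added worked example in Python. This is illustrative code written for this edition, not CloudAccess or any MDM vendor's software; the thresholds (8 characters, 90 days, 5 failures to lock, 10 to wipe), the device report fields and the action names are assumptions, since the text only says "every few months" and "so many failed attempts".

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DevicePolicy:
    """Corporate BYOD rules. Concrete numbers are assumptions for illustration."""
    min_passcode_length: int = 8
    max_passcode_age_days: int = 90
    lockout_after_failures: int = 5
    wipe_after_failures: int = 10
    require_encryption: bool = True


@dataclass
class DeviceState:
    """What an MDM-style agent would report about one enrolled personal device."""
    owner: str
    passcode_length: int
    passcode_set_on: date
    storage_encrypted: bool
    failed_unlock_attempts: int = 0


def device_from_report(owner, passcode_length, passcode_set_on, storage_encrypted,
                       failed_unlock_attempts=0):
    """Build a DeviceState from a report whose date is an ISO string (constructed format)."""
    return DeviceState(owner, passcode_length, date.fromisoformat(passcode_set_on),
                       storage_encrypted, failed_unlock_attempts)


def record_failed_unlock(device, policy):
    """Called on each failed unlock. Returns the step the failure count now
    demands: 'retry', 'lock' (temporary lockout) or 'wipe' (remote wipe)."""
    device.failed_unlock_attempts += 1
    if device.failed_unlock_attempts >= policy.wipe_after_failures:
        return "wipe"
    if device.failed_unlock_attempts >= policy.lockout_after_failures:
        return "lock"
    return "retry"


def evaluate(device, policy, today):
    """Compliance check run before the device may reach corporate data.
    Returns every finding plus the single resulting action."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    if device.passcode_length < policy.min_passcode_length:
        findings.append("weak_passcode")
    if (today - device.passcode_set_on).days > policy.max_passcode_age_days:
        findings.append("expired_passcode")
    if policy.require_encryption and not device.storage_encrypted:
        findings.append("unencrypted_storage")

    # Brute-force protection outranks everything else: a device at the failure
    # threshold is locked or wiped regardless of any other finding.
    if device.failed_unlock_attempts >= policy.wipe_after_failures:
        action = "wipe"
    elif device.failed_unlock_attempts >= policy.lockout_after_failures:
        action = "lock"
    elif "weak_passcode" in findings or "unencrypted_storage" in findings:
        action = "deny"                     # hard requirements: no access until fixed
    elif "expired_passcode" in findings:
        action = "require_passcode_change"  # soft requirement: allow after rotation
    else:
        action = "allow"
    return {"owner": device.owner, "findings": findings, "action": action}


def demo(today="2012-06-01"):
    """Constructed fleet of four devices; returns owner -> action."""
    fleet = [
        device_from_report("sally", 8, "2012-04-01", True),
        device_from_report("marco", 8, "2012-01-01", True),
        device_from_report("kelsey", 4, "2012-05-01", False),
        device_from_report("lost-phone", 8, "2012-04-01", True, failed_unlock_attempts=7),
    ]
    results = {}
    for dev in fleet:
        verdict = evaluate(dev, DevicePolicy(), today)
        results[dev.owner] = verdict["action"]
        print(f"{dev.owner:>10}: {verdict['action']:<24} {verdict['findings']}")
    return results


if __name__ == "__main__":
    demo()
```

The ordering in evaluate is the design decision worth noticing: failed-attempt handling is checked first so that a lost phone being guessed at gets locked or wiped even if its passcode and encryption are otherwise compliant, while an expired passcode only forces a rotation rather than blocking access outright.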
I made mention earlier that the cloud itself can be a conduit towards a more seamless integration of BYOD. But beyond the cost savings and the rapid deployment, the question begs: does cloud-based security have the functionality to properly administrate a variety of endpoints? The answer is yes. It uses best-of-breed technologies to make sure that real-time provisioning/deprovisioning, on- and off-boarding, and rule enforcement based on an individual’s specific HR model are in effect and active. Moreover, a true cloud-based program will not only provide Identity Management, but it loads the features of Access Management. This includes SaaS Single Sign-On, Web SSO, integration with any legacy application, fine-grained entitlements and interoperable federation based on standards like SAML. But as an IT professional, you know this. What you need to appreciate is that security-as-a-service creates the centralizing bridge that allows you to combine the silos of data to more easily manage all users regardless of their endpoints. It also goes a long way in maintaining compliance, but that is a blog for another day.
If you haven’t already confronted the issue of BYOD, you will. To get ahead
of the issue you need to receive upper management blessings, create
proactive policies, and educate your users. Then they receive the benefits
of the greater productivity and expediency and you sleep just a bit better
at night knowing that someone’s iPhone hasn’t gone missing or that a sales
administrative assistant can’t mistakenly corrupt any R&D testing data.
The genie won’t go back in the bottle, but you can at least learn a few
magic words to keep it under control.
THE 10 COMMANDMENTS OF
BYOD
Courtesy of Fiberlink
1. Create Thy Policy Before Procuring Technology
2. Seek The Flocks’ Devices
3. Enrollment Shall Be Simple
4. Thou Shalt Configure Devices Over the Air
5. Thy Users Demand Self-Service
6. Hold Sacred Personal Information
7. Part the Seas of Corporate and Personal Data
8. Monitor Thy Flock—Herd Automatically
9. Manage Thy Data Usage
10. Drink from the Fountain of ROI
CASTING LIGHT ON SHADOW IT AND ID
It's not a new term or concept. You probably
recognize that it’s happening within your own
organization. Shadow IT is the appropriation
and use of IT assets and applications without
organizational approval. And it happens
more than you know. Sally the sales rep gets
a label template design application, Marco
from HR downloads software that manages
inbound resumes. Kelsey in marketing signs
up for a WordPress page and social media accounts. All too often,
employees are not going through corporate channels to get what they
need to achieve their goals.
And every time they do, the vulnerability cracks in your network widen.
Now, on top of the obvious issues with unauthorized applications, is the creation of Shadow Identities. For all of these applications there are user names and passwords. Across an enterprise that could mean thousands and thousands of identities. And, because some are even using their personal commercial mail accounts to create these new IDs, you now have your corporate data going out through an external service over which you have no control.
The world of SaaS has exacerbated the security problem, but the cloud also
provides the solution.
To understand how best to approach the quandary, you must realize that
traditional concepts of IT are out of date. At one time you just built a wall
around everything. With SaaS, mobile users, customers and partners, the
perimeter has been erased; you can no longer simply point every application
at an LDAP query against your internal directory and plug it into your
enterprise infrastructure.
Identity Management is the new network perimeter. Identity management from
the cloud centralizes, enforces, and automates your corporate policies. The
idea is that when you can't pull your curtain of protection around where the
data resides, your only point of control is authenticating the identity and
authorizing what it may reach. You define the rules for access and entrance,
and only then pass the user along to the specific resource.
THE PARADIGM CHANGE IS HAPPENING NOW
According to Forrester Research, the managed security services (MSS)
market stands at an estimated $4.5 billion.
Gartner predicted that the total worth of the cloud computing market
will rise to more than $150 billion by 2013, and that in 2015 public
cloud services will account for 46% of net new growth in overall IT
spending.
Morgan Stanley estimates that by 2015 the mobile web will be bigger
than the desktop internet.
With user expectations about where and how they access information
changing dramatically, there will be growing pressure on IT to make
enterprise applications available in similar ways.
In any organization this can mean dozens of applications for a variety of
departments and niche users. This means managing potentially thousands
of passwords...and that’s not a place most IT professionals wish to spend
their time. But rather than belabor the problem, let’s highlight the solution
broken down by type:
Access has two general directions: inbound (outsiders reaching your
resources) and outbound (your users reaching third-party SaaS). The key is
to create federated relationships. You need to ensure that those you invite
to access or add data to your network are properly vetted, and they fall
into two very general categories: lower and higher risk. Lower risk
includes partners and customers, because you can automatically provision
them with a narrow, well-defined scope. Customers don't need access to
production; they simply want to process an order or maybe query the help
desk, and that is all they should be given. For something like this all you
really need is cloud identity management to control the reach and scope of
their access. The same holds true for partners such as VARs or suppliers.
Then there are the higher-risk transactions. These are usually driven by
your mobile users and internal employees. They obviously need more access,
to things like payroll or benefit packages. For these, in the scope of
identity management, you are best served by requiring multi-factor
authentication before the access is granted.
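The two tiers above, written out as the decision logic a central identity broker would apply, as an added example (this is not CloudAccess code, and the identity classes, application names and entitlement rules are constructed for illustration):

```python
"""Centralized access rules for a federated identity broker.

Added example, not CloudAccess code. It models the two tiers of risk the
text describes: customer and partner identities are provisioned with a
narrow entitlement set, while employee and mobile access to sensitive
applications (payroll, benefits) must present a second factor before the
broker passes the user on to the resource. The identity classes,
application names and rules are all assumptions made for illustration.
"""
from dataclasses import dataclass

# Applications treated as high risk regardless of who asks (assumption).
SENSITIVE_APPS = frozenset({"payroll", "benefits", "production"})

# What each identity class is provisioned to see. Anything not listed is
# denied by default; a customer is never entitled to production.
ENTITLEMENTS = {
    "customer": frozenset({"orders", "helpdesk"}),
    "partner": frozenset({"orders", "helpdesk", "price-list"}),
    "employee": frozenset({"orders", "helpdesk", "price-list", "intranet",
                           "payroll", "benefits", "production"}),
}


@dataclass(frozen=True)
class Principal:
    subject: str
    identity_class: str         # "customer", "partner" or "employee"
    mfa_verified: bool = False  # second factor already satisfied this session
    network: str = "internal"   # "internal" or "mobile"


@dataclass(frozen=True)
class Decision:
    effect: str   # "allow", "deny" or "step_up"
    reason: str


def decide(principal: Principal, resource: str) -> Decision:
    """Return the broker's decision for one access request.

    Order matters: entitlement is checked before authentication strength,
    so a customer asking for payroll is denied outright rather than being
    prompted for a second factor that could never get them in.
    """
    allowed = ENTITLEMENTS.get(principal.identity_class)
    if allowed is None:
        return Decision("deny", f"unknown identity class {principal.identity_class!r}")
    if resource not in allowed:
        return Decision("deny", f"{principal.identity_class} is not entitled to {resource}")
    high_risk = resource in SENSITIVE_APPS or principal.network == "mobile"
    if high_risk and not principal.mfa_verified:
        return Decision("step_up", "multi-factor authentication required")
    return Decision("allow", "entitled" + (", second factor verified" if high_risk else ""))


if __name__ == "__main__":
    requests = [
        (Principal("cust-4471", "customer"), "orders"),
        (Principal("cust-4471", "customer"), "production"),
        (Principal("sally", "employee"), "payroll"),
        (Principal("sally", "employee", mfa_verified=True), "payroll"),
        (Principal("marco", "employee", network="mobile"), "intranet"),
    ]
    for principal, resource in requests:
        d = decide(principal, resource)
        print(f"{principal.subject:>10} -> {resource:<11} {d.effect:<8} {d.reason}")
```

The step-up outcome is the point of the design: the broker never hands a user to a sensitive resource on a password alone, and a principal outside the known classes gets a deny rather than falling through to some default entitlement.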
It is obviously more complex than a 750-word blog can delve into, but the
ability to automatically provision and deprovision, to manage countless
passwords, and to federate access to your data is easily handled by
cloud-based security. If the goal is to rethink how IT works in order to
make it more cost-effective and better at protecting assets, then IT
departments must evolve from developers of stacks into brokers and
facilitators of service. The mission is still to keep the data safe, but you
are now analyzing where you once were building. You are now acquiring and
integrating in concert with enterprise business needs and goals. When that
is the case, security-as-a-service must be a consideration for your
enterprise.
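Automatic provisioning and deprovisioning only works if something regularly compares the authoritative source of identities with the accounts that actually exist in each application. The reconciliation below, an added example and not CloudAccess code, does that for a constructed HR roster and a few constructed per-application account exports, and also surfaces the shadow identities discussed earlier: logins on a personal mail domain that cannot be tied to any worker. The roster, the applications, the role-to-app mapping and the corporate domain are all assumptions.

```python
"""Reconciling SaaS accounts against the HR roster.

Added example, not CloudAccess code. Finds three things: accounts that
must be deprovisioned (leavers, or people whose role no longer entitles
them to the app), accounts that must be provisioned (active workers who
should have one and do not), and shadow identities (logins on a personal
mail domain that cannot be tied to any worker). All data is constructed.
"""
from dataclasses import dataclass

CORPORATE_DOMAINS = frozenset({"example.com"})  # assumption

# Which HR roles entitle a worker to an account in each application (assumption).
APP_ROLE_MAP = {
    "crm": frozenset({"sales"}),
    "resume-tracker": frozenset({"hr"}),
    "web-cms": frozenset({"marketing"}),
}


@dataclass(frozen=True)
class Worker:
    email: str
    active: bool
    roles: frozenset


@dataclass(frozen=True)
class AppAccount:
    app: str
    login: str  # the application's login identifier, an e-mail address here


def reconcile(roster, accounts):
    """Return {"provision": [...], "deprovision": [...], "shadow": [...]}."""
    by_email = {w.email.lower(): w for w in roster}
    actions = {"provision": [], "deprovision": [], "shadow": []}
    seen = set()
    for acct in accounts:
        login = acct.login.lower()
        seen.add((acct.app, login))
        domain = login.rpartition("@")[2]
        if domain not in CORPORATE_DOMAINS:
            # A personal mailbox owns this login: nobody in IT can reset or
            # revoke it, so it is flagged for follow-up rather than auto-deleted.
            actions["shadow"].append(acct)
            continue
        worker = by_email.get(login)
        if worker is None or not worker.active:
            actions["deprovision"].append(acct)       # leaver or unknown person
        elif not (worker.roles & APP_ROLE_MAP.get(acct.app, frozenset())):
            actions["deprovision"].append(acct)       # entitlement drift
    for worker in roster:
        if not worker.active:
            continue
        for app, roles in APP_ROLE_MAP.items():
            if worker.roles & roles and (app, worker.email.lower()) not in seen:
                actions["provision"].append(AppAccount(app, worker.email.lower()))
    return actions


# Constructed sample data: an HR export and per-application account exports.
ROSTER = [
    Worker("sally@example.com", True, frozenset({"sales"})),
    Worker("marco@example.com", True, frozenset({"hr"})),
    Worker("kelsey@example.com", False, frozenset({"marketing"})),  # left last month
]
ACCOUNTS = [
    AppAccount("crm", "sally@example.com"),
    AppAccount("crm", "kelsey@example.com"),             # leaver still has CRM access
    AppAccount("crm", "marco@example.com"),              # HR role, not entitled to CRM
    AppAccount("resume-tracker", "marco.hr@gmail.com"),  # shadow identity
    AppAccount("web-cms", "kelsey@example.com"),         # leaver, the WordPress page
]

if __name__ == "__main__":
    for action, items in reconcile(ROSTER, ACCOUNTS).items():
        for acct in items:
            print(f"{action:<12} {acct.app:<15} {acct.login}")
```

Run against the sample data, it deprovisions Kelsey's two leftover accounts and Marco's unentitled CRM login, provisions the resume-tracker account Marco should have had, and flags the Gmail-based login for a human to chase down. The shadow entry is deliberately not deleted automatically: the data behind it may need to be recovered before the account is closed.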
THE TOP 10 INSIDER THREATS
1. Data leakage enabled by USB devices
2. Hijacking the local Administrators group
3. Hijacking the Domain Admins group
4. Unauthorized application install
5. Unauthorized application usage
6. Unauthorized deletion of corporate data
7. Abuse of the Administrator account (local and domain)
8. Logon failures from the Administrator account (local and domain)
9. Unauthorized access to another's email
10. Excessive resource access failures
Now let's also consider outbound access. Federation is not just important
here; it is what keeps this nebulous enterprise perimeter defensible. Your
users are accessing third-party applications such as salesforce.com, ADP,
WebEx or SharePoint, and you must provide that access in support of
business needs. Whereas much inbound access can be federated using
cloud-based identity management as a baseline, anything outbound must be
SAML-aware. Insist on SAML-based federation before you approve any outside
application; without it, the SaaS account outlives the employee and its
password sits outside your policy. If a vendor cannot support it, think
twice about including that application as an option.
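A vendor's SAML 2.0 service-provider metadata is the quickest place to check, before approval, that an outside application really supports federation and that the integration will be safe to operate. The vetting script below is an added example, not CloudAccess code: it checks that the metadata describes a SAML 2.0 SP, that assertions are consumed only over HTTPS, and that the SP declares signed requests and a requirement for signed assertions. The two metadata documents are constructed samples; the element and attribute names come from the SAML 2.0 metadata schema.

```python
"""Vetting a SaaS vendor's SAML 2.0 service-provider metadata.

Added example, not CloudAccess code. Returns a list of findings for a
metadata document; an empty list means the SP passes the baseline checks.
The sample metadata at the bottom is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def vet_sp_metadata(xml_text: str) -> list:
    """Baseline checks on SP metadata supplied by an outside vendor.

    Vendor metadata is untrusted XML: in production parse it with defusedxml
    rather than the stdlib parser used here for self-containment.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: not a SAML 2.0 service provider"]
    if SAML2_PROTOCOL not in (sp.get("protocolSupportEnumeration") or "").split():
        findings.append("SPSSODescriptor does not declare SAML 2.0 protocol support")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true: confirm the SP rejects unsigned assertions")
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append("AuthnRequestsSigned is not true: the IdP cannot verify that login requests come from this SP (advisory)")
    if sp.find("md:KeyDescriptor", NS) is None:
        findings.append("no KeyDescriptor: SP publishes no certificate for signing or encryption")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for endpoint in acs:
        location = endpoint.get("Location", "")
        if urlparse(location).scheme != "https":
            # An assertion posted over plain HTTP is a bearer credential on the wire.
            findings.append(f"AssertionConsumerService is not HTTPS: {location}")
    return findings


# Constructed sample: what a well-configured vendor publishes.
GOOD_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.vendor.example/saml">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>MIIB...constructed placeholder...</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://app.vendor.example/saml/acs" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

# Constructed sample: a vendor that "supports SAML" but should not be approved as-is.
WEAK_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="http://legacy.vendor.example/sso">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://legacy.vendor.example/sso/acs" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("weak", WEAK_METADATA)):
        print(name, vet_sp_metadata(doc) or ["passes baseline checks"])
```

These checks vet the published configuration only; they say nothing about how the SP actually validates assertions at runtime, so a passing result is the entry ticket to a federation test, not a substitute for one.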
If there is one takeaway from this, it is that unless you decide to evolve
with the changing demands of business, your architecture will be
compromised by an expanding creep of Shadow IT and its accompanying
Shadow Identities. Once you accept that your data can now be anywhere, you
must centralize access to that data. By taking full advantage of cloud-
based security, you not only benefit from the cost efficiencies, you also
gain all the built-in federations and integrated resources, as well as best-
of-breed password management and single sign-on. Then there are the
compliance and reporting needs and how a strong security-as-a-service
offering effectively addresses that pressing requirement, but we'll leave
that for another day.
WHAT IS REACT?
REACT is a unified security (UniSec) strategy. It stands for Realtime
Event and Access Correlation Technology. It is designed to leverage the
cooperative functionality of key toolsets and/or deployed solutions. It
creates a holistic approach to security management and asset protection
by broadening the reach and scope of enterprise monitoring, strengthening
access authentication and centralizing control.
REACT is comprised of four independent, synergistic solutions that, when
layered and integrated, provide a single source of analysis, alert and
action:
SIEM
Log Management
Identity Management
Access Management
Each of the four solutions brings an enterprise-grade feature set that
works in concert with the others as a single interoperable process.
MENTION THIS WHITE PAPER AND WE WILL EXTEND A FREE MONTH OF SERVICE WHEN YOU SIGN UP FOR A YEAR OR MORE PAY-AS-YOU-GO SUBSCRIPTION.
CONTACT CLOUDACCESS FOR A LIVE ONLINE DEMONSTRATION OF OUR SIEM AND LOG MANAGEMENT SOLUTIONS DELIVERED AND MANAGED FROM THE CLOUD.
MORE INFORMATION:
CONTACT: 877-550-2568
Read Our Blog: http://cloudaccesssecurity.wordpress.com/
Like us on Facebook, follow us on Twitter, join us on LinkedIn.
The sky is no longer the limit with secure, affordable cloud security
solutions from CloudAccess.
WANT TO LEARN MORE ABOUT COMPLIANCE?