Cloud security is a topic that enjoys coverage by thousands of voices and nearly as many vendors offering services and products aimed at taking the pain out of moving data and applications to the cloud. Perhaps no topic is more onerous than the trust placed in individuals. When you move to the cloud, the number of people you are asked to trust grows dramatically, and there are those who say this is indeed the most difficult of security concerns.
In his revealing paper 10 Security Concerns for Cloud Computing, Michael Gregg, an instructor and someone with an arm’s length of security certifications, names Who Has Access as a “huge risk.” He cites a Fannie Mae insider accused of planting a logic bomb that, when launched, could have caused massive damage. The Cloud Security Alliance has a comprehensive guide on cloud security entitled Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, where the organization states:
Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services.
So you not only have to ensure the people YOU trust are trustworthy, but ultimately you have to extend that person’s ability to manage your data into the cloud along with an identity and access management (IAM) scheme that is bulletproof. Along the way you will inevitably be extending trust to the people whom the cloud vendor hires and has placed its trust in. With so much at stake you really can’t assume the person you are trusting today with the keys to the kingdom will remain trustworthy. To complicate things, you will want to leverage investments already made in IAM at the enterprise level, but they may be difficult to extend to the cloud.
For identity provisioning, the CSA says the functions offered by cloud vendors are not currently adequate for enterprise requirements; you should resist vendor proprietary solutions such as custom connectors and insist instead on standard connectors that use the SPML schema.
When it comes to SaaS and PaaS authentication, authenticate users with your own identity provider and use federation to establish trust with the SaaS vendor. Interestingly, the CSA recommends enabling the use of a single set of credentials valid across multiple sites for individual users, and avoiding vendor proprietary methods. The alliance says using a dedicated VPN for IT personnel will help them leverage existing investments.
As with most things in life, nothing is really guaranteed, and that’s probably why Andy Grove, the former CEO of Intel, once quipped: “only the paranoid survive.” When it comes to the people you place your trust in, we’d all like to think the trust is well placed, and in most cases it probably is. There is always a “but,” though. There is much more on this subject in the papers referenced above.