The elephant in the room when it comes to barriers to the growth and adoption of cloud computing by enterprises is the lack of trust in cloud service providers. Enterprise IT has legitimate concerns over the security, integrity, and reliability of cloud-based services. The recent high-profile outages at Amazon and Microsoft Azure, as well as security issues at Dropbox and Sony, only add to the argument that cloud computing poses substantial risks for enterprises.
Cloud service providers realize this lack of trust is preventing enterprise IT from completely embracing cloud computing. To ease this concern, cloud service providers have traditionally taken one or both of the following approaches:
Both of these approaches boil down to a simple maxim, “trust me, I know what I am doing!” This “Trust Me” approach has launched the cloud computing industry, but to date most large enterprises have not put mission-critical applications and sensitive data into the public cloud. As enterprises look to leverage cloud technologies for mission-critical applications, the talk has now shifted toward private cloud, because fundamentally the “Trust Me” approach has reached its limit.
Looking ahead, cloud service providers must come to the realization that enterprises will never entrust them with business-critical applications and data unless they have more direct control over security, integrity, and availability. No amount of documentation, third-party certification, or on-site auditing can mitigate risks enough to compensate for the loss of direct control. The sooner the industry realizes that we need solutions that give cloud control back to the customer, the sooner enterprises and the industry will realize the true commercial benefits of cloud computing.
As such, the approach would be: “you don’t have to trust your cloud providers, because you own the risk-mitigating controls”. Security professionals normally talk about best-practice approaches to implementing trust models for IT architectures. I like to refer to this self-enablement of the customer as the “Don’t Trust Model”. Let’s examine how we can put control back into the customer’s hands so we can shift to a “Don’t Trust Model”.
Manage Cloud Redundancy
Netflix has spread its cloud infrastructure across multiple vendors and has designed redundancy into its platform. Features like stateless services and fallback are designed specifically to deal with scenarios such as the AWS outage (see an interesting technical discussion at Netflix’s Tech Blog). Technologies like Cloud Gateway, Cloud Services Broker and Cloud Switch can greatly simplify the task of setting up, managing, monitoring, and switching cloud redundancy.
For example, a Cloud Gateway can provide continuous monitoring of cloud service availability and quality. When service quality drops below a defined threshold, the Cloud Gateway can send out alerts and automatically divert traffic to back-up providers.
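The monitor-and-divert behaviour just described, as an added example that is not code from the article or from any Vordel product: a minimal health-tracking router in Python. Each provider keeps a sliding window of recent probe results; once the primary’s error rate or average latency breaches its threshold, the gateway raises an alert and routes to the next healthy provider in priority order. The provider names, thresholds and the probe results in demo_failover() are constructed for the illustration.

```python
"""Toy cloud gateway: track provider quality and divert traffic on degradation.

Added example, not code from the article or any vendor product.  Provider
names, thresholds and probe results are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class ProviderHealth:
    name: str
    window: int = 5                    # number of recent probes considered
    max_error_rate: float = 0.4        # divert when more than 40% of recent probes fail
    max_avg_latency_ms: float = 800.0  # ... or when successful probes are this slow
    probes: Deque[Tuple[bool, float]] = field(default_factory=deque)

    def record(self, ok: bool, latency_ms: float) -> None:
        """Append one probe result and drop anything older than the window."""
        self.probes.append((ok, latency_ms))
        while len(self.probes) > self.window:
            self.probes.popleft()

    def error_rate(self) -> float:
        if not self.probes:
            return 0.0
        return sum(1 for ok, _ in self.probes if not ok) / len(self.probes)

    def avg_latency_ms(self) -> float:
        """Average latency of successful probes; infinite if none succeeded."""
        good = [lat for ok, lat in self.probes if ok]
        return sum(good) / len(good) if good else float("inf")

    def healthy(self) -> bool:
        # No data yet: treat the provider as reachable until a probe says otherwise.
        if not self.probes:
            return True
        return (self.error_rate() <= self.max_error_rate
                and self.avg_latency_ms() <= self.max_avg_latency_ms)


class CloudGateway:
    def __init__(self, providers: List[str]) -> None:
        # Priority order: the first entry is the primary, the rest are backups.
        self.providers = [ProviderHealth(n) for n in providers]
        self.alerts: List[str] = []

    def record_probe(self, provider: str, ok: bool, latency_ms: float) -> None:
        """Feed a monitoring probe into the gateway; alert on a healthy->degraded transition."""
        for p in self.providers:
            if p.name == provider:
                was_healthy = p.healthy()
                p.record(ok, latency_ms)
                if was_healthy and not p.healthy():
                    self.alerts.append(
                        f"ALERT {p.name}: error_rate={p.error_rate():.2f} "
                        f"avg_latency={p.avg_latency_ms():.0f}ms")
                return
        raise KeyError(f"unknown provider {provider!r}")

    def route(self) -> Optional[str]:
        """Highest-priority healthy provider, or None when every provider is degraded."""
        for p in self.providers:
            if p.healthy():
                return p.name
        return None  # caller should fail closed (queue or reject), not guess


def demo_failover() -> Tuple[List[str], List[str]]:
    """Constructed probe sequence: primary healthy, then three consecutive failures."""
    gw = CloudGateway(["primary-cloud", "backup-cloud"])
    probes = [("primary-cloud", True, 120.0), ("primary-cloud", True, 130.0),
              ("primary-cloud", False, 0.0), ("primary-cloud", False, 0.0),
              ("primary-cloud", False, 0.0)]
    routes = []
    for name, ok, latency in probes:
        gw.record_probe(name, ok, latency)
        routes.append(gw.route())
    return routes, gw.alerts


if __name__ == "__main__":
    print(demo_failover())
```

Routing stays on the primary through the first failure (one of three probes, 33% error rate) and flips to the backup on the second (50%), which is also when the single alert fires; when no provider is healthy, route() returns None so the caller can fail closed rather than send traffic to a degraded provider.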
Put Security Controls On-premise
A Cloud Data Gateway secures data before it leaves the enterprise premises. The gateway monitors data traffic to the cloud and enforces policies to block, remove, mask, encrypt, or tokenize sensitive data. Cloud Data Gateway technology has several deployment options: using a combination of gateways at the cloud service provider and gateways on-premise, different levels of data security can be achieved. By giving customers control over data security before the data leaves the premises, customers do not have to trust the cloud service provider and need not rely on the provider alone to ensure the safekeeping of their data.
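The per-field policy enforcement described above, as an added example that is not the article’s code or any vendor’s product: an on-premise gateway in Python that checks each outbound record field against a policy saying whether the field may pass through, must be removed, masked, tokenized (the real value stays in an on-premise vault) or must never leave at all, in which case the whole record is blocked. Fields the policy does not mention are removed, so the gateway fails closed. The field names, the policy and the sample record are constructed; encrypting a field would use an AEAD cipher from a vetted library and is deliberately left out of this toy.

```python
"""Toy on-premise cloud data gateway: per-field policy before data leaves.

Added example, not the article's code or any vendor's product.  Field names,
policy and sample record are constructed; field encryption is omitted.
"""
import secrets
from typing import Any, Dict, Optional


class PolicyViolation(Exception):
    """A record contains a field that policy forbids from leaving the premises."""


class TokenVault:
    """On-premise mapping between tokens and original values.

    The vault never leaves the enterprise; the cloud side sees only the tokens.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Deterministic per value so cloud-side records can still be joined on
        # the field, but the token itself is random and reveals nothing about it.
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` characters with '*'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


class CloudDataGateway:
    ACTIONS = {"allow", "remove", "mask", "tokenize", "block"}

    def __init__(self, policy: Dict[str, str], vault: TokenVault,
                 default_action: str = "remove") -> None:
        unknown = (set(policy.values()) | {default_action}) - self.ACTIONS
        if unknown:
            raise ValueError(f"unknown policy actions: {sorted(unknown)}")
        self.policy = policy
        self.vault = vault
        self.default_action = default_action  # unlisted fields fail closed

    def outbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Return the version of `record` that is allowed to reach the cloud."""
        out: Dict[str, Any] = {}
        for name, value in record.items():
            action = self.policy.get(name, self.default_action)
            if action == "block":
                raise PolicyViolation(f"field {name!r} may not leave the premises")
            if action == "remove":
                continue
            if action == "mask":
                out[name] = mask(str(value))
            elif action == "tokenize":
                out[name] = self.vault.tokenize(str(value))
            else:  # allow
                out[name] = value
        return out


# Constructed policy: what each field of a customer record may look like in the cloud.
EXAMPLE_POLICY = {
    "customer_id": "allow",
    "email": "tokenize",
    "card_number": "mask",
    "ssn": "block",
    "notes": "remove",
}


def demo() -> Dict[str, Any]:
    """Constructed customer record run through the gateway."""
    gw = CloudDataGateway(EXAMPLE_POLICY, TokenVault())
    record = {"customer_id": 1001, "email": "alice@example.com",
              "card_number": "4111111111111111", "notes": "internal only",
              "internal_score": 7}  # not in the policy -> removed by default
    return gw.outbound(record)


if __name__ == "__main__":
    print(demo())
```

Because the vault is the only place a token can be turned back into its value, a cloud-side breach of the tokenized records exposes nothing the enterprise did not choose to send; the blocked-field case raises before any part of the record is emitted.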
Integrate Cloud with Enterprise Security Platforms
Single sign-on (SSO) is a great example. After years of effort to deploy an enterprise access management solution like CA SiteMinder, Oracle Access Manager or IBM Tivoli Access Manager to enable SSO, and having finally trained all the users on how to perform a password reset, do you think IT has the appetite to let each cloud service become a security silo? From a user standpoint, they simply expect SSO to be SSO, not “SSO, excluding cloud-based services”. Most major cloud service providers support standards such as SAML (Security Assertion Markup Language) for SSO and provide detailed instructions on how to integrate with on-premise access management systems. Usually this involves some consulting work and maybe a third-party product. A more scalable approach is to use technologies such as an Access Gateway (also known as SOA Gateway, XML Gateway, or Enterprise Gateway) that provide out-of-the-box integrations with access management platforms. Gateway-based solutions extend existing access policies and SSO processes to cloud-based services, placing access control back with information security teams.
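The gateway-side part of a SAML-based federation, as an added example that is not code from the article or from any vendor product: once an assertion’s XML signature has been verified with a proper XML-DSig library (assumed to have happened before this step; not implemented here), an access gateway still has to check that the assertion was issued by the enterprise identity provider, is addressed to this service, and is being used inside its validity window. The issuer URL, audience URL, subject and timestamps in SAMPLE_ASSERTION are constructed for the example.

```python
"""Gateway-side checks on a SAML 2.0 assertion before granting cloud access.

Added example, not code from the article or any vendor product.  Signature
verification is assumed to have been done earlier by an XML-DSig library.
Issuer, audience, subject and timestamps below are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ENTERPRISE_IDP = "https://idp.corp.example/saml"          # constructed
THIS_SERVICE = "https://gateway.corp.example/cloud-crm"   # constructed

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T12:00:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.corp.example/cloud-crm</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def utc(*args: int) -> datetime:
    """datetime(..., tzinfo=UTC) shorthand used by the demo and tests."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_saml_time(ts: str) -> datetime:
    """SAML timestamps are UTC and end in 'Z' (no fractional seconds in this toy)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return the list of policy failures; an empty list means the assertion is acceptable."""
    failures: List[str] = []
    root = ET.fromstring(xml_text)

    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        failures.append(f"issuer {issuer!r} is not the enterprise IdP")

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        failures.append("no Conditions element: unbounded assertion rejected")
        return failures

    # Validity window, with a small allowance for clock skew between IdP and gateway.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        failures.append("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        failures.append("assertion expired")

    # The assertion must name this service; otherwise one issued for another
    # application could be presented here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if not audiences:
        failures.append("no AudienceRestriction: assertion usable against any service")
    elif expected_audience not in audiences:
        failures.append(f"audience {audiences} does not include this service")
    return failures


def demo_checks() -> Dict[str, List[str]]:
    """Run the sample assertion through several constructed situations."""
    def check(issuer: str, audience: str, now: datetime) -> List[str]:
        return validate_assertion(SAMPLE_ASSERTION, issuer, audience, now)

    return {
        "in_window": check(ENTERPRISE_IDP, THIS_SERVICE, utc(2011, 6, 1, 12, 2, 0)),
        "within_skew": check(ENTERPRISE_IDP, THIS_SERVICE, utc(2011, 6, 1, 12, 5, 30)),
        "not_yet_valid": check(ENTERPRISE_IDP, THIS_SERVICE, utc(2011, 6, 1, 11, 58, 0)),
        "expired": check(ENTERPRISE_IDP, THIS_SERVICE, utc(2011, 6, 1, 12, 10, 0)),
        "wrong_audience": check(ENTERPRISE_IDP, "https://other.example/app",
                                utc(2011, 6, 1, 12, 2, 0)),
        "wrong_issuer": check("https://unknown-idp.example/saml", THIS_SERVICE,
                              utc(2011, 6, 1, 12, 2, 0)),
    }


if __name__ == "__main__":
    for case, result in demo_checks().items():
        print(f"{case}: {result or 'accepted'}")
```

The function returns every failure rather than the first one so the gateway can log the full reason an SSO attempt was refused; the skew allowance is deliberately small, because a generous window lengthens the time a captured assertion stays usable.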
It’s clear that more needs to be done to place control back into the hands of the customer. Cloud computing is a paradigm shift and holds great promise for cost savings and new revenue generation. However, to accelerate the acceptance of cloud computing by enterprise IT, we as an industry must change from a trust model to a “Don’t Trust” model way of thinking.
Ed King, VP at Vordel, has responsibility for the firm's product marketing and strategic business alliances. Prior to Vordel, he was VP of product management at Qualys, where he directed the company’s transition to its next-generation product platform. As VP of marketing at Agiliance, King revamped both product strategy and marketing programs to help the company double its revenue in his first year of tenure. Before this he was with Oracle as senior director of product management, where he built Oracle’s identity management business from a niche player to the undisputed market leader in just three years. King also held product management roles at Jamcracker, Softchain and Thor Technologies. He holds an engineering degree from the Massachusetts Institute of Technology and an MBA from the University of California at Berkeley.