The UK’s new Coalition Government is implementing the “G-Cloud” strategy (actually the strategy of the last Government) and there are some who claim that it will save the government £3.2bn from its annual £16bn IT budget of £16bn. That’s not just a big saving for the Government – it’s an obvious opportunity for suppliers who can ensure it is secure.
The proposal is to replace the present ad-hoc network of department - hosted systems with a dozen dedicated government secure data centers, costing £250m each. The G-Cloud plans could support everything from pooled government data centers to a communal email solution and collaboration. By 2015 the plan is that 80% of government departments could be using this system. But will it be secure enough?
Safeguarding the IT infrastructure from unmonitored access, malware and intruder attacks grows more challenging as the operation evolves for cloud service providers. And as a cloud infrastructure grows, so too does the presence of unsecured privileged identities – those so-called super-user accounts that hold elevated permission to access sensitive data, run programs, and change configuration settings on virtually every component of IT. Privileged identities exist on all physical and virtual operating systems, on network devices such as routers, switches, and firewalls, and in programs and services including databases, line-of-business applications, Web services, middleware, VM hypervisors and more.
Left unsecured, privileged accounts leave an organization vulnerable to IT staff members who have unmonitored access to sensitive customer data and can change configuration settings on critical components of your infrastructure through anonymous, unaudited access. It can also lead to financial loss from failed regulatory audits such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance, Portability and Accountability Action (HIPAA) of 1996, and the Sarbanes–Oxley Act of 2002 standards that require privileged identity controls.
One of the largest challenges for cloud service customers inside and outside of government is attaining transparency into how public cloud providers are securing their infrastructure. How are your identities being managed and secured? Many cloud providers won’t give their customers much more of an official answer than a SAS 70 certification. How can we trust in the cloud if the vendors of cloud-based infrastructure neglect to implement both the process and technology to assure that segregation of duties are enforced, and customer and vendor identities are secured?
The cloud vendor’s challenge: Accountability
Cloud computing has the potential to transform business technology, but it brings a spectrum of security issues that IT organizations should consider before trusting their sensitive data to the cloud. These issues cause security experts and auditors to rethink many fundamental assumptions about Privileged Identity Management in terms of who is responsible for managing these powerful accounts, how they manage them, and who exactly is in control.