From the vendor's standpoint, cloud computing promises to reduce customer headcount, make IT more efficient and deliver more consistent service levels. There is a paradox, though: when it comes to security, and control over privileged identities in particular, cloud services are often among the least efficient. Many cloud service providers' processes – based on ad-hoc techniques like scripting of password changes – are slow, expensive and unreliable. And that is dangerous.
Fortunately the industry is starting to move beyond paralyzing discussions about the security and compliance problems that arise from cloud computing and to address them head on. One example of this is the Trusted Cloud Initiative, which was launched at RSA Conference 2010. The goal of the initiative is "to help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices." Only time will tell, however, whether it will help standardize cloud providers' security practices or turn out to be a technology certification of little use.
In addition, several major cloud vendors and ISPs have begun the difficult task of integrating security solutions capable of managing the large number of privileged identities spread across their infrastructure (hardware, VM hosts, VM image OS, application stacks). This shift has broken the traditional model in which the customer's own IT department controls security, and has started to blur the line between vendor and customer when it comes to managing security.
The end user's challenge: Transparency
In my opinion, the cloud is a really good, compelling idea. It can reduce the cost of IT dramatically. Given that cloud computing is available, building new data centers these days seems like a last-century way of doing things. On the other hand, for enterprises, the ability to see and touch your own systems in your secured data center does give confidence that you have some measure of control over your destiny. But most large corporations don't have enough IT people or security talent to manage the IT resources they already have, and so are turning to outsourcing. Cloud computing is essentially the next generation of outsourcing: we are not only reducing manpower, but getting rid of our hard assets entirely by moving them to data centers anywhere on the planet that will manage them more cheaply than we ever could. And the idea of outsourcing security and liability is extraordinarily compelling.
Enterprises should ask the right questions of their cloud providers before taking the leap into the cloud and blindly assuming that their data is safe there. Every point of compliance that you are asked to meet as an IT organization, and every question an auditor has asked you, applies equally to your cloud vendor – and needs to be asked of them. And because today's cloud vendors offer very little transparency and little information, don't be surprised if you don't like the answers you get. Most cloud vendors would say that for security purposes it's on a "need to know" basis, and you don't need to know. Others state that they are SAS 70 compliant, but a SAS 70 report only attests to the controls the provider itself chose to have examined; it says nothing about whether those controls cover your risks.
Here are some questions you should consider asking:
- What kind of security does the cloud service provider have in place to protect your privileged accounts and your most sensitive data?
- Do they have a Privileged Identity Management technology in place, or do they rely on manual processes and scripts?
- How do they control the privileged accounts used within the cloud infrastructure to manage sensitive systems and data, and who can use them?
- How do they manage privileged access at each layer of the cloud stack, from the physical hardware and VM hosts up to the guest OS and application stacks?
- What access will you have to audit records of privileged activity on the systems that hold your data?