Log Management Authors: Dana Gardner, Pat Romanski, Elizabeth White, David H Deans, Carmen Gonzalez

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Bucking the Trend: How Security Will Drive Cloud Adoption, Not Hinder It

Security, when done properly, is an argument in favor of cloud adoption

Security Track at Cloud Expo

If you've investigated cloud computing even a little bit, you've encountered story after story about how security is slowing adoption. There is some truth beneath all of the hand wringing, but not nearly as much as you'd think.

When deployed correctly, security should drive cloud adoption, rather than impede it.

Large cloud providers, such as Amazon, Google and Salesforce.com, have many more security tools in their data protection toolbox than you do. They have many dedicated security pros on staff, data centers that can withstand natural disasters, stringent security policies and procedures and the most up-to-date security solutions.

Why All the Doom and Gloom, Then?
Bad news sells. Whether it's an analyst report or an industry publication, fear-based headlines attract attention. Security vendors themselves are guilty of hyping the problem, hoping to push more product.

One recent op-ed by a VP from a very prominent security vendor noted that cloud applications are only as strong as "your weakest password." Um, that's not a cloud security problem; that's an access/authentication problem. You can say this exact same thing about any type of data in any storage medium with any sort of connection to the outside world. *

Similarly, a recent Forrester research report * noted that those moving to the cloud need to worry about identity management, compliance and disaster recovery.

Again, these are in no way specific to the cloud. These are general business computing issues.

This is not to say that there are not actual cloud security concerns. There are, and I'll get to some in a moment. However, for every cloud security issue, there is a corresponding security tool to address it - even though the hype would have you believe otherwise.

How Did We Get into This Mess in the First Place?
Simple: as with so many technologies that came before, developers created the applications first (or cloud-enabled existing ones) and left security concerns for later.

Fortunately, many security issues are being solved for you even as you read this story. All of the big cloud vendors are hyper-aware of the need to lock down their customers' data. All of them have best practices in place and a slew of security tools wrapped around their services designed to protect the integrity of your data.

Unfortunately, the cloud providers can't solve everything. The one fundamental security issue that you must solve for yourself is identity. Application access and the integrity of users' identities, as well as their roles and privileges, must be tackled by the enterprise.

Cloud providers can only do what you tell them to when it comes to identity enforcement. They can grant access to those who you've given credentials to and block all others, but if you don't have solid identity enforcement in place, there's not much they can do about it.

This is where many organizations falter. Using the same logic that drove people to cloud-enable applications before figuring out the security ramifications, many organizations have decided to synch identities to the cloud. Bad idea. Now, instead of protecting one identity directory, you must defend, patch and manage two, and you've doubled your risks.

The second misguided option that organizations consider is forklifting their entire infrastructure, including identity management, to the cloud. In this age of outsourcing, there is some herd-mentality logic to this line of thinking. However, I believe that identity is the absolute last thing you want to outsource.

Where Should You Draw the Line?
Nothing in the Internet age is 100% secure, but when you give away the keys to the front door, you better make sure the lock is sound and that only the people who are supposed to have keys actually get them.

If you give away your directory services, such as Active Directory or LDAP, you are basically ceding control over who gets keys and who doesn't.

Control over directory services, then, is where you draw the line.

Imagine what happens when something goes wrong. If identities are off in the cloud, you must trust that the identity provider is honest, forthcoming and quick in responding. If identities are in house, you track down those accountable and tell them they'll be working nights and weekends until the problem is solved.

Similarly, when identities are in house, your IT staff has much more power to enforce organizational policies when users stray away from best practices or concoct workarounds. If users screw up, IT shuts down their accounts, suspends privileges, requires password resets, etc.

Now imagine an even touchier scenario. A frisky IT pro suspends privileges to your CEO for bucking some security policy. With outsourced identities, your CEO (or most likely an executive secretary) wastes a lot of time on the phone trying to reach an overseas help desk to figure out the problem. When handled internally, the CEO is either granted an exception or brought up to speed on the importance of the policy by a colleague who understands your organization's bottom-line business concerns.

Other reasons to keep identities in house include maintaining compliance, avoiding vendor lock, protecting interoperability and avoiding opening yourself up to insider attacks from people who are actually outsiders to you.

Bridging the Enterprise to the Cloud by Becoming Your Own Identity Provider
The trouble with keeping directory services in house is that they were not designed for the cloud. However, this problem isn't nearly as big as it seems.

Most organizations are already under regulatory pressure to modernize authentication. What a few progressive identity enforcement providers are doing is hooking strong, multifactor authentication into directory services.

Because these new identity enforcement solutions are designed to be platform agnostic and to authenticate remote and mobile workers, they are perfectly situated to serve as a bridge between internal directories and public clouds.

Some of the big cloud providers, most notably Salesforce.com and Google, allow you to use an identity provider to enforce access and privileges. As a result, a bunch of small point solutions delivered as services have already popped up. Some of the vendors probably have staying power. Many do not.

However, there is no reason you can't act as your own identity provider. You've done it for years for client/server applications, and many organizations are already acting as an identity provider for internally hosted apps served up as a service to various departments, branches and partners, as well as to remote and mobile workers.

Instead of just authenticating users, you can control, manage and enforce user access, no matter where the users are or where the application data resides.

Returning to the title of this story, what does this all mean when it comes to cloud adoption? It means that security, when done properly, is an argument in favor of cloud adoption. The big providers have better resources to protect data than you do, while you have the ability to retain the control and management of your user base even as it accesses cloud-based applications.

You get the best of everything. Identities stay locked in house, data protection is improved and applications gain flexibility and operational efficiency by residing in the cloud.

More Stories By Craig Lund

Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges applications from the enterprise to the cloud through strong, flexible identity enforcement.

As chief executive officer, Craig is responsible for guiding the overall strategy and operations of MultiFactor Corporation. He is a seasoned veteran of high technology management with over 25 years experience managing high performing teams in some of the world’s leading technology companies and startups alike. Craig holds a bachelor’s of science degree in business administration from Utah State University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...