Log Management Authors: Dana Gardner, Pat Romanski, Elizabeth White, David H Deans, Carmen Gonzalez

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Bucking the Trend: How Security Will Drive Cloud Adoption, Not Hinder It

Security, when done properly, is an argument in favor of cloud adoption

Security Track at Cloud Expo

If you've investigated cloud computing even a little bit, you've encountered story after story about how security is slowing adoption. There is some truth beneath all of the hand wringing, but not nearly as much as you'd think.

When deployed correctly, security should drive cloud adoption, rather than impede it.

Large cloud providers, such as Amazon, Google and Salesforce.com, have many more security tools in their data protection toolbox than you do. They have many dedicated security pros on staff, data centers that can withstand natural disasters, stringent security policies and procedures and the most up-to-date security solutions.

Why All the Doom and Gloom, Then?
Bad news sells. Whether it's an analyst report or an industry publication, fear-based headlines attract attention. Security vendors themselves are guilty of hyping the problem, hoping to push more product.

One recent op-ed by a VP from a very prominent security vendor noted that cloud applications are only as strong as "your weakest password." Um, that's not a cloud security problem; that's an access/authentication problem. You can say this exact same thing about any type of data in any storage medium with any sort of connection to the outside world. *

Similarly, a recent Forrester research report * noted that those moving to the cloud need to worry about identity management, compliance and disaster recovery.

Again, these are in no way specific to the cloud. These are general business computing issues.

This is not to say that there are not actual cloud security concerns. There are, and I'll get to some in a moment. However, for every cloud security issue, there is a corresponding security tool to address it - even though the hype would have you believe otherwise.

How Did We Get into This Mess in the First Place?
Simple: as with so many technologies that came before, developers created the applications first (or cloud-enabled existing ones) and left security concerns for later.

Fortunately, many security issues are being solved for you even as you read this story. All of the big cloud vendors are hyper-aware of the need to lock down their customers' data. All of them have best practices in place and a slew of security tools wrapped around their services designed to protect the integrity of your data.

Unfortunately, the cloud providers can't solve everything. The one fundamental security issue that you must solve for yourself is identity. Application access and the integrity of users' identities, as well as their roles and privileges, must be tackled by the enterprise.

Cloud providers can only do what you tell them to when it comes to identity enforcement. They can grant access to those who you've given credentials to and block all others, but if you don't have solid identity enforcement in place, there's not much they can do about it.

This is where many organizations falter. Using the same logic that drove people to cloud-enable applications before figuring out the security ramifications, many organizations have decided to synch identities to the cloud. Bad idea. Now, instead of protecting one identity directory, you must defend, patch and manage two, and you've doubled your risks.

The second misguided option that organizations consider is forklifting their entire infrastructure, including identity management, to the cloud. In this age of outsourcing, there is some herd-mentality logic to this line of thinking. However, I believe that identity is the absolute last thing you want to outsource.

Where Should You Draw the Line?
Nothing in the Internet age is 100% secure, but when you give away the keys to the front door, you better make sure the lock is sound and that only the people who are supposed to have keys actually get them.

If you give away your directory services, such as Active Directory or LDAP, you are basically ceding control over who gets keys and who doesn't.

Control over directory services, then, is where you draw the line.

Imagine what happens when something goes wrong. If identities are off in the cloud, you must trust that the identity provider is honest, forthcoming and quick in responding. If identities are in house, you track down those accountable and tell them they'll be working nights and weekends until the problem is solved.

Similarly, when identities are in house, your IT staff has much more power to enforce organizational policies when users stray away from best practices or concoct workarounds. If users screw up, IT shuts down their accounts, suspends privileges, requires password resets, etc.

Now imagine an even touchier scenario. A frisky IT pro suspends privileges to your CEO for bucking some security policy. With outsourced identities, your CEO (or most likely an executive secretary) wastes a lot of time on the phone trying to reach an overseas help desk to figure out the problem. When handled internally, the CEO is either granted an exception or brought up to speed on the importance of the policy by a colleague who understands your organization's bottom-line business concerns.

Other reasons to keep identities in house include maintaining compliance, avoiding vendor lock, protecting interoperability and avoiding opening yourself up to insider attacks from people who are actually outsiders to you.

Bridging the Enterprise to the Cloud by Becoming Your Own Identity Provider
The trouble with keeping directory services in house is that they were not designed for the cloud. However, this problem isn't nearly as big as it seems.

Most organizations are already under regulatory pressure to modernize authentication. What a few progressive identity enforcement providers are doing is hooking strong, multifactor authentication into directory services.

Because these new identity enforcement solutions are designed to be platform agnostic and to authenticate remote and mobile workers, they are perfectly situated to serve as a bridge between internal directories and public clouds.

Some of the big cloud providers, most notably Salesforce.com and Google, allow you to use an identity provider to enforce access and privileges. As a result, a bunch of small point solutions delivered as services have already popped up. Some of the vendors probably have staying power. Many do not.

However, there is no reason you can't act as your own identity provider. You've done it for years for client/server applications, and many organizations are already acting as an identity provider for internally hosted apps served up as a service to various departments, branches and partners, as well as to remote and mobile workers.

Instead of just authenticating users, you can control, manage and enforce user access, no matter where the users are or where the application data resides.

Returning to the title of this story, what does this all mean when it comes to cloud adoption? It means that security, when done properly, is an argument in favor of cloud adoption. The big providers have better resources to protect data than you do, while you have the ability to retain the control and management of your user base even as it accesses cloud-based applications.

You get the best of everything. Identities stay locked in house, data protection is improved and applications gain flexibility and operational efficiency by residing in the cloud.

More Stories By Craig Lund

Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges applications from the enterprise to the cloud through strong, flexible identity enforcement.

As chief executive officer, Craig is responsible for guiding the overall strategy and operations of MultiFactor Corporation. He is a seasoned veteran of high technology management with over 25 years experience managing high performing teams in some of the world’s leading technology companies and startups alike. Craig holds a bachelor’s of science degree in business administration from Utah State University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments t...
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...