Protecting This House: IT’s Role in Cloud Security

The increasing complexity of and the resulting security challenges are a force IT teams must reckon with. To succeed, admins need to solidify company-wide governance plans and policies.

EDITOR’S NOTE | CLOUD SECURITY AND GOVERNANCE ACTION PLAN | CLOUD DATA SECURITY COMES AT A COST

EDITOR’S NOTE

Shifting Security Needs to Maintain Effective Cloud Requirement

Cloud computing’s rise in popularity has been mirrored by its increasing complexity and heterogeneity. Organizational security needs are changing because of this transition, and IT is charged with managing the ever-growing need to protect these resources. Thus, the challenge is to provide employees with a way to effectively use the cloud while adhering to company-specific cloud-use policies.

Identity access management helps to achieve this goal, especially when coupled with the right organizational approach. Governance plans should fit into this overall strategy, so IT needs to be able to balance these needs without limiting the effectiveness of its cloud infrastructure.

In this handbook, security expert David Linthicum walks us through both the planning processes and potential costs for an effective cloud implementation. He addresses the challenges that arise during planning, industry best practices and the main players. Linthicum also looks at the “real” cost of cloud security—the people—and how this can be limited without sacrificing quality.

Patrick Hammond
Associate Features Editor, Data Center and Virtualization Group, TechTarget

ACTION PLAN

How to Pound Out an Enterprise Cloud Security and Governance Action Plan

Securing applications and data is essential for any organization, but the responsibility isn’t evenly distributed. IT needs to come up with specific compliance policies or principles that the rest of the organization can follow.

Public cloud removes some of the infrastructure and administrative overhead of the traditional data center, but the onus to meet cloud governance requirements still falls squarely on IT’s shoulders. In the ever-shifting cloud landscape, it’s important to create a governance model that resembles an ongoing process, not a product. Therefore, necessary adjustments can be made to help facilitate progress and limit any holdups.

Matching cloud providers to your data location, your privacy and governance needs, as well as best practices for creating an organization-wide cloud governance strategy, are important considerations for any IT shop.

CLOUD SECURITY CHALLENGES

Most businesses don’t have a good grasp of what’s reality and what’s fiction when it comes to cloud security. According to Alert Logic’s Fall 2012 State of Cloud Security Report, the variations in threat activity are not as important as where the infrastructure is located. Anything that can be accessed from outside—enterprise or cloud—has a relatively equal chance of being attacked, because attacks are opportunistic in nature, but this isn’t always the case.

Web application-based attacks hit both service provider environments and on-premises environments, comprising more than 40% of the total attacks on each environment. Though these events were the most prevalent type of attack, they hit on-premises environments with much more frequency. On-premises environment users also suffered significantly more brute-force attacks compared to their counterparts in service-provider environments.

The 2012 report still rings true—the recent data breaches at Sony, Home Depot and Target were unrelated to the cloud. Indeed, most attacks occur on traditional systems because those security systems are aging, and vulnerabilities have been exposed.

The importance of having effective security strategies and technologies has increased significantly. This is because cloud computing continues to grow in popularity and because the implementations become more complex and heterogeneous.

Identity and access management (IAM), also known as identity management, is not new, but the emergence of cloud computing has put it at center stage. Many cloud providers, such as Amazon Web Services (AWS), provide IAM as a service right out of the cloud. Others require customers to select and deploy third-party IAM systems.

The concept is simple: Provide a security approach and technology that allows the right individuals to access the right resources at the right times and for the right reasons. The concept follows the precept that everything and everyone gets an identity, including humans, servers, devices, APIs, applications and data. Once that verification occurs, it’s just a matter of defining which identities can access other identities and creating policies that define the limits of that relationship.

One example would be to define and store the identity of a set of cloud-based APIs that are leveraged only by a single set of smartphones that are running an application. The APIs each have an identity, as do the smartphones, the applications and the humans who are using the phones. An IAM service would authenticate the identity of each entity each time an entity interacts with another resource.

A prime example of IAM is the AWS version, which is a full-blown identity management and security system that allows users to control access to AWS cloud services. This IAM allows you to create and manage AWS users and user groups by way of permissions, which allow and disallow access to data. The benefit of Amazon’s IAM is the ability to manage who can access what, and in what context.

OTHER PLAYERS IN THE GAME

Of course, not everyone runs AWS. Fortunately, many new IAM players are focusing on cloud and usually promise to provide both identity management and single sign-on services. These players include , Centrify, Okta, OneLogin, Ping Identity and Symplified.

Each of the providers approaches cloud security and IAM differently, so you’ll need to review each product with regard to your specific requirements. When selecting the right cloud security approaches, be certain to consider the following:

■ The integration of cloud-based identity management solutions, or other security solutions, with enterprise security systems. Security should be systemic to both cloud and non-cloud systems, and you should consider ones that meet both sets of requirements.

■ The design and architecture of your identity-based security solution. Sometimes security services can come from your cloud provider. In many other cases, you have to select and deploy third-party security tools.

■ Importance of testing, including “white hat” security tests. They are telling, in terms of the actual effectiveness of your security systems.

■ The effect on performance. In some instances, security can slow your system to the point that it affects productivity.

■ Industry and all required regulations for compliance.

CHALLENGES IN GOVERNING THE CLOUD?

Cloud governance comes in many different flavors, including service-level, data-level and platform-level. What’s more, cloud governance and security typically work together, thus you can’t select the right security approaches and technology without first understanding your governance strategy.

Service-level, or API governance, installs policies around access to services exposed by public or private clouds—those who want to access cloud services have to go through a centralized mechanism that checks to see that those who request access are appropriately authorized. This mechanism also forces compliance with pre-defined policies that can dictate when and how the services can be accessed. Companies that provide API/service management and governance products include Mashery and Apigee.

Data-level governance, much like service-level governance, focuses on the management of both storage and data. Once again, policies are placed around data and data storage systems to define and control access. Data governance is becoming more important for businesses that implement cloud computing. The Cloud Security Alliance (CSA) has a Cloud Data Governance Working Group that is defining approaches and standard technology. Perspecsys and Acaveo are among the vendors in the cloud data governance market.

Platform-level governance, sometimes called a cloud management platform, is related to the management of the platforms themselves. This means placing automation services around the governance and management of a cloud platform, including provisioning and deprovisioning of cloud resources as needed by applications or data.

The objective of platform-level governance is to provide a single point of control for complex, distributed, and heterogeneous public and private cloud-based resources. This allows policies to define when and where resources are put to work and makes sure users leverage only what is necessary. The end result is that we do not overpay for subscription-based services, and the system works around issues such as outages. RightScale and ServiceMesh (now owned by CSC) are among the vendors offering platform-level governance products.

CREATING YOUR OWN APPROACH

Your customized approach to cloud security and cloud governance requires a great deal of work to define your requirements, both business and technical. Once that’s accomplished, it’s easy to create a comprehensive strategy and then proceed to implement the right technology.

Most organizations continue to be concerned about the risks introduced by cloud computing. Those risks, however, are substantially less than many of the traditional systems in use today.

The cloud has too many benefits to ignore, and the risks around security and governance are now solvable problems. —David Linthicum
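
The smartphone and API example from the action plan above, worked through as an added illustration (this code is not from the handbook and is not AWS IAM): every entity gets an identity, each interaction is authenticated, and a default-deny policy table sets which identities may reach the API and within what limits. The identity names, secrets and the HMAC proof scheme are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data: every entity (human, device, app, API) has an identity
# and its own secret. All names and secrets here are hypothetical.
IDENTITIES = {
    "user:alice": b"k-alice",
    "device:phone-0017": b"k-phone-0017",
    "device:phone-9999": b"k-phone-9999",
    "app:field-orders": b"k-app",
    "api:orders": b"k-orders",
}

# Which identity may access which other identity, and within what limits.
# Anything not listed is denied.
POLICIES = [
    ("device:phone-0017", "api:orders", {"read", "create"}),
    ("app:field-orders", "api:orders", {"read", "create"}),
    ("user:alice", "api:orders", {"read"}),
]

def sign(identity, request):
    """Proof an entity presents: HMAC of this request under its own secret."""
    return hmac.new(IDENTITIES[identity], request.encode(), hashlib.sha256).hexdigest()

def authenticate(identity, request, proof):
    """Verify an identity on every interaction; unknown identities fail."""
    if identity not in IDENTITIES:
        return False
    return hmac.compare_digest(sign(identity, request), proof)

def permitted(identity, resource, action):
    return any(s == identity and r == resource and action in acts
               for s, r, acts in POLICIES)

def authorize(chain, resource, action, request):
    """chain holds (identity, proof) for the human, device and app behind a call.
    Each one must authenticate and be permitted, or the call is denied."""
    for identity, proof in chain:
        if not authenticate(identity, request, proof):
            return f"deny: {identity} failed authentication"
        if not permitted(identity, resource, action):
            return f"deny: {identity} may not {action} {resource}"
    return "allow"
```

A phone that holds a valid identity but is outside the approved set is still refused, because authentication and authorization are checked separately for every identity in the call chain.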

COST OF SECURITY

Cloud Data Security Comes at a Cost

Breaches are a recurring event in the IT world, with the U.S. Postal Service’s computer network among the latest victims. Authorities suspect the attack compromised sensitive data—names, date of birth, Social Security information, addresses and employment records—of more than 800,000 employees.

This attack follows significant credit card data breaches at Target and Home Depot. But these attacks were not cloud-related. Hackers exploited poorly protected traditional systems. As cloud adoption rises and hackers continue their attacks, cloud data security, which isn’t cheap, becomes paramount.

So the question not only becomes how to protect your cloud-based systems, but can you afford it?

BREAKDOWN OF CLOUD SECURITY COSTS

The technology needed for cloud security can be expensive, so admins tasked with securing the cloud should prepare their CIOs for a big bill. The cost of the talent needed to create proper security architectures and approaches and then to run them effectively, will set companies back.

Clouds are complex distributed systems, so what’s the best way to protect them? The best cloud security model and practice is identity access management (IAM). Many cloud providers, such as Amazon Web Services (AWS), provide IAM as a service. Others require third-party IAM systems.

To ensure cloud data security, use the method and technology that enable the right individuals to access these resources at the right times and for the right reasons. This means that everything and everyone gets an identity—including humans, servers, APIs, applications, data and more. After verifying identities, define which can access other identities and create policies to define the limits of those relationships.

EXPLORE DIFFERENT CLOUD SECURITY AVENUES

There are a few approaches to cloud security, including using IAM for your cloud provider, IAM and a third-party cloud. Cloud-based IAM system expenditures, such as those provided by AWS, are nominal. Most businesses, however, choose security options that are not tied to a single cloud provider.

The cost to run an IAM system, whether on-premises or as a service, varies. The average yearly cost is $5,000 per application, so it can get expensive if you manage 1,000 applications in private or public clouds and traditional systems. Everything needs to be locked up the same way; if cloud-based systems are secure, but traditional systems aren’t, then the system isn’t completely secure. Just ask Target and the U.S. Postal Service.

However, technology isn’t the real expense—it’s the security engineers needed to build and operate effective cloud security systems that cost the most. Indeed.com reports that the average annual salary for a U.S. worker with the words “cloud security” in his or her title is $134,000. And these talented engineers are extremely hard to find, so you’ll pay even more for the best talent. Capable consultants can cost $2,000 to $2,500 per day.

Moving to the cloud has tremendous benefits, but security done right is costly. —David Linthicum

ABOUT THE AUTHOR

DAVID LINTHICUM is with Cloud Technology Partners and an internationally recognized cloud industry expert and thought leader. He is the author and co-author of 13 books on computing, including the best-selling Enterprise Application Integration. Linthicum keynotes at many leading technology conferences on cloud computing, SOA, enterprise application integration and enterprise architecture.

Protecting this House: IT’s Role in Cloud Security is a SearchCloudComputing.com publication.

Margie Semilof | Editorial Director
Phil Sweeney | Managing Editor
Patrick Hammond | Associate Features Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Rebecca Kitchens | Publisher

TechTarget 275 Grove Street, Newton, MA 02466 www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: THINKSTOCK
