DIGITAL SPOTLIGHT | WINTER 2014 | Security | MODERNIZING ENTERPRISE IT
CLOUD SECURITY: Staying safe in the cloud

INSIDE

Introduction 2
BY ERIC KNORR

The leap of faith to the cloud 4
Cloud providers typically have better security defenses than your own – yet risks remain. The Cloud Security Alliance flags the nine most likely threats.
BY ERIC KNORR

Identity management meets the cloud 9
Organizations always wrestle with authentication and access control, but rapid adoption of cloud apps and services is complicating the problem.
BY FAHMIDA Y. RASHID

Hanging on to cloud identity 13
Organizations are embracing cloud-based apps – and incurring new risks in the bargain. Identity management lowers the liability.
BY PAUL F. ROBERTS

Practical cloud encryption solutions 17
Encryption has become a huge issue, thanks to the NSA. For cloud customers, this has already led to a wider array of encryption solutions.
BY ROGER A. GRIMES

Introduction: Staying safe in the cloud
BY ERIC KNORR

THE CLOUD IS fast becoming an underlying assumption of computing, mainly because everyone wants the ability to provision and scale applications with minimal fuss. Often, public cloud services — from SaaS apps to IaaS offerings such as Rackspace Cloud — present the best options.

The problem for IT is that business managers frequently fire up accounts with public cloud services and fail to think through the security implications. That can lead to increased risk of data loss, industrial spying, compromised customer data, and more. In this Digital Spotlight on cloud security, we dive into the key security issues for organizations that — by accident or design — have moved a substantial portion of their computing workloads to the cloud.

We begin by walking through the nine most pressing cloud security liabilities. Next, we explain identity management, and delve into the ways organizations are using it to extend authentication and authorization to the cloud. Finally, we tackle data encryption and the options cloud providers should offer to ensure your data stays safe.

Today, nearly all businesses have one foot in the cloud whether they realize it or not. We hope this Digital Spotlight helps enable you to assess your own exposure and reap the benefit of public cloud services without creating worry or unnecessary risk.

—Eric Knorr, Editor in Chief

Digital Spotlight | CLOUD SECURITY | WINTER 2014 infoworld.com 2

The leap of faith to the cloud

Cloud providers have better security defenses than your average enterprise data center – as they should, since any flaw could affect many, many customers. The Cloud Security Alliance identifies the nine most likely threats.
BY ERIC KNORR

NOT LONG AGO, the notion of entrusting vital company data to a public cloud service would have struck most IT managers as mildly insane at best. My data? Out there on some shared platform in a data center I've never seen? You've got to be kidding me.

That attitude has shifted. The availability and security of cloud providers have continuously improved, to the point where you frequently hear that your own data center is much more likely to experience downtime or a successful malicious attack than the hardened, redundant fortresses of big-name cloud service providers.

True, cloud providers' reputations were dealt a damaging blow in 2013 when reports surfaced that the NSA demanded and received access to cloud customer data — but even that episode may ultimately work in cloud providers' favor. In response to the NSA debacle, some providers are already offering strong encryption by default, deployed in such a way that outside, unauthorized parties will have a very hard time cracking it.

The truth is that today, evaluations of cloud risk tend to occur in hindsight. With or without the blessing of IT, many line-of-business and departmental managers have subscribed to cloud services — in part to gain much-needed capabilities that IT departments can't or won't deliver, and in part because some key cloud services are simply better than solutions obtainable on premises.

It's becoming a cloud world, to the point where corporate CIOs are attempting to emulate the hyperefficient clouds of major providers in their own data centers. Nonetheless, subscribing to cloud services without considering the potential security risks is reckless at best. Fortunately, there's a nonprofit organization solely dedicated to addressing the problem.

The Cloud Security Alliance's "notorious nine"

Formed in 2008, the Cloud Security Alliance is dedicated to promoting best security practices for the cloud. Membership includes a who's who of tech companies, from traditional software vendors such as Oracle to native cloud providers such as Amazon. In 2013, the Cloud Security Alliance published what it called its Notorious Nine cloud computing threats based on a survey of industry experts. Here are those threats in order of severity, with my own interpretation of the implications of each.

1. Data breaches

No surprise that data breaches are the No. 1 fear, since anxiety over exposing data has always been the chief inhibitor to adoption. On one level, the antidote is simple: a full array of strong encryption options. Roger Grimes' article "Practical encryption solutions" walks you through the options.

But locking down data with encryption is only part of the story. Encryption keys can fall into the wrong hands. You need proper authentication and access control to ensure only those authorized can access data. Plus, you need proper data governance to manage the lifecycle of data — and under which conditions data can be stored in a shared cloud environment or in any other location.

Another issue is data deletion. Over the years, occasional reports have surfaced that customer data that was supposed to have been deleted remained with the cloud provider. Encryption obviously reduces risk should that slipup occur.

2. Data loss

Because cloud services are often adopted without IT's permission, users may lose company data simply by misplacing it or accidentally deleting it — and when they call on IT to recover data from a cloud service, it may be too late.

Moreover, although top cloud service providers have an excellent record when it comes to accidental data corruption or loss, users sometimes select third-tier providers without making a realistic assessment of their viability. An SLA may be in place, but a subscription refund does not amount to adequate compensation for data lost by a dysfunctional provider. In addition, if either the user or the provider practices lax access control, data could be deleted by vandals, disaffected former employees, or other malicious individuals.

In a 2013 study by the security vendor Symantec, 43 percent of the 3,200 organizations surveyed lost data in the cloud and had to recover from backups. Data in the cloud needs to be protected as you would protect it on any system.

3. Account or service traffic hijacking

Logons stolen through phishing or social engineering can result in compromised financial data, stolen intellectual property, and other dire consequences for any business. But stolen cloud service logons incur a special set of risks.

For one thing, security professionals routinely use a specific set of tools to determine whether an organization has been compromised — and few would be willing or able to use those tools to check cloud services. If a SaaS application is compromised, for example, an intruder might be able to monitor activity and peruse data over a long stretch of time without being detected.

Other risks can be incurred if a malicious hacker steals logon credentials to a business user's IaaS account. In the past, infrastructure clouds have been used to launch new VMs for botnets, DDoS attacks, and other malicious activity. That's one reason cloud monitoring is essential.

4. Insecure interfaces and APIs

Cloud interfaces and APIs enable integration with SSO (single sign-on) solutions, as well as data or process integration with other cloud services or on-premises software. But those interfaces and APIs are also potential targets for attack. To secure APIs, providers give users tokens or API keys that are validated in order for a client to connect.

If an API is secured poorly, an attacker could launch a DoS attack and render a cloud service unusable. APIs may provide access to all sorts of cloud functions, including account provisioning; if compromised, APIs may even enable an attacker to extract critical data.

5. Denial of service

Public cloud services are, well, public. Hacktivists have targeted cloud services for political reasons, rendering them temporarily unusable. Fortunately, most of the large providers have now deployed relatively effective, automated defenses against DDoS attacks. Smaller providers may or may not have the wherewithal to mount such a defense.

6. Malicious insiders

In a 2013 survey by Forrester Research, 25 percent of respondents said that abuse by a malicious insider was the most common cause of data breaches. The truth, however, is that no one knows. Malicious insider attacks – by disgruntled employees or those who jump ship to competitors and take data with them – frequently go undetected or, for political reasons, unreported.

Insider threats specific to the cloud are twofold. First, there's the added risk that a rogue insider working for a cloud service provider might be tempted to view, sell, or tamper with customer data and avoid detection.

Second, due to the decentralized pattern of cloud adoption typical of many organizations, IT's purview over identity management and access control may not extend to all cloud services. Such lax control may give employees free rein over data they would normally be unauthorized to access. In the worst case, logons may be retained by employees after they leave an organization, opening opportunities for mischief or data theft.

7. Abuse of cloud services

Cloud computing providers offer something the world has never seen before: the ability to spin up massive computing power on demand for any conceivable workload, pay for only the cloud resources required, then simply close the cloud service account.

That's ideal for, say, actuarial calculations. But it's also an opportunity for cyber criminals to engage in another compute-intensive task: cracking encryption. In addition, cloud computing services may provide a home for botnets, DDoS attacks, and other criminal operations that require scale.

8. Insufficient due diligence

The cloud depends on trust between the provider and the customer. The big brand names in the cloud have earned customer confidence thanks to a declining number of outages and few catastrophic data breaches to date — although the NSA debacle has given many (especially European) customers pause. With smaller, newer, lesser-known providers, the lack of a public track record demands more faith, which many enterprise customers are unwilling to invest.

Another consideration is the viability of the provider's business: A recent Gartner study predicted that one in four of the top 100 IaaS providers will be "gone" by 2015, mainly through acquisition.

One of the biggest inhibitors to cloud computing has been customers' inability to continuously monitor a cloud provider's security infrastructure and practices. True, there are standards and guidelines, such as the Cloud Security Alliance's Security, Trust & Assurance Registry, the National Institute of Standards and Technology's Cloud Computing Security Reference Architecture, the American Institute of CPA's SSAE 16, or the ISO/IEC 27001 family of information security standards. No customer can look over the shoulder of a provider to ensure 24/7 compliance, but customers are sometimes given audit privileges and allowed to physically inspect facilities.

Obviously, SLAs that include reparations for security breaches are desirable. On the other hand, no agreement is likely to sufficiently compensate for major theft or exposure of critical data.

9. Shared technology vulnerabilities

The cloud, by its nature, is based on the idea of multiple customers sharing the same infrastructure — a concept known as "multitenancy." As the Notorious Nine report puts it, "the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) … were not designed to offer strong isolation properties for a multitenant architecture." A provider must put controls in place that ensure such potential vulnerabilities are not exploited — and foil hackers who create accounts expressly to attack other customers.

Of particular concern have been potential security vulnerabilities at the hypervisor level, since these could theoretically enable an attacker to compromise multiple virtual machines across multiple accounts. In 2012, researchers discovered the Crisis Trojan, the Windows version of which was found to be capable of infecting VMware virtual machines. Later that year, a University of North Carolina research paper described how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. So far, however, no known breaches have been attributed to hypervisor-based attacks, encouraging some to assert that fears of this sort of exploit are overblown.

Eric Knorr is Editor in Chief at InfoWorld.

Identity management meets the cloud

Organizations always wrestle with authentication and access control, but rapid adoption of cloud apps and services is complicating the problem. This quick guide offers a straightforward antidote.
BY FAHMIDA Y. RASHID

ORGANIZATIONS HAVE AN identity problem. Numerous data breaches result from organizations not knowing who people are or what they're allowed to do. IAM (identity and access management) is the solution — and in the cloud era, when employees may access multiple cloud services outside the enterprise perimeter, IAM is needed more than ever.

IAM requires concerted planning to implement effectively. Plus, each IAM solution takes a different approach, making it complicated to assess which one makes the most sense for a given organization.

Major vendors such as Dell (as a result of its Quest acquisition), Microsoft, Oracle, and IBM include on-premise IAM in their portfolios. Then there are the nimble startups with cloud-based platforms, such as Okta, Ping Identity, and OneLogin. Just recently Salesforce.com stepped into the fray with its own offering, Salesforce Identity.

It's easy to get trapped in evaluating technology and hashing out deployment details, but such efforts should be undertaken later in the process. Before considering platforms and providers, IT needs to figure out access rules, use case scenarios, and business requirements. After identifying the required controls, IT needs to build access policies, make changes to the applications, and test the integration. This doesn't have to be a lengthy process, but proper planning will ensure the final rollout reflects what the organization really needs.

How to think about IAM

The gist of IAM boils down to two basic questions: "Who is this person?" and "Is this person allowed to do this?" Users need to be authenticated first, then authorized with the appropriate access levels to fulfill their responsibilities. When all applications and resources were in a data center, IT was able to assert some control. Nowadays, identity has spread beyond those confines to multiple end points, cloud applications, and cloud services.

With business units signing up for cloud services on their own, core applications migrating to hosted servers, and users trying to access enterprise resources from outside the network, IT needs to share the responsibility for user and identity management with stakeholders.

Typically, IT gives users an internal corporate ID to log in to their computers and access enterprise applications. These days a business unit may also subscribe to a SaaS (software as a service) offering to create a certain number of user accounts. If a member of that team leaves the company, IT has procedures in place to disable accounts belonging to that employee — but a business manager may forget to disable a former employee's SaaS accounts, providing continued access to corporate data. If there's no governance over applications owned and maintained by business managers, IT may not be aware of the risk until it's too late.

IAM vs. SSO

Authentication is the most visible part of IAM, because end-users have to identify themselves with a password or some other mechanism, and IT has to figure out whether or not that person is really who he or she claims to be. Authorization is the trickier part, because the organization has to decide whether the user's request is reasonable and if it should be granted.

A common misperception among IT executives is that SSO


(single sign-on) and IAM are the same, when in fact SSO is just one component of the larger IAM whole. Implementing SSO makes life easier for users because they no longer have to keep track of all their passwords, and IT can add gatekeeping mechanisms such as device fingerprinting, multifactor authentication, and IP address tracking, depending on the product. But arguably, authorization is important when an employee's job function or employment status changes.

Some IAM vendors offer little more than SSO, which may mean automated provisioning and deprovisioning of accounts is not included. If an organization is relatively small and doesn't need multiple levels of access control, SSO alone may be sufficient. Needless to say, detailed discussions of requirements related to this issue are paramount.

Defining scope

The most critical step in the IAM planning process is to identify all the user roles and access rules within the organization. This can be done in the form of a matrix, mapping users with accounts, applications, roles, and privileges. This will help the organization understand who has access to which application, how the application is being used, and what types of roles should be in place.

"Users" in this matrix refers not just to employees, but also to any accounts used by other applications or systems. For example, the content management system should not be using the administrator credential to get to the database, but a more restricted one, and that needs to be included in the matrix. If an application supports third-party log-ins, such as Facebook or OpenID credentials, those need to be included as well.

The matrix serves two purposes: To understand what types of use cases the final IAM deployment has to support, and also to act as an audit. This exercise can help identify accounts that should have been deleted or have overly broad access, or even uncover missing roles and accounts that should already exist. A final audit will make it easier to create the centralized user repository during deployment.

One thing to keep in mind is to stay small. Instead of trying to do a full deployment with every single user and application, a better approach is to focus on a few applications and a subset of users. Once that phase is complete, more users can be added. Applications should also be added in a controlled manner so it's clear what configuration changes or customizations need to be made.

Whether an organization has only on-premise applications, only cloud infrastructure, or most likely a mix of both, having the access matrix is critical for a successful IAM rollout.


Diving into use cases

With all the access rules defined, the next step is to understand the use cases and the business requirements. For example, whether identity should be controlled internally or can be outsourced to an external provider depends on an organization's specific use cases. In many cases, it's the business manager who understands applications and their benefits — and determines who can use the application. In such scenarios, the manager should retain at least some of that control.

As organizations become more hybrid, some will want IAM to encompass both on-premise and cloud applications. Others may decide everything doesn't need to tie back to a single identity. It may make perfect business sense to have one identity credential tied to on-premise applications and physical hardware, while maintaining a separate set for external cloud applications.

Most organizations already use Active Directory, LDAP, or a similar centralized repository to manage user accounts. Systems like Active Directory provide a good starting point, because they already contain plenty of user and role information. Depending on the use case, organizations may decide to stick with Active Directory and bolt on the appropriate IAM platform, while others may decide that starting over with a fresh source would be more effective. Some providers offer hooks into Active Directory so IT doesn't need to recreate user entries for cloud IAM solutions, which typically use SAML or similar frameworks to hook applications together. Users are given accounts to log in to the IAM Web portal, and from there they can open all the other cloud applications they have access to.

The right controls for the job

Identifying use cases beforehand makes the technology evaluation straightforward, since it quickly becomes clear which features and capabilities will be essential. But even after selecting the platform, IT must allocate time for custom development. Policies and workflows have to be created based on previously defined use cases to indicate what kind of actions would trigger an alert or block access.

Many IAM vendors promise a seamless integration where no code must be changed, but this is almost never the case. Integration always requires some configuration changes and tweaks — for example, to ensure an application works with SAML or OAuth connectors. These connectors have to be tested as part of integration, and IT will need to look at load balancing as well. Testing will also verify that use cases, especially the ones that trigger certain restrictions, have been designed correctly.

Organizations need to look deeply into what identity means for them. Several recent high-profile data breaches have resulted from a failure of IAM. Spend the time and effort to determine user access control rules and use cases, and the actual technical implementation will become much easier to manage.

Fahmida Y. Rashid is a veteran business and technology journalist living in the greater New York City area.


Hanging on to cloud identity

Organizations are embracing cloud-based applications and realizing big productivity gains – and incurring new security risks in the bargain. Identity management solutions lower the liability.
BY PAUL F. ROBERTS

IN THE NOT so distant past, enterprise IT shops operated as enlightened dictatorships. With hands firmly on the keys to the technology kingdom — application servers, identity stores, and so on – the IT group was the final arbiter of any new technology.

No longer. Today, separate lines of business and even individual employees procure cloud applications with little more than a credit card. Moreover, they often do so without the knowledge or approval of IT. That kind of agility is great for productivity. But if the IT-as-dictator model is untenable, so is the chaos of ad-hoc cloud technology adoption that, in recent years, has created new security risks and management headaches.

What's to be done? Forward-looking organizations are finding ways to walk the tightrope between control and chaos. Specifically, new cloud-based identity management tools give organizations a way to temper the chaos of cloud adoption, dragging SaaS (software as a service) application use within the enterprise into the sunlight.


Web applications: Barbarians at the gates

At Shire PLC, a leading biopharmaceuticals firm that developed drugs like Adderall and Vyvanse, employees have been adept at identifying and using a slew of Web-based tools, says Bob Litterer, a senior information security executive at Shire.

"I came here three years ago, and we were already well on our way. There were quite a few cloud-based services our business was leveraging," Litterer says. But rather than seeing those services as a threat, he embraced them. "Our employees were using them to help our company achieve its vision, which is to help patients lead better lives," he says. "I really saw it as an opportunity."

There were problems, however. Adoption of Web-based tools had been organic, rather than orderly. "It was really business-by-business and product-by-product," says Litterer. Because adoption happened without guidance from the IT group, Shire employees might have five or 10 different user names and passwords to access the various internal and cloud-based applications they needed to do their job — a management nightmare.

A publicly traded pharmaceutical company, Shire must comply with a host of federal, state, international, and industry regulations governing everything from health data to the release of data regarding its financial performance, clinical trial results, and so on. According to Litterer, that raised the stakes for the company as it sought to bring cloud and Web application use in line with company policy.

Shire's situation is not unusual, says Eve Maler, an analyst at Forrester Research. Maler and her colleagues have found that organizations rushing headlong into the cloud soon run up against a familiar list of complications. At the top of the list is what Forrester refers to as "an inability to set and enforce controls" in hybrid IT environments comprised of both cloud and on-premises systems.

In their drive to "win, serve, and retain customers," Forrester noted in a recent report, "business managers procure cloud services to fill needs that the IT organization can't fulfill effectively or quickly enough; that means that CISOs too often become aware of security issues after it's too late."

Okta, a San Francisco-based firm that offers cloud-based identity management tools, regularly finds a laundry list of common Web-based applications already deployed at companies it engages with. Sometimes they find two dozen or more, constituting what some call a "shadow IT" infrastructure.

"Think about survey applications," says Frederic Kerrest, Okta's chief operating officer. "In the old days you would hand out pieces of paper. Then you had tools like Survey Monkey. Today, there are three, four or five similar products that do that." Any or all of those could be in use in a given environment, and they're often repositories for critical business data concerning an organization, its personnel, its projects, and so on.


Taming the cloud's identity complexity

The task of bringing sprawling cloud-based services and SaaS applications under control starts with identity and authentication, experts agree.

"Once you start on the roller coaster of making deals with SaaS vendors and enabling SaaS applications, IT groups want to be able to provision and control things like user permissions and password resets for those external applications," Maler says.

Cloud identity providers such as OneLogin, Ping Identity, Symplified, and Okta do just that: synchronize with Microsoft's Active Directory or other LDAP repositories, allow companies to manage local and Web-based access permissions together, and enable single sign-on to SaaS applications.

Kerrest, Okta's COO, says that customers use his company's technology in different ways. Some see it as a way to tame rampant SaaS adoption, using Okta's Web portal as a gateway to IT-sanctioned SaaS applications. Others take an "all comers" approach, allowing employees to use whatever SaaS applications they deem relevant to their work — but use Okta to tie those applications back to the company's existing identity infrastructure.

Shire was in the latter group, according to Litterer. The company has about 6,000 employees working from offices in the United States and Europe, as well as a roving staff of medical sales representatives. Behind the scenes, the company still relies on Active Directory as its sole identity management platform and doesn't plan on investing in a larger enterprise identity management platform.

Litterer says that deploying Okta to manage the cloud applications his employees used was easy. An Okta Active Directory agent with access to the local domain controller connected the Active Directory instance with Shire's Okta instance in the cloud. Once Active Directory user accounts are imported, Okta uses matching algorithms to link Active Directory user accounts to existing Okta user accounts as well as any accounts in other SaaS applications.

But the ease of that transition revealed faults in the company's Active Directory configuration, including orphaned accounts and user groups that had to be sorted out after the fact, says Litterer.

Shire found that support for the SAML 2.0 standard, which is used to exchange authentication information between Web domains, was uneven. "Some get it and some are new to it," Litterer says. That can add to the time and effort to get those applications working with a cloud-identity platform that uses SAML for single sign-on and user management.

Finally, Litterer says that Shire's Okta deployment has gone off almost without a hitch. He notes only one or two hiccups in almost two years since the company went live with the cloud-based identity management technology. Unfortunately, when problems do crop up, the distributed nature of cloud identity platforms can make it difficult to troubleshoot.

"If you have an issue with authentication that arises in an application integrated with Okta, it can be difficult to figure out where the problem is occurring," he observes. "Is it Okta or did the cloud guys not provision the user correctly? Did someone change a name but not change it in Active Directory? If so, that's not an Okta problem."

"Don't underestimate the support process flow," Litterer warns. "You have homework to do, which is figuring out where things might fail, how they might fail and who is responsible for handling the issue."
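The access-matrix audit recommended in the identity management article (find accounts that should have been deleted, accounts with overly broad access, and missing accounts, with service accounts included in the matrix) and the directory-to-SaaS matching that surfaced orphaned accounts when Shire connected Active Directory to its cloud identity platform are the same reconciliation. The Python below is an added example written for this page; it is not Okta's matching algorithm and not Shire's data. The Active Directory export, the SaaS account lists and the role matrix are all constructed, and matching is done on the directory userPrincipalName against the SaaS login, the simplest rule a sync agent could use. A login that no longer matches a renamed directory entry, the situation Litterer describes, lands in the "unmatched" bucket for a human to resolve rather than being silently treated as an orphan.

```python
"""Access-matrix audit: reconcile a directory export against SaaS account
lists (added example; all data constructed).

Findings reported:
  orphaned     SaaS account whose directory user exists but is disabled
  unmatched    SaaS login with no directory user at all (stale account or a
               rename that was not propagated; needs a human decision)
  overly_broad privilege higher than, or different from, what the role
               matrix grants the user's groups (service accounts included)
  missing      enabled directory user entitled by group but with no account
"""

# Constructed Active Directory export: userPrincipalName, status, groups.
AD_USERS = [
    {"upn": "alice@example.com",     "enabled": True,  "groups": {"finance"}},
    {"upn": "bob@example.com",       "enabled": True,  "groups": {"sales"}},
    {"upn": "carol@example.com",     "enabled": False, "groups": {"finance"}},  # left the company
    {"upn": "dan.smith@example.com", "enabled": True,  "groups": {"finance"}},  # renamed in AD
]

# Constructed account lists pulled from two SaaS applications.
SAAS_ACCOUNTS = {
    "expense-saas": [
        {"login": "alice@example.com",   "privilege": "approver"},
        {"login": "carol@example.com",   "privilege": "approver"},  # disabled in AD
        {"login": "bob@example.com",     "privilege": "admin"},     # sales rep with admin
        {"login": "d.smith@example.com", "privilege": "approver"},  # old login, AD renamed
        {"login": "svc-cms",             "privilege": "admin"},     # service account
    ],
    "crm-saas": [
        {"login": "bob@example.com", "privilege": "rep"},
    ],
}

# Role matrix: for each application, which group (or service account) should
# hold which privilege. The CMS service account is in the matrix too, as the
# identity management article recommends for accounts used by other systems.
ROLE_MATRIX = {
    "expense-saas": {"finance": "approver", "sales": "submitter", "svc-cms": "reader"},
    "crm-saas":     {"sales": "rep"},
}
SERVICE_ACCOUNTS = {"svc-cms"}


def reconcile(ad_users, saas_accounts, matrix, service_accounts):
    """Return {category: sorted list of finding tuples}."""
    by_upn = {u["upn"].lower(): u for u in ad_users}   # UPN matching is case-insensitive
    findings = {k: [] for k in ("orphaned", "unmatched", "overly_broad", "missing")}

    for app, accounts in saas_accounts.items():
        expected = matrix.get(app, {})
        seen = set()
        for acct in accounts:
            login = acct["login"].lower()
            seen.add(login)

            if login in service_accounts:
                allowed = expected.get(login, "(none)")
                if acct["privilege"] != allowed:
                    findings["overly_broad"].append((app, login, acct["privilege"], allowed))
                continue

            user = by_upn.get(login)
            if user is None:
                findings["unmatched"].append((app, login))
                continue
            if not user["enabled"]:
                findings["orphaned"].append((app, login))
                continue

            # Privileges the matrix grants this user via any of its groups.
            allowed = {expected[g] for g in user["groups"] if g in expected}
            if acct["privilege"] not in allowed:
                findings["overly_broad"].append(
                    (app, login, acct["privilege"], ", ".join(sorted(allowed)) or "(none)"))

        # Entitled by group, enabled, but no account in this application.
        for user in ad_users:
            entitled = any(g in expected for g in user["groups"])
            if user["enabled"] and entitled and user["upn"].lower() not in seen:
                findings["missing"].append((app, user["upn"].lower()))

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in reconcile(AD_USERS, SAAS_ACCOUNTS, ROLE_MATRIX, SERVICE_ACCOUNTS).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the constructed data the audit reports carol's approver account as orphaned, bob's admin privilege and the CMS service account's admin privilege as overly broad, the old d.smith login as unmatched, and dan.smith as missing an expense-saas account. Run against a real export, the "unmatched" and "missing" lists for the same person are the clue that a rename was applied in one place but not the other, which is exactly the troubleshooting question Litterer raises.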

Digital Spotlight | CLOUD SECURITY | WINTER 2014 infoworld.com 15 CLOUD SECURITY SPOTLIGHT DIGITAL

ing the migration from tradition- complex infrastructure to also pull mote workers more flexibility in the al client/server applications for in cloud-based resources and SaaS kinds of software tools they use and functions like human resources applications than it is to go the other the manner in which they use them. to cloud-based alternatives, even “We’re way, he said. That was the goal be- The result may be akin to the for internal users. However, the hind EMC’s purchase of Aveksa, a old Maoist adage of letting a thou- company has yet to expand Okta looking company Taneja founded last July. sand flowers bloom, says Forrester’s to manage internal applications, very hard at “We’re looking very hard at ex- Maler. Cloud-based tools will end including the company’s Microsoft panding our reach aggressively into up enabling innovation at the line-of- SharePoint deployments. “We just expanding the cloud in all different dimen- business or even the department level. haven’t had a clear business case to sions,” he says. “But its a lot easier By reducing the friction for smaller do that,” Litterer says. our reach to go out to the cloud when we have groups within an organization to “When you look at companies with aggressively a strong hand on complexity inside experiment (and succeed) with tech- ten thousand or twenty thousand em- the firewall.” nology deployments, companies may ployees, things haven’t changed a lot,” into the actually find they achieve better secu- says Deepak Taneja, CTO of Identity cloud in all The long march rity through less discipline, not more. at RSA. Most mature enterprises have The monolithic, brittle identity As low-hanging fruit such as en- hundreds of applications operating different management infrastructure that terprise single sign-on, and central inside the firewall. 
They might also dimensions.” has become common in the past 20 user and identity management get have scores of SaaS applications, but years won’t disappear overnight, but checked off the list, companies can the core challenges are the same: user — DEEPAK TANEJA, it will eventually be replaced. finally move on to real transforma- authentication, authorization, single CIO of Identity, RSA “I don’t know why anyone would tion: removing identity barriers that sign-on for applications, provisioning want to set up and maintain their own separate businesses from their part- and deprovisioning, and policy en- [identity] infrastructure and maintain ners and suppliers from their custom- forcement, Taneja says. internally if you don’t have to,” says ers, fostering ever deeper and more There’s no doubt that changing Litterer of Shire Pharmaceuticals. powerful collaboration. technology use patterns – mobility Cloud-based identity tools that chief among them – mean changes make it easy to manage cloud-based Paul F Roberts is Editor-in-Chief of The to the way authentication is done. resources today will, in the near fu- Security Ledger, an independent security But it’s easier to extend technology ture, expand to cover both cloud and news website, and is a former Senior Edi- capable of managing that kind of on-premises applications, giving re- tor for InfoWorld.
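The account-matching step and the troubleshooting questions in the Shire case above (was the user never provisioned in the application, did a name change in one place only, is there an orphaned account nobody owns) all come down to reconciling the directory against each application’s user list. The Go program below is an added example written for this page; it is not Okta’s matching algorithm and nothing in it comes from Shire. It joins two constructed user exports, one from Active Directory and one from a SaaS application (the field names, logins and sample people are assumptions), on a normalized login and sorts every account into the bucket a help-desk ticket would need. The bucket that matters most for security is the one the quoted questions skip: an account that is disabled in the directory but still active in the application, which is exactly the deprovisioning gap Taneja lists among the core challenges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Account is the minimal shape shared by a directory export and a
// SaaS user export. The field names are assumptions for this example.
type Account struct {
	Login   string // UPN or e-mail address, used as the join key
	Name    string // display name, compared to detect attribute drift
	Enabled bool
}

// Report buckets every account by what a support ticket would need to know.
type Report struct {
	Matched        []string // present and consistent on both sides
	NotProvisioned []string // enabled in AD, missing in the app: provisioning failed
	Orphaned       []string // in the app, unknown to AD: local account or leftover
	StaleInApp     []string // disabled in AD but still active in the app: deprovisioning gap
	NameMismatch   []string // same login, different display name: changed in one place only
}

// key normalizes a login so "Bob@Example.com" and "bob@example.com" match.
func key(login string) string { return strings.ToLower(strings.TrimSpace(login)) }

// Reconcile joins the two exports on the normalized login and classifies each account.
func Reconcile(directory, app []Account) Report {
	var r Report
	inApp := make(map[string]Account, len(app))
	for _, a := range app {
		inApp[key(a.Login)] = a
	}
	seen := make(map[string]bool)
	for _, d := range directory {
		k := key(d.Login)
		seen[k] = true
		a, ok := inApp[k]
		switch {
		case !ok && d.Enabled:
			r.NotProvisioned = append(r.NotProvisioned, k)
		case !ok:
			// disabled in AD and absent from the app: nothing to do
		case !d.Enabled && a.Enabled:
			r.StaleInApp = append(r.StaleInApp, k)
		case !strings.EqualFold(d.Name, a.Name):
			r.NameMismatch = append(r.NameMismatch, k)
		default:
			r.Matched = append(r.Matched, k)
		}
	}
	for k := range inApp {
		if !seen[k] {
			r.Orphaned = append(r.Orphaned, k)
		}
	}
	// Sort each bucket so the report is stable regardless of map iteration order.
	for _, bucket := range [][]string{r.Matched, r.NotProvisioned, r.Orphaned, r.StaleInApp, r.NameMismatch} {
		sort.Strings(bucket)
	}
	return r
}

// Constructed sample exports; every login and name here is invented for the example.
var sampleDirectory = []Account{
	{"alice@example.com", "Alice Adams", true},
	{"Bob@example.com", "Bob Baker", true},
	{"carol@example.com", "Carol Chen", true},
	{"dave@example.com", "Dave Diaz", false}, // left the company, disabled in AD
	{"erin@example.com", "Erin Evans", false},
}

var sampleApp = []Account{
	{"alice@example.com", "Alice Adams", true},
	{"bob@example.com", "Bob Baker-Smith", true}, // name changed in the app only
	{"dave@example.com", "Dave Diaz", true},      // never deprovisioned downstream
	{"mallory@example.com", "Mallory", true},     // unknown to the directory
}

func main() {
	r := Reconcile(sampleDirectory, sampleApp)
	fmt.Printf("matched:         %v\n", r.Matched)
	fmt.Printf("not provisioned: %v\n", r.NotProvisioned)
	fmt.Printf("orphaned:        %v\n", r.Orphaned)
	fmt.Printf("stale in app:    %v\n", r.StaleInApp)
	fmt.Printf("name mismatch:   %v\n", r.NameMismatch)
}
```

Run against the constructed data, the report puts alice in matched, carol in not provisioned, mallory in orphaned, dave in stale-in-app and bob in name mismatch, which maps one-to-one onto the questions Litterer says a support process has to answer. The same join works against a real AD export and an application’s user list, provided both sides agree on which attribute is the login; when they do not, that disagreement is itself the first thing to fix.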


Practical cloud encryption solutions

BY ROGER A. GRIMES

Encryption as a defense against snooping is on everyone’s mind, thanks to the excesses of the NSA. For cloud customers, this has already resulted in a wider array of encryption solutions to choose from.

IF ENCRYPTION HADN’T already existed, cloud computing would have had to invent it. Clouds are the equivalent of public utilities, where multiple customers share the same resources and frequently upload or gather valuable data in the process. Such an environment demands data encryption, so that customers needn’t fear exposing data to others, either by accident or via the designs of malicious hackers or overzealous government agencies.

We’re accustomed to encryption “in transit,” such as an SSL/TLS connection between a user’s browser and an e-commerce site. The cloud complicates matters, because some quantity of a cloud customer’s data is almost always stored in the cloud, demanding encryption “at rest” as well. Clouds are Internet-accessible, multitenanted, accessed via shared authentication schemes, and widely distributed (often to locations unknown and uncontrollable by the customer). These attributes combine to make it harder to secure data for both the cloud vendor and the customer.

In 2013, cloud providers were given an added push to increase cloud security. The general public was shocked to learn that many cloud vendors were forced, in some cases tens of thousands of times a year, to provide customer data to requesting legal parties, and were often prevented from telling customers. Further, it was divulged that the NSA had the expertise and technology to intercept the data, even when the customer was told it was secure. Cloud vendors responded to the ensuing outcry by saying that they had to follow the law.

Not surprisingly, this did not satisfy customers. The lack of guaranteed data privacy was a deal breaker. Cloud vendors saw this for what it was — a very large existential threat — and quickly began beefing up existing encryption services and offering new ones. Consequently, cloud customers now must contend with a very quickly evolving set of encryption options.

WHAT TO LOOK FOR IN CLOUD DATA ENCRYPTION

Encryption can never be completely unbreakable. However, it can be a highly effective deterrent depending on its attributes. The following features should be in place, documented, and easily discoverable:

End-to-end protection

Confidential data must be encrypted at rest and in transit. Many vendors promise this, but don’t quite spell out what it means. Some vendors encrypt data only when it’s stored on their hard drives, and even then it may spend a certain amount of time in an unencrypted state — for example, data may be decrypted when retrieved or when being indexed.

Ultimately, all private data should be encrypted end to end, preferably from the moment it is created until the moment it is destroyed. If that’s not possible, get as close as you can.

Of course, all data must eventually be decrypted in order for it to be used. The question is when and where that decryption takes place. The closer it is to the customer’s computers the better. It’s important to ask the cloud vendor who on staff can possibly see the data in an unencrypted state. Their answer should be “no one” or at least “limited to a very few.” And of course, you don’t want other cloud tenants to see your data — and that means no shared encryption keys between tenants.

The best encryption solutions do not let the cloud vendor ever see the data in an unprotected state. This not only protects both the vendor and customer, but also significantly decreases the chance that other parties, legal or not, will try to access the cloud data. If it’s encrypted and inaccessible to the cloud vendor, it’s probably worthless to the third party as well.

Proven crypto only, please

Encryption solutions should use industry-accepted, publicly known, and reviewed ciphers. Cloud vendors claiming to have invented their own “unbreakable” ciphers should be avoided like the plague. Good encryption is hard and must undergo lengthy public peer review in order to be considered for protecting data. Cipher key sizes must be sufficient to protect the data for the desired length of time. Today, this typically means symmetric key sizes of 256 bits or more, and public-key sizes of 2048 bits for traditional public-key algorithms like RSA and Diffie-Hellman, or 384 bits for elliptic curve cryptography (ECC).

Key management is crucial

Many encryption solutions succeed or fail on how well they manage the digital keys. Who creates the keys and where are they stored? The best solutions allow the customers to create and keep private keys. How are they stored? Are they protected by a hardware security module, smartcard, or some other multifactor authentication method? How often are keys updated, and who can initiate? Who has a copy of the keys? You should always have at least one backup of all private encryption keys that are used to protect data at rest. What are the key revocation procedures? Who can request revocation and what actions require revocation? Who performs it? How long does it take? Anytime you have an encryption solution you need to answer these key management questions before enabling it.

Coverage

It’s important to understand what an encryption solution covers. Not only what data is encrypted and when, but what devices are included. What devices can create and read content that’s encrypted? Does it cover multiple computer operating systems, multiple computer platforms, and multiple mobile device types, or just one? If multiple device coverage is allowed, how do encryption keys get created and communicated to the devices? If a person encrypts data on one device can they readily decrypt on another device? Do devices need shared keys? These are the sorts of questions that need to be answered.

Transparency

Whatever cloud encryption solution you choose, you should have a full understanding of how the encryption works. It’s no longer acceptable for a cloud vendor to tell you they have the encryption handled and not to worry about the details. You want the details in writing.

TYPES OF CLOUD ENCRYPTION SOLUTIONS

Cloud encryption solutions come in three basic types: customer encryption, encryption provided by the cloud vendor, and third-party encryption.

Encrypted by the customer

The strongest encryption solutions with the most customer control are those completely controlled by the customer. In these scenarios, the customer encrypts the data before it is ever shipped into the cloud. Because the cloud vendor and their other tenants don’t have the decryption keys, it’s never a possibility that the vendor will see the data or be forced to disclose it to third parties.

A very basic customer encryption solution could be accomplished by archiving data into single, larger files, and then encrypting and password-protecting the data during the archival. Many archival programs (PKZIP, etc.) offer this feature. Be sure to enable the strong (AES) encryption rather than the legacy ZIP 2.0 scheme, which is known to be weak, and use passwords that are 15 characters or longer and use complexity (i.e. multiple character sets). Then upload the encrypted data archive into the cloud.

Most customers prefer a process much more automated. This can be accomplished by building the encryption routine into the customer program before interfacing with the cloud service, or by utilizing built-in encryption routines that are part of the programs you are already using. For example, most database programs offer per-database, per-table, or field-level encryption. Enable that encryption so that data is encrypted locally before being shipped off into the cloud.

The drawbacks of customer-side data encryption mostly boil down to key management. When you create or use your own encryption, it’s up to you to keep track of all encryption keys and/or passwords. For some this responsibility is highly desirable. For others, key management is an unwelcome chore which, if accepted grudgingly, will be performed poorly. Remember: If you opt for customer-side encryption you are accepting all the responsibility and accountability.

Encryption by the cloud provider

Most cloud customers leave all the encryption to the cloud provider. Luckily, cloud providers are both getting better at default encryption and offering more of it. Nonetheless, have a close look at the above “What to look for” section and make sure your provider can meet your requirements.

Some customers combine customer-initiated encryption with encryption offered by a provider, essentially yielding double encryption. While double encryption is not normally needed — especially in a high-functioning, fully documented cloud encryption system — some choose to be safe instead of sorry. You may trust your cloud provider, but it’s impossible to verify provider claims about encryption capabilities down to the last detail. That’s simply the nature of the cloud.

Encryption by a third party

In response to recent privacy violations, many third parties now offer encryption services to customers and cloud providers alike. Their solutions may be installed at each supported client end-point device, on an intermediate proxy gateway, or as an additional feature on the cloud provider’s platform. A third-party solution can be easier to evaluate — at least, when you can get your hands on the encryption software and examine it yourself — but you still have to take it on faith that the provider has properly implemented the solution in the cloud.

No matter which encryption solution type you use, you need to ensure all your requirements are met and that the capabilities are fully documented. It’s a big cloud out there, and if recent events have taught us anything, it’s that other people want to look at your data. It’s your job to make that as hard as possible.

Roger A. Grimes is a longtime contributing editor to InfoWorld who posts to his Security Adviser blog every Tuesday. A Principal Security Architect for Microsoft, he holds over 40 certifications and has written eight books on computer security.
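The “Encrypted by the customer” and “Key management is crucial” sections above describe the goal without showing the mechanics, so here is an added example, written for this page and not taken from any vendor’s product. It is the envelope pattern a practitioner would build into the customer program before it talks to the cloud service: each object is encrypted on the customer side with AES-256-GCM under a fresh per-object data key, that data key is wrapped with a customer-held 2048-bit RSA key using OAEP, and the object name is bound into both layers so a stored blob cannot be swapped between objects. The provider only ever receives the wrapped key and the ciphertext. Rewrap answers the key-rotation question from the key-management list: the customer key can be replaced without downloading and re-encrypting the data. The object name and sample record are constructed; the key sizes follow the article’s guidance; and the private key is held in memory here, whereas in practice it belongs in a hardware security module or smartcard, as the article recommends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Blob is what the cloud provider stores. Everything in it is either
// ciphertext or public metadata; the data key is present only in wrapped form.
type Blob struct {
	WrappedKey []byte // 256-bit AES key, RSA-OAEP wrapped to the customer's public key
	Nonce      []byte // 96-bit GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

const keySize = 32 // 256-bit symmetric key, per the key-size guidance in the article

// NewCustomerKey generates the customer-held 2048-bit RSA key pair. The private
// half never leaves the customer; here it is in memory for the example only.
func NewCustomerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals plaintext locally before upload. objectName is bound as GCM
// additional data and as the OAEP label, so a blob only opens under its own name.
func Encrypt(pub *rsa.PublicKey, objectName string, plaintext []byte) (*Blob, error) {
	dataKey := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Blob{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(objectName)),
	}, nil
}

// Decrypt runs on any device holding the customer's private key; the provider
// never sees dataKey or plaintext. A modified ciphertext, nonce or object name
// fails authentication instead of yielding garbage.
func Decrypt(priv *rsa.PrivateKey, objectName string, b *Blob) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key (wrong customer key or object name): %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(objectName))
}

// Rewrap rotates the customer key: the data key is unwrapped with the old private
// key and wrapped to the new public key. The ciphertext is untouched, so rotation
// does not require downloading and re-encrypting the stored data.
func Rewrap(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, objectName string, b *Blob) (*Blob, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, oldPriv, b.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newPub, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedKey: wrapped, Nonce: b.Nonce, Ciphertext: b.Ciphertext}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewCustomerKey()
	blob, _ := Encrypt(&key.PublicKey, "reports/q3.csv", []byte("constructed sample record"))
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-key bytes\n", len(blob.Ciphertext), len(blob.WrappedKey))
	pt, err := Decrypt(key, "reports/q3.csv", blob)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
}
```

Two caveats that follow from the article’s own key-management questions: Rewrap only helps for a planned rotation. If the old private key was actually exposed, the data keys it protected must be treated as exposed too, and the objects re-encrypted under new data keys, not merely rewrapped. And a backup of the private key is mandatory, as the article says, because every wrapped data key, and therefore every stored object, is unrecoverable without it.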

InfoWorld, www.infoworld.com. © IDG Communications Inc. 2014
