
Cloud security begins with infrastructure assessment

By Eric Ogren
10 Jun 2009 | SearchSecurity.com



Security professionals are facing the difficult challenge of extending security requirements to take advantage of cloud computing and software-as-a-service applications.

Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility.

Research firm IDC predicts that 76% of U.S. organizations will use at least one SaaS-delivered application for business use by the close of 2009. Adoption of cloud-based services is being driven by business performance benefits and realized cost efficiencies. This isn't new for those of us in IT. Mission-critical information is already handled in the cloud for companies that outsource email services or maintain customer information in CRM systems such as Salesforce.com. The challenge for security teams is to safely integrate extended cloud capabilities into corporate policies and procedures.

Forrester recommends the usual checklist of cloud security requirements that any enterprise would have for internally hosted applications: authenticate users and control access to applications, tightly log and audit privileged operations, protect sensitive data to prevent loss and meet compliance mandates, and reduce risk with rigorous vulnerability management. Take into account differences in the SaaS vendor's infrastructure and business practices when evaluating the sensitivity to security. For instance, expect the cloud vendor to be replicating data between data centers for performance and business continuity, and expect to have a degree of shared resources with virtualized application environments.

A certain amount of due diligence is necessary before choosing a cloud business partner. That due diligence should include:

  • Integrate the boundaries between enterprise systems, cloud services, and the end user. In a SaaS operation, enterprise data, identities and authorizations have to flow easily between enterprise storage and cloud storage. This is essential to initially populate the system, to move data when migrating to another vendor and to manage changes in the business structure. Have security and application architects review APIs and the interchange process to protect authentication strength and sustain data integrity.

  • Implement a process of regular update reviews of the cloud service technology and best practices, even extending participation in staff meetings to the cloud partner. The enterprise may be exposed to undesirable side effects, or may be slow adapting to new features, as the SaaS vendor improves their service delivery capability to grow their business. Coordination between organizations requires more effort and discipline to comment on interface plans, coordinate application release cycles, and review audit logs to avoid unpleasant surprises.

  • Focus on data security. Sensitive data can linger in third party archive vaults, end-user laptops and cloud vendor data centers. For instance, periodically ask for and inspect copies of data archives to reduce the risk of business disruption when switching vendors at the end of the agreement and require joint audit reviews to keep security efforts coordinated.

Businesses frequently take advantage of external services for special processing and/or access efficiencies. Manage the security risks to the organization by paying special attention to the new boundary conditions as data and access control policies are shared between the enterprise, SaaS vendor, and end-users.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
