As information security program managers begin the new year, it's common practice to identify the key themes that will affect an enterprise security strategy.
However, there's one theme that arguably stands out above all others: cloud computing. The tough economic climate does help make the case for cloud computing very persuasive. Because on-demand resources are dynamically scalable and flexible, they have been the hot topic of 2009 and will always be attractive to businesses large and small. Whatever the state of the economy during 2010, cloud computing will surely continue to change the way we do IT.
For everyone involved in trying to protect their organizations' network users and data, a move to cloud computing will present a huge change and challenge. Compliance regulations will most likely prevent an enterprise from moving all its data and operations to the cloud, so the transition is in fact an additional security challenge on top of protecting existing network infrastructures. Moving to the cloud requires data and applications to be placed outside the comfort zone of well-established perimeter defenses and physical access controls. An increasing number of users who don't come under the controls of HR, such as suppliers, clients and partners, will access your data via Web-based collaboration tools. IT administrators already struggle with the task of securing mobile users who access corporate networks, but cloud computing is on a different scale altogether.
For me, one of the key security challenges is how to efficiently manage and enforce access control for employees, customers and partners beyond the enterprise firewall. Cloud computing turns us all into remote workers, and cloud applications and data, by definition, are outside the enterprise. This means that you can no longer rely on multiple layers of authentication, firewalls and other perimeter defenses to do the job for you.
Strategically, managing these challenges requires a number of actions. HR security policies must be reviewed and tightened up so they enforce robust lifecycle management of users. A detailed identity and access management strategy must also be put in place, one that makes full use of federated identity management, an arrangement that enables users to securely access data or systems across autonomous security domains. I recommend enabling single sign-on (SSO) within your own enterprise applications and leveraging this architecture to simplify cloud provider integration and implementation.
Cloud computing also requires an even greater reliance on Internet connections, so even smaller operations will need to establish some form of redundancy to ensure data and applications are available at all times. Despite the hype, cloud services are still quite immature, with many experiencing outages of some form or another. Some could easily go bust; it's a new industry in a fragile economic environment. Multiple service providers will give you better network diversity and business continuity, so any cloud-based project should employ applications and data structures that are vendor-neutral. This includes backups in a cloud-independent format, and one independent of the machine image, too. You need to make the transition as straightforward as possible or have contingency plans to pull operations back to an internally hosted cloud. Although cloud computing may reduce certain continuity concerns, it will never eliminate the need for well-tested business continuity plans.
In the near future, cloud-based services and cloud computing technology will come under increased and prolonged attack because they're attractive targets for hackers and cyberterrorists. Building a data encryption strategy and implementing technology to support it, therefore, is the best proactive defense. Encrypted data is intrinsically protected, which is why so many laws and regulations mandate the practice. All data and communications should be encrypted, even if other services protect them. Encryption also allows you to separate roles and data as encryption keys control access to your data.
The new year will certainly see many new cloud-based services coming online, many offering substantial economic benefits for enterprises. Some will no doubt change long-established risk-reward relationships, and you will need to review your organization's business strategy and appetite for risk when assessing the ROI of a switch to a cloud-based service. Cloud computing is changing IT, so in 2010, be sure to consider how to embed security into any new business processes so that infrastructure, data and users remain protected.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.