CIOs and chief information security officers (CISOs) are under pressure to redesign their information security practices to accommodate a new business paradigm: virtual cloud computing environments, in which resources are shared and transferable.
These technology executives are setting new policies and investing in new technologies to account for the elasticity, self-service provisioning and shared data infrastructure of both public and private clouds. New policies and systems are being designed for identity management as users tap third-party services beyond the firewall -- or even inside it -- to collaborate in this shared environment. In addition, new boundaries for data security and privacy monitoring need to be established that keep in mind how moving to a virtual cloud environment will affect regulatory compliance.
The use of the cloud hasn't ventured into the public realm at Waltham, Mass.-based Raytheon Co. The defense manufacturer is developing a shared, private "cloud-type service" for the cost savings that can be realized if it and its partners can test, build and collaborate on new programs or products for the likes of the U.S. Air Force, Army or Navy.
"As far as security concerns and controls [in a virtual cloud computing environment], it's a lot more complicated," said Michael Daly, deputy CISO and director of IT services at Raytheon. "Instead of just managing simple change controls, there's a lot of faith and finger-crossing going around: 'Hey, did the firewall controls move along with [the data or service]? Did it maintain the [security] keys to handle the encryption as these virtual machines were spawned and disappeared?'"
Like many other IT executives, at this point, Daly has more questions than answers when it comes to securing a shared environment: With projects spinning up and shutting down, how does a company know who needs access to which information? Does the user have the right access to it? How do all the parties involved in doing development on the private cloud come to an agreement on deprovisioning users? This situation transcends the cloud model. The cloud is a byproduct or a means to an end in what the business model is moving to: businesses sharing resources to develop products and services in a collaborative environment, he said.
Identity management inside and out
Business users are bypassing the IT department to sign up for virtual cloud computing services. So the question becomes, who has the right to dial a cloud service up and down?
The IT team at New York Life Retirement Plan Services (RPS), a Westwood, Mass.-based division of New York Life Investment Management LLC, has opted to block access to third-party virtual cloud computing services, and educate users on the risk of moving information off its own network.
"I know that it's very easy [for a user] to move to a cloud service, but with that comes a lot of risk," said Neal Ramasamy, managing director and CIO at New York Life RPS. "I sit down with the requestor to see why they are going to a third-party cloud. My goal is not to have four different [cloud providers] but to pick one for our corporate strategy."
When Raytheon's IT department tags a third-party cloud service request, Daly and his team explain such things as why it isn't a good idea to upload a document to Google Apps. They then show the business user other secure options, such as the company's approved EMC Corp. Documentum system.
"We deal with ITAR [International Traffic in Arms Regulations] and other regulations, so we see where people are uploading documents and information to Google and other things, and we need to show people the right way to do it," Daly said.
Because Raytheon is moving to a private cloud, a federated identity management system is being built. This means that Raytheon will authenticate its own employees, but corporations joining in on developing projects will be responsible for their own authentication.
It might sound simple, but it's not. "We all have to come to a legal agreement between us and our [cloud] development partners to say, 'OK, if we're going to check identity, you'll do it the same way,' because that isn't always the case," Daly said.
Containing risk is the idea behind private clouds, but even within a private cloud community, companies need to deal with segregation, compartmentalization, and onboarding and deprovisioning of users. "You really need to know what your ultimate boundary is to minimize your risk," Daly said. "We don't need everyone on the planet to have the opportunity to sign up for our cloud service on our programs, so physical security and more traditional IT security firewall rules are really important."
Even these precautions do not keep compliance in mind, however. "Vendors talk about follow-me data that follows the user [through a federated identity], using encryption to get data to different places, but what CIOs need to think about is follow-me compliance in the cloud," said Chris Wolf, a research vice president at Gartner Inc. in Stamford, Conn. "Sometimes sensitive data can't cross a border."
And before an enterprise can begin to think about deploying security practices around a cloud service, it should ask, "What is the outsourced application used for?" and "Who is going to use it?" said Richard E. Mackey, vice president at Sudbury, Mass.-based SystemExperts Corp. "When someone calls it the cloud, there are a lot of variables in determining your security that are completely different depending on which model you are deploying: private, Software as a Service, Infrastructure as a Service or Platform as a Service."
Beholden to cloud providers' security practices
Choosing a cloud provider is akin to marrying one, in that the customer uses the systems and the security policies the provider has decided on.
How an enterprise monitors user access to a virtual cloud computing service depends on the interfaces the cloud provider gives it. "How are [the cloud providers] making sure that the user is really the user, before a request comes back and hits your network?" Mackey said. "Another scenario is that some services allow you to use your Google or Facebook account to sign in for a service. That doesn't go through [Active Directory] directly, unless you design it to."
New York Life RPS' Ramasamy might consider a cloud provider for noncritical services like email and Web services, he said, but he wants to know whether the cloud provider would set the company up with a private cloud, in which no one else can come into the environment. If the environment is shared, how will resources be shared and who might be sitting on that adjoining resource set? What security audit does the provider go through, and with which part of international security mandates does the provider comply?
Willingness to be flexible during contract negotiations will be a deciding factor in the cloud provider his company selects, Raytheon's Daly said. "I don't want to have to tell [the business] that they can't outsource something because we will lose protections if we do so, so I have to make sure that we can change our password complexity [with the provider] if we need to, or change our encryption to 356-bit. Flexibility is a huge element of contract management when you shift over to cloud security."
One more takeaway: If an enterprise is going to leave the security of its data up to someone else, it needs a way of measuring the security performance of that environment. "If the provider won't let you do that, you probably don't want to get into an arrangement with them," Daly said.
Let us know what you think about the story; email Christina Torode, News Director.