Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Expo on Google News
SYS-CON.TV
Cloud Expo & Virtualization 2009 East
PLATINUM SPONSORS:
IBM
Smarter Business Solutions Through Dynamic Infrastructure
IBM
Smarter Insights: How the CIO Becomes a Hero Again
Microsoft
Windows Azure
GOLD SPONSORS:
Appsense
Why VDI?
CA
Maximizing the Business Value of Virtualization in Enterprise and Cloud Computing Environments
ExactTarget
Messaging in the Cloud - Email, SMS and Voice
Freedom OSS
Stairway to the Cloud
Sun
Sun's Incubation Platform: Helping Startups Serve the Enterprise
POWER PANELS:
Cloud Computing & Enterprise IT: Cost & Operational Benefits
How and Why is a Flexible IT Infrastructure the Key To the Future?
Click For 2008 West
Event Webcasts
Bucking the Trend: How Security Will Drive Cloud Adoption, Not Hinder It
Security, when done properly, is an argument in favor of cloud adoption

Security Track at Cloud Expo

If you've investigated cloud computing even a little bit, you've encountered story after story about how security is slowing adoption. There is some truth beneath all of the hand wringing, but not nearly as much as you'd think.

When deployed correctly, security should drive cloud adoption, rather than impede it.

Large cloud providers, such as Amazon, Google and Salesforce.com, have many more security tools in their data protection toolbox than you do. They have many dedicated security pros on staff, data centers that can withstand natural disasters, stringent security policies and procedures and the most up-to-date security solutions.

Why All the Doom and Gloom, Then?
Bad news sells. Whether it's an analyst report or an industry publication, fear-based headlines attract attention. Security vendors themselves are guilty of hyping the problem, hoping to push more product.

One recent op-ed by a VP from a very prominent security vendor noted that cloud applications are only as strong as "your weakest password." Um, that's not a cloud security problem; that's an access/authentication problem. You can say this exact same thing about any type of data in any storage medium with any sort of connection to the outside world. *

Similarly, a recent Forrester research report * noted that those moving to the cloud need to worry about identity management, compliance and disaster recovery.

Again, these are in no way specific to the cloud. These are general business computing issues.

This is not to say that there are not actual cloud security concerns. There are, and I'll get to some in a moment. However, for every cloud security issue, there is a corresponding security tool to address it - even though the hype would have you believe otherwise.

How Did We Get into This Mess in the First Place?
Simple: as with so many technologies that came before, developers created the applications first (or cloud-enabled existing ones) and left security concerns for later.

Fortunately, many security issues are being solved for you even as you read this story. All of the big cloud vendors are hyper-aware of the need to lock down their customers' data. All of them have best practices in place and a slew of security tools wrapped around their services designed to protect the integrity of your data.

Unfortunately, the cloud providers can't solve everything. The one fundamental security issue that you must solve for yourself is identity. Application access and the integrity of users' identities, as well as their roles and privileges, must be tackled by the enterprise.

Cloud providers can only do what you tell them to when it comes to identity enforcement. They can grant access to those who you've given credentials to and block all others, but if you don't have solid identity enforcement in place, there's not much they can do about it.

This is where many organizations falter. Using the same logic that drove people to cloud-enable applications before figuring out the security ramifications, many organizations have decided to synch identities to the cloud. Bad idea. Now, instead of protecting one identity directory, you must defend, patch and manage two, and you've doubled your risks.

The second misguided option that organizations consider is forklifting their entire infrastructure, including identity management, to the cloud. In this age of outsourcing, there is some herd-mentality logic to this line of thinking. However, I believe that identity is the absolute last thing you want to outsource.

Where Should You Draw the Line?
Nothing in the Internet age is 100% secure, but when you give away the keys to the front door, you better make sure the lock is sound and that only the people who are supposed to have keys actually get them.

If you give away your directory services, such as Active Directory or LDAP, you are basically ceding control over who gets keys and who doesn't.

Control over directory services, then, is where you draw the line.

Imagine what happens when something goes wrong. If identities are off in the cloud, you must trust that the identity provider is honest, forthcoming and quick in responding. If identities are in house, you track down those accountable and tell them they'll be working nights and weekends until the problem is solved.

Similarly, when identities are in house, your IT staff has much more power to enforce organizational policies when users stray away from best practices or concoct workarounds. If users screw up, IT shuts down their accounts, suspends privileges, requires password resets, etc.

Now imagine an even touchier scenario. A frisky IT pro suspends privileges to your CEO for bucking some security policy. With outsourced identities, your CEO (or most likely an executive secretary) wastes a lot of time on the phone trying to reach an overseas help desk to figure out the problem. When handled internally, the CEO is either granted an exception or brought up to speed on the importance of the policy by a colleague who understands your organization's bottom-line business concerns.

Other reasons to keep identities in house include maintaining compliance, avoiding vendor lock, protecting interoperability and avoiding opening yourself up to insider attacks from people who are actually outsiders to you.

Bridging the Enterprise to the Cloud by Becoming Your Own Identity Provider
The trouble with keeping directory services in house is that they were not designed for the cloud. However, this problem isn't nearly as big as it seems.

Most organizations are already under regulatory pressure to modernize authentication. What a few progressive identity enforcement providers are doing is hooking strong, multifactor authentication into directory services.

Because these new identity enforcement solutions are designed to be platform agnostic and to authenticate remote and mobile workers, they are perfectly situated to serve as a bridge between internal directories and public clouds.

Some of the big cloud providers, most notably Salesforce.com and Google, allow you to use an identity provider to enforce access and privileges. As a result, a bunch of small point solutions delivered as services have already popped up. Some of the vendors probably have staying power. Many do not.

However, there is no reason you can't act as your own identity provider. You've done it for years for client/server applications, and many organizations are already acting as an identity provider for internally hosted apps served up as a service to various departments, branches and partners, as well as to remote and mobile workers.

Instead of just authenticating users, you can control, manage and enforce user access, no matter where the users are or where the application data resides.

Returning to the title of this story, what does this all mean when it comes to cloud adoption? It means that security, when done properly, is an argument in favor of cloud adoption. The big providers have better resources to protect data than you do, while you have the ability to retain the control and management of your user base even as it accesses cloud-based applications.

You get the best of everything. Identities stay locked in house, data protection is improved and applications gain flexibility and operational efficiency by residing in the cloud.

About Craig Lund
Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges applications from the enterprise to the cloud through strong, flexible identity enforcement.

As chief executive officer, Craig is responsible for guiding the overall strategy and operations of MultiFactor Corporation. He is a seasoned veteran of high technology management with over 25 years experience managing high performing teams in some of the world’s leading technology companies and startups alike. Craig holds a bachelor’s of science degree in business administration from Utah State University.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Latest Cloud Developer Stories
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implement...
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jers...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitiga...
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With tec...
"Digital transformation - what we knew about it in the past has been redefined. Automation is going to play such a huge role in that because the culture, the technology, and the business operations are being shifted now," stated Brian Boeggeman, VP of Alliances & Partnerships at ...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021



SYS-CON Featured Whitepapers
ADS BY GOOGLE