Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Expo on Google News
SYS-CON.TV
Cloud Expo & Virtualization 2009 East
PLATINUM SPONSORS:
IBM
Smarter Business Solutions Through Dynamic Infrastructure
IBM
Smarter Insights: How the CIO Becomes a Hero Again
Microsoft
Windows Azure
GOLD SPONSORS:
Appsense
Why VDI?
CA
Maximizing the Business Value of Virtualization in Enterprise and Cloud Computing Environments
ExactTarget
Messaging in the Cloud - Email, SMS and Voice
Freedom OSS
Stairway to the Cloud
Sun
Sun's Incubation Platform: Helping Startups Serve the Enterprise
POWER PANELS:
Cloud Computing & Enterprise IT: Cost & Operational Benefits
How and Why is a Flexible IT Infrastructure the Key To the Future?
Click For 2008 West
Event Webcasts
Bucking the Trend: How Security Will Drive Cloud Adoption, Not Hinder It
Security, when done properly, is an argument in favor of cloud adoption

Security Track at Cloud Expo

If you've investigated cloud computing even a little bit, you've encountered story after story about how security is slowing adoption. There is some truth beneath all of the hand wringing, but not nearly as much as you'd think.

When deployed correctly, security should drive cloud adoption, rather than impede it.

Large cloud providers, such as Amazon, Google and Salesforce.com, have many more security tools in their data protection toolbox than you do. They have many dedicated security pros on staff, data centers that can withstand natural disasters, stringent security policies and procedures and the most up-to-date security solutions.

Why All the Doom and Gloom, Then?
Bad news sells. Whether it's an analyst report or an industry publication, fear-based headlines attract attention. Security vendors themselves are guilty of hyping the problem, hoping to push more product.

One recent op-ed by a VP from a very prominent security vendor noted that cloud applications are only as strong as "your weakest password." Um, that's not a cloud security problem; that's an access/authentication problem. You can say this exact same thing about any type of data in any storage medium with any sort of connection to the outside world. *

Similarly, a recent Forrester research report * noted that those moving to the cloud need to worry about identity management, compliance and disaster recovery.

Again, these are in no way specific to the cloud. These are general business computing issues.

This is not to say that there are not actual cloud security concerns. There are, and I'll get to some in a moment. However, for every cloud security issue, there is a corresponding security tool to address it - even though the hype would have you believe otherwise.

How Did We Get into This Mess in the First Place?
Simple: as with so many technologies that came before, developers created the applications first (or cloud-enabled existing ones) and left security concerns for later.

Fortunately, many security issues are being solved for you even as you read this story. All of the big cloud vendors are hyper-aware of the need to lock down their customers' data. All of them have best practices in place and a slew of security tools wrapped around their services designed to protect the integrity of your data.

Unfortunately, the cloud providers can't solve everything. The one fundamental security issue that you must solve for yourself is identity. Application access and the integrity of users' identities, as well as their roles and privileges, must be tackled by the enterprise.

Cloud providers can only do what you tell them to when it comes to identity enforcement. They can grant access to those who you've given credentials to and block all others, but if you don't have solid identity enforcement in place, there's not much they can do about it.

This is where many organizations falter. Using the same logic that drove people to cloud-enable applications before figuring out the security ramifications, many organizations have decided to synch identities to the cloud. Bad idea. Now, instead of protecting one identity directory, you must defend, patch and manage two, and you've doubled your risks.

The second misguided option that organizations consider is forklifting their entire infrastructure, including identity management, to the cloud. In this age of outsourcing, there is some herd-mentality logic to this line of thinking. However, I believe that identity is the absolute last thing you want to outsource.

Where Should You Draw the Line?
Nothing in the Internet age is 100% secure, but when you give away the keys to the front door, you better make sure the lock is sound and that only the people who are supposed to have keys actually get them.

If you give away your directory services, such as Active Directory or LDAP, you are basically ceding control over who gets keys and who doesn't.

Control over directory services, then, is where you draw the line.

Imagine what happens when something goes wrong. If identities are off in the cloud, you must trust that the identity provider is honest, forthcoming and quick in responding. If identities are in house, you track down those accountable and tell them they'll be working nights and weekends until the problem is solved.

Similarly, when identities are in house, your IT staff has much more power to enforce organizational policies when users stray away from best practices or concoct workarounds. If users screw up, IT shuts down their accounts, suspends privileges, requires password resets, etc.

Now imagine an even touchier scenario. A frisky IT pro suspends privileges to your CEO for bucking some security policy. With outsourced identities, your CEO (or most likely an executive secretary) wastes a lot of time on the phone trying to reach an overseas help desk to figure out the problem. When handled internally, the CEO is either granted an exception or brought up to speed on the importance of the policy by a colleague who understands your organization's bottom-line business concerns.

Other reasons to keep identities in house include maintaining compliance, avoiding vendor lock, protecting interoperability and avoiding opening yourself up to insider attacks from people who are actually outsiders to you.

Bridging the Enterprise to the Cloud by Becoming Your Own Identity Provider
The trouble with keeping directory services in house is that they were not designed for the cloud. However, this problem isn't nearly as big as it seems.

Most organizations are already under regulatory pressure to modernize authentication. What a few progressive identity enforcement providers are doing is hooking strong, multifactor authentication into directory services.

Because these new identity enforcement solutions are designed to be platform agnostic and to authenticate remote and mobile workers, they are perfectly situated to serve as a bridge between internal directories and public clouds.

Some of the big cloud providers, most notably Salesforce.com and Google, allow you to use an identity provider to enforce access and privileges. As a result, a bunch of small point solutions delivered as services have already popped up. Some of the vendors probably have staying power. Many do not.

However, there is no reason you can't act as your own identity provider. You've done it for years for client/server applications, and many organizations are already acting as an identity provider for internally hosted apps served up as a service to various departments, branches and partners, as well as to remote and mobile workers.

Instead of just authenticating users, you can control, manage and enforce user access, no matter where the users are or where the application data resides.

Returning to the title of this story, what does this all mean when it comes to cloud adoption? It means that security, when done properly, is an argument in favor of cloud adoption. The big providers have better resources to protect data than you do, while you have the ability to retain the control and management of your user base even as it accesses cloud-based applications.

You get the best of everything. Identities stay locked in house, data protection is improved and applications gain flexibility and operational efficiency by residing in the cloud.

About Craig Lund
Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges applications from the enterprise to the cloud through strong, flexible identity enforcement.

As chief executive officer, Craig is responsible for guiding the overall strategy and operations of MultiFactor Corporation. He is a seasoned veteran of high technology management with over 25 years experience managing high performing teams in some of the world’s leading technology companies and startups alike. Craig holds a bachelor’s of science degree in business administration from Utah State University.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Latest Cloud Developer Stories
Sometimes I write a blog just to formulate and organize a point of view, and I think it’s time that I pull together the bounty of excellent information about Machine Learning. This is a topic with which business leaders must become comfortable, especially tomorrow’s business lead...
"Storpool does only block-level storage so we do one thing extremely well. The growth in data is what drives the move to software-defined technologies in general and software-defined storage," explained Boyan Ivanov, CEO and co-founder at StorPool, in this SYS-CON.tv interview at...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices ...
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 ...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021



SYS-CON Featured Whitepapers
ADS BY GOOGLE