yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Expo on Google News
Cloud Expo & Virtualization 2009 East
Smarter Business Solutions Through Dynamic Infrastructure
Smarter Insights: How the CIO Becomes a Hero Again
Windows Azure
Why VDI?
Maximizing the Business Value of Virtualization in Enterprise and Cloud Computing Environments
Messaging in the Cloud - Email, SMS and Voice
Freedom OSS
Stairway to the Cloud
Sun's Incubation Platform: Helping Startups Serve the Enterprise
Cloud Computing & Enterprise IT: Cost & Operational Benefits
How and Why is a Flexible IT Infrastructure the Key To the Future?
Click For 2008 West
Event Webcasts
Bucking the Trend: How Security Will Drive Cloud Adoption, Not Hinder It
Security, when done properly, is an argument in favor of cloud adoption

Security Track at Cloud Expo

If you've investigated cloud computing even a little bit, you've encountered story after story about how security is slowing adoption. There is some truth beneath all of the hand wringing, but not nearly as much as you'd think.

When deployed correctly, security should drive cloud adoption, rather than impede it.

Large cloud providers, such as Amazon, Google and, have many more security tools in their data protection toolbox than you do. They have many dedicated security pros on staff, data centers that can withstand natural disasters, stringent security policies and procedures and the most up-to-date security solutions.

Why All the Doom and Gloom, Then?
Bad news sells. Whether it's an analyst report or an industry publication, fear-based headlines attract attention. Security vendors themselves are guilty of hyping the problem, hoping to push more product.

One recent op-ed by a VP from a very prominent security vendor noted that cloud applications are only as strong as "your weakest password." Um, that's not a cloud security problem; that's an access/authentication problem. You can say this exact same thing about any type of data in any storage medium with any sort of connection to the outside world. *

Similarly, a recent Forrester research report * noted that those moving to the cloud need to worry about identity management, compliance and disaster recovery.

Again, these are in no way specific to the cloud. These are general business computing issues.

This is not to say that there are not actual cloud security concerns. There are, and I'll get to some in a moment. However, for every cloud security issue, there is a corresponding security tool to address it - even though the hype would have you believe otherwise.

How Did We Get into This Mess in the First Place?
Simple: as with so many technologies that came before, developers created the applications first (or cloud-enabled existing ones) and left security concerns for later.

Fortunately, many security issues are being solved for you even as you read this story. All of the big cloud vendors are hyper-aware of the need to lock down their customers' data. All of them have best practices in place and a slew of security tools wrapped around their services designed to protect the integrity of your data.

Unfortunately, the cloud providers can't solve everything. The one fundamental security issue that you must solve for yourself is identity. Application access and the integrity of users' identities, as well as their roles and privileges, must be tackled by the enterprise.

Cloud providers can only do what you tell them to when it comes to identity enforcement. They can grant access to those who you've given credentials to and block all others, but if you don't have solid identity enforcement in place, there's not much they can do about it.

This is where many organizations falter. Using the same logic that drove people to cloud-enable applications before figuring out the security ramifications, many organizations have decided to synch identities to the cloud. Bad idea. Now, instead of protecting one identity directory, you must defend, patch and manage two, and you've doubled your risks.

The second misguided option that organizations consider is forklifting their entire infrastructure, including identity management, to the cloud. In this age of outsourcing, there is some herd-mentality logic to this line of thinking. However, I believe that identity is the absolute last thing you want to outsource.

Where Should You Draw the Line?
Nothing in the Internet age is 100% secure, but when you give away the keys to the front door, you better make sure the lock is sound and that only the people who are supposed to have keys actually get them.

If you give away your directory services, such as Active Directory or LDAP, you are basically ceding control over who gets keys and who doesn't.

Control over directory services, then, is where you draw the line.

Imagine what happens when something goes wrong. If identities are off in the cloud, you must trust that the identity provider is honest, forthcoming and quick in responding. If identities are in house, you track down those accountable and tell them they'll be working nights and weekends until the problem is solved.

Similarly, when identities are in house, your IT staff has much more power to enforce organizational policies when users stray away from best practices or concoct workarounds. If users screw up, IT shuts down their accounts, suspends privileges, requires password resets, etc.

Now imagine an even touchier scenario. A frisky IT pro suspends privileges to your CEO for bucking some security policy. With outsourced identities, your CEO (or most likely an executive secretary) wastes a lot of time on the phone trying to reach an overseas help desk to figure out the problem. When handled internally, the CEO is either granted an exception or brought up to speed on the importance of the policy by a colleague who understands your organization's bottom-line business concerns.

Other reasons to keep identities in house include maintaining compliance, avoiding vendor lock, protecting interoperability and avoiding opening yourself up to insider attacks from people who are actually outsiders to you.

Bridging the Enterprise to the Cloud by Becoming Your Own Identity Provider
The trouble with keeping directory services in house is that they were not designed for the cloud. However, this problem isn't nearly as big as it seems.

Most organizations are already under regulatory pressure to modernize authentication. What a few progressive identity enforcement providers are doing is hooking strong, multifactor authentication into directory services.

Because these new identity enforcement solutions are designed to be platform agnostic and to authenticate remote and mobile workers, they are perfectly situated to serve as a bridge between internal directories and public clouds.

Some of the big cloud providers, most notably and Google, allow you to use an identity provider to enforce access and privileges. As a result, a bunch of small point solutions delivered as services have already popped up. Some of the vendors probably have staying power. Many do not.

However, there is no reason you can't act as your own identity provider. You've done it for years for client/server applications, and many organizations are already acting as an identity provider for internally hosted apps served up as a service to various departments, branches and partners, as well as to remote and mobile workers.

Instead of just authenticating users, you can control, manage and enforce user access, no matter where the users are or where the application data resides.

Returning to the title of this story, what does this all mean when it comes to cloud adoption? It means that security, when done properly, is an argument in favor of cloud adoption. The big providers have better resources to protect data than you do, while you have the ability to retain the control and management of your user base even as it accesses cloud-based applications.

You get the best of everything. Identities stay locked in house, data protection is improved and applications gain flexibility and operational efficiency by residing in the cloud.

About Craig Lund
Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges applications from the enterprise to the cloud through strong, flexible identity enforcement.

As chief executive officer, Craig is responsible for guiding the overall strategy and operations of MultiFactor Corporation. He is a seasoned veteran of high technology management with over 25 years experience managing high performing teams in some of the world’s leading technology companies and startups alike. Craig holds a bachelor’s of science degree in business administration from Utah State University.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Latest Cloud Developer Stories
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Ind...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build ...
Traditional IT, great for stable systems of record, is struggling to cope with newer, agile systems of engagement requirements coming straight from the business. In his session at 18th Cloud Expo, William Morrish, General Manager of Product Sales at Interoute, will outline ways...
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Deve...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)!

Advertise on this site! Contact advertising(at)! 201 802-3021

SYS-CON Featured Whitepapers