Cloud security: Try these techniques now

From divvying up responsibility to using third-party tools, here's how some companies are approaching the problem.

The division of labor between Logiq³ and BlueLock actually strengthened security, because "no one person, or company, has all the keys to the kingdom," says Westgate. Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."

How much responsibility lies with the cloud-based service provider largely depends on the type of service.

With an IaaS setup, for example, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro Inc.'s Data Protection group. The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds.

In contrast to IaaS arrangements, a software-as-a-service provider is usually responsible for protecting whatever customer applications and data reside on its cloud. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.

IBM's LotusLive SaaS offering, for example, which was launched in January 2009, utilizes "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. For example, LotusLive data centers are protected by environmental and biometric controls, including closed-circuit TV. Access control is handled by IBM's enterprise-scale Tivoli software.

Pfizer's Kurt Anderson figured out a way to insert agentless third-party security into a cloud-based incident-management application that his company wanted to use.

However, many cloud-based service providers -- and SaaS providers in particular -- feel that their security practices and technologies give them a competitive advantage, so they don't like to reveal details about how they approach security. This means companies have to take the vendor's word that its systems are indeed secure and compliant. "Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser. "They may have incredibly secure and robust systems, but there's no sensible way to ensure this." Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues, but weak when applied to new forms of technology."

Playing nicely with the cloud

Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs.

For example, Pfizer Inc. had outsourced some security services to D3 Security Management Systems Inc. and was interested in using Oracle Corp.'s Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology.

Anderson solved the problem by using Symplified Inc.'s SinglePoint Cloud Access Manager, which does not use an agent, but rather interacts with D3's published APIs, he says.

Since IaaS customers technically own their virtualized slice of a vendor's infrastructure, they can install security software and controls. However, only a few vendors provide products that can protect both private and public cloud-based environments.
