Cloud security: Try these techniques now

From divvying up responsibility to using third-party tools, here's how some companies are approaching the problem.

1 2 3 4 5 Page 3
Page 3 of 5

One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity such as file changes for unauthorized activities, Thiemann says.

Shavlik, a cloud-based vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers -- including its own IaaS provider, says Mark Shavlik, the company's CEO.

Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq³'s Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik: I've been using it for patch and configuration management for years," he says.

Access control in the cloud

The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public cloud-based systems, where access control has to be correlated between the customer and the service provider -- and often several service providers.

Pfizer uses Symplified's Single Point Cloud Access Manager to provide single sign-on (SSO) functionality across different SaaS providers and applications. When the end user moves between an Oracle- and a Symplified-managed domain, for example, he still has to log on again but he can use the same set of credentials, Anderson says.

Cloud security icon

Symplified and Ping Identity Corp. are two vendors that currently provide SSO systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems. However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardized form of access management, so the customer would no longer have to bear that burden.

Another access management concern when dealing with a cloud-based service -- or any outsourced service for that matter -- is how to ensure that the service provider's system administrators don't abuse their access privileges. Again, SaaS customers don't have a lot of control or oversight of how the service provider addresses that issue. IaaS providers, in contrast, will often allow a customer to install event log monitoring software on their virtualized portion of the infrastructure.

Logiq³, for instance, uses Sentry Metrics Inc.'s security event management service, which monitors event logs, does trend analysis and reports on anomalies. So the Sentry Metrics system could, for example, alert Logiq³ when a BlueLock administrator logs on without being given a specific job to do, Westgate says.

Checking bona fides

Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service. So how do you ensure that sensitive data is adequately secured and protected?

Service level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared to the cost of a major security breach.

1 2 3 4 5 Page 3
Page 3 of 5
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon