Cloud Security: Oxymoron?

Here's how some early adopters of cloud computing are approaching the problem.

Page 3 of 5

Anderson solved the problem by using Symplified Inc.'s SinglePoint Cloud Access Manager, which does not use an agent but rather interacts with D3's published APIs, he says.

Since IaaS customers technically own their virtualized slice of a vendor's infrastructure, they can install security software and controls. However, only a few vendors provide products that can protect both private- and public-cloud-based environments.

One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity, such as file changes, for unauthorized actions, Thiemann says.

Shavlik, a vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers -- including its own IaaS provider, says Mark Shavlik, the company's CEO.

Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq3's Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik. I've been using it for patch and configuration management for years," he says.

The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public-cloud-based systems, where access control has to be correlated between the customer and the service provider -- and often several service providers.

Pfizer uses Symplified's SinglePoint Cloud Access Manager to provide single sign-on functionality across different SaaS providers and applications. When an end user moves between an Oracle- and a Symplified-managed domain, for example, he has to log on again, but he can use the same credentials, Anderson says.

Symplified and Ping Identity Corp. are two vendors that currently provide single sign-on systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems. However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardized form of access management so the customer will no longer have to bear that burden.

Another access management concern when dealing with a cloud-based service -- or any outsourced service, for that matter -- is how to ensure that the service provider's system administrators don't abuse their access privileges. Again, SaaS customers don't have a lot of control or oversight regarding how the service provider addresses that issue. IaaS providers, in contrast, will often allow a customer to install event log monitoring software on their virtualized portion of the infrastructure.
