The main thing you need to know about security in the cloud is that fundamentally it's no different from security anywhere else. That's important to know because security is a major concern for businesses thinking about using cloud computing. "This is the No. 1 issue," says Doug Tidwell, a cloud computing evangelist at IBM. "In the last survey I saw, 87 percent of the people said security is their biggest concern. Every survey I have seen in the last three years, it's always security."
One of the reasons cloud security is so important to potential users of cloud services is that the cloud itself is so little understood. Cloud computing is still fairly new and most people haven't had experience with it. That makes them hesitant. The other factor, Tidwell says, is giving up control. "I no longer know the person who's handling part of my infrastructure," Tidwell says. Or, as one manager put it to him: "Inside my firewall, I know whose butt I can kick if something goes wrong. With the cloud, I don't know who that is."

One of the results of that hesitancy, Tidwell says, is that for all the attention it's getting, very few people are running critical business services in the cloud. "The cloud is getting a tremendous amount of buzz," Tidwell says. "But if you start to talk to people about it, it's one thing to say I run my payroll system in the cloud, compared to saying I did a few things in the cloud to see what it's like."

The truth, Tidwell says, is that security in the cloud is basically no different than security in house. "It really builds on what people have already. If you have things like identity management, certificate management—things that every enterprise has—then the issue is how do you take these things and use them in the cloud?"

Whether your service is down the hall in the data center or off in the cloud, the fundamental issue is trust. You have to be able to authenticate users and know what they're allowed to do based on their roles and responsibilities, know that who you're dealing with is who they say they are, and they have to be able to verify that you're who you say you are. "Once you get beyond that, everything builds on that foundation of trust," Tidwell says.

Building Trust

Take identity management (IdM). Tidwell cited an example in which a cloud user has stored some sensitive documents in Lotus Live.
"You can configure Lotus Live so that anytime someone attempts to access those documents, the user is redirected to your identity infrastructure. The user enters their user ID and password into your identity management infrastructure, and then your IdM system tells Lotus Live whether the user should get access."

"It gets back to the whole point that you're reusing what you already have to implement security in the cloud. You're telling Lotus Live, 'I'm the one who handles access to this particular service. If someone knocks on the door, send them to me and I'll tell you whether or not they should get in.'"

"With data storage in the cloud, it's not that different from securing data that is moving around your enterprise. You want to make sure the data is encrypted when it gets to the disk where it's going to live, whether that disk is in your data center or in the cloud."

The key to all this is your cloud service provider. "That's one of the areas where we're starting to see the providers differentiate," Tidwell says. "Some of the providers have a best effort basis for uptime and security. A lot of providers say if something goes wrong you have two options: A coupon off next month's bill or close the account."

That level of security might suffice for some things, Tidwell says, but many users will need much more. "Depending on the sensitivity of the data and applications, there's a laundry list of standards that apply, such as SAML and X.509 for identity management, or IEEE's P1619 for data and storage security. Based on your industry, there may be additional standards or best practices that apply to you. If you're doing anything in the cloud that accepts credit cards as payment, PCI DSS applies, for example."

Another important consideration is transparency and auditability. It is important that your cloud service provider inform you if there is a breach or other security problem.
"If I'm going to do business with you, you have to tell me if something breaks," Tidwell says. "With many public cloud providers, it's your responsibility to prove that something went wrong. That's clearly not acceptable for many applications."

The terms of your agreement with your cloud provider are critical to maintaining the level of security you need. "It really comes down to figuring out what you want to do in the cloud, then selecting a provider based on your requirements. Make sure they can enforce the policies you need and make sure they can do what you need done in the cloud," Tidwell says.

In some cases, assuming your cloud partner has the security features you need, enforcement of your policies becomes a joint effort. "The identity management scenario is a good example," Tidwell says. "You can let the cloud provider handle things like user IDs and passwords for each user in your enterprise, or you can have the cloud provider delegate that to you."

Because you are giving up some control by working in the cloud, you need to examine your security procedures. "If you're moving data to cloud storage instead of storing it in-house, you should look at how that data moves. If everything used to be inside your firewall, maybe you didn't worry about securing the data while it moved. But if you're sending that data outside the firewall, you want to use SSL at least to make sure your data is secure in transit," Tidwell says.

The basic principle in cloud security is to avoid reinventing the wheel. Use your existing security infrastructure to support your cloud computing efforts whenever possible. This not only avoids extra work, it allows you to use existing methods and structures that have been tested and proven. "It comes down to reusing the architecture you took a long time to build," Tidwell says. "What you don't want to have to do is rebuild that from scratch."
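The delegated identity-management flow Tidwell describes (the cloud service sends the user to your IdM, which tells the service whether to grant access), as an added example that is not from the article, IBM or Lotus Live: a toy enterprise IdP checks the credential and issues an HMAC-signed assertion, and the cloud service verifies signature, audience and expiry before consulting the only thing it keeps, a role-based document ACL. The shared key, the user directory, the document names and the "cloud-docs" audience are constructed stand-ins; a real deployment would use SAML assertions signed with X.509 keys, the standards the article names.

```python
import hashlib, hmac, json, secrets, time

# Constructed stand-ins: a real IdP signs SAML assertions with an X.509 key
# and the service verifies them against the IdP's certificate instead.
IDP_KEY = secrets.token_bytes(32)       # known to IdP and cloud service only
SERVICE_ID = "cloud-docs"               # audience the cloud service expects

def _pw_hash(pw):
    # Unsalted hash keeps the example short; a real directory uses a KDF.
    return hashlib.sha256(pw.encode()).hexdigest()

# The enterprise directory stays in-house; the cloud service never sees it.
_DIRECTORY = {"alice": (_pw_hash("correct horse"), ["finance"]),
              "bob": (_pw_hash("hunter2"), ["engineering"])}

def idp_authenticate(user, password, audience, ttl=300, now=None):
    """Enterprise IdM: check the credential, then issue a signed assertion."""
    entry = _DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0], _pw_hash(password)):
        return None                      # IdM refuses; no assertion issued
    claims = {"sub": user, "aud": audience, "roles": entry[1],
              "exp": (now or time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return body, sig

def service_verify(assertion, now=None):
    """Cloud service: trust the IdM's answer only if the assertion checks out."""
    if assertion is None:
        return None
    body, sig = assertion
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                      # forged or tampered assertion
    claims = json.loads(body)
    if claims["aud"] != SERVICE_ID or claims["exp"] < (now or time.time()):
        return None                      # issued for another service, or stale
    return claims

# The only data the cloud service holds: which roles may open which document.
_DOC_ACL = {"q3-forecast.xls": {"finance"}, "build-notes.txt": {"engineering"}}

def request_document(user, password, doc, now=None):
    """User knocks on the service's door; the service defers to the IdM."""
    claims = service_verify(idp_authenticate(user, password, SERVICE_ID, now=now), now=now)
    if claims is None:
        return "denied: not authenticated"
    if not _DOC_ACL.get(doc, set()) & set(claims["roles"]):
        return "denied: not authorized"
    return "ok: %s for %s" % (doc, claims["sub"])
```

The service never stores a password or a user list: revoking or renaming a user in the enterprise directory takes effect at the cloud service immediately, which is the reuse Tidwell is pointing at.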
Rick Cook is the author of hundreds of articles about information technology and its impact on business.
Listen to dW podcast interviews with Todd Watson from IBM; Lisa Kamm and Alex Cook from Google; Cloud Computing Use Case Project participants Robert Syputa, Senior Strategy Analyst and Partner with Maravedis, and Dirk Nicol, Program Director for Emerging Technology at IBM; Josh Elman from Facebook and others.