This article originally appeared in the Jan. 2011 issue of InfoTECH SPOTLIGHT
Cloud computing adoption is alive and well among organizations despite concerns around security. A recent study conducted by Management Insight and sponsored by CA (News - Alert) Technologies showed that 80 percent of mid-sized and large enterprise organizations have implemented at least one cloud service, with nearly half saying they have implemented more than six cloud services. This adoption is happening even though 68 percent of respondents cite security as a barrier to cloud adoption.
These survey results indicate that for now cost and speed of deployment are leading reasons for cloud adoption and are strong enough to offset the perceived risks associated with deploying cloud services. This view also is supported by the results of a recent study of cloud providers conducted by the Ponemon Institute (News - Alert). That study found that cloud providers are more focused on delivering the benefits of cost, reliability, and speed of deployment to their customers, and are less focused on security.
This may be a sufficient for now, but as increasingly sensitive data and applications are selected to migrate to the cloud, organizations will quickly reach an impasse. Sensitive data and applications, such as financial or health-related, may be deemed too risky for cloud adoption despite the potential for cost savings and agility. When the potential cost of breach becomes too great for certain data types and applications, we may reach a point of “cloud stall” – unless we can make enterprises and their cloud service providers more inherently cloud ready from a security standpoint.
For the cloud to reach its full potential, organizations will demand that cloud services have the same level of security – or better – than they can provide within their enterprise. Given the varying scenarios of cloud computing – SaaS (News - Alert), PaaS, IaaS – and public, private and hybrid cloud environments, there are multiple perspectives to securing the cloud that need to be considered. Simply described, security must be provided “to, for and from” the cloud, using identity as the key context “glue” to make these inherently cross-domain security scenarios work.
To, For, From the Cloud with Identity and Access Management
Enterprises need to be able to evolve and extend their existing IAM systems, deployed today almost exclusively on-premise, to incorporate cloud services. This is referred to as extending IAM to the cloud. By extending proven enterprise IAM systems and processes to support cloud services, such as those offered by salesforce.com and Google (News - Alert), organizations can mitigate some of the cloud security concerns by using their own proven controls. For example, on-premises identity and access management systems can be used to manage user entitlements for both on-premise applications as well as cloud applications and enforce existing access policies as an integral part of their existing automated user entitlement management workflows.
Cloud providers of all types (SaaS, PaaS, IaaS) need to control and manage identities of both their internal users as well as those of their customers and partners using their cloud services; They need IAM for the cloud. Cloud providers, like large enterprises, need to optimize how their identities are managed to keep costs down, improve the trustworthiness of their services, and to integrate with the identity management systems and processes of their enterprise customers.
Finally, identity and access management services offered from the cloud (such as identity proofing, credential management, strong authentication, single sign-on, provisioning, and more), provide organizations with a choice of how to best get IAM done. In fact, done well, identity services offered from the cloud can help overall cloud adoption. By specifically addressing the security needs of the cloud and taking much of the IAM implementation burden off the already over-taxed enterprise security teams, IAM as a cloud service allows security experts within the enterprises focus their energies on governance and policy and less on implementation details.
The enterprise-ready cloud is achieved when all the security bases are covered at least as well as they are today with traditional applications. This happens when enterprises extend their existing IAM processes to the cloud, when cloud providers themselves use comprehensive and interoperable IAM systems for their cloud services, and when specialized cloud service providers provide IAM services from the cloud.