Cloud/SaaS: Effects of migration on the security landscape

Last week I met an experienced professional from a domain similar to mine and we talked at length about SaaS. Most of the time we were talking about how SaaS is the future. Later, I got thinking about what would happen when SaaS goes mainstream and cloud adoption reaches a good ratio.

My last post talked a bit about what people were not thinking about in all the cloud buzz (http://wp.me/p1ZlqR-z). But this is something a little different.

It is pretty clear to me that a lot of generic services will be SaaS and will find good adoption; alongside, there will be a lot of players like Amazon AWS who will offer both general and specialized infrastructure services. The gaps will be filled by vendors selling stuff on these clouds for ready customization/use (like EC2 paid AMIs). Only very specialized, highly sensitive information will be kept on-premise. Of course there are many who will keep owning large datacenters (because it may be more economical) or have solutions that quite simply do not work well with any acceptable vendor’s offering (and there will certainly be many such things).

There is no “inside” anymore, need ubiquitous security

It’s not hard to imagine that in such cases, many offices will really no longer have any on-premise critical servers/services to protect. You’ll need a secure way to connect to and use your data even from inside the office. I was fascinated by the notion that we are now heading towards an era where there will be no “inside” network: we are all on the outside, all the time. Thinking back, it should have been fairly obvious when we first started having internet on the go; to people much smarter and more experienced than me it probably was, but what is feasible often beats what is reasonable!

I digressed. What it probably means is that either all the SaaS (and other *aaS) offerings meant for mass consumption will have to be fully security compliant for critical service adoption, or there will be security brokers and managers who will do it for them. I find the former a dream at best; if you have ever worked on software and had the misfortune of dealing with interoperability issues, you understand. It looks like we’ll have to have security built right into the cloud (like a VPN and other things) if adoption is ever to reach a very serious ratio. There are efforts under way for this; cloud security is expected to be the next big thing. CipherGraph itself is one such effort to ensure that only the right people get access to authorized resources. More on this later.

Broker-based security standards such as SAML do come to mind, but that paradigm suits only certain kinds of services, not all. They do not secure the network anyway; they only offer identity assertions, which is just one part of security. Also, enterprise-standard solutions of this kind are often quite expensive and challenging to maintain (or to find compliant services for).

Policy Control

It’s a known fact that all security vendors like to control policy; that is, after all, the brain of the security infrastructure. But how far can policy go while being disconnected from the corporate identity and role? Not too far, I believe. Ultimately it is all about who is allowed to do what, and if you do not keep the actual user’s identity in mind, enterprises are going to find it hard to adopt such systems. The current SaaS vendors rely on simple authentication mechanisms and are often completely corporate-role-agnostic. To be fair, they should not be duplicating security efforts anyway; there are powerful policy enforcers available (and it is a specialized field).

Prevention is the best cure

Security is like a chain: it’s only as strong as your weakest link. The idea, hence, should always be to layer security infrastructure, not chain-link it. What I mean is that it is one thing to expose your Exchange server to the network and give credentials to authorized users; it’s another thing to ensure that only the authorized users even get to see the login page. It is hard enough to come up with enterprise-class solutions; it’s even harder to have built-in enterprise-class security (economically).
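To make the two points above concrete (policy tied to corporate identity and role, and layering so that unauthorized users never even reach the login page), here is an added illustration. It is not code from this post or from CipherGraph; the networks, users, roles, resources and actions are all constructed sample data, and the three layers stand in for whatever VPN/broker, authentication and policy enforcer a real deployment would use. Each layer decides independently, and the first denial is final and names the layer that produced it, which is what makes the stack layered rather than chain-linked.

```python
# Added example (not from the original post or from CipherGraph): a minimal
# "layered, not chain-linked" access decision. A request must pass three
# independent layers in order: (1) network reachability, standing in for the
# VPN/broker that decides who even gets to see the login page; (2)
# authentication; (3) corporate identity/role policy. All data is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    src_ip: str            # client address as seen at the edge
    user: Optional[str]    # authenticated principal, None if anonymous
    resource: str          # e.g. "exchange" (constructed)
    action: str            # e.g. "read_mail", "admin_console" (constructed)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str             # the layer that produced this decision
    reason: str


# Layer 1 data: constructed allow-list of corporate/VPN egress ranges.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Layer 3 data: constructed directory (user -> corporate roles) and policy
# ((resource, action) -> roles permitted). Anything not listed is denied.
USER_ROLES = {
    "alice": {"employee", "mail-admin"},
    "bob": {"employee"},
}
ROLE_POLICY = {
    ("exchange", "read_mail"): {"employee"},
    ("exchange", "admin_console"): {"mail-admin"},
}


def network_layer(req: Request) -> Decision:
    """Deny before any application surface (even the login page) is exposed."""
    try:
        addr = ip_address(req.src_ip)
    except ValueError:
        return Decision(False, "network", f"unparseable source address {req.src_ip!r}")
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return Decision(False, "network", f"{req.src_ip} is not on a trusted network")
    return Decision(True, "network", "source network trusted")


def auth_layer(req: Request) -> Decision:
    """Require an authenticated principal; anonymous requests stop here."""
    if not req.user:
        return Decision(False, "authentication", "no authenticated user")
    return Decision(True, "authentication", f"user {req.user} authenticated")


def policy_layer(req: Request) -> Decision:
    """Tie the decision to corporate role, not merely to 'has a valid login'."""
    roles = USER_ROLES.get(req.user or "", set())
    permitted = ROLE_POLICY.get((req.resource, req.action))
    if permitted is None:
        return Decision(False, "policy", f"no policy for {req.resource}/{req.action}; default deny")
    if not roles & permitted:
        return Decision(False, "policy", f"{req.user} lacks a permitted role for {req.action}")
    return Decision(True, "policy", f"{req.user} permitted via roles {sorted(roles & permitted)}")


LAYERS: list[Callable[[Request], Decision]] = [network_layer, auth_layer, policy_layer]


def authorize(req: Request) -> Decision:
    """Run the layers in order; the first denial is final and names its layer."""
    for layer in LAYERS:
        decision = layer(req)
        if not decision.allowed:
            return decision
    return Decision(True, "all", "allowed by every layer")


if __name__ == "__main__":
    samples = [
        Request("198.51.100.7", "alice", "exchange", "read_mail"),  # off-network: never sees login
        Request("10.1.2.3", None, "exchange", "read_mail"),         # on-network but anonymous
        Request("10.1.2.3", "bob", "exchange", "admin_console"),    # authenticated, wrong role
        Request("10.1.2.3", "alice", "exchange", "admin_console"),  # authenticated, right role
    ]
    for s in samples:
        d = authorize(s)
        print(f"{'ALLOW' if d.allowed else 'DENY '} [{d.layer}] {d.reason}")
```

Note that the first sample is refused at the network layer although it carries a valid user and a permitted action: the point of the layering is that a correct credential is irrelevant if the request should never have reached the login page in the first place. The policy layer likewise defaults to deny for any (resource, action) pair that is not explicitly listed.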

Just a few days back Check Point released some EC2 firewall security system. I should have been scared, but I was excited, since there was unassailable validation that my own effort (CipherGraph Networks) was in the right direction; I was even happier when I realized that CipherGraph is the first and probably the only one that caters to on-premise as well as cloud infrastructure.

One of the things I realized is that most of the formulas and fundamentals are already in place; we just have to map them to a very different scenario (cloud, in this instance) and forge a fitting solution. It will take a different sensibility, since the topology is completely changed and we are dealing with a different set of parameters, but it can be done :-) we’re on the job!