Cloud/SaaS : Effects of migration on security landscape

Last week I met an experienced professional from similar domain to mine and we talked at length about SaaS. Most of the time we were talking about how SaaS is the future. Later, I got thinking about what would happens when SaaS gets mainstream and cloud adoption reaches a good ratio.

My last post talked a bit about what the people were not thinking about in all the cloud-buzz ( But this is something a little different.

It is pretty clear to me that a lot of generic services will be SaaS and will find good adoption, alongside, there will be a lot of people like Amazon AWS who will offer both general and specialized infrastructure services. The gaps will be filled by vendors selling stuff on these clouds for ready customization/use (like EC2 paid AMIs). Only very specialized, highly sensitive information will be kept on-premise. Of course there are many who will keep owning large datacenters (because it may be more economical) or have solutions that quite simply do not work well with any acceptable vendor’s offering (and there will certainly be many such things).

There is no “inside” anymore, need ubiquitous security

Its not hard to imagine that in such cases, many offices will really no longer have any on-premise critical servers/services to protect. You’ll need a secure way to connect and use your data even from inside the office. I was fascinated by the notion that we are now heading towards an era where there will be no “inside” network, we are all on the outside, all the time. Thinking back it should have been fairly obvious when we first started having internet on the go, at least to the people who are much smarter and more experienced than me, it probably was, the complication of feasible often beats reasonable!

I digressed. What it probably means is that either all the SaaS (and other *aaS) meant for mass consumption, will have to be fully security compliant for critical service adoption or there will be security brokers and managers who will do it for them. I find the former a dream at best, if you have ever worked on software and had the misfortune of dealing with interoperability issues, you understand. It looks like we’ll have to have security built right into the cloud (like a VPN and other stuff ) if we are to ever adopt a very serious ratio. There are efforts on for this, cloud security is expected to be the next big thing. CipherGraph itself is one such effort to ensure that only the right people will get access to authorized resources. More on this later.

Standards such broker based security SAML and other such things do come to mind, but that paradigm is suited only to certain kinds of services, not all. They do not secure the network anyway, just offer identity assertions, that is only part of security. Also, enterprise standard solutions of this kind are often quite expensive and challenging to maintain (or find compliant services for).

Policy Control

Its a known fact that all security vendors like to control policy, that is after all, the brain of the security infrastructure. But how far can policy go while being disconnected with the corporate identity and role? Not too far, I believe. Ultimately it is all about who is allowed to do what and if you do not keep the actual user’s identity in mind, enterprises are going to find it hard to adopt such systems. The current SaaS vendors rely on simple authentication mechanisms and are often completely corporate-role-agnostic. To be fair, they should not be duplicating security efforts anyway, there are powerful policy enforcers available (and it is a specialized field).

Prevention is the best cure

Security is like a chain, its only as strong as your weakest link. The idea hence should always be to layer security infrastructure not chain-link it. What I mean is that it is one thing to expose your Exchange server to the network and give credentials to authorized users, its another thing to ensure that only the authorized users even get to see the login page. It is hard enough to come up with enterprise class solutions, its even harder to have built-in enterprise class security (economically).

Just a few days back Checkpoint released some EC2 firewall security system. I should have been scared but I was excited since there was unassailable validation that my own effort (CipherGraph Networks) was in the right direction, but I was even more happy when I realized that CipherGraph is the first and probably the only one that caters to on-premise as well as cloud infrastructure.

One of the things I realized is that most of the formulas and fundamental are already in place, we just have to map it to a very different scenario (cloud, in this instance) and forge a fitting solution. It will take a different sensibility since the topology is completely changed and we are dealing with a different set of parameters, but it can be done :-) we’re on the job!


Cloud Tech / *aaS: We are not talking enough about flexibility and security

Cloud is available everywhere

I find it strange that some people don’t immediately see the other implication of “access from anywhere”. That being, it really is accessible from anywhere, it leaves your data/services open to a wider array of security threats (and as expected, from anywhere). Hence, you need specialized  security around your “accessible” services. I believe we are just one step away from  a security revolution since the rules are being changed by the cloud revolution. CipherGraph Cloud VPN can secure your cloud infrastructure from unauthorized and malicious access, while still allowing authorized people to use it from anywhere.

Do I need to understand security even for using SaaS?

Yes! The only person who understands your data’s worth, is you. For everyone else, its just a payload of bits.

You must choose your data’s location/accessibility wisely. You have to determine how and where your data gets accessed. This is the same reason why you have been investing in security all these years, the cloud does not implicitly address security, in fact its ubiquity makes it even more important.

There are certain things you cannot trust someone else to understand and decide, your security is one of them. Nobody will accept liability for the real loss your business incurs because of any operational failure.

If you are putting your data somewhere, you need to understand who else has access to it and how it is protected from unauthorized people. Cloud is not a bottomless pit of capacity and power, it too reacts badly to usage spikes and other adverse scenarios. Vendors are not really liable for any damage of any kind, you are solely responsible for making sure your business does not suffer.

 Your Cloud/*aaS choice may be binding, choose wisely the first time!

Extended *aaS use often locks you down to one vendor, make an informed choice the first time. *aaS is meant to be mass produced and mass-consumed, the implication is that there will be little flexibility. It is up to you to ensure you understand your vendor’s policy. Security and backup policy are also a must when considering a vendor.

Migration can be very difficult and expensive (if not impossible), so be extra sure of your choice and its implications. Self hosted or cloud hosted virtualization can may be a less painful and more flexible choice. It is not a coincidence that legacy systems are the hardest to maintain, they usually get that way because they locked your data and could not be migrated. After all, you know its not easy to migrate terabytes of data or replicate any working setup of one vendor with another.

SaaS magic

SaaS gets incredible press these days, it has a lot of romance associated with it. “Cloud” seems to be the magic elixir that will solve all the problems of any business. Its not everyday that security gets a mention in the SaaS context. Lets face it, people are just beginning to talk about it seriously. Security issues/considerations do not go away magically when software is hosted on the cloud. Often, it brings with it new set of issues that were non-existent in the traditional model of hosting servers.

I have often come across companies who have told me that they don’t need security because they do everything in cloud. I do understand that security is not something most people think about everyday. Most don’t really realize how security applies to their business model. Unfortunately I believe they are in a bubble, data breaches/attacks on cloud setups are making the news all the time.

*aaS model

*aaS model relies on “One size fits all” policy, where they can reuse the same infrastructure and same kind of service for all users. This mass consumption allows them to reduce the costs and ultimately make the service available at a cheaper rate. What they do not do is comply with your specific security policy, they have their own, which may not be aligned to yours. Before you use any IaaS/SaaS/Cloud service for your business, consider all options with security in context. Even if it does not have implicit security by themselves, they should be flexible enough for you to be able to use their own or a third party’s solution (I personally prefer Amazon’s AWS because of its higher flexibility).

Did you pay for security?

You will get only what you paid for. So if your SaaS vendor is charging you peanuts, they are optimizing (cutting corners) somewhere. You’ll see that when something bad happens, till then you are in a bubble. Security and secure access is a specialized field and needs specialized attention, your vendors own the infrastructure and is tuned to give maximum performance not necessarily to be fully secure.