Security and data privacy/regulatory considerations are two of the biggest bottlenecks standing in the way of more organizations adopting cloud computing. Simply put, many organizations have serious misgivings about using cloud computing — in particular, software as a service (SaaS) offerings — due to regulatory requirements prohibiting them from using the cloud for storing sensitive data, or due to concerns about the privacy and security of data residing in the cloud.
Organizations have also gone to considerable lengths to put the systems and processes in place that enable them to enforce consistent access control policies for their enterprise applications. Thus, it is quite understandable that many organizations remain leery of the security capabilities for ensuring secure end-user access to, and control over, cloud-based applications and services.
While cloud providers and other proponents frequently say that these issues are overblown — arguing that many cloud-based applications and services are much more secure than many organizations’ own internal, on-premise applications and networks — the fact of the matter is that hardly a week goes by that some company or government agency doesn’t announce that it has suffered a data breach or some other form of unauthorized system access or tampering. Consequently, it’s only natural that these fears linger — fears that continue to make some organizations hesitate to make a greater commitment to the cloud.
But there have been a number of recent developments that indicate that the industry is striving to address these issues. And we are now seeing real progress in the application of encryption and other security techniques to address these challenges.
Data Security, Regulatory/Compliance Developments
One of the more innovative examples of this trend is Navajo Systems. Navajo offers a SaaS application data security appliance designed to address the limitations and concerns of using cloud applications with sensitive corporate data. The appliance, called “Virtual Private SaaS” (VPS), installs on an organization’s LAN/WAN. It’s also available as a cloud service for licensing. Either way, VPS allows organizations to encrypt sensitive SaaS application data before it is moved to the SaaS provider. Moreover, all sensitive corporate data remains encrypted while residing on the SaaS provider’s servers. In addition, all encryption keys remain in the possession of the end-user organization. When the data is returned to the end-user organization from the SaaS provider, the process is reversed.
VPS works transparently, meaning that application functionality is unaffected by the data encryption process (e.g., sort and search functions continue to operate as expected) and end users remain unaware that it is taking place.
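An added illustration of the gateway pattern described above, not Navajo's code or algorithm (the page does not say how VPS protects data): sensitive fields are replaced before a record leaves the organization, and the key and lookup vault stay on-premise. Keyed HMAC tokenization stands in for encryption here so the example runs on the Python standard library alone; the `Gateway` class, field names and sample records are hypothetical.

```python
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = {"name", "ssn"}  # hypothetical field names


class Gateway:
    """On-premise gateway; the key and the vault never leave the organization."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> plaintext, held locally only

    def _token(self, field: str, value: str) -> str:
        # Deterministic keyed token: the same field and value always map to
        # the same token, which is what keeps provider-side equality search working.
        msg = field.encode() + b"\x00" + value.encode()
        return "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def outbound(self, record: dict) -> dict:
        # Replace sensitive values before the record is sent to the provider.
        out = dict(record)
        for field in record.keys() & SENSITIVE_FIELDS:
            out[field] = self._token(field, record[field])
            self._vault[out[field]] = record[field]
        return out

    def inbound(self, record: dict) -> dict:
        # Reverse the process for records coming back from the provider.
        return {f: self._vault.get(v, v) if f in SENSITIVE_FIELDS else v
                for f, v in record.items()}

    def search_term(self, field: str, value: str) -> str:
        # Rewrite a user's search so the provider matches on the token.
        return self._token(field, value) if field in SENSITIVE_FIELDS else value


def demo():
    gw = Gateway(secrets.token_bytes(32))
    # Constructed sample records; "provider" models the SaaS side's storage.
    records = [{"id": "1", "name": "Alice Example", "ssn": "000-00-0001"},
               {"id": "2", "name": "Bob Example", "ssn": "000-00-0002"}]
    provider = [gw.outbound(r) for r in records]
    term = gw.search_term("name", "Bob Example")
    hits = [r for r in provider if r["name"] == term]
    return provider, [gw.inbound(r) for r in hits]


if __name__ == "__main__":
    print(demo())
```

Deterministic tokens preserve equality search but also show the provider which records share a value; sorting and substring search on protected fields need other schemes with their own leakage trade-offs.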
The advent of cloud data security offerings such as VPS is important because they should help allay organizations’ fears about adopting cloud computing, for the simple reason that encryption makes the data unreadable when in transit to, or stored on, a SaaS provider’s servers. In effect, database theft and identity theft become, for all intents and purposes, negligible, because the sensitive data remains undecipherable when in transmission or in storage outside the end-user organization’s firewall. Regulatory compliance is also made more practical, which is especially important when it comes to the need to ensure the safety of medical, financial, and other sensitive customer information.
Bulletproofing Cloud End-User Access/Security
Organizations are also running into difficulties when it comes to providing secure end-user access to SaaS and other cloud applications. This becomes especially apparent when I talk with people whose organizations are using multiple SaaS offerings or cloud-based applications that need to work with on-premise enterprise applications (and most do). Simply put, knowing exactly who has access to SaaS applications and being able to easily activate and deactivate user accounts via a centralized management system are essential for organizations that need to manage large numbers of users of cloud-based applications and services.
A good example of the kinds of developments we are seeing in regard to cloud application access and security is provided by Symplified, which offers an integration-as-a-service platform for integrating enterprise security policies and administration with cloud applications and data. Symplified’s SinglePoint platform allows end-user organizations to centralize the management of user accounts for multiple cloud applications by extending and enforcing their existing security policies to the cloud. In other words, Symplified did not try to reinvent the wheel when it comes to end-user access and security for cloud-based applications. Rather, its platform is designed to work in conjunction with common enterprise provisioning systems (e.g., Oracle, CA, Quest, Identropy, Sun). I also like SinglePoint because organizations can implement it as an on-premise appliance, or it can be delivered from the cloud as a secure proxy.
SinglePoint functions by integrating with enterprise user directories to automate the creation, provisioning, modification, and deprovisioning of accounts that enable employees to access SaaS applications and data. (It integrates with existing identity and access control infrastructures, including Microsoft Active Directory and Salesforce.com.) In effect, by bringing SaaS applications under the control of enterprise and cloud-based user-provisioning and -management systems, it automates the complex workflows that occur when users and their access privileges are added to or removed from directories. It can also facilitate compliance audits.
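An added sketch of the directory-driven provisioning workflow described above, not Symplified's code: it reconciles a directory snapshot against the accounts that exist in each SaaS application and returns the create, update and deprovision actions needed, including accounts still active for users who are disabled in or absent from the directory. The data shapes, application names and `reconcile` function are hypothetical.

```python
def reconcile(directory, saas_accounts):
    """Return a sorted list of (action, app, user, detail) tuples.

    directory:     {user: {"active": bool, "apps": {app: role}}}
    saas_accounts: {app: {user: role}}  (accounts that currently exist)
    """
    actions = []
    # Pass 1: what the directory says should exist.
    for user, entry in directory.items():
        wanted = entry["apps"] if entry["active"] else {}
        for app, role in wanted.items():
            current = saas_accounts.get(app, {}).get(user)
            if current is None:
                actions.append(("create", app, user, role))
            elif current != role:
                actions.append(("update", app, user, f"{current}->{role}"))
    # Pass 2: accounts that exist in a SaaS app but should not.
    for app, accounts in saas_accounts.items():
        for user in accounts:
            entry = directory.get(user)
            if entry is None:
                reason = "not in directory"
            elif not entry["active"]:
                reason = "disabled in directory"
            elif app not in entry["apps"]:
                reason = "app not entitled"
            else:
                continue
            actions.append(("deprovision", app, user, reason))
    return sorted(actions)


# Constructed sample data.
DIRECTORY = {
    "alice": {"active": True, "apps": {"crm": "admin", "hr": "user"}},
    "bob": {"active": False, "apps": {"crm": "user"}},
    "carol": {"active": True, "apps": {"crm": "user"}},
}
SAAS = {
    "crm": {"alice": "user", "bob": "user", "dave": "admin"},
    "hr": {"carol": "user"},
}

if __name__ == "__main__":
    for action in reconcile(DIRECTORY, SAAS):
        print(action)
```

The same action list doubles as audit evidence: every deprovision entry is an account that outlived its directory entitlement.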
Organizations naturally remain concerned when it comes to ensuring the security of their data residing in cloud-based applications and services. It is no less reasonable to expect organizations to want to be able to apply the same rigorous access controls across their cloud-based applications and services as the ones that they have gone to great pains to implement for their on-premise, enterprise applications. The vendors and cloud providers recognize that in order to realize greater adoption of cloud computing and services they must address these concerns. We are now seeing new developments in these areas and, as trends suggest, they are moving very fast. To be sure, there is still room for improvement (particularly in the way of standards for ensuring and safeguarding data residing on cloud systems, a topic to be addressed some other time). However, when it comes to ensuring security and regulatory compliance in the cloud, I believe that progress has definitely been made, and that the cloud is no longer quite the “Wild West” it was just a few years ago.
Finally, I’d like to get your opinion on developments pertaining to cloud security and compliance. What issues has your organization encountered, or does it expect to encounter? And what new tools and procedures do you think are needed?