Maintaining security after a cloud computing implementation


Michael Cobb, Contributor
01.13.2010


You've successfully migrated your organization's selected applications and data into the cloud, and everyone has said what a great job you've done. But you and I both know the task of maintaining the security of these apps and data has only just begun. In this tip, I'll review which technologies and processes must be initiated, monitored and secured after a cloud computing implementation or initiative is up and running.

IAM
Cloud computing turns us all into remote workers, which makes identity and access management (IAM) one of the key challenges after a cloud computing move. It is important to have robust lifecycle management regarding users and user access so that user accounts, credentials and access rights are always relevant and up to date, including disabling an account when an employee leaves. Also look to initiate an IAM strategy that can make full use of federated identity management, which enables users to securely access data or systems across autonomous security domains.

More specifically, consider introducing single sign-on (SSO) for enterprise applications and leveraging this architecture to simplify cloud provider implementations. A move to the cloud will appear far more seamless to your users if they are already used to SSO, and it'll make managing trust across different types of cloud services less onerous. You will also have logged baseline data to help you monitor and gauge changes due to cloud activity.

An SSO product should use one of the common standards for implementing federation, such as Security Assertion Markup Language (SAML) or Liberty Alliance ID-FF. These standards extend existing access and identity policies from the internal network beyond the firewall and out to the cloud, while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies.
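The lifecycle-management point above (accounts, credentials and access rights kept current, and disabled when an employee leaves) is easiest to enforce as a regular reconciliation of the HR roster against the SSO/identity provider's user list. The following is an added example, not code from the article or from any IdP product; the roster layout, the IdP record fields and all sample data are constructed assumptions.

```python
# Added example (not from the article): reconcile an HR roster against an
# SSO/IdP user export to find lifecycle gaps: accounts still enabled after
# the employee left, orphan accounts with no HR record, and stale accounts.
# All data below is constructed; the IdP record layout is an assumption.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2010, 1, 13)

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", date(2010, 1, 4)),
    "e102": ("active", None),
}

@dataclass
class IdpAccount:
    user_id: str
    employee_id: Optional[str]   # None when the account has no HR link
    enabled: bool
    last_login: Optional[date]

# Constructed IdP export (assumed layout, not any real product's schema)
IDP_ACCOUNTS = [
    IdpAccount("alice", "e100", True, date(2010, 1, 12)),
    IdpAccount("bob", "e101", True, date(2010, 1, 3)),     # left, still enabled
    IdpAccount("carol", "e102", True, date(2009, 10, 1)),  # no login for months
    IdpAccount("svc-legacy", None, True, None),            # orphan account
    IdpAccount("dave", "e999", False, None),               # already disabled
]

def reconcile(roster, accounts, today=TODAY, stale_days=60):
    """Return {category: sorted user ids} for enabled accounts needing action."""
    findings = {"disable": [], "orphan": [], "stale": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to do
        hr = roster.get(acct.employee_id) if acct.employee_id else None
        if hr is None:
            findings["orphan"].append(acct.user_id)
            continue
        status, term_date = hr
        if status == "terminated" and (term_date is None or term_date <= today):
            findings["disable"].append(acct.user_id)
        elif acct.last_login is None or today - acct.last_login > timedelta(days=stale_days):
            findings["stale"].append(acct.user_id)
    return {k: sorted(v) for k, v in findings.items()}
```

Calling `reconcile(HR_ROSTER, IDP_ACCOUNTS)` on the constructed data returns `{"disable": ["bob"], "orphan": ["svc-legacy"], "stale": ["carol"]}`; in practice the two inputs would be pulled from the HR system and the IdP export on a schedule and the findings fed to the deprovisioning process.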

Bandwidth
The increased Internet usage that cloud computing brings also increases the risk of network congestion and bottlenecks. Web-based applications are extremely latency-sensitive, many barely functioning if the network is too busy. Downtime or slow processing frustrates employees and can lead to breaches of policy. Slow file or data transfers, for example, can lead workers to use alternative methods that may be far less secure and break security policy rules.

One answer to this problem is to deploy a WAN optimization product, which is designed to ease enterprise application traffic on the network by improving application traffic management and eliminating redundant transmissions. Products such as the Citrix NetScaler from Citrix Systems Inc. offer a Web application firewall combined with traffic management through Layer 4-7 load balancing. Other WAN optimization vendors include Riverbed Technology Inc. and Blue Coat Systems Inc.

Firewalls
Connections between the internal network and the cloud should certainly be encrypted; sending any sensitive or mission-critical data back and forth in the clear over the Internet is like offering attackers an invitation to steal the data. As a network engineer, ensure network devices can handle the processor-intensive, public-key encryption algorithms involved in SSL-encrypted communications. SSL accelerator cards or proxies that handle all SSL operations may need to be added to the infrastructure. However, encryption alone won't stop malware and other network attacks. It's important, therefore, to upgrade the firewalls protecting your internal network so that they can inspect SSL traffic. Encryption should ideally work in conjunction with data loss prevention (DLP) products, which will classify and monitor data while enforcing policies.

Audit
Another important task after a cloud computing implementation will be to conduct an audit of all security policies to ensure they remain relevant. Also review, update and test disaster recovery and business continuity plans and procedures. Processes, and more importantly, people's roles, will have changed now that cloud computing infrastructure is a part of day-to-day systems management. The internal IT team will certainly need to work closely with the cloud provider so each understands the other's responsibilities within the context of the continuity plan, including which aspects of any recovery will be handled by whom. Being prepared for service disruptions will reduce the severity of any event.

Finally, don't take statements in your provider's SLA for granted. Check that it does perform backups and patch systems within the agreed timeframes. You should certainly request a copy of the findings of its own audits and ensure that any recommendations have been implemented. Engaging in constructive dialogue will make addressing both parties' security issues a lot easier, so make sure you are in regular contact, particularly during any application or system upgrades. This communication will help prevent changes from adversely affecting your compliance with relevant industry or government regulations.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
