Transparency by cloud provider essential in new normal
By Khoo Boo Leong 13-Apr-2012
"Organizations using a cloud provider have every right to demand transparency of what that provider is doing to secure its information - from the security measures of the data center itself to the systems security architecture and best practices," said Mike Denning, general manager of CA Technologies' Security Customer Solutions Unit.
Such transparency will certainly go a long way to assure organizations of reliable data protection and provide control and visibility of services outsourced.
"Ultimately the organization is responsible for the data as well as compliance, so they must demand transparency by cloud providers as far as what security systems are in place, what their breach policies are, and understand how the organization's own security systems might function with the public or hybrid cloud," Denning added.
New normal challenges
Meanwhile, business expectations and demands of IT in "new normal" dominated by cloud computing, consumer-driven IT and mobility will force a shift in IT's role from merely managing and maintaining IT to delivering agile business services. So, it is critical for internal IT and the cloud service provider to clarify the service level agreement for everything from service interruption to breach notification.
Further, as organizations expand their use of virtualization technologies to achieve the scalability and elasticity of cloud computing, they must grapple with not only the security challenge but also the compliance requirements governing who can access what information.
"This becomes especially important when it comes to the privileged users, or IT administrators, who have access across many systems," Denning said. "In addition, the multi-tenancy of the system must be secured [and organizations must ensure that] the cloud provider is doing everything to secure its data, customer information, applications, etc. to meet security and compliance requirements."
Denning hopes some control can be added back to public cloud use with a content-aware approach to identity and access management (IAM). "Any time you work with a public cloud provider - whether infrastructure or software as a service - the overriding concern is loss of control," he said. "With a private cloud there is a lot of control, but organizations still face all the traditional enterprise security challenges plus an emphasis on securing virtualized environments."
"Our approach is to not only manage and govern identities and control what users can access based on their roles across all computing environments - including the cloud - but also find and classify information and control how it's used based on its content and the user's identity," said Denning.
CA Technologies has extended this concept to its recently introduced security solution for Microsoft SharePoint that essentially provides intelligent control over who has access to what and what they can do with the information.