Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: How to balance control and access in enterprise security

Mohan Veloo | March 21, 2013
Enterprise IT must put in place mechanisms for both controlling and providing control over data and access besides securing the data. Here's what to consider.

Enterprise IT must put in place mechanisms for both controlling and providing control over data and access besides securing the data. Here's what to consider.

Even as cloud computing continues to evolve one issue remains consistent—enterprise IT needs to retain control of both its data and access to it. This is not unreasonable. After all, it is enterprise IT that will be accountable if customer data leaks or if regulations are not complied with. It is enterprise IT that must put into place the mechanisms for both controlling and proving control over data and access.

A provider may offer services designed to give that control, but it is not the party that must implement the polices or report on their effectiveness.

Authentication, authorisation and accounting services (AAA) are often cited by companies as major concerns about using cloud services. They need the assurance of due process of data handling, or else a way to resolve the problem so that they lose no sleep over cloud.

One of the main problems with cloud is that it does not lend itself to static security policy. For example, one popular use of cloud is cloud-bursting, where excess traffic is directed to cloud resources. Firm policies about what kind of data can be moved to the cloud, at what capacity threshold, and any modifications which need to be made to data all need to be considered in a very short space of time.

These need to be accomplished while keeping data secure in transit, with minimal management at already busy times. Enterprise IT needs to consider AAA concerns and ensure that data is kept in the right hands at all times and to be able to extend policy to the cloud to make sure that data stays safe, wherever it is. Application delivery control enables companies to control all inbound and outbound application traffic, allowing them to export AAA services to the cloud.

Access control by its nature must include identity management. Without the means to manage the credentials and map authorisation of access to data and services to those credentials, control is lost. If customer data is the lifeblood of an organisation, then identity stores are its heart valves that control when and where that data is moved and by whom.

Two emerging architectures
Currently, two architectures for control over identity and access are beginning to emerge. Both have a common premise - identity stores are local while data and services are remote.

In one architecture a provider—usually a SaaS solution provider—deploys a virtual appliance on premise that brokers identity. This essentially enables LDAP/AD integration between the data centre and the SaaS.
In the second architecture, a strategic control layer acts as a cloud services broker to provide integration between environments using standard protocols, such as SAML. This enables control over authentication and authorisation of cloud services.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.