Archive for the ‘Infrastructure as a Service (IaaS)’ Category

Security & Cloud Computing

Monday, May 23rd, 2011

A study of North American and European cloud computing service providers was recently completed by CA Technologies and the Ponemon Institute. The study included Public, Private and Hybrid (both Private and Public cloud services). Most of the service providers believe their biggest selling points are ‘lower cost and relative speed’ of services, falling in line with SaaS (Software as a Service) and IaaS (Infrastructure as a Service) offerings. Of note is that the biggest concern is the lack of security in the cloud and within the applicable services. Per the study, on average, providers spend less than 10% of their resources on security, with most having no dedicated security personnel, leaving the onus for cloud security on the customer!

The areas of security that vendors/providers did not deem critical were in the areas of compliance and regulation (at the bottom of each list with very low percentages, 15% or less being deployed by cloud vendors/providers). Prime examples are:

  • Single sign-on
  • Data loss prevention
  • Correlation or event management
  • Access governance systems
  • Encryption for wireless communication

Perhaps the most telling and worrisome quote regarding this practice is:

“The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.”

So if security is the responsibility of the customer and areas such as User Provisioning, Access Management and Data Loss Prevention are on the bottom of the heap as priorities, customers need to be wary.

Going Cloud this year?  Give us at IDMWorks a shout and let’s talk security first.

Private Cloud Identity Management Considerations

Sunday, February 20th, 2011

The most natural evolution for many enterprises in their migration from traditional enterprise IT to a cloud model is the Private Cloud. One of the significant advantages of a private cloud model is the level of control and the level of security that it can offer IT organizations over their own cloud infrastructure. Traditional Enterprise IdM relies on tight integration and heavy customization. The cloud’s model of sharing resources makes tight coupling a non-starter.

The cloud model instead needs an identity management infrastructure with the following characteristics:

  1. Service Oriented – so that applications can take advantage of reusable shared components supported by your IT organization using SaaS (Software as a Service)
  2. Standard Oriented – so that your services can work seamlessly with other applications on premise and off premise (SAML, SPML, XACML, OpenID, etc.).
  3. Loosely Coupled – so that you can build and deploy services by leveraging existing ones using PaaS (Platform as a Service).
  4. Interoperable – work seamlessly with your traditional infrastructure without introducing any deployment risks using IaaS (Infrastructure as a Service).

In a private cloud, your IT has to worry about sustaining compliance and keeping compliance costs down. In a public cloud, on the other hand, service providers have a significantly higher bar when it comes to compliance. Audit standards like SAS 70 are applicable to public cloud service providers. Sustainable compliance demands automation, so technologies like Identity and Access Governance are necessary to meet the complex demands of compliance such as attestation and access governance.

Self Service is also critical in private cloud scenarios. Self service can keep administrative overhead costs down. Delegated Administration is also necessary in private clouds so that central IT can delegate control of identity management for departments to departmental owners. Technologies like Identity Administration can help with self service provisioning, password reset and in enforcing delegated administration.

Questions? Feel free to reach out to us at IDMWorks.

Cloud Layering through IaaS, PaaS & SaaS

Friday, February 18th, 2011

We have beaten the Public vs. Private Cloud advantages subject to death here on this blog.

So today’s subject will be an explanation of the various layers of Cloud offerings available.

A cloud-based offering can be provided at different levels and with different service models.

1) Infrastructure as a Service (IaaS) – A very basic, low-level infrastructure of servers with operating systems can be provided; Amazon EC2 is probably the most widely known example.

2) Platform as a Service (PaaS) – Offering more structure and composable components gives us “Platform as a Service” such as the Google App Engine or Salesforce’s Force.com.

3) Software as a Service (SaaS) – The highest level offering is a full application, “Software as a Service” such as Oracle’s “On Demand” offerings or Salesforce.com.

But be warned: the higher the level of the cloud offering, the less the “customer” of the cloud has to do or build, but the more constrained he is. It’s a trade-off between effort and flexibility.

Furthermore, as you move from IaaS to PaaS and finally SaaS, you get fewer controls and less visibility into what the service provider offers. Many service providers may not implement standards, which can make interoperability and integration challenging.

Questions? Feel free to reach out to us at IDMWorks here.