The barrage of articles and blogs that cropped up following the personal identity hack on Wired’s Mat Honan got me thinking about the importance of security in the cloud. In my experience, what happened to Mat is not a unique issue. In fact, it’s actually a somewhat typical downside to – what I call – consumer cloud services.
It was, no doubt, a horrible thing to have happen. But outside of the hack itself, I was troubled by how many articles generalized the Amazon and Apple consumer service weaknesses as blanket weaknesses for the cloud as a whole. At best that’s disingenuous. Enterprise and consumer cloud services cannot be conflated.
That said, it would be a mistake to ignore how the lessons learned from particular enterprise and consumer cloud service vulnerabilities can inform one another, especially when those vulnerabilities are exposed through social engineering attacks, which can be very difficult to anticipate.
Differentiating the Consumer & Enterprise Clouds
I use consumer cloud services for personal email and to store the music and media that I purchase. I certainly don’t use them for work. While these consumer services have security measures in place, I do not treat them as silos for maintaining my privacy and security. The enterprise cloud is different. At work, services like SalesForce or Box are trusted to secure the private data maintained on them.
Regardless of its particular service offering, an enterprise cloud must be secure, highly reliable, and extremely trustworthy. While seemingly simple, these are difficult features to attain. Before joining Okta, I ran professional services at a top security research firm – and many hundreds of penetration tests later, I can attest to the fact that a lot of advertised security is merely theater.
So what does it take to be secure, reliable, and trustworthy at the enterprise level?
Quite a lot, actually.
This is the beginning of a five-part blog series, where I will discuss what makes a cloud service enterprise-ready. Whether it’s an IdM, CRM, or Content Management solution, I’ll explore the features that ensure a cloud service meets enterprise requirements.
To kick things off, I’d like to take a step back and discuss what I mean by “enterprise cloud.” The term itself is pretty oblique, and a quick search on Google (or Bing, if that’s your speed) doesn’t get you very far beyond competing definitions and a bunch of company links.
It’s a difficult term to define. Saying that the enterprise cloud is a bunch of enterprise users accessing a virtualized computing environment is not quite sufficient. After all, people are still trying to decide what, exactly, “cloud” means. Rather than trying to nail down an exact definition, it’s more valuable to discuss what components make a cloud service enterprise-ready.
I believe there are five things that make a cloud service truly enterprise-ready. These are things I’ve not only seen first-hand here at Okta, but also as a trusted security advisor of many dozens of service organizations. Outlined below are the most important areas — and questions — that enterprise cloud buyers need to be aware of:
- Development for the enterprise: How does the cloud service build in security, reliability, and trust at the most basic level? Another way of looking at this is: does the cloud service have a Security Development Lifecycle? Is it audited and transparent? This can be very hard to do in today’s age of fast-development shops, where even Agile is too slow.
- Endless 9s reliability: High availability is great – having it built into your customer SLAs is even better. But these days, cloud service providers are moving away from building and managing their own infrastructure. How does the enterprise-ready cloud service build out its virtualization to compensate for an IaaS that doesn’t guarantee the same level of reliability?
- Benchmarked and audited service: A SOC 2 report is the benchmark report for enabling a provider to demonstrate the security, reliability, and trustworthiness of its service. Less than 1 percent of SaaS providers are SOC 2 compliant against all five trust principles. When selecting an enterprise cloud service, make sure the provider can stand up to a rigorous third-party audit. Enterprises comply with many rigorous audits – so should their cloud service providers.
- Strong encryption throughout: Protecting customer data with strong encryption is a given, but be wary of providers that use so-called proprietary encryption schemes. I have seen time and time again how easy it is to do encryption or key management wrong.
- Singular focus on the customer: It turns out customer service is extremely important at the enterprise level. But it’s not the super-friendly-guy-on-the-phone type of customer service. Enterprise service relationships are close partner relationships. Enterprise cloud services need to have a talented customer success team that is focused on helping integrate the service – because that’s the challenge: every enterprise is a unique network of different orgs, apps, and people.
And that’s just the beginning. In this series I will explore these five components in detail — connecting back to how they each contribute toward making a cloud service secure, highly reliable, and extremely trustworthy. For a CIO or CSO, selecting cloud services requires research. Hopefully this series will make that process easier by identifying the necessary vendor investments that make a cloud service enterprise-ready.