Transparency is a great way for cloud providers to demonstrate and prove good security practices to their customers. Often, however, the transparency stops when outages or service hiccups occur. During an incident, how a cloud provider communicates to its customers says a lot. In a guest post for the Cloud Security Alliance, I discuss why customers should expect clear, transparent SLAs from their service providers, what customers should expect during an incident and why transparency is so important from a security and trust perspective. Head over to the Cloud Security Alliance to read the full post.
With the growing movement of enterprises to the cloud, it’s more important than ever that service providers demonstrate and prove good security practices to their customers, in good times and in bad. During an incident, how a cloud provider communicates to its customers says a lot about its commitment to security. Sounds obvious, right? Well, three different times during the past seven months — and once while I was on a panel at the 2012 CSA Congress in Orlando — I’ve learned that it isn’t clear after all. As CSO at Okta, I work closely with our customers and they always ask, “What will you guys do if a breach occurs?”
I recently released the first, second and third installments of a six-part blog series about what it takes to have an enterprise-ready cloud service, and the three characteristics that differentiate an enterprise-grade cloud service from a typical consumer service: security, reliability and trust. As a quick refresher, there are five categories to look at when evaluating a cloud service for security, reliability and trustworthiness:
I’ll focus on “endless 9s” reliability in this post. Availability of a cloud service is important. People I know get quite agitated when Facebook or Twitter is unavailable, but imagine the repercussions when a big enterprise such as Genomic Health can’t access a critical application, such as CRM. The phrase “four 9s availability” has been the benchmark for providers delivering critical online or hosted cloud services. Whether it’s five 9s or three 9s, the punch line is really how providers actually deliver those 9s.
The barrage of articles and blogs that cropped up following the personal identity hack on Wired’s Mat Honan got me thinking about the importance of security in the cloud. In my experience, what happened to Mat is not a unique issue. In fact, it’s a somewhat typical downside to what I call consumer cloud services.
It was, no doubt, a horrible thing to have happen. But outside of the hack itself, I was troubled by how many articles generalized the Amazon and Apple consumer service weaknesses as blanket weaknesses for the cloud as a whole. At best that’s disingenuous. Enterprise and consumer cloud services cannot be conflated.
Identity is at the center of cloud security. As a result, cloud identity and access management (IAM) is one of the most interesting – and critical – challenges in IT today. The rapid evolution of enterprise IT to the cloud has rendered on-premise identity solutions ineffective. With the acceleration of mobile device access, cloud business apps and extensive online collaboration with customers and partners, identity has migrated beyond the firewall. The new challenge is securing and managing these identities and controlling access to IT systems from any device, anytime, anywhere.
As an information and security executive, I’ve long been exposed to the challenges of cloud-based IAM. High reliability, scalability and security are the three essential features of an enterprise-ready cloud identity solution. And, as evidenced by recent AWS outages and sophisticated data breaches like the one at CloudFlare, this is exceedingly hard to do.