Posted by: Beth Cohen
Cloud architectures, cloud compliance, Cloud innovation, Cloud security, Cloud Strategy
Question: What are some emerging cloud security products and approaches that assuage IT and Business executive concerns?
New technologies require new approaches; the cloud is a new technology that has already had a profound effect on IT service delivery. As I discussed in a previous blog on the current state of cloud security, building private clouds is just one way to at least temporarily duck security concerns. Ultimately however, the best solutions will take an entirely fresh approach.
Overall the cloud security market is just starting to address this need. While some new cloud security products are just variations on previous themes or relabeled products with a cloud spin, others are taking a radically new approach to the problem. Many startups are just emerging or still in stealth mode. At the other end of the spectrum, established companies are announcing security add-ons and products. Since this is such a nascent market, there is little industry consolidation yet. Now that the cloud has the attention of the venture community, hopefully any gaps in market will be quickly addressed by cloud security startups.
While the Cloud Security Alliance has been working diligently on developing new standards in anticipation of the upcoming second annual conference in Orlando in November, there is still little consensus on what is needed and what constitute the best approaches to take. The cloud is far more defuse than any previous technology; think of it as the ultimate intangible portfolio of IT services. The abstraction makes it very difficult to identify which entity owns the responsibility for securing the systems, or even the best place to apply security. When your network is the Internet, a separate hardware firewall makes little sense, even if it were possible to place it at all. Another major issue is the need for the proper separation of applications, data and users to support multi-tenancy both inside and outside the enterprise.
Here is just a small sampling of some emerging companies that are taking cloud security seriously and will deliver workable new solutions that benefit everyone. They are organized in rough buckets of security concerns mapped on the now standard cloud layer model.
At the application layer security often targets identity and user access management. This might be a combination of VPN and application authentication services or security built into the application itself. Federated authentication and authorization is always a complex issue in any company, so adding enterprise cloud applications and SaaS to the corporate portfolio only adds to the headache. Some ID management/SSO solutions include products from AEP Networks, Citrix and Symplified to name just a few. AEP. Networks (www.aepnetworks.com) has a mix of VPN and authentication solutions for a globally distributed workforce, including a SaaS based authentication service. For the more traditional enterprise, Citrix Open Cloud Access adds the ability to authenticate a portfolio of SaaS applications to its unified ID management products. Symplified (www.symplified.com) and Ping Identity (www.pingidentity.com) offer comprehensive SSO that extends authentication out to mobile interfaces for comprehensive enterprise solutions.
Depending on your definition of the platform layer, platform layer security would include secure development tools or tools to secure the instances. An example of the former is MLSlate (www.mlstate.com), a French company with OPA, a secured programming language and development platform. For instance security, High Cloud Security (www.highcloudsecurity.com) uses a key management system to encrypt images of highly sensitive applications in the cloud.
I deliberately added the network to the definition because so many of cloud security solutions available now touch the network in some way. There are several cloud based firewalls, such as Cloud Flare (www.cloudflare.com) which is a community based firewall. It works a bit like Postini and other cloud based anti-spam services. Blue Coat Systems (www.bluecoat.com) offers a similar cloud based solution derived from their firewall appliance.
Vyatta (www.vyatta.com) takes a somewhat different approach and offers a virtual firewall with network shaping capabilities. Bromium secures the hypervisor, so it is more appropriate for a private cloud or service provider. Of course access to cloud applications through VPN sessions is one of the most common methods, so systems that manage sessions and authentication often touch the network.
Not all products or services fall into neat buckets, some like AEP offer services that cross boundaries, while others such as AFORE Solutions (www.aforesolutions.com) and Hytrust (www.hytrust.com) approach the problem from a compliance perspective by limiting access to the hypervisor layer and creating auditable logs.
No matter what a security product does, as with anything in IT security, no single solution will address all the vulnerabilities, so it is best to use a mix of products to secure your public, private, hybrid or community cloud.
About the Author
Beth Cohen, Cloud Technology Partners, Inc. Moving companies’ IT services into the cloud the right way, the first time!