When companies consider cloud computing, they often think of its numerous benefits: no more costly infrastructures and administration tasks, and instant gratification in terms of availability. Small and midsize businesses in particular can benefit from this easy-to-use software that comes without the burden of ongoing administration and system maintenance (see sidebar for a cloud computing refresher).
But what about the potential risks? Unfortunately, too few companies make security a priority when it comes to their cloud explorations. While solutions outsourced to the cloud are convenient (because your staff will not have to deal with the applications and the data that passes through them), it’s important to remember that someone else will. Cloud computing means letting external administrators access, manage, and, to a certain extent, control your business data. It also means moving your information out of the relatively secure perimeter of your own company, into the cloudy environs of the Internet. It’s a jungle out there, and you need to ensure that appropriate security measures are in place to protect your vital assets and interests — from both a business perspective and a legal one.
But note: Securing the cloud isn’t rocket science. With proper planning and the right tools, companies can take advantage of the benefits of a cloud environment and mitigate potential risks.
Exploring the Cloud? 3 Key Questions You Should Get Answered First
There are many considerations for companies looking into cloud computing. Here are three questions your company should ask itself at the outset of any cloud project.
1. What Kind of Cloud Offering Should We Use?
Depending on the degree of privacy they offer, clouds can be categorized into four subtypes, each of which offers a different level of security:
- A private cloud offering is a hosted offering for just one business and a selection of its suppliers — here, a company can “privately” access its applications and data. You would choose a private cloud for data that you consider highly security-critical, such as business or financial data that would give someone insider knowledge.
- A public cloud offering is a hosted solution available for multiple tenants and open to anyone who would like to participate in the offering. This is a cloud you would choose for sharing open information geared toward your own customers, such as help portals and product descriptions.
- A hybrid cloud offering consists of multiple internal and external providers and is geared toward specific business-to-business applications with a focus on commercial usage. Less critical applications can be run in a public cloud, whereas the more sensitive, business-critical applications can be run in a private cloud. This offering is for those looking to set up restricted marketplaces or marketplaces with public invitations to tender.
- A community cloud offering consists of hosted offerings for Internet communities (usually organized around a specific topic), thus easing the information exchange. This is an offering for information sharing and decision making that enables all participants to comment on information and share additional data — by uploading files or inserting links, for instance.
2. How Will the Provider Ensure Privacy?
Cloud providers are responsible for ensuring that companies and users see only their own portion of the data hosted in the cloud. To do so, these providers use a concept called multi-tenancy — meaning that a single instance of a hosted application is provided for multiple clients (tenants). An additional benefit of this multi-tenant architecture is that it allows tenants to configure the user interface according to their corporate branding and configure their own business processes and rules without changing the code, which is shared by all tenants.
Of course, there’s still an element of risk in this scenario. Administrators can still access the servers and data — and potentially abuse their access privileges for industrial espionage. Data privacy issues could also arise due to the aggregation of data. Consider, for example, that your controlling application and its data were hosted on a server alongside your fiercest competitor’s data. This might give someone the opportunity to compare the internal costs and profit margins of the two.
This is why a company might require that its solutions never get deployed along with those of its competitors. A good workaround for this situation is to deploy your solution in a private cloud, or to encrypt data at rest (that is, data in computer storage that is never changed or is changed at regular intervals) and data in transit (that is, data that is being transferred over a network or that is temporarily stored in memory to be used or updated) to ensure confidentiality. And, of course, strong authentication mechanisms are a must.
It is also crucial to understand the outsourcer’s key management policy. Ask the outsourcer where the encryption keys will be stored and who has access to them. Ideally, only the businesses themselves or the end users should be able to see the keys.
3. What Should I Look for in a Provider’s SLA?
Service-level agreements (SLAs) regulate the conditions and define the contract for a cloud offering. As a business or an end user, you should carefully read and make sure you understand these terms. With regard to security, pay special attention to security management and secure configuration. For example, ask:
- What are the provider’s encryption offerings for credit card payments? Are they compliant with the Payment Card Industry Data Security Standard (PCI-DSS)?
- How often do servers receive security patches? What are the guarantees for high availability? When are the scheduled downtimes?
- Where are the servers located? How is the staff at that location trained?
- What are the provider’s back-up and recovery offerings, and which access rights are mandatory? What happens when a back-up does not run smoothly or if data gets lost?
- How do you transfer security policies when moving data from an on-premise installation to a cloud application?
- What are the procedures if there is a data breach or if data is lost or accessed by an unauthorized entity? Who will investigate such a breach, and what are the mitigation measures?
- Who owns the data? How is retention handled?
When considering a cloud offering, you also want to ensure that the outsourcer can enforce what it states in its SLA. That’s why it’s also a good idea to pay the provider of your choice a site visit and ask for a demonstration.
Adapt Existing Identity Management Tools and Strategies for the Cloud
Identity management is another important part of cloud computing, and it will only become more so as the cloud evolves. Consider this: In the future, customers, regardless of size, will have to open their on-premise applications to make them accessible from cloud applications. Why? To attract younger customers, businesses need to expand access to their software via community cloud applications, such as Twitter or Second Life.
Business applications will then be run as connections in the form of networked applications or networked solutions. Of course, the business won’t want to outsource all of its critical data to a cloud solution, but will instead complement its on-premise software with on-demand extensions.
To bridge the gap between these on-premise and on-demand solutions, software vendors will have to ensure that their solutions are both interoperable and secure. Of course, on-premise solutions generally call for stronger authentication procedures, while on-demand solutions often thrive on their users’ anonymity. To meet both of these needs, companies need a solid identity management strategy and tools.
Luckily, many companies already have some kind of identity management functionality and strategy for the cloud. For example, many businesses have offered Internet-based access to their systems for a long time, and they also have the appropriate security measures to ensure authentication, encryption of communication paths, and the security of web services. The evolving security tools that enable all this will also help authenticate user credentials at registration, while still ensuring privacy — thus allowing a secure connection between on-premise and on-demand solutions.
The key here is identity federation, a new industry standard that allows a business to establish cross-domain single sign-on within heterogeneous landscapes [1]. The standard was developed to enable the new kind of trust relationships that cloud computing requires. Identity federation can be combined with an identity and access management (IAM) infrastructure to create strong authentication and to link access management with the administration of the repositories where the identities reside. And with the latest release of SAP NetWeaver Identity Management, the standards needed to enable this identity federation are now available to SAP customers. Let’s take a look at the identity federation concept in practice.
Identity Federation in Action: Securing a Business Process in the Cloud
Consider an airline that wants to offer special services for its members. For example, the airline wants to work with a hotel agency to offer its Platinum members a free room upgrade, and with a car rental company to offer Regular members a discount. This cooperation between different companies requires a cloud-based business process to exchange information about the customer. And the key to securing that information exchange is identity federation (see Figure 1).
Figure 1: Using SAP NetWeaver Identity Management’s identity federation standards to securely send information between different companies
In this case, the airline company acts as the identity provider (IdP) in the process — this means that the airline is responsible for handling the authentication and identification of a user. The IdP stores the central ID of all users — here, the airline members — and all the federation information for the participating target systems — here, the car rental company and the hotel agency’s systems. These target systems act as the service providers (SPs) in this scenario. To establish identity federation, the airline and the administrators from each SP company need to set up agreements about how to exchange the user ID information. In this example, the companies go about this requirement in different ways:
- Attribute-based identity federation: The only information the hotel agency requires is the airline’s name and the member’s status. It does not need a named user, but instead uses the attribute “member status” to process the user. The required information about the airline company is included in the authentication information from that company. With attribute-based identity federation, companies can use virtually any information to identify the user: cost center and company code combinations or a social security number, for example.
- Named user-based identity federation: The car rental company requires named users in its systems, but does not want to share the user names over the Internet because of security and data privacy reasons. It uses the customer’s email address as federation data and maps it to the car rental user account.
For both authentication mechanisms, the IdP issues a standardized Security Assertion Markup Language (SAML) token. With its 2.0 version, SAML can be leveraged to establish trusted single sign-on between businesses and a variety of SP back-end systems. The SP does not need to sanitize or cleanse the user IDs. And the users can keep their various back-end IDs to ensure their privacy, but still be properly and strongly authenticated.
Summary and Outlook
As more and more companies explore the possibilities of cloud computing, the issue of security should be top-of-mind. Hosting solutions in the cloud and linking on-premise solutions and on-demand cloud offerings provide a bevy of benefits, but also involve making your business’s information accessible to more outside forces. To mitigate the potential risks that come with this, there are many considerations to keep in mind and several tools you’ll want at your fingertips.
For more information, visit www.sdn.sap.com/irj/sdn/virtualization and www.sdn.sap.com/irj/sdn/security.
Gerlinde Zibulski (firstname.lastname@example.org) has been with SAP for over 11 years. Gerlinde is the Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.
Regine Schimmer (email@example.com) is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG and SAP Labs.
[1] See “Taking SSO to the Next Level: SAP Supports Identity Federation with SAML 2.0” by Yonko Yonchev and Dimitar Mihaylov in the July-September 2010 issue of SAPinsider.
[2] See “Cloud Computing and SAP: Where We Are and Where We’re Going” by Kaj van de Loo and Roland Wartenberg in the July-September 2010 issue of SAPinsider.