
WHITE PAPER
Identity and Access Management for Approaching Clouds

Sponsored by: CA

Christian A. Christiansen, Sally Hudson, Charles J. Kolodgy, Gerry Pintal

May 2010

IDC OPINION
Cloud computing is in the process of changing the enterprise IT landscape. Formal and informal surveys of IT management professionals provide strong evidence that cloud computing not only is here to stay but also, within the next several years, will permanently change the way enterprises deploy IT infrastructures. Successful early-adopter results are being discussed and promoted with promises of significant operational cost reductions, ease of deployment, scalability, flexibility, and elasticity. If a fraction of these claims and predictions become reality for enterprises, the overall market potential for cloud services will indeed be a proverbial gold mine.

Recent IDC research involving IT executives and professionals shows huge potential for both enterprise IT and cloud service providers. In IDC's 2009 Enterprise Panel survey, 263 IT executives and their line-of-business (LOB) colleagues were asked if they were going to pursue the cloud model for a variety of IT applications, workloads, and services, and almost 50% of the responses ranged from "neutral" to "very likely." Although there is no guarantee that the excitement and enthusiasm will eventually play out, early user response strongly suggests that the door is open for future cloud services adoption.

However, IDC's Enterprise Panel IT Cloud Services survey also noted that 87.5% of panel members indicated that cloud security is their number 1 challenge. It is clear from this striking response that before cloud computing is able to "cross the chasm," a significant amount of confidence building and successful use case results is needed to allay the security concerns of IT.

A related IT concern is the current lack of adoption of security standards for public, private, and hybrid cloud-deployed systems. This results in protracted contract negotiations that may take months, which is costly for both cloud consumers and cloud service providers.
To create some common ground between customers and cloud service providers, the Cloud Security Alliance (CSA) is very active in promoting cloud security best practices. The CSA has recently released a second edition of its Security Guidance for Critical Areas of Focus in Cloud Computing. The CSA is also collaborating with the IEEE to formally establish cloud security standards. As cloud security standards become formalized and are adopted by cloud services vendors and security market vendors, IDC forecasts significant corresponding growth in the cloud security market segment. Some formal security standards do exist today, but the current issue revolves around the slow rate of standards adoption. As in the past, de facto standards will arise from vendor and customer interactions.

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

METHODOLOGY
IDC wrote this paper in May 2010. Its premises and opinions are based on leveraging a combination of research sources, including:

- IDC primary research on cloud computing and security
- Historical and current research through IDC customer and vendor surveys
- Monitoring information on the subject of cloud security reported in blogs, the press, and other online information sources

In addition, IDC was briefed by CA to better understand CA's cloud computing experiences, security products, and customer implementation strategies.

IN THIS WHITE PAPER


This white paper provides an overview of cloud computing, its current status in enterprise adoption, and its impact on enterprise IT. The paper also discusses cloud security issues and challenges and describes CA's answer to helping enterprise IT organizations and cloud providers improve their cloud-related security. This includes centralized control, visibility, and monitoring of security management of heterogeneous IT infrastructures that already contain or will contain cloud computing elements.

SITUATION OVERVIEW
Following the successful launch of cloud-based software-as-a-service (SaaS) applications, the IT community and services vendors have kept a watchful eye out for clear evidence of the sustainability of the approach. Over the course of the past several years, in-the-cloud application computing offerings have clearly demonstrated a solid track record of early-adopter successes.

Now and Looking Forward


IDC believes that 2009 worldwide cloud computing services spending was $17.4 billion and predicts that the market will grow to $44.2 billion by 2013. The five-year compound annual growth rate (CAGR) is 26%. This is six times the rate of traditional on-premise IT spending! Within the security markets, IDC estimates that the total worldwide revenue for the security SaaS market component of the total cloud security market was $1.4 billion in 2008. With a CAGR similar to that of the overall cloud computing market, the security SaaS market should generate $4.3 billion by 2013. IDC defines the security SaaS market as a security offering provided by an offsite, third-party provider and not via software deployed internally by the customer.

#223280

2010 IDC

Key Factors Driving Cloud Computing


The phenomenal success of SaaS deployments has created an increased level of interest and enthusiasm among mature and new cloud computing companies. While SaaS applications capture most of the attention, cloud computing includes three distinct classes of public and private cloud computing service offerings:

- Software as a service (SaaS) is a business model in which a cloud services company (or private cloud service within the enterprise) provides full applications to customers. Applications are accessed via the Web. SaaS does not require the capital purchase of any software or hardware. Pricing (or chargeback) is subscription based by user.
- Platform as a service (PaaS) is a business model in which a cloud services company (or private cloud service within the enterprise) provides its customers with a cloud-based infrastructure to develop and configure customer-developed applications using programming languages and tools supported by the services provider. Similar to SaaS and IaaS, PaaS requires that customers pay (get charged back) only for the resources they use.
- Infrastructure as a service (IaaS) is a business model in which a cloud services company (or private cloud service within the enterprise) provides its customers with computing equipment that is located and accessible in the cloud and is used to support customer operations via the cloud. Infrastructure components may include storage, servers, networking components, and general infrastructure hardware. Like SaaS and PaaS, IaaS requires that customers pay (receive internal charges) only for the IT resources actually used. For example, they may "rent" servers by performance level, network bandwidth, or amount of storage/backup.
In addition to the above public cloud service classes, IDC envisions that hybrid cloud infrastructure architectures, where private cloud services are developed, deployed, and maintained by enterprise IT, will logically coexist with and support strategic and tactical deployments of public SaaS, PaaS, and IaaS cloud computing services.

The Cloud Computing Market Today


What are the highest potential applications for cloud computing for the enterprise? In an IDC cloud computing services survey of 244 IT executives/CIOs and their LOB colleagues who were asked to characterize the current and potential future IT usage of cloud services within their organizations, the following were among the top 5 anticipated enterprise cloud computing business applications to be pursued and adopted in 2010:

- Enterprise collaboration applications
- Web applications/Web serving
- Cloud data backup or archival services
- Business productivity applications (CRM, HR, ERP)
- Personal productivity applications

Cloud Adoption Concerns


Although much enthusiasm and excitement exists over the potential benefits of cloud computing, survey results clearly indicate that there is a strong reluctance on the part of enterprise IT to aggressively adopt cloud computing in future system deployments. Participants in IDC's Cloud Services survey provided the following top 5 IT cloud computing concerns:

- Security: 87.5%
- Availability: 83.3%
- Performance: 82.9%
- On-demand model costs more: 81.0%
- Lack of interoperability standards: 80.2%

With over 80% of the survey participants expressing concerns in these five areas, cloud computing service providers have their work cut out to successfully address and mitigate these IT cloud computing concerns.

Cloud Computing: Security Implications


With all of the enthusiasm, excitement, and hype that exists on the overall benefits of cloud-based IT deployments, it is clear that enterprise IT professionals are acutely aware of and focused on the potential risks associated with cloud computing deployments. Because cloud computing security tops the list of IT concerns at 87.5%, it is critical that IT with its private cloud deployments and public cloud service providers take aggressive steps to address and allay cloud deployment security concerns.

Although cloud computing promises to provide enterprises and IT with relief from numerous pain points, using cloud deployment alternatives, either individually or in combination, significantly alters a business' security risk profile. Moving any portion of, or all, IT applications, software, and/or hardware into the cloud does not alter or negate the potential security risks to the business, nor does it imply that the service provider's security solution will address all of the general and specific threats facing the enterprise.

For any enterprise, the security requirements for cloud-deployed systems, applications, and infrastructures, at the most fundamental level, are not significantly different from those of internal deployments. However, because portions of the solution now reside in virtual space, with IT system elements existing outside direct enterprise control, overall enterprise security, compliance, and auditing solutions must extend outward to cloud-deployed systems.

Organizations making use of cloud deployments must ensure that their cloud deployments adhere to applicable internal policies, industry standards, and government mandates, including:

- State-level data breach notification laws
- PCI/DSS (Payment Card Industry Data Security Standard)
- EU Data Privacy Legislation
- SOX (Sarbanes-Oxley Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- USA PATRIOT Act

Industry's Critical Need for Security Standards


A recent study conducted by the Cloud Security Alliance and the IEEE found that 82% of respondents believe that the need for cloud computing security standards is urgent. It is clear from this survey data point that for those organizations considering deployment of any cloud-based computing, security standards will play a significant role in helping IT achieve optimal results in extending security into cloud-deployed operations.

Current Status of Cloud Security Standards


As previously indicated in IDC's survey results, more formalized cloud security standards are needed before enterprise IT organizations will confidently adopt cloud computing for their future business needs. The Cloud Security Alliance is providing important leadership in the pursuit of establishing cloud security standards. The CSA, led by a coalition of industry practitioners, corporations, associations and other key stakeholders, has formally published the second edition of its Security Guidance for Critical Areas of Focus in Cloud Computing. Although Web security standards such as SAML and SPML exist and apply very well to cloud security, formal cloud security standards from internationally recognized standards organizations are only now being developed.

Cloud Security Management Implications and Challenges


Security Management
Managing on-premise enterprise security in itself can be a daunting task for IT. Public or private cloud-based deployments leveraging SaaS, PaaS, or IaaS may potentially achieve significant business and operational gains for the enterprise. However, unless a comprehensive (enterprise + cloud) view of security is adopted, including secure interoperability across the enterprise/cloud boundary, any such deployment significantly increases the enterprise IT security management challenge and may significantly increase the enterprise's risk profile.

Many of the complexities in establishing a totally consistent and secure enterprise environment arise from the fact that security related to cloud-deployed IT services will be jointly shared and managed. This creates a need for a careful gap analysis to be conducted and accounted for in each established SLA and for each type of cloud deployment. Failure to do so may result in critical gaps in application security. For enterprises to avoid exposure risks from potential security gaps, close collaboration and interoperability issues must be considered and incorporated in any formal agreement between the enterprise and the cloud provider.

Deployment Choices and Complexities


Today's deployment choices for IT can be viewed as consisting of five primary deployment models:

- Dedicated IT (including private cloud deployments)
- Provider hosted
- Public IaaS
- Public PaaS
- Public SaaS

Included within each of the five deployment models are the following IT infrastructure building blocks: networks, storage, servers, virtual machines (VMs), applications, and data. The control, management, and security issues required for each deployment model and its IT infrastructure building block components change in a continuum from dedicated IT to the cloud deployment models. Depending on the deployment model of choice, the responsibility for management and control of each building block will range from complete enterprise IT control to complete service provider control to shared control between enterprise IT and the service provider.

Using this control model, we can also gain some insight into the complexities of establishing secure environments, by individual infrastructure building block, for each of the five deployment models:

- Dedicated IT. This infrastructure stack represents the components of a traditional enterprise model, including private cloud deployments, where enterprise IT is responsible for management and control of all on-premise and private cloud system components. This includes establishing, monitoring, and managing security for enterprise data, applications, VMs, servers, and storage systems. Responsibility for network security, in most cases, may be shared with a service provider.
- Provider hosted. With a deployment involving a hosting provider (traditional managed service provider or MSP), the enterprise bears shared responsibility for the management and security of the deployment. In this model, enterprise IT maintains control of and security for the data, applications, and VMs, while the service provider maintains control of and responsibility for security of the servers, storage, and network.
- Public IaaS. In the public IaaS deployment model, enterprise IT controls, manages, and is responsible for security of the data and applications. The service provider controls, manages, and is responsible for securing the servers, storage, and the network. Responsibility for controlling, managing, and securing VMs is shared by the enterprise and service provider.
- Public PaaS. In this model, enterprise IT is responsible for controlling, managing, and securing the data. Responsibility for controlling, managing, and protecting the applications and related services is shared between enterprise IT and the service provider. The service provider is responsible for controlling, managing, and securing the servers, storage, and network.
- Public SaaS. In the public SaaS model, enterprise IT and the service provider share responsibility for controlling, managing, and securing the data. The service provider is responsible for the control, management, and securing of the applications and related services, servers, storage, and network.

As can be seen from the above discussion, security management control in the various deployment scenarios can range from singular and clear to shared and interdependent, especially in the shared control and management situations. When security and control processes are mapped into these scenarios, establishing uniform, consistent, and effective security approaches across the various on-premise and cloud-deployed options can become complex.

Managing this process requires careful analysis and coordination with selected cloud service partners and enterprise teams that consist of enterprise IT, LOB stakeholders, and most importantly, security professionals. It is important to note that past experiences have shown that omitting the involvement of security professionals early on in the cloud planning and deployment phases could very well result in an elevated level of business and security risk for the enterprise.
Although some or all of the security protection may be performed by the service provider, the ultimate responsibility for the enterprise's security remains with the enterprise. This is the crux of the interdependency that must be addressed with SLAs, reporting and monitoring, interoperability through standards, and other forms of collaboration.

Cloud Security Implications


A helpful way to view security requirements that involve aspects of public cloud-based systems is to view them from three perspectives:

- Up: Where the perspective extends security, identity, and authentication practices outward from the enterprise to encompass cloud services
- Down: Where the perspective extends security, identity, and authentication practices from the cloud service provider down to the enterprise
- Inside: Where the perspective is security, identity, and authentication practices conducted within the cloud service provider

Our discussions in this paper will primarily focus on the "up" frame of reference where security, identity, and authentication practices extend outward from the enterprise to the cloud service provider. But it is also important to consider security systems and processes from the cloud service provider's point of view.

Cloud Service Provider


Accommodating and/or providing an optimally secure computing environment for enterprise customers and their cloud-deployed systems is a key success factor for cloud service providers. Whether the cloud deployment is in the "up," "down," or "inside" perspective, traditional on-premise enterprise security functions, including comprehensive identity and access management (IAM) and authentication, must be incorporated into agreed-upon SLAs.

Enterprise Cloud Deployments


Cloud-based deployments of systems and applications for use by enterprises must adhere to the same policies and security requirements as when they are deployed in traditional on-premise IT infrastructures. Cloud-based deployments do not release enterprises from ultimate responsibility. Consequently, with specific limited exceptions, traditional enterprise security policies should map to cloud security requirements. Protecting and securing all cloud-deployed enterprise data and access to that data is not an optional requirement.

In private IT cloud deployments, IT organizations, just as with their traditional on-premise deployments, remain responsible for establishing, deploying, and maintaining overall security, IAM, and authentication for deployed systems, as required by enterprise policies, industry standards, and government mandates. In fact, organizations with mature IAM deployments have often positioned their identity capabilities as being provided as shared enterprise services, which is akin to providing identity services as part of a private cloud.

IAM for Fast-Approaching Clouds


IAM and authentication have proven, over the years, to be core components in achieving maximized security in enterprise systems. IAM systems and authentication processes will also prove to be equally important between the enterprise and the cloud as well. Access management policies for cloud-deployed systems must be consistent with existing enterprise IAM and authentication implementations. To be maximally effective, IAM services must extend out to incorporate cloud-deployed systems, must be seamlessly implemented, and must be centrally monitored and controlled through an enterprise security system.

At a minimum, the following IAM functions must also apply and extend to cloud-deployed systems:

- Privileged user management/root user control
- Access management/single sign-on (SSO)
- User authentication/federation
- Identity management and role management
- Data loss protection/prevention (DLP)
- Log management


Privileged User Management/Root User Control

To comply with regulatory mandates, all sufficiently sensitive IT operations must implement user and root user control policies, with conforming management and control functions in place to secure systems and mitigate external and insider threats. From an enterprise perspective, when deploying any private and/or public cloud-based computing system(s), the same data access policies and regulatory conformance requirements need to extend into the private and/or cloud-based operations. In publicly deployed cloud systems, privileged IT users may come from both the enterprise and the cloud service provider. To maintain conformance with regulatory requirements, privileged user access and entitlements for cloud services must be managed to conform to established enterprise data access policies. It is critical that the agreed-upon internally or externally established SLAs between the enterprise and the cloud provider meet or exceed the enterprise's general requirements.

Access Management/SSO

Access to on-premise systems, applications, and cloud-based applications requires an accurate and effective access management system to manage, control, and monitor the application access of employees, customers, partners, consultants, and others. These functions are necessary to consistently conform to established enterprise policies and government mandates.

SSO provides users with preestablished permission access to applications through a single log-in while preserving application security. This results in increased employee productivity, improved responsiveness to customers, reduced help desk workload, and elevated protection for sensitive applications or data addressing compliance and security best practices. SSO systems remove the need for users to understand where and how applications are deployed; they just receive access to systems for which they are authorized. SSO services are equally critical in on-premise as well as cloud-based application deployments.

Cloud-deployed systems must also consistently address access controls to remain in compliance with mandates and established enterprise policies. The access control system needs to apply its enforcement to applications residing both in the enterprise IT infrastructure and/or in the cloud. End users should have no knowledge of where they have been directed or how they got there. To avoid any enforcement inconsistencies, an optimally effective access management and SSO system should also be centrally managed and controlled, extend out to cloud-deployed systems, and consistently apply established enterprise on-premise access policies across the entire IT infrastructure.

Strong User Authentication/Federation

Federated authentication increases security by enabling organizations to identify and authenticate a user once and use that established authentication across multiple systems, including external partner and cloud-based systems. Federated authentication improves privacy compliance by allowing a user's home site to control what information is shared or by limiting the amount of information shared. It also improves the end-user experience by eliminating the need to redundantly log in via cross-domain single sign-on.

Publicly deployed cloud-based systems and applications that require access by users and groups of users from inside the enterprise as well as by external partners, customers, and others must authenticate prior to being granted access to the cloud resources. In cloud-deployed systems, just as in on-premise-deployed systems, strong user authentication is a critical component of IAM security. Federated authentication of users to cloud-deployed systems further increases overall security of the cloud-deployed system(s) while simplifying the access process for authenticated users.

Identity Management and Role Management

Combining identity management and role management provides IT with a powerful and flexible way to specify what resources and applications groups of users are allowed to access. As systems and applications are deployed into the cloud, controlled access to these systems must be treated in the same way that access to on-premise systems and applications is managed and controlled. Organizations that currently have role-based identity management systems in place will be optimally equipped to extend the management and control of role-based system and applications access to encompass cloud-based applications.
Data Loss Protection/Prevention

Data loss protection/prevention has been largely driven by a growing number of personal information data leaks and numerous information-intensive government and industry regulations requiring organizations to protect the integrity of customer and employee personal information. Businesses have also recognized the need to protect their corporate digital assets from deliberate and accidental disclosure as well. As enterprises launch cloud computing deployments of systems containing sensitive data and information, effective DLP that extends out to cloud-deployed systems to prevent deliberate and accidental leakages of customer, partner, business, and employee personal information is an absolute requirement.
Log Management

Log management systems provide IT with an efficient way of simplifying collection, normalization, archiving, and forensic analysis and searches through IT activity logs produced from multiple IT sources. It has been demonstrated that efficient log management significantly reduces the complexity and effort in proving compliance and becomes a crucial tool when performing any internal and/or external audits.


Cloud-deployed systems will most likely be required to produce their own system activity logs for compliance-proving purposes. To be optimally effective, they will need to be seamlessly integrated (ideally through standards) with existing enterprise IT logging methodology and procedures.

CA'S CLOUD SECURITY SOLUTION


CA delivers an end-to-end view of cloud services for the enterprise regardless of whether the services make use of private, public, or hybrid cloud architectures. CA provides software designed to address specific IT cloud management challenges with the integration needed to get optimal value from the cloud infrastructure as a whole. In addition, CA provides these same security solutions for cloud providers, both private and public, to control and manage security within their environments. Figure 1 provides a high-level graphical view of CA's IAM Cloud Security Solution, which is used by enterprises that consume cloud services as well as by cloud providers.

FIGURE 1
CA's IAM Cloud Security Solution

Source: CA, 2010

Control Identities
CA's products that control identities provide complete management of employees, customers, and partners from initial provisioning to deprovisioning. CA Role & Compliance Manager, CA Identity Manager, and CA Enterprise Log Manager products function together to provide the following critical business functions:

- CA Role & Compliance Manager certifies user roles and entitlements, establishes a specific role model that fits the organization, defines what roles exist in the organization and supports ongoing analysis and maintenance of roles as the organization evolves, performs real-time identity policy checks, detects security violations relating to specified segregation of duties, and provides dashboard views and compliance reporting.
- CA Identity Manager assigns users to organizational roles, applies role-based user controls, provisions users with approved accounts and privileges, facilitates change requests and approvals over time, and offers user self-service for password, registration, and entitlement management.
- CA Enterprise Log Manager captures and collects log data, aggregates and analyzes the logs, facilitates visualizing compliance and security postures, and provides proof of compliance for internal and external audits.

Control Access
CA's products that control access to physical, virtual, and Web-based systems through the centralized management and enforcement of security policies include the following:

- CA Access Control provides for the management of privileged users to protect servers both physical and virtual and applications across platforms and operating systems. It provides an approach to securing sensitive information and critical systems without impacting normal business and IT activities. CA Access Control helps mitigate both internal and external risks by controlling how regular or privileged users access enterprise data. The result is a higher level of security, a lower level of administrative costs, easier audit/compliance processes, and a better user experience.
- CA SiteMinder is a centralized Web access management system that enables user authentication, single sign-on, authentication management, policy-based authorization, identity federation, and auditing of access to Web applications and portals.
- CA Federation Manager provides standards-based identity federation capabilities, enabling users of one organization to easily and securely access the data and applications of other organizations and cloud services. This is done without the need for redundant user stores or user administration processes. CA Federation Manager provides the ability to act as an identity provider (home site of the user) or a service provider (owner of the target application), or both, thus securely connecting organizations that are part of the same ecosystem.
- CA SOA Security Manager is a service-oriented architecture/Web Services security software product that secures access to services by inspecting the security information contained in XML documents submitted by service consumers. CA SOA Security Manager offers a centralized, policy-based authorization service; flexible authentication services; XML threat prevention; synchronized session management; identity federation; and standards conformance with standards such as WS-Security. It can be deployed standalone or in conjunction with CA SiteMinder.

Control Information
Ensuring compliance with regulatory and corporate security mandates requires the management, control, and protection of sensitive data located and used across an enterprise. CA offers the following solution to control information:

- CA Data Loss Prevention (DLP) is an identity-centric DLP solution that decreases data loss and misuse while ensuring compliance with regulatory and corporate security mandates. CA DLP discovers and protects data at rest (stored data), controls data in motion (email, Web, etc.), controls data in use (saving, printing, etc.), and supervises and reviews data (review, tag, etc.). CA DLP can analyze and control sensitive data in many locations, including on endpoints, message servers, and the network and in databases and file repositories.

Company Profile
With global headquarters in Islandia, New York, CA provides IT management software worldwide. Founded in 1974, the company employs 13,000+ people and offers hundreds of software products in its portfolio. CA has been a leader in the identity and access management market since 2003. CA products are available on a wide range of platforms and operating systems from PCs to Unix to mainframes. The company also provides customer technical support and professional services, including consulting and education. CA has long been a market leader in IAM for the enterprise and continues to expand its security products and services in the area of cloud-based solutions to help enterprises as well as cloud providers achieve their changing business and IT goals and objectives. CA is uniquely positioned and equipped to address today's complex and continually evolving enterprise security environment and to provide end-to-end security products and services in the evolving security marketplace.

MAINTAINING MOMENTUM


Private and public cloud deployments are clearly in the early stages of adoption by enterprises and cloud service providers. IDC is forecasting the worldwide cloud services market to grow at a 26% CAGR from 2009 through 2013. It is expected that security products and services focused on the cloud will track these forecasts, creating significant market opportunities for CA. As a market leader in providing end-to-end enterprise IAM solutions, CA is well positioned to extend its security market reach into the cloud computing space. A main challenge for CA will be to present compelling arguments and real-world solutions that support the concept that IAM security solutions cost-effectively and naturally map into public, private, and hybrid cloud deployments. As discussed earlier, the lack of adoption and creation of cloud security standards is presenting a major barrier for IT and in general for vendors that want to play leadership roles in this market space. CA has recognized the challenge and has become an active force in promoting adoption and development of cloud security standards. To meet the standards and adoption challenges, CA has joined the Cloud Security Alliance as a corporate member, the Kantara Initiative, OIX, and OASIS and is a founding member of the TM Forum. To continue meeting these challenges, CA will need to continue its comprehensive programs in order to help accelerate cloud services adoption.

CONCLUSION
Cloud security currently remains an ill-defined subject. The OASIS Web security standards, including SAML, SPML, WS-Security, and WS-Trust, if and when adopted by cloud service providers and enterprises, will help the cloud services industry move in the right direction toward eased interoperability and enhanced security for cloud deployments.

Enterprise customers can also develop solid procedures for negotiating with service providers by focusing on a few major elements. First, customers should define the risk of a cloud-based implementation based on regulatory compliance, other external requirements, and internal policies. Second, service providers and their customers must understand that different cloud models have different security impacts, roles, and responsibilities. The key to success is carefully understanding and thoroughly defining these responsibilities within the contract and associated SLAs. Third, many security technologies (IAM, DLP, SIM) can help ensure contractual compliance and provide mutual assurance of adherence to contractual terms and conditions.

Looking at the three cloud security perspective definitions (up, down, inside) discussed earlier, we note that CA's IAM products currently map most directly to the "up" and "inside" cloud security perspectives. With its continuing leadership, knowledge, and experience in providing very large enterprises with these security solutions, CA, working with the emerging cloud services providers, is also well equipped and positioned to influence and strengthen its IAM security solutions by extending their product reach into the "down" cloud security perspectives as well.

In summary, given CA's enterprise security expertise and its deep understanding of enterprise processes and needs, we believe CA deserves strong consideration when building/partnering/contracting for public and/or private cloud deployments, no matter the perspective of your organization.

Copyright Notice
External Publication of IDC Information and Data

Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2010 IDC. Reproduction without written permission is completely forbidden.
