Sponsored by: CA
Authors: Christian A. Christiansen, Sally Hudson, Charles J. Kolodgy, Gerry Pintal
May 2010
IDC OPINION
Cloud computing is in the process of changing the enterprise IT landscape. Formal and informal surveys of IT management professionals provide strong evidence that cloud computing not only is here to stay but also, within the next several years, will permanently change the way enterprises deploy IT infrastructures. Successful early-adopter results are being discussed and promoted with promises of significant operational cost reductions, ease of deployment, scalability, flexibility, and elasticity. If a fraction of these claims and predictions become reality for enterprises, the overall market potential for cloud services will indeed be a proverbial gold mine. Recent IDC research involving IT executives and professionals shows huge potential for both enterprise IT and cloud service providers. In IDC's 2009 Enterprise Panel survey, 263 IT executives and their line-of-business (LOB) colleagues were asked if they were going to pursue the cloud model for a variety of IT applications, workloads, and services, and almost 50% of the responses ranged from "neutral" to "very likely." Although there is no guarantee that the excitement and enthusiasm will eventually play out, early user response strongly suggests that the door is open for future cloud services adoption. However, IDC's Enterprise Panel IT Cloud Services survey also noted that 87.5% of panel members indicated that cloud security is their number 1 challenge. It is clear from this striking response that before cloud computing is able to "cross the chasm," a significant amount of confidence building and successful use case results is needed to allay the security concerns of IT. A related IT concern is the current lack of adoption of security standards for public, private, and hybrid cloud-deployed systems. This results in protracted contract negotiations that may take months, which is costly for both cloud consumers and cloud service providers. 
To create some common ground between customers and cloud service providers, the Cloud Security Alliance (CSA) is very active in promoting cloud security best practices. The CSA has recently released a second edition of its Security Guidance for Critical Areas of Focus in Cloud Computing. The CSA is also collaborating with the IEEE to formally establish cloud security standards. As cloud security standards become formalized and are adopted by cloud services vendors and security market vendors, IDC forecasts significant corresponding growth in the cloud security market segment. Some formal security standards do exist today, but the current issue revolves around the slow rate of standards adoption. As in the past, de facto standards will arise from vendor and customer interactions.
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
METHODOLOGY
IDC wrote this paper in May 2010. Its premises and opinions are based on leveraging a combination of research sources, including:
- IDC primary research on cloud computing and security
- Historical and current research through IDC customer and vendor surveys
- Monitoring information on the subject of cloud security reported in blogs, the press, and other online information sources
In addition, IDC was briefed by CA to better understand CA's cloud computing experiences, security products, and customer implementation strategies.
SITUATION OVERVIEW
Following the successful launch of cloud-based software-as-a-service (SaaS) applications, the IT community and services vendors have kept a watchful eye out for clear evidence of the sustainability of the approach. Over the course of the past several years, in-the-cloud application computing offerings have clearly demonstrated a solid track record of early-adopter successes.
#223280
2010 IDC
With over 80% of the survey participants expressing concerns in these five areas, cloud computing service providers have their work cut out to successfully address and mitigate these IT cloud computing concerns.
- PCI/DSS (Payment Card Industry Data Security Standard)
- EU Data Privacy Legislation
- SOX (Sarbanes-Oxley Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- USA PATRIOT Act
conducted and accounted for in each established SLA and for each type of cloud deployment. Failure to do so may result in critical gaps in application security. For enterprises to avoid exposure risks from potential security gaps, close collaboration and interoperability issues must be considered and incorporated in any formal agreement between the enterprise and the cloud provider.
Public IaaS. In the public IaaS deployment model, enterprise IT controls, manages, and is responsible for security of the data and applications. The service provider controls, manages, and is responsible for securing the servers, storage, and the network. Responsibility for controlling, managing, and securing VMs is shared by the enterprise and service provider.

Public PaaS. In this model, enterprise IT is responsible for controlling, managing, and securing the data. Responsibility for controlling, managing, and protecting the applications and related services is shared between enterprise IT and the service provider. The service provider is responsible for controlling, managing, and securing the servers, storage, and network.

Public SaaS. In the public SaaS model, enterprise IT and the service provider share responsibility for controlling, managing, and securing the data. The service provider is responsible for the control, management, and securing of the applications and related services, servers, storage, and network.

As can be seen from the above discussion, security management control in the various deployment scenarios can range from singular and clear to shared and interdependent, especially in the shared control and management situations. When security and control processes are mapped into these scenarios, establishing uniform, consistent, and effective security approaches across the various on-premise and cloud-deployed options can become complex. Managing this process requires careful analysis and coordination with selected cloud service partners and enterprise teams that consist of enterprise IT, LOB stakeholders, and most importantly, security professionals. It is important to note that past experiences have shown that omitting the involvement of security professionals early on in the cloud planning and deployment phases could very well result in an elevated level of business and security risk for the enterprise.
Although some or all of the security protection may be performed by the service provider, the ultimate responsibility for the enterprise's security remains with the enterprise. This is the crux of the interdependency that must be addressed with SLAs, reporting and monitoring, interoperability through standards, and other forms of collaboration.
Our discussions in this paper will primarily focus on the "up" frame of reference where security, identity, and authentication practices extend outward from the enterprise to the cloud service provider. But it is also important to consider security systems and processes from the cloud service provider's point of view.
To comply with regulatory mandates, all sufficiently sensitive IT operations must implement user and root user control policies, with conforming management and control functions in place to secure systems and mitigate external and insider threats. From an enterprise perspective, when deploying any private and/or public cloud-based computing system(s), the same data access policies and regulatory conformance requirements need to extend into the private and/or cloud-based operations. In publicly deployed cloud systems, privileged IT users may come from both the enterprise and the cloud service provider. To maintain conformance with regulatory requirements, privileged user access and entitlements for cloud services must be managed to conform to established enterprise data access policies. It is critical that the agreed-upon internally or externally established SLAs between the enterprise and the cloud provider meet or exceed the enterprise's general requirements.
Access Management/SSO
Access to on-premise systems, applications, and cloud-based applications requires an accurate and effective access management system to manage, control, and monitor the application access of employees, customers, partners, consultants, and others. These functions are necessary to consistently conform to established enterprise policies and government mandates. SSO provides users with pre-established permission access to applications through a single log-in while preserving application security. This results in increased employee productivity, improved responsiveness to customers, reduced help desk workload, and elevated protection for sensitive applications or data, addressing compliance and security best practices. SSO systems remove the need for users to understand where and how applications are deployed; they just receive access to systems for which they are authorized. SSO services are equally critical in on-premise as well as cloud-based application deployments. Cloud-deployed systems must also consistently address access controls to remain in compliance with mandates and established enterprise policies. The access control system needs to apply its enforcement to applications residing both in the enterprise IT infrastructure and/or in the cloud. End users should have no knowledge of where they have been directed or how they got there. To avoid any enforcement inconsistencies, an optimally effective access management and SSO system should also be centrally managed and controlled, extend out to cloud-deployed systems, and consistently apply established enterprise on-premise access policies across the entire IT infrastructure.
Federated authentication increases security by enabling organizations to identify and authenticate a user once and use that established authentication across multiple systems, including external partner and cloud-based systems. Federated authentication improves privacy compliance by allowing a user's home site to control what information is shared or by limiting the amount of information shared. It also improves the end-user experience by eliminating the need to redundantly log in, via cross-domain single sign-on. Publicly deployed cloud-based systems and applications that require access by users and groups of users from inside the enterprise as well as by external partners, customers, and others must authenticate those users prior to granting access to the cloud resources. In cloud-deployed systems, just as in on-premise-deployed systems, strong user authentication is a critical component of IAM security. Federated authentication of users to cloud-deployed systems further increases overall security of the cloud-deployed system(s) while simplifying the access process for authenticated users.
Identity Management and Role Management
Combining identity management and role management provides IT with a powerful and flexible way to specify what resources and applications groups of users are allowed to access. As systems and applications are deployed into the cloud, controlled access to these systems must be treated in the same way that access to on-premise systems and applications is managed and controlled. Organizations that currently have role-based identity management systems in place will be optimally equipped to extend the management and control of role-based system and applications access to encompass cloud-based applications.
Data Loss Protection/Prevention
Data loss protection/prevention has been largely driven by a growing number of personal information data leaks and numerous information-intensive government and industry regulations requiring organizations to protect the integrity of customer and employee personal information. Businesses have also recognized the need to protect their corporate digital assets from deliberate and accidental disclosure. As enterprises launch cloud computing deployments of systems containing sensitive data and information, effective DLP that extends out to cloud-deployed systems to prevent deliberate and accidental leakage of customer, partner, business, and employee personal information is an absolute requirement.
Log Management
Log management systems provide IT with an efficient way of simplifying collection, normalization, archiving, and forensic analysis and searches through IT activity logs produced from multiple IT sources. It has been demonstrated that efficient log management significantly reduces the complexity and effort in proving compliance and becomes a crucial tool when performing any internal and/or external audits.
Cloud-deployed systems will most likely be required to produce their own system activity logs for compliance-proving purposes. To be optimally effective, they will need to be seamlessly integrated (ideally through standards) with existing enterprise IT logging methodology and procedures.
FIGURE 1
CA's IAM Cloud Security Solution
Control Identities
CA's products that control identities provide complete management of employees, customers, and partners from initial provisioning to deprovisioning. CA Role & Compliance Manager, CA Identity Manager, and CA Enterprise Log Manager products function together to provide the following critical business functions:
CA Role & Compliance Manager certifies user roles and entitlements, establishes a specific role model that fits the organization, defines what roles exist in the organization and supports ongoing analysis and maintenance of roles as the organization evolves, performs real-time identity policy checks, detects security violations relating to specified segregation of duties, and provides dashboard views and compliance reporting.

CA Identity Manager assigns users to organizational roles, applies role-based user controls, provisions users with approved accounts and privileges, facilitates change requests and approvals over time, and offers user self-service for password, registration, and entitlement management.

CA Enterprise Log Manager captures and collects log data, aggregates and analyzes the logs, facilitates visualizing compliance and security postures, and provides proof of compliance for internal and external audits.
Control Access
CA's products that control access to physical, virtual, and Web-based systems through the centralized management and enforcement of security policies include the following:

CA Access Control provides for the management of privileged users to protect servers, both physical and virtual, and applications across platforms and operating systems. It provides an approach to securing sensitive information and critical systems without impacting normal business and IT activities. CA Access Control helps mitigate both internal and external risks by controlling how regular or privileged users access enterprise data. The result is a higher level of security, a lower level of administrative costs, easier audit/compliance processes, and a better user experience.

CA SiteMinder is a centralized Web access management system that enables user authentication, single sign-on, authentication management, policy-based authorization, identity federation, and auditing of access to Web applications and portals.

CA Federation Manager provides standards-based identity federation capabilities, enabling users of one organization to easily and securely access the data and applications of other organizations and cloud services. This is done without the need for redundant user stores or user administration processes. CA Federation Manager provides the ability to act as an identity provider (home site of the user) or a service provider (owner of the target application), or both, thus securely connecting organizations that are part of the same ecosystem.

CA SOA Security Manager is a service-oriented architecture/Web Services security software product that secures access to services by inspecting the security information contained in XML documents submitted by service consumers.
CA SOA Security Manager offers a centralized, policy-based authorization service; flexible authentication services; XML threat prevention; synchronized session management; identity federation; and standards conformance with standards such as WS-Security. It can be deployed standalone or in conjunction with CA SiteMinder.
Control Information
Ensuring compliance with regulatory and corporate security mandates requires the management, control, and protection of sensitive data located and used across an enterprise. CA offers the following solution to control information:

CA Data Loss Prevention (DLP) is an identity-centric DLP solution that decreases data loss and misuse while ensuring compliance with regulatory and corporate security mandates. CA DLP discovers and protects data at rest (stored data), controls data in motion (email, Web, etc.), controls data in use (saving, printing, etc.), and supervises and reviews data (review, tag, etc.). CA DLP can analyze and control sensitive data in many locations, including on endpoints, message servers, and the network and in databases and file repositories.
Company Profile
With global headquarters in Islandia, New York, CA provides IT management software worldwide. Founded in 1974, the company employs 13,000+ people and offers hundreds of software products in its portfolio. CA has been a leader in the identity and access management market since 2003. CA products are available on a wide range of platforms and operating systems from PCs to Unix to mainframes. The company also provides customer technical support and professional services, including consulting and education. CA has long been a market leader in IAM for the enterprise and continues to expand its security products and services in the area of cloud-based solutions to help enterprises as well as cloud providers achieve their changing business and IT goals and objectives. CA is uniquely positioned and equipped to address today's complex and continually evolving enterprise security environment and to provide end-to-end security products and services in the evolving security marketplace.
standards. To meet the standards and adoption challenges, CA has joined the Cloud Security Alliance as a corporate member, the Kantara Initiative, OIX, and OASIS and is a founding member of the TM Forum. To continue meeting these challenges, CA will need to continue its comprehensive programs in order to help accelerate cloud services adoption.
CONCLUSION
Cloud security currently remains an ill-defined subject. The OASIS Web security standards, including SAML, SPML, WS-Security, and WS-Trust, if and when adopted by cloud service providers and enterprises, will help the cloud services industry move in the right direction toward eased interoperability and enhanced security for cloud deployments.

Enterprise customers can also develop solid procedures for negotiating with service providers by focusing on a few major elements. First, customers should define the risk of a cloud-based implementation based on regulatory compliance, other external requirements, and internal policies. Second, service providers and their customers must understand that different cloud models have different security impacts, roles, and responsibilities. The key to success is carefully understanding and thoroughly defining these responsibilities within the contract and associated SLAs. Third, many security technologies (IAM, DLP, SIM) can help ensure contractual compliance and provide mutual assurance of adherence to contractual terms and conditions.

Looking at the three cloud security perspective definitions (up, down, inside) discussed earlier, we note that CA's IAM products currently map most directly to the "up" and "inside" cloud security perspectives. With its continuing leadership, knowledge, and experience in providing very large enterprises with these security solutions, CA, working with the emerging cloud services providers, is also well equipped and positioned to influence and strengthen its IAM security solutions by extending their product reach into the "down" cloud security perspective as well.

In summary, given CA's enterprise security expertise and its deep understanding of enterprise processes and needs, we believe CA deserves strong consideration when building/partnering/contracting for public and/or private cloud deployments, no matter the perspective of your organization.
Copyright Notice
External Publication of IDC Information and Data
Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2010 IDC. Reproduction without written permission is completely forbidden.