Moving To The Cloud: Navigating The Security Challenges While Avoiding The Pitfalls

By Matt Ramsay.

Are you thinking about moving to Google Apps or Office 365? Or are you already using the likes of Dropbox, Box, Webex, Salesforce or one of the many Cloud services now on offer? Or do you want to know why you should even care?

Cloud providers can offer more flexible services at a cheaper price than most enterprises can achieve because they amortise their equipment and maintenance costs over a large number of customers.

Users or business units can have their required capabilities ‘now’ rather than wait months for IT to design the answer to their wishes.

You also receive fault-tolerance, disaster recovery and uniform access from many device types – all productivity contributors that help your staff get their jobs done, whenever and wherever they are.

Cloud services can also improve productivity in the IT Department by freeing up IT staff to focus on solving company-specific problems rather than looking after consumerised infrastructure such as mail servers, file repositories, CRM systems and the like.

Few companies gain significant competitive advantage by having a “really well set up mail server” – they are a dime a dozen, yet expensive to maintain internally.

So why burden your IT staff with mundane tasks when they could be designing business-specific process improvements and extracting business intelligence that will help your bottom line?

Current Problems With On-Premise Enterprise Security

Yet a principal argument against moving to the Cloud is that it is less secure than current on-premise infrastructure models. To answer this we should first take a fresh look at the core problems bedevilling on-premise enterprise security.

Do we only need to guard against the bad guys trying to hack our infrastructure? Or do we need to defend ourselves from the bad habits of the good guys who manage that infrastructure?

The answer is: Both.

The bad guys are a given: Their hack attempts are driven by every motivation from greed to ego. Moving to the Cloud does not change this. It may arguably improve your security as now your Cloud provider employs and updates the necessary security and network infrastructure. As they do this for many other clients, they deploy state-of-the-art firewall and other security equipment.

As part of their core service offering, you would rightfully expect their network administrators to be better than your own.

But the bad habits of the good guys – your beloved systems administrators – are another matter.

One example arises from the difficulty that many Windows administrators face in allocating and maintaining finely grained user privileges with standard tools such as Group Policies. As a result, admins get into the bad habit of only deploying coarse-grained privileges in practice.

This creates the situation where sites are either overly permissive, and thus insecure, or so restrictive that users are annoyed by the need to petition IT to make even a tiny change. And while a permissive setup means that your users are by and large happy, any ‘unhappy’ user now likely has Domain Admin rights – thus creating another problem.

The same problem exists in Unix-like environments. Unix administrators employ the same bad habit of coarse-grained privilege allocation.

In addition, Unix sites frequently resort to the insecure practice of shared accounts to deal with the lack of sophistication of enterprise-grade Unix privilege management.

The Problem Of Managing Privileges

Now map this all to the Cloud. What has changed?

Bad guys need to find only one flaw. A permissive setup gives them a huge opportunity for phishing. These problems are compounded when an over-privileged user leaves your organisation and the over-worked IT department has no idea what to turn off – they may not even know that a risk exists.

On the other hand, the restrictive access scenario is onerous and expensive for administrators – who are forced to deal with many petty requests – and annoying for the user.

There is also a real chance that it will encourage users to find alternate ways of getting things done – such as a SaaS portal to sidestep IT altogether.

The compromise between restrictive and permissive access is called ‘Least Privilege’ – created by easy-to-use tools that can quickly configure and maintain fine-grained security policies.

Rather than rely on guru-like admins or super-awareness, we need tools that can grant and manage fine-grained rights that are as simple to use as making computers and users members of appropriate groups.

Thus a move to the Cloud could be the catalyst you need to address the Least Privilege problem once and for all while giving you an opportunity to leverage your existing identity infrastructure for your Cloud. In this sense, your identity infrastructure should be your ‘on-premise secret sauce’.

Everything else can go to the Cloud.

Enterprise Pitfalls Of Moving To The Cloud

While moving to the Cloud offers clear productivity benefits, there are also pitfalls to avoid in order to fully reap the benefits. As we demand access to information, no matter what device, location or time, our on-demand mentality, epitomised by Cloud services, exposes the enterprise to new challenges that are more often overlooked than understood.

The additional convenience of anytime anywhere access could create risk associated with Australian privacy legislation or risk via government-mandated access such as the USA Patriot Act. Other risks are associated with questions of data ownership and short- and long-term service disruption.

While these legal dimensions are important, the bottom line is that the Cloud is here to stay. Not embracing these on-demand services could prove fatal from a motivation and productivity standpoint, so the legal risks need to be understood and mitigated.

Of greater concern is the technology risk that arises from password and identity store proliferation, which can present a real productivity problem for the enterprise.

Password Proliferation And Productivity

In the age of the Cloud, the big question is: How do you meet the significant challenge of managing and maintaining logins for all of your users on all of their services? Using a range of Cloud services – including email, online apps, CRM and accounting services – requires users to remember many passwords. While password protection is essential, their proliferation is bad for both productivity and for security.

The productivity problem posed by password proliferation is that people may avoid using an app due to complex login logistics – or even worse, they may ‘build’ a simpler, less secure alternative to do the job. In addition, complex passwords generate many ‘forgotten password’ calls to the Help Desk, wasting time all round.

Security flaws abound when many users write down their passwords or choose the same bad password for everything. There is also the problem of entering passwords on mobile devices, which is both tricky and annoying – and a security hazard if your member of staff enters their password in a public place.

The answer to both these productivity and security questions is having Single Sign On (SSO) authentication, which means your staff no longer need to remember usernames and passwords.

SSO is not just a big productivity win for the people who use your IT infrastructure. It also boosts the productivity of your IT Administrators.

For instance, de-provisioning Cloud apps is greatly simplified with an SSO solution that ties all logons back to a single identity store such as Active Directory. With a good SSO solution, de-provisioning becomes a straightforward ‘disable user’ operation for staff on the Help Desk: Trivial, quick and almost impossible to screw up.

This avoids IT staff needing to track down all accounts for manual disabling, a tedious, time-consuming and error-prone task that requires a highly privileged – that is, expensive – operator.

After initial SSO roles are set up, day-to-day maintenance is trivial, requiring virtually no extra training. This eliminates the need to train or retain application specialists to: ‘add, move, change, delete’, etc.

The Bottom Line

It is time to recognise that data breaches are a matter of when, not if. This has nothing to do with Cloud or on-premise. Boundaries do not matter anymore. The border is already eroded.

If for no other reason, moving to the Cloud is good for your business because it ensures that your security processes are up to scratch.

Enterprises can embrace the productivity benefits of moving to the Cloud by using it as an opportunity to free up internal resources, solve problems of lax privilege practices and address the legal challenges arising from this new age of Cloud services.


Matt Ramsay is Regional Director APAC for Centrify Corporation, which delivers integrated software solutions that centrally control, secure and audit access to cross-platform systems and applications by leveraging an infrastructure you already own — Active Directory.