Conspiracy theorists and other concerned citizens will insist the government is watching every keystroke, keeping a record of every website, transaction, text and email. Shades of 1984’s Big Brother, right? These last few weeks, the news has been brimming with revelations of data surveillance and monitoring by the government (not to mention data harvesting corporations like Google, Yahoo, Facebook etc…). Everyone, including the security buffs at CloudAccess, is sensitive as to what is being looked at, stored, and analyzed for hazily defined purposes. Privacy is no longer as private as you think; and hasn’t been for many years.
Politics, ethics and debates over 4th amendment interpretation aside (as they serve no useful purpose in this analysis), a question was asked on one the security forums that in light of these alleged breaches of trust, whether cloud security-and more specifically, identity-as-a-service (IDaaS) is still a feasible and trustworthy option?
Short answer: of course it is. In fact, I will contend it is more important than ever.
Privacy and identity protection, in this case, are like apples and oranges. The concept that confidential corporate information or trade secrets could be at risk may be valid, but not because cloud-based security functions are either in collusion with data collectors or of less veracity than an on-premise deployment. Security, especially surrounding identity, is about context through correlation. IDaaS provides this in a more egalitarian way than the on-premise variety. If privacy advocates are yelling that the sky is falling, identities serviced from the cloud have little to do with the current state of distrust. Why? Because it’s about process and not where a server with identity data happens to reside. If you are interested in experiencing IDasS, try a Free 30 Day trial of CloudAccess‘ platform here.
Identity as a service is component of a larger layered security strategy. Its primary responsibility is administrative in terms of creating user credentials and assigning them to certain buckets of permission. This provisioning is based on the role of user serves within an organization. Departments or divisions see one sliver, partners see another, customers another—each only is permitted to access just what they need. IDaaS also manages password and their synchronization across the enterprise as well as coordinates the federated connections between certain applications. It is Access Management (SaaS and web single sign on, multi-factor authorization) that enforces the rules set forth in identity management.
In terms of infrastructure, all the collection and correlation happens in the cloud. But so does so much of any company’s business process and activities. Insulating all the functions within a network firewall is no longer a feasible. Not only is it expensive, complex and requires a certain degree of expertise resources, but in the grander scheme, based on the habits and needs of a variable and interactive workforce, this bunker approach is unsustainable and counter-productive towards a modern commercial model. This is true even for larger organizations with considerable capital resources. But think of it like a person with a cache of gold. There are two options…he can hide it under his bed, hire armed guards at his door, and deploy an army of laser-wielding dachshunds…or he can make a deposit at the bank. Yes, the money is out of his sight, but he still retains control and gets the added value of the bank’s steel vault.
But you say, how can you personally assure the security of data (and by extension, privacy) if its custody lie in the cloud? First, don’t mistake cloud security for security in the cloud. Major difference…one is a solution set whose sole purpose is to make certain enterprise class security is actively protecting assets based on a client’s business needs (this is the slot IDaaS falls into). The other is an application that happens to use the cloud to collect and apply data. And it is the former that takes great strides to ensure the latter does not leak data and denies access to those who are not supposed to see such things.
As I mentioned, it starts and ends with context and correlation. For example, a partner company wants to place an order for 1000 of your eWidgets. They of course could call your rep and give their order over the phone (hello 1991!). The rep can walk the order over to S/R and then Accounting to put the invoice in the mail. Or they could log onto your website with a unique user name and password to an order form off the ERP. This of course integrates with automated shipping and payment options…etc. But let’s stick to Identity. First, using IDaaS the partner password opens the door to only a sliver of the information/functionality they need. This is based off authorizations which are created when their account is created (or modified by a trusted administrator). Their role is provisioned based on your decision of their need. But how do you know the intent of that partner…they are outside your network control. Are their firewalls secure? Do they take security as seriously as you? For this example, let’s say not. Someone has stolen their username. If they don’t have the password; simple, no access. If after 3 failed log ins, your escalated security locks them out and sends an alert to IT. But this is a fired employee or a good hacker…they have a password. However based on several multi-authentications or other tell-tale intrusion signs you can tell its not a valid login–wrong IP address; orders coming in the middle of the night; user is located in Beijing. Each element on its own might not be alarming, but correlated together, provides context (situational awareness based on adaptive risk). The point is, privacy of data is not relevant based on whether your “walls” are made of cloud or otherwise—they work based on your process and how well it is unified and layered. IDaaS is simply a tool within a layer of other tools. If they don’t share information, risk escalates.
Risk is endemic in every industry. And no system is foolproof; cloud or otherwise. To those who still believe cloud security and security from the cloud are still mired in the Wild West—proceed at your own risk—are misinformed. If you want to build that bunker, I hope you have the cash and resources to do so, and I wish you well…especially if it helps you sleep better at night. However, the use of IDaaS or any other cloud security tool to manage the credentialing and authorization is not only feasible in terms of easy manageability and affordability, but creates the necessary hurdle to prevent identity leakage. And it is more important than ever because it is a solution set available to wider group of organizations that either could not afford an enterprise solution or have the manpower to deploy and consistently sustain an initiative. Identity Management, in and of itself, is not the answer to thwart issues about privacy, but it is a needed and important piece of the puzzle to lessen the vulnerability gap…especially if Big Brother (or certain countries with questionable agendas) are watching.