To some extent, the state of cloud security depends on perspective. Doomsayers (the glass-half-empty folks) see it as a dangerous “Wild West,” while cloud boosters believe those concerns are greatly exaggerated.
Jeff Schmidt, Expert on Information Security and Principal of JAS Global Advisors, says from a security perspective that the cloud is not inherently more or less secure than a machine on your desk or run by your IT department. The problems are just different. “Where cloud typically argues to be more secure is your economy of scale where you have a professional administrative staff, theoretically with a high level of hygiene and a good maturity model with respect to their administrative practices,” he says. That means the cloud provider ought to be on top of all the basic security practices, such as updating patches and following policies, “which in many cases you don’t get if you do it yourself, unless you are a large, sophisticated firm,” he says. However, the tradeoff is that you lose control “and that includes technical and even sometimes business and legal control,” he says. And that’s where some of the cloud perils become evident.
In point of fact, notes Adrian Lane at Securosis, while there is general congruence between cloud services and “traditional” SOA in terms of things like how ID management services are handled, there are differences. For instance, notes Lane, in general, every cloud provider has architected its own approach. The
He says most customers end up using a hybrid approach, for example, where their traditional infrastructure communicates directly with the cloud. The goal is making sure an ID remains consistent across both. “The use of SAML seems to be getting the most traction; it allows organizations to create certification and make assertions across different Web services and use some of the same ID services,” he says. To do that requires managed ID and access controls. “It is mostly a matter of using technologies we have had for a long time, but which ones people will unilaterally adopt and which will get baked in is unclear,” he says.
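The federation Lane describes, where an on-premises identity provider makes assertions that a cloud-hosted service accepts so the same ID holds on both sides, rests on the relying party checking each assertion before trusting it. The following is an added example, not code from the article or from any vendor it mentions: it performs the checks a SAML 2.0 service provider must make (integrity, trusted issuer, audience, validity window, replay of the assertion ID) and then maps the federated subject onto a local account. The issuer, entity ID, directory entries and the sample assertion are constructed; the integrity check uses an HMAC over the raw bytes as a stand-in for the XML-DSig verification a real deployment delegates to an XML-security library.

```python
# Added example: relying-party validation of a SAML-style assertion in a hybrid
# (on-premises IdP, cloud-hosted service) setup. All names and values are constructed.
# The HMAC below stands in for XML-DSig signature verification so the example runs offline.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Service-provider configuration (constructed).
TRUSTED_ISSUER = "https://idp.corp.example/saml"
OUR_ENTITY_ID = "https://app.cloud.example/sp"
SHARED_SECRET = b"constructed-demo-secret"   # stands in for the IdP's signing key

# Local directory: maps the federated NameID to the on-premises account (constructed).
LOCAL_DIRECTORY = {"alice@corp.example": "CORP\\alice"}

# Constructed assertion, trimmed to the elements the checks below need.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.cloud.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def sign(assertion_bytes: bytes, key: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP's XML-DSig signature: HMAC-SHA256 over the raw bytes."""
    return hmac.new(key, assertion_bytes, hashlib.sha256).hexdigest()


def _parse_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (e.g. 2024-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_bytes: bytes, signature: str, now_iso: str, seen_ids: set) -> str:
    """Return the local account for a valid assertion; raise ValueError otherwise.

    Order matters: integrity first, so nothing below is read from unverified data.
    """
    if not hmac.compare_digest(sign(assertion_bytes), signature):
        raise ValueError("signature check failed")
    root = ET.fromstring(assertion_bytes)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise ValueError(f"untrusted issuer {issuer!r}")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    cond = root.find("saml:Conditions", NS)
    now = _parse_time(now_iso)
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:          # one-time use: reject a replayed assertion
        raise ValueError("assertion replayed")
    seen_ids.add(assertion_id)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in LOCAL_DIRECTORY:    # federated subject must map to a known local ID
        raise ValueError(f"no local account for {name_id!r}")
    return LOCAL_DIRECTORY[name_id]


def try_validate(assertion_bytes: bytes, signature: str, now_iso: str, seen_ids: set) -> str:
    """Convenience wrapper: the account on success, or 'rejected: <reason>'."""
    try:
        return validate_assertion(assertion_bytes, signature, now_iso, seen_ids)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    seen = set()
    sig = sign(SAMPLE_ASSERTION)
    print(try_validate(SAMPLE_ASSERTION, sig, "2024-05-01T12:01:00Z", seen))
    print(try_validate(SAMPLE_ASSERTION, sig, "2024-05-01T12:01:00Z", seen))  # replay
```

The `seen_ids` set is the replay cache; in a deployment it would live in shared storage with entries expiring at the assertion's `NotOnOrAfter`. The audience check is what stops an assertion minted for one cloud service from being presented to another, which is the failure mode to test for when the same IdP federates with several providers.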
There are exceptions. For example, he notes, with Azure, Microsoft’s approach to cloud, everything “is more encapsulated by various Microsoft technologies, at least compared to services like Rackspace and Amazon AWS where you are mostly building your own as a service environment,” he says.
Lane again stresses that APIs used for ID management with cloud security services aren’t that different from those used for SOA. In particular, he cites the existence of OpenStack, an open source project sponsored by Rackspace and other cloud organizations with the goal of having an open source cloud platform. “Within that there are some access controls and authorization software that are being built in,” he says. “All cloud providers will have a mechanism like that, already built in, but usually they fall short of what the applications will want or need, especially for federated identity,” he adds. And that means you may still need to “add something” in order to support your infrastructure in the cloud.
“How people choose to implement varies, but you will typically bake in something like SAML or OpenID,” he says. That means software architects may need to design differently for cloud security services. “When we teach classes about that we start by teaching about architecture and then what the individual vendors provide, but you still need to make decisions about what you actually want to put into place,” he explains.
The choices you make will also be driven by what kind of cloud you are implementing. For example, he notes, some organizations are content to adopt a private cloud approach. “That means they can put what they already have into the cloud and then get the benefit of more elastic resources and a pay-as-you-go approach without having to do an initial cloud build out,” he says. That usually means using the same software without a fundamental change to the architecture.
On the other hand, things can be more complicated if you migrate to a public cloud such as Amazon. “That can be set up almost any way, with many kinds of connectivity ranging from open to the public or closed with access to only your own data center,” he says.
Fundamentally, though, the SOA “start” has been good. “SAML and OpenID have been around for a long time,” he says. The industry has a collection of tools available to solve a lot of basic authorization problems. “Which form we choose to use going forward, that is wide open, but it can still get complicated,” he adds.