The meaning of Cloud Security is somewhat… foggy
There is much confusion about the definition of Cloud Security. It seems everyone in the industry has created his own interpretation. But most of the time it comes down to these possibilities:
- SaaS-solutions that contain security features
- Traditional security appliances in a virtual form factor
- Integrated security solutions within cloud environments (IaaS or PaaS to host your own applications, like AWS or Azure)
In reality, few companies wish to move or have moved 100% to the cloud: today a hybrid solution – where some parts are on premise and others in the cloud – is most common.
Why would any company move to the cloud?
- Reduced cost of ownership: physical infrastructure doesn’t need to be hosted and managed by yourself
- High availability and disaster recovery: most cloud providers can offer more availability than you can yourself
- Scalability: future-proof as your organization and the amount of data and applications grow. Need extra capacity? It can be arranged at short notice.
- Flexibility: physical location is of no importance anymore; accessibility from multiple sites is. The new generation of mobile workers requires flexibility.
- Easy access: cloud-applications are very user-friendly; you create an account and you can get started.
- Manageability: company applications in the cloud (such as Office 365, AFAS, Salesforce,…) are easy to access and to manage.
There are barely any reasons for not moving to the cloud. Most security principles are exactly the same, whether you want to improve your security on premise or in the cloud.
The SecureLink consultants can help with the design of a secure architecture, whether it is about securing a SaaS-application or securing specific workloads that are put in the cloud. Just keep in mind there’s no ‘one-size-fits-all’ solution!
Securing SaaS applications
Identity & Access Management (IAM)
One of the most important parts of a good security design for SaaS applications is the authentication of users.
In the press, we often read about web applications that have been hacked. If you look deeper into this, then you will notice that in many cases the user credentials have been stolen or compromised.
So, on the one hand you obviously want strong authentication. On the other hand you don’t want to overlook the user experience: it doesn’t make sense to authenticate for every single SaaS application over and over again. The answer is an IAM solution, providing a universal directory available for all applications in the cloud. The result is multi-factor authentication without the need to authenticate separately for each application.
A proper IAM solution goes beyond password access and user management to a full identity management system that provides end-to-end user security:
- Employee access to applications: provide single sign-on to apps and support BYOD; give IT an easy way to manage accounts and to secure access with automated provisioning of apps, device management and a flexible policy
- Secure mobile workforce: provision application accounts, enable SSO, and manage devices and native apps in a single, integrated solution with enterprise mobility
- Multi-factor authentication: enable flexible verification options, including SMS, security question, or soft token
- HR-driven IT provisioning: faster, mistake-free on-boarding with automated provisioning and de-provisioning of users in cloud apps driven by the HR system (via Active Directory)
- Applications across multiple domains: newly acquired companies or subsidiaries come with their own domains; deliver SSO and security to all users
- External access to portals – collaborate with partners more efficiently with ability to scale a business and offer a truly extended enterprise
The platform enables organizations to manage all user logins from a single place as well as mobile devices with access to company data.
Monitoring and controlling cloud usage
Cloud Access Security Brokers (CASB) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to control and enforce enterprise security policies as the cloud-based resources are accessed.
Such security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention etc.
In short, CASB solutions monitor and control what users are doing in cloud applications through integration with a firewall or forward proxy solutions. Depending on the application, we can provide additional controls such as encryption.
Securing IaaS / PaaS
Most security vendors have solutions that can be implemented in Amazon Web Services (AWS) or Microsoft Azure. There is little difference between securing a cloud environment and securing a traditional environment.
Most organizations will opt for a combined cloud solution: they will be using SaaS applications and have a number of applications in the cloud.
Most CASB solutions also monitor access to IaaS/PaaS in order to detect hacking attempts to the platform itself.
At SecureLink, we provide:
- Secure and redundant connectivity between cloud and on-premise
- Security for SaaS applications via Identity and Access Management solutions often in combination with CASB (Cloud Access Security Broker) solutions
- Cloud versions of the more traditional security components in order to achieve almost the same security solutions within a virtual environment as on-premise
- Encryption solutions to encrypt data within cloud environments
- Security monitoring of the environment from our CDC; our managed security services can be delivered over the complete infrastructure
- The Security Maturity Assessment, in order to define the priorities of what you actually need
SecureLink is a member of the Cloud Security Alliance and is an Amazon consulting partner.