The Challenges of Cloud Security
Some IT execs dismiss public cloud services as being too insecure to trust with critical or sensitive application workloads and data. But not Doug Menefee, CIO of Schumacher Group, an emergency management firm in Lafayette, La.
Sun, July 11, 2010
Network World — Some IT execs dismiss public cloud services as being too insecure to trust with critical or sensitive application workloads and data. But not Doug Menefee, CIO of Schumacher Group, an emergency management firm in Lafayette, La.
"Of course there's risk associated with using cloud services – there's risk associated with everything you do, whether you're walking down the street or deploying an e-mail solution out there. You have to weigh business benefits against those risks," he says.
Menefee practices what he preaches. Today 85% of Schumacher Group's business processes live inside the public cloud, he says.
The company uses cloud services from providers such as Eloqua, for e-mail marketing; Google (GOOG) Apps for e-mail and calendaring; Salesforce.com, for CRM software; Skillsoft, for learning management systems; and Workday, for human resources management software. "The list continues to go on for us," he says.
Yet Menefee says he doesn't consider himself a cloud advocate. Rather, he says he's simply open to the idea of cloud services and willing to do the cost-benefit and risk analysis.
To be sure, the heavy reliance on cloud services hasn't come without a security rethink, Menefee says. For one, the company needed to revamp its identity management processes. "We needed to think about how to navigate identity management and security between one application and another living out in the cloud," he says.
Identity as a start
Indeed, rethinking identity management often is the starting point for enterprises assessing cloud security, says Charles Kolodgy, research vice president of security products at IDC. They've got to consider authentication, administrative controls, where the data resides and who might have access to it, for example.
"These are similar to what enterprises do now, of course, but the difference that it no longer owns the infrastructure and doesn't have complete access to the backend so it needs strong assurances," he adds.
Start-ups ServiceMesh and Symplified have addressed the need for strong cloud security assurances with offerings aimed at unifying access management. ServiceMesh offers the Agility Access, for use with its Agility Platform, which comprises cloud management, governance and security tools and modules, as well as the services managed under the platform.
Symplified offers Trust Cloud. Built on the Amazon Elastic Compute Cloud (EC2), Trust Cloud is a unified access management and federation platform that integrates and secures software and infrastructure cloud services, EC2 and Web 2.0 applications.