Bridging the Gap in Cloud Security
How Merit Medical protects off-premise data while offering users a single sign-on.
Fri, August 27, 2010
CIO — When Merit Medical moved its training and office productivity applications to the cloud, it chose two vendors—Google (GOOG), whose Apps Premier suite was selected for its low cost and ease of use, and eLeap, which hosts a training application for sales agents. The company then wanted end users to be able to share content while keeping data protected, all with a single, secure log-in.
“That’s one of the major challenges of cloud. You don’t want all your software to be siloed,” says Lincoln Cannon, director of Web systems at Merit, a $258 million company that makes catheters and other devices.
Some CIOs hesitate to adopt cloud computing because of concerns about getting vendors to support internal security and compliance standards, says Robert Stroud, international vice president of ISACA, an IT professional group that publishes governance standards.
A March survey of more than 1,700 ISACA members revealed IT departments harbor mixed feelings about the security and compliance risks of cloud computing, with 45 percent saying the risks of cloud computing outweigh the benefits.
Like many companies that decide to move key applications to the cloud, Merit uses a combination of technology and contracts to ensure its cloud computing providers comply with its internal security and risk-management policies. And in order to provide desired functions—such as document sharing or a single log-in—between vendors, it seeks out customized security solutions.
At Merit, Cannon devised a plan that includes single sign-on technology customized for Google and eLeap from Symplified, an access-control vendor that specializes in cloud computing security. Employees log on to Merit’s network once, using one user name and password combination that is managed by Symplified’s technology. Then they have access to both the Google and eLeap applications, Cannon says. No separate log-ons are needed.
Although Google uses an authentication protocol based on XML, a common standard, eLeap doesn’t support it, Cannon says, so Symplified provides custom code to connect the two.
Employees can also share data between the two systems. For example, Merit staff can create content in Google Docs about a new stent or catheter in the company’s product line and then embed it in an eLeap training quiz, Cannon says.
Meanwhile, although Cannon believes the single sign-on and other security measures from eLeap and Google provide solid protection for Merit’s information, he wanted a way to show internal and external auditors that security policies are followed. He negotiated an agreement to have Symplified monitor who accesses Merit’s eLeap and Google applications and when, and regularly send log files.
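The auditor-facing part of that arrangement can be checked mechanically: if every application access is supposed to go through the single sign-on, then an access log from the broker should show a successful login for the session behind each access. The script below is an added example (it is not Merit's, Symplified's, Google's or eLeap's code) that parses a constructed broker log format, builds the who/what/when report the article describes, and flags accesses that violate the single log-in policy. The log format, the event and field names, and the eight-hour session lifetime are all assumptions made for the example.

```python
"""Audit check over single-sign-on broker access logs.

Added example; the log format and the session lifetime are assumed, and
the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical broker format:
#   <ISO timestamp> <LOGIN|ACCESS> user=<id> [app=<name>] session=<id> [result=<ok|fail>]
SAMPLE_LOG = """\
2010-08-27T08:01:12Z LOGIN user=jsmith session=s1 result=ok
2010-08-27T08:01:40Z ACCESS user=jsmith app=google-apps session=s1
2010-08-27T08:05:03Z ACCESS user=jsmith app=eleap session=s1
2010-08-27T08:10:22Z LOGIN user=bmoore session=s2 result=fail
2010-08-27T08:10:59Z LOGIN user=bmoore session=s2 result=ok
2010-08-27T08:11:30Z ACCESS user=bmoore app=eleap session=s2
2010-08-27T09:30:00Z ACCESS user=tlee app=google-apps session=s9
2010-08-27T17:45:10Z ACCESS user=jsmith app=eleap session=s1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) (?P<kv>.*)$")
SESSION_LIFETIME = timedelta(hours=8)  # assumed maximum age of a broker session


def parse_line(line):
    """Parse one log line into a dict of fields; raise on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m["event"]
    return fields


def audit(log_text):
    """Return (report, findings).

    report:   {user: [(timestamp, app), ...]} -- the who/what/when list an
              auditor would review.
    findings: human-readable descriptions of accesses that do not fit the
              single log-in policy: no successful LOGIN for the session,
              a session owned by a different user, or a session older than
              SESSION_LIFETIME at the time of access.
    """
    sessions = {}              # session id -> (owner, login time)
    report = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event"] == "LOGIN":
            # Only a successful login establishes a session; failures are ignored
            # here but would be worth counting in a fuller report.
            if ev.get("result") == "ok":
                sessions[ev["session"]] = (ev["user"], ev["ts"])
            continue
        # ACCESS event: record it, then check it against the session table.
        when = ev["ts"]
        report[ev["user"]].append((when, ev["app"]))
        owner = sessions.get(ev["session"])
        prefix = f"{when.isoformat()} {ev['user']} -> {ev['app']}:"
        if owner is None:
            findings.append(f"{prefix} no SSO login recorded for session {ev['session']}")
        elif owner[0] != ev["user"]:
            findings.append(f"{prefix} session {ev['session']} belongs to {owner[0]}")
        elif when - owner[1] > SESSION_LIFETIME:
            findings.append(f"{prefix} session {ev['session']} expired (logged in {owner[1].isoformat()})")
    return dict(report), findings


if __name__ == "__main__":
    report, findings = audit(SAMPLE_LOG)
    for user, accesses in sorted(report.items()):
        for ts, app in accesses:
            print(f"{ts.isoformat()}  {user:<8} {app}")
    print(f"\n{len(findings)} finding(s):")
    for f in findings:
        print("  " + f)
```

On the constructed sample the report lists every access per user, and two findings come out: the `tlee` access on session `s9`, for which the broker never recorded a login, and the evening `jsmith` access on a session that is past the assumed lifetime. In practice the same check would run over the log files the broker delivers, and the findings list is the evidence an internal or external auditor would want to see next to the access report.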
That kind of arrangement is smart, says ISACA’s Stroud, who is also the IT service management and governance evangelist at CA Technologies. “It’s the same due diligence you’d do for any outsourcer,” he says.
Plus, a single sign-on helps insulate Merit from potential headaches if it ever decides to switch cloud providers, he says. Merit can redirect its user sign-ons to secured servers at a new service provider without changing employee passwords or procedures, he says. “You can be up at cloud vendor number two without any user implications.”