The missing piece of the cloud security jigsaw

Many applications are moving into the cloud but is security really keeping pace?

There is no doubt that organizations are moving to the cloud — whether driven by IT or by the business.

The sheer amount of business moving to cloud-based models and the advent of off-premises systems that require much less management (and fixed expense) to operate is impossible to ignore.

But I am concerned about the cloud for a number of reasons with security being high on my list of overall concerns.

It isn't so much a matter of whether anyone's cloud is secure or not, but rather the idea of information and data being available publically. Many will argue that my private infrastructure is as vulnerable as cloud systems — although I have direct control over the access to on-prem systems and architecture and more importantly I have total visibility into its design and access points.

In a cloud environment this is not so apparent which means many potential backdoors.

In addition, I now have no direct control, with respect to the vendor, about to whom and when access is provided.

The adoption of the cloud presents additional issues that are snowballing into the unmanageable, specifically, with respect to identity management.

It used to be that my active directory allowed for me to control access to most of my systems through domain and system credential access. However, the cloud doesn't necessarily conform to my existing network standards. In addition, with smaller cloud apps often IT isn't even really being consulted about user access or application operation or controls.

In general control audits we do assess if users are properly activated and deactivated, but there still exists a lack of visibility which makes me feel uncomfortable in terms of who has what access when. Standards such as SAML are good but are not necessarily always available. In addition, to fully configure a SAML-based authentication system you need the cloud app to conform and investments in your internal infrastructure to support a global login function and the supporting integration.

This is fine for one or two primary applications where the cost can absorbed into the implementation cost. However, it does not make sense with smaller HR or one-off applications that only a few users access.

I have also been reading recently about significant changes afoot with identity management brought forth by Yahoo! and Google, going to a device verification model rather than password model for authentication. This essentially brings two-factor to your personal device by requiring you to verify a login through your smartphone. It's early days for this, but it suggests to me the whole technology around identity management — given the obvious shortcomings of passwords that lead to high profile breaches — is changing and for that matter needs to.

That brings me back to primary issue. My application landscape is changing to the cloud. My access control capabilities are ill-equipped to manage access, authentication and user permissions in cloud off-prem applications. So at a time when I need to demonstrate more control and visibility over access I am being forced to accept changes that directly impact my ability to do so.

What is even worse is that my users now probably use the same password to access multiple public platforms without centralized control, meaning one breached account or application could expose my entire infrastructure. Nice! Happy New Year.

The Naked CIO is an anonymous technology executive.

More from the Naked CIO

Why Apple is the forbidden fruit of enterprise IT

What does the Ashley Madison hack mean for CIOs?

The CIO's real security headache

Naked CIO: Where's the innovation in IT?

It's time to tell the truth about bad data

Naked CIO: Why it pays to pick your battles

When it comes to tech budgets, it's time to make money matter

Editor's Picks

Free Newsletters, In your Inbox