Avoiding pitfalls on the path to the cloud

Cloud providers can offer more flexible services at a cheaper price than most enterprises can achieve because they amortise their equipment and maintenance costs over a large number of customers.

Users or business units can have their required capabilities ‘now’ rather than wait for months for IT to design the answer to their wishes. You also receive fault tolerance, disaster recovery and uniform access from many device types - all productivity contributors that help your staff get their jobs done, whenever and wherever they are.

Cloud services can also improve productivity in the IT department by freeing up IT staff to focus on solving company-specific problems rather than looking after consumerised infrastructure such as mail servers, file repositories, CRM systems and the like. Few companies gain significant competitive advantage by having a “really well set up mail server” - they’re a dime a dozen, yet expensive to maintain internally. So why burden your IT staff with mundane tasks when they could be designing business-specific process improvements and extracting business intelligence that will help your bottom line?

Security

Yet a principal argument against moving to the cloud is that it is less secure than current on-premise infrastructure models. To answer this, we should first take a fresh look at the core problems bedevilling on-premise enterprise security. Do we only need to guard against the bad guys trying to hack our infrastructure? Or do we need to defend ourselves from the bad habits of the good guys who manage that infrastructure?

The answer is: both.

The bad guys are a given: their hack attempts are driven by every motivation from greed to ego. Moving to the cloud doesn’t change this. It may arguably improve your security as now your cloud provider employs and updates the necessary security and network infrastructure. As they do this for many other clients, they deploy state-of-the-art firewall and other security equipment. As part of their core service offering, you would rightfully expect their network administrators to be better than your own!

But the bad habits of the good guys - your beloved systems administrators - are another matter. One example arises from the difficulty that many Windows administrators face: to allocate and maintain finely grained user privileges with standard tools such as group policies. As a result, admins get into the bad habit of only deploying coarse-grained privileges in practice.

This creates the situation where sites are either overly permissive, and thus insecure, or so restrictive that users are annoyed by the need to petition IT to make even a tiny change. Although a permissive set-up means that, while your users are by and large happy, any ‘unhappy’ user now likely has domain admin rights - thus creating another problem.

The same problem exists in Unix-like environments. Unix administrators employ the same bad habit of coarse-grained privilege allocation. In addition, Unix sites frequently resort to the unsecure practice of shared accounts to deal with the lack of sophistication of enterprise-grade Unix privilege management.

Managing privileges

Now map this all to the cloud. What has changed?

Bad guys need to find only one flaw. A permissive set-up gives them a huge opportunity for phishing. These problems are compounded when an over-privileged user leaves your organisation and the over-worked IT department has no idea what to turn off - they may not even know that a risk exists.

On the other hand, the restrictive access scenario is onerous and expensive for administrators - who are forced to deal with many petty requests - and annoying for the user. There’s also a real chance that it will encourage users to find alternate ways of getting things done - such as a SaaS portal to sidestep IT altogether.

The compromise between restrictive and permissive access is called ‘least privilege’ - created by easy-to-use tools that can quickly configure and maintain fine-grained security policies. Rather than rely on guru-like admins or super-awareness, we need tools that can grant and manage fine-grained rights that are as simple to use as making computers and users members of appropriate groups.

Thus a move to the cloud could be the catalyst you need to address the ‘least privilege’ problem once and for all while giving you an opportunity to leverage your existing identity infrastructure for your cloud. In this sense, your identity infrastructure should be your ‘on-premise secret sauce’. Everything else can go to the cloud.

Cloud pitfalls

While moving to the cloud offers clear productivity benefits, there are also pitfalls to avoid in order to fully reap the benefits.

As we demand access to information no matter what device, location or time, our on-demand mentality, epitomised by cloud services, exposes the enterprise to new challenges that are more often overlooked than understood.

The additional convenience of anytime-anywhere access could create risk associated with Australian privacy legislation or risk via government-mandated access such as the US PATRIOT Act. Other risks are associated with questions of data ownership and short- and long-term service disruption.

While these legal dimensions are important, the bottom line is that the cloud is here to stay. Not embracing these on-demand services could prove fatal from a motivation and productivity standpoint, so the legal risks need to be understood and mitigated. Of greater concern is the technology risk that arises from password and identity store proliferation, which can present a real productivity problem for the enterprise.

Password proliferation

In the age of the cloud, one big question is: how do you meet the significant challenge of managing and maintaining logins for all of your users on all of their services?

Using a range of cloud services - including email, online apps, CRM and accounting services - requires users to remember many passwords. While password protection is essential, their proliferation is bad for both productivity and for security.

The productivity problem posed by password proliferation is that people may avoid using an app due to complex login logistics - or even worse, they may ‘build’ a simpler, less-secure alternative to do the job.

In addition, complex passwords generate many ‘forgotten password’ calls to the help desk, wasting time all round. Security flaws abound when many users write down their passwords or choose the same bad password for everything.

There’s also the problem of entering passwords on mobile devices, which is both tricky and annoying - and a security hazard if your member of staff enters their password in a public place.

One answer to both these productivity and security questions is having single sign-on (SSO) authentication, which means your staff no longer need to remember usernames and passwords.

SSO is not just a productivity win for the people who use your IT infrastructure. It can also boost the productivity of your IT administrators.

For instance, de-provisioning cloud apps is simplified with an SSO solution that ties all logons back to a single identity store such as Active Directory. With a good SSO solution, de-provisioning becomes a straightforward ‘disable-user’ operation for staff on the help desk: trivial, quick and almost impossible to screw up.

This avoids IT staff needing to track down all accounts for manual disabling, a tedious, time-consuming and error-prone task that requires a highly privileged - that is, expensive - operator.

After initial SSO roles are set up, day-to-day maintenance is eased, requiring virtually no extra training. This eliminates the need to train or retain application specialists to: “add, move, change, delete,” etc.

It’s time to recognise that data breaches are a matter of when, not if. This has nothing to do with cloud or on-premise. Boundaries don’t matter anymore. The border is already eroded.

*Matt Ramsay is Regional Director APAC for Centrify Corporation, which delivers integrated software solutions that centrally control, secure and audit access to cross-platform systems and applications by leveraging Active Directory