May 09, 2011

Do you know what apps you have in the cloud?

I think most people have come to the realization that the cloud is secure; well, as secure as anything can be. Sure there is the occasional story in the press that we all hear about, but as many of those are internal breaches as cloud breaches, and I doubt the smaller private breaches make the news.

My only real concern with cloud is that the bigger providers are a bigger target. I doubt that Google, Microsoft, or SalesForce.com security is anything less than good, but frankly every evil hacker in the world wants to break into them as opposed to a medium sized company.

Really, when we think about cloud security I think it’s less around data protection and more about identity management and access to service. If I forget to remove an account of a former employee, or they have a weak password, or get key logged, I’m cooked.

We just started using something called Okta. I don’t know if that stands for anything, but I do know that it lets me log-in seamlessly to what seems like dozens of applications. I get one click access to LinkedIn, Google, Twitter, Facebook, our Outlook Web Access, SalesForce, ADP, Coupa (purchasing), American Express and Cain Travel. Those are just the ones I have on my main page.

The cool thing is for the few systems that have local accounts, I don’t need to remember the passwords so I can choose a good one. So that helps with weak passwords.

It uses SAML2.0 among other things, so I can remove accounts simply by removing a user’s Okta access. Since we sync our active directory with them, and our HR system to AD, HR now can remove access without needing someone in IT do to it for them. Plus, since it’s automated, I don’t have to worry about someone getting busy and forgetting and leaving me exposed.

Okta is still fairly new and adding new features, so they are quickly getting better. They provide a “security image” so you can be pretty sure that you are at least going to the correct site. I expect them to add multi-factor authentication soon, much like Google is doing where it calls or emails you a PIN to get on a different machine than normal.

Access to the Internet is interesting. It used to be that network administrators would apply quality of service, typically by TCP/IP address and port. Access to the SAP server, for example, would have a higher precedence than email. Voice traffic would be treated better than file transfers, etc.

With many things now going to the Internet, it’s harder. Networks need to be smart enough to know more about the traffic than just what IP it is going to. They need to understand the difference between an HTTP GET request of an image versus a transactional process, like an order, being done over HTTP, and treat them differently.

It really takes a high-end flow based switch to be able to do that level of inspection, without impacting performance. Most traditional switches simply don’t have the intelligence. Enterasys S-Series, with CoreFlow2 in them, have the speed and smarts to do this.

About The Contributor:
Extreme Marketing Team

See My Other Posts

Leave a Reply

Your email address will not be published. Required fields are marked *