I think most people have come to the realization that the cloud is secure; well, as secure as anything can be. Sure, there is the occasional story in the press that we all hear about, but as many of those are internal breaches as cloud breaches, and I doubt the smaller private breaches make the news.
Really, when we think about cloud security, I think it's less about data protection and more about identity management and access to services. If I forget to remove the account of a former employee, or they have a weak password, or they get keylogged, I'm cooked.
We just started using something called Okta. I don't know if that stands for anything, but I do know that it lets me log in seamlessly to what seems like dozens of applications. I get one-click access to LinkedIn, Google, Twitter, Facebook, our Outlook Web Access, Salesforce, ADP, Coupa (purchasing), American Express and Cain Travel. Those are just the ones I have on my main page.
The cool thing is that, for the few systems that still have local accounts, I don't need to remember the passwords, so I can choose strong ones. That helps with weak passwords.
It uses SAML 2.0 among other things, so I can remove access to all of those applications simply by removing a user's Okta access. Since we sync our Active Directory with Okta, and our HR system with AD, HR can now remove access without needing someone in IT to do it for them. Plus, since it's automated, I don't have to worry about someone getting busy, forgetting, and leaving me exposed.
Okta is still fairly new and adding features, so they are quickly getting better. They provide a "security image" so you can be reasonably sure that you are at least going to the correct site. I expect them to add multi-factor authentication soon, much like Google is doing, where it calls or emails you a PIN before you can log in from a machine other than your usual one.
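The HR-to-AD-to-Okta chain described above only closes accounts in federated systems; the "few systems that have local accounts" sit outside it. As an added example (not the post's or Okta's code, with constructed data and assumed field names), here is a reconciliation check that compares HR's terminated list against what each system still reports as enabled, separating sync failures from local-account gaps and ghost accounts:

```python
# Added example (not the post's code): reconcile HR terminations against what
# each system still reports as active. The post's chain is HR -> Active
# Directory -> Okta (SAML 2.0), so disabling a user in HR should cut off every
# federated app; systems with local accounts sit outside that chain and need a
# separate check. All data and field names below are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str

# Constructed HR roster: login -> "active" or "terminated".
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "terminated"}

# Constructed snapshots of accounts each system currently reports as enabled.
ACTIVE_ACCOUNTS = {
    "ad":           {"alice", "carol", "dave"},         # dave should have been disabled
    "okta":         {"alice", "carol", "eve"},          # eve has no HR record at all
    "adp_local":    {"alice", "bob", "carol", "dave"},  # local accounts, never synced
    "travel_local": {"alice", "carol"},
}
FEDERATED = {"ad", "okta"}  # covered by the HR -> AD -> Okta chain

def reconcile(roster, active, federated):
    """Flag accounts that HR's records say should no longer exist.

    A terminated user still enabled in a federated system means the sync broke;
    one still enabled in a local-account system is a gap the chain cannot close;
    an enabled account with no HR record is a ghost that HR can never trigger removal of.
    """
    findings = []
    for system, users in sorted(active.items()):
        for user in sorted(users):
            status = roster.get(user)
            if status is None:
                findings.append(Finding(user, system, "no HR record (ghost account)"))
            elif status == "terminated":
                reason = ("sync failure: terminated in HR but still enabled"
                          if system in federated
                          else "local account outside the HR/AD/Okta chain")
                findings.append(Finding(user, system, reason))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACTIVE_ACCOUNTS, FEDERATED):
        print(f"{f.system:13} {f.user:6} {f.reason}")
```

In practice the snapshots would come from AD, the Okta user list, and each application's own admin export; the point is that the local-account systems must be in the comparison, because nothing upstream will ever disable them.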
Access to the Internet is interesting. It used to be that network administrators would apply quality of service, typically by TCP/IP address and port. Access to the SAP server, for example, would have a higher precedence than email, voice traffic would be treated better than file transfers, and so on.
With so many things now going over the Internet, that is harder. Networks need to be smart enough to know more about the traffic than just which IP address it is going to. They need to understand the difference between an HTTP GET request for an image and a transactional process, like an order, being done over HTTP, and treat the two differently.
It really takes a high-end flow-based switch to do that level of inspection without impacting performance. Most traditional switches simply don't have the intelligence. Enterasys S-Series switches, with CoreFlow2, have the speed and smarts to do this.