by: Matthew Gardiner
Generally in the world, silos relate to things that are beneficial, such as silos for grain or corn. In the world of IT security, however, silos are very bad. In many forensic investigations application silos turn up as a key culprit that enabled data leakage of one sort or another. It is not that any one application silo is inherently a problem – one can repair and manage a single silo much as a farmer would do – it is the existence of many silos, and silos of so many types, that is the core problem. Farmers generally don’t use thousands of grain silos to handle their harvest; they have a handful of large, sophisticated, and centralized ones.
The same approach has proven highly effective in the world of application security, particularly since the emergence of the Web and its explosion of applications and users. Managing security as a centralized service and applying it across large swaths of an organization’s infrastructure and applications is clearly a best practice. However with the emergence of the Cloud as the hot application development and deployment platform going forward, organizations are at significant risk of returning to the bad days of security silos. When speed overruns architecture, say hello to security silos and the weaknesses that they bring.
What do I mean by security silos? I think of silos as application “architectures” that cause security (as well as IT management in general) to be conducted in “bits-and-pieces”, that is, uniquely within each specific platform or system. Applications are built this way because it feels faster in the short term. After all, the project needs to get done. But after this approach has been executed multiple times, the organization is left with many inconsistent, custom, and diverse implementations and related security systems. These systems are inevitably complex to operate and expensive to maintain, as well as easy to breach on purpose or by accident.
Perhaps this time it is different? Perhaps IT complexity will magically decline with the Cloud? Do you really think that the move to the Cloud is going to make the enterprise IT environment homogeneous and thus inherently easier to manage and secure? Not a chance. In fact, just the opposite is most likely. How many organizations will move all of their applications and data to public clouds, and for that matter to a single public cloud provider? Very few. Given this, it is imperative that security architects put in place security systems that are designed to operate in a highly heterogeneous, hybrid (mixed public cloud and on-premise) world. The cloud-connected world is one where applications and data will on one day be inside the organization on a traditional platform, the next day hosted within the organization’s private cloud, the next day migrated to live within a public cloud service, and then back again, based on what is best for the organization at that time.
Are security silos inevitable with the move to the Cloud? In the short term, unfortunately, probably yes. With every new IT architecture the security approach has to do some catch-up. It is the security professionals’ job to make this catch-up period as short as possible.
How should we shorten the catch-up period?
- First, update your knowledge base around the Cloud and security. There are a lot of good sources out there; one in particular that I like is from the Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing.
- Second, rethink your existing people, processes, and technology (sorry for the classic IT management cliché) in terms of the cloud. You will find the control objectives don’t change, but how you accomplish them will.
- Third, start making the necessary investments to prepare your organization for the transition to the cloud that is likely already underway.
While there are many areas covered in the above CSA document, let me focus on one area that in particular highlights some cloud-specific security challenges: Identity and Access Management.
The CSA document says it well, “While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services.” Issues such as user provisioning, authentication, session management, and authorization are not new issues to security professionals. However, accomplishing them in the context of the cloud requires that the identity management systems that are on-premise in the enterprise automatically “dance” with the equivalent systems at the various cloud service providers. This dance is best choreographed through the use of standards, such as SAML, XACML, and others. In fact the rise of the cloud also raises the possibility of outsourcing even some of your identity management services, such as multi-factor authentication, access management, and other capabilities to specialized cloud security providers.
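To make the “dance” between an on-premise identity provider and a cloud service provider concrete, here is an added example (my illustration, not code from the author or from CA Technologies) of the checks a cloud-side service must perform on a federated assertion before trusting it: signature, issuer, audience, and validity window, followed by a central authorization decision. Real SAML assertions are XML signed with X.509 keys; this example simplifies to a JSON body signed with a shared HMAC key, and the issuer URL, audience URL, key, group names and policy table are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (hypothetical IdP, SP and shared key).
# A production deployment would use SAML/XML-DSig with the IdP's X.509 certificate.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
IDP_ISSUER = "https://idp.example.corp"      # on-premise identity provider
SP_AUDIENCE = "https://app.cloud.example"    # cloud service provider

# Central authorization policy lives in one place, not inside each application.
POLICY = {
    "read": {"staff", "finance"},
    "approve-payment": {"finance"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, groups, now, lifetime=300, audience=SP_AUDIENCE):
    """IdP side: sign a short-lived assertion scoped to one audience."""
    claims = {
        "iss": IDP_ISSUER,
        "aud": audience,
        "sub": subject,
        "groups": sorted(groups),
        "nbf": now,              # not before
        "exp": now + lifetime,   # not on or after
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_assertion(token, now):
    """SP side: return (claims, "ok") or (None, reason). Signature is checked
    before anything inside the body is trusted."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != SP_AUDIENCE:
        return None, "wrong audience"
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if nbf is None or exp is None or not (nbf <= now < exp):
        return None, "expired or not yet valid"
    return claims, "ok"


def authorize(claims, action):
    """Central policy decision: does any of the subject's groups permit the action?"""
    allowed_groups = POLICY.get(action, set())
    return bool(set(claims.get("groups", [])) & allowed_groups)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_assertion("alice", ["staff"], now)
    claims, status = validate_assertion(token, now)
    print(status, claims and claims["sub"])
    print("read:", authorize(claims, "read"))
    print("approve-payment:", authorize(claims, "approve-payment"))
```

The ordering matters: the signature is verified over the opaque body before any claim is parsed, the audience check stops an assertion minted for one cloud service from being replayed at another, and the validity window bounds the damage from a leaked assertion. Authorization is deliberately separated from authentication so the policy can be managed centrally rather than duplicated per application.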
While in the short term it would seem that the emergence of some security silos is inevitable with organizations’ aggressive move to the cloud, it doesn’t have to be this way forever. We know security silos are bad, we know how to avoid them, and we have much of the necessary technology already available to eliminate them. What remains is to take action.
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM, cloud security, and other security-related topics. He is a member of the Kantara Initiative Board of Trustees. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT’s Sloan School of Management. He blogs regularly at: http://community.ca.com/members/Matthew-Gardiner.aspx and also tweets @jmatthewg1234. More information about CA Technologies can be found at www.ca.com.