By David Baker, CSO at Okta
The line between enterprise and consumer is fading as employees work from all manner of devices to access the on-premises, cloud and even consumer applications needed to get work done. But it’s important not to confuse enterprise and consumer services from a security standpoint. Enterprises are increasingly trusting cloud service providers to secure private, often sensitive data. These services must be held to more rigorous standards, but what does it really take to be considered truly “enterprise grade”?
Cloud services today are ubiquitous and are quick to use terms like security, high availability and transparency. There are many features that define enterprise services, but the three that stand out for me are platform security, service availability and multi-tenant architecture.
Whether you call it Layer 7 or application security, hardening a cloud service is especially critical in the enterprise. These services are entrusted with sensitive corporate and customer data, and enterprises must be able to trust that their cloud vendors have rigorous security standards in place and that their customers’ data is behind lock and key.
The most basic step toward enterprise security is independent third-party certification. Yes, the c-word. I have seen many check-box attestations and certifications, but a certification alone does not mean that platform security is solid. There are many tiers of security validation, and programs such as FedRAMP, ISO 27001 and SOC 2 stand out as good benchmarks of operational security for cloud service providers. Operational controls are only part of the picture, though: a SOC 2 audit examines processes and controls, not whether the application itself resists attack. So on top of operational security validation, enterprise cloud services should be able to demonstrate additional validation through recurring third-party application penetration testing. And the penetration test results should be shared with customers, because transparency builds trust.
I have been pleasantly surprised by how many customers ask me to present my security controls according to the CSA Security, Trust & Assurance Registry (STAR) program. In fact, I’m working with my SOC auditors now to build additional narratives to our SOC 2 Type II report that map directly to STAR. A powerful way to demonstrate platform security is to not only provide the SOC 2 report, but to also provide every penetration report and STAR CCM as well.
Availability is a critical component of enterprise-ready services. A secure cloud service does little good if customers are unable to access it. Remember, enterprise cloud services are either replacing a legacy service or providing something that the enterprise needs 24x7x365. “Four 9s availability” (99.99%, or roughly 52 minutes of downtime per year) is a good industry benchmark for enterprise cloud services, but the number of 9s is only part of the equation.
Enterprise cloud vendors should back their availability claims with SLAs. Service providers are increasingly building on commodity IaaS providers, and customers are left to wonder whether the cloud service can honestly offer a better SLA than the IaaS provider offers the vendor. If a cloud service is built on top of an IaaS, transparency about that dependency is key.
Enterprise cloud vendors should be able to demonstrate, through at least two years of historical availability data, that their cloud architecture withstands the failures that are normal in cloud infrastructure. With today’s cloud infrastructures, it should be assumed that virtual instances will disappear because of hardware and network failures, natural disasters and power loss. Enterprise cloud services must be built for disaster avoidance, not disaster recovery!
The service must be built for resiliency, and it must be maintained without taking it offline. Maintenance windows are a thing of the past. Show me a cloud service with a “four 9s” SLA and a monthly service window, and I will show you a service provider with a “three 9s” SLA, no maintenance windows and higher availability. The arithmetic is simple: planned windows are typically excluded from the SLA calculation, so a single hour of maintenance each month adds 12 hours of downtime a year, already more than the roughly 8.8 hours a year that a “three 9s” (99.9%) service may be down at all.
Security and availability are essential components of any application that’s ready for the enterprise. But perhaps the most important characteristic of an enterprise-grade service is how it deals with the conundrum of multi-tenancy. The most common question prospective customers ask is, “How do you protect and secure my data from your other customers’ data?” Dedicated subnets and dedicated servers for each customer don’t scale within a multi-tenant cloud infrastructure. Its purpose is to be low-cost and to accommodate elastic scalability as needed. The solution to segmenting customer data is encryption, not subnets or dedicated instances. Yes, that means each customer’s data is uniquely encrypted while at rest within the service. Encryption at rest complements, rather than replaces, tenant-scoped authorization in the application layer: a request must still be checked against the tenant it belongs to before any key is used.
Making this work, however, is not always straightforward. The cloud service must assign a unique key to encrypt each customer’s data. This, in turn, requires a robust key management architecture that uses in-memory secrets that are never stored to disk or written down, to ensure the integrity of customers’ key stores and data. The key management system should also be resilient to the loss of encrypted data structures and be able to expire keys quickly; expiring a customer’s key renders everything encrypted under it unreadable, which is also the fastest way to delete a tenant’s data. Sure, it sounds obvious, but it’s scary how often developers focus on building the safe but forget to secure the key.
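The paragraphs above describe the design, not an implementation, so the following is an added example written for this page, not Okta’s code or any vendor’s. It sketches per-tenant envelope encryption in Go using only the standard library: a key-encrypting key (KEK) that exists only in memory (here it is simply injected; the assumption is that a real service would fetch it from an HSM or KMS at boot), a per-tenant data key wrapped under the KEK, the tenant ID bound into every ciphertext as AES-GCM associated data so a record copied from one tenant cannot be opened under another’s key, key versioning so rotation does not break old records, and an Expire operation that drops a tenant’s keys outright. The type and function names (KeyService, RotateTenantKey, Encrypt, Decrypt, Expire) are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce (prefixed to the output) and binds aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or a different aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService holds the KEK in memory only; the only key material it would ever
// persist is the wrapped per-tenant data keys, which are useless without the KEK.
type KeyService struct {
	kek     []byte              // assumption: injected from an HSM/KMS at boot, never written to disk
	wrapped map[string][][]byte // tenant -> data keys wrapped under kek; slice index = key version
}

func NewKeyService(kek []byte) *KeyService {
	return &KeyService{kek: kek, wrapped: map[string][][]byte{}}
}

// RotateTenantKey mints a new data key and makes it current; old versions stay readable.
func (ks *KeyService) RotateTenantKey(tenant string) error {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return err
	}
	w, err := seal(ks.kek, dek, []byte(tenant)) // tenant ID bound as AAD
	if err != nil {
		return err
	}
	ks.wrapped[tenant] = append(ks.wrapped[tenant], w)
	return nil
}

// dek unwraps one version of a tenant's data key; the plaintext key is never stored.
func (ks *KeyService) dek(tenant string, version int) ([]byte, error) {
	keys := ks.wrapped[tenant]
	if version < 0 || version >= len(keys) {
		return nil, fmt.Errorf("no key version %d for tenant %q", version, tenant)
	}
	return open(ks.kek, keys[version], []byte(tenant))
}

// Encrypt seals data under the tenant's current key. The stored record is
// [key version byte | nonce | ciphertext] and carries no key material.
func (ks *KeyService) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	v := len(ks.wrapped[tenant]) - 1 // current version; -1 (rejected by dek) if none
	dek, err := ks.dek(tenant, v)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(tenant))
	return append([]byte{byte(v)}, ct...), err
}

// Decrypt uses the caller's tenant key and ID, so a record lifted from another
// tenant fails authentication instead of decrypting.
func (ks *KeyService) Decrypt(tenant string, record []byte) ([]byte, error) {
	if len(record) == 0 {
		return nil, fmt.Errorf("empty record")
	}
	dek, err := ks.dek(tenant, int(record[0]))
	if err != nil {
		return nil, err
	}
	return open(dek, record[1:], []byte(tenant))
}

// Expire drops every key version for a tenant (crypto-shredding): the stored
// ciphertext remains on disk, but nothing can read it any more.
func (ks *KeyService) Expire(tenant string) { delete(ks.wrapped, tenant) }
```

The two properties the text asks for fall out of the structure: the database never sees a plaintext key (only wrapped data keys and records), so a dump of storage without the in-memory KEK is useless, and Expire makes a tenant’s data unrecoverable in one map deletion rather than by scrubbing every row. The single version byte limits this sketch to 256 rotations per tenant, which is fine for an illustration but would be a header field in a real record format.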
I’ve worked in corporate security for more than 15 years, and I’ve seen numerous instances of built-in encryption security gone terribly wrong: encryption protocols that are too easily cracked, or encryption keys that are stored in the same database as the encrypted data they are used to protect.
Three Prongs of an Enterprise Cloud Service
Enterprise users should expect more rigorous security standards from the applications they use at work. The stakes are higher in business, with repercussions that extend beyond just the end-user and can affect the entire organization. There are many components that make a cloud service truly enterprise ready, but platform security, availability and multi-tenancy are, in my opinion, the three most important. How a cloud service measures up determines whether it’s truly enterprise-grade, or whether it’s merely pretending to be.
By David Baker, chief security officer of Okta, an enterprise-grade identity management service that addresses the challenges of a cloud, mobile and interconnected business world. Follow him on Twitter at @bazaker.