From The Expert Feature Article
March 01, 2013

In Cloud We Trust

By TMCnet Special Guest
Shahin Pirooz, chief security officer and chief technology officer of CenterBeam Inc.

Information Security Pros Can Retain Control While Extending Corporate Security Policy and SSO to the Cloud

Moving IT infrastructure and applications to the cloud is becoming more commonplace as businesses realize the benefits – from lower capex to flexibility and scalability – and become more comfortable with the technology. Yet, despite the positives that cloud solutions can bring to a business, information security professionals are trained to focus on the risks – loss of control over user access to cloud resources, greater exposure to hacking, viruses and unintended data loss, and the integration of disparate systems – all while maintaining compliance with corporate security policies. Looking into the future, they worry about the security holes that could open up when the comfort level with cloud solutions increases and everyone’s guard goes down.

But enterprise IT professionals do not have to compromise their corporate security posture when moving to the cloud. The same security policy that applies to in-house infrastructure and processes can be extended into the cloud and applied to all types of end-user devices – from traditional desktop computers to the smartphones and tablets now being used in greater numbers by employees. And the addition of true single sign-on (SSO) technology can simplify – and secure – access to a full suite of cloud assets, regardless of the provider.

Raising the Red Flags

When faced with the choice to move some or all of a company’s infrastructure and applications to the cloud, red flags go up for IT security professionals almost immediately. Having hardware or software residing outside the enterprise – particularly in the public cloud – requires open APIs. While these are great for integrating applications into an effective, seamless cloud offering, they can also open holes that hackers, or malicious or careless employees, could exploit, exposing valuable and confidential customer or corporate data.

The move to the cloud enables greater mobility and further fuels the consumerization of IT, which is resulting in employees using their personal smartphones and tablets for work purposes. Employees are increasingly relying on their own devices to access corporate applications and resources anytime from anywhere. Because these devices are personally owned, rather than supplied by the enterprise, the IT department faces additional challenges in controlling when devices are updated, what software resides on them, or how to protect any corporate data that may be stored or accessed on them.

Regaining Control

Limitations on security inherent in some cloud offerings require enterprises either to compromise on their in-house security policies when moving to a hosted solution, or to incur additional expense to implement those policies fully across the cloud. While these are clearly valid concerns, there are strategies for addressing the perceived loss of control. By working with a provider that enables corporate security policies to be extended uniformly across all IT systems, whether on-premise or in the cloud, one of the primary concerns about moving to the cloud can be eliminated.

To control employee access to all their mission-critical applications in the cloud, and to simplify the process, many IT departments are turning to single sign-on solutions, the most popular of which is Microsoft Active Directory Federation Services (ADFS). Single sign-on enables employees to log on once and use that authentication across all their services. With ADFS, an enterprise’s Active Directory is used to create a federation with the cloud service provider to authorize users. While ADFS is one viable option for single sign-on, it is a complex system with many intricacies and is not for the faint of heart. There are many single sign-on solutions on the market, and a discerning IT organization should explore how its prospective cloud provider handles single sign-on and what it may take to deploy it across the enterprise. Use of a unified single sign-on solution gives information security professionals added assurance that employees can access only the applications they need and are prevented from unauthorized use of others.
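The federation flow the paragraph describes, reduced to the checks the cloud application (the relying party) must perform before it trusts a claim from the identity provider: the token's signature, issuer, audience and validity window are verified first, and only then are the user's directory groups compared against the application's entitlements. This is an added illustration, not code from the article, from CenterBeam or from ADFS; ADFS actually issues X.509-signed SAML or WS-Federation tokens, and the HMAC-signed JSON token, the issuer URL, the application names and the group-to-application table below are constructed stand-ins so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the federation trust between the
# identity provider and the cloud application (assumption: a real deployment
# uses an X.509 signing certificate published in federation metadata).
FEDERATION_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical identity-provider issuer identifier.
IDP_ISSUER = "https://adfs.example.test/adfs/services/trust"

# Constructed entitlement table: which directory groups may use which app.
APP_ENTITLEMENTS = {
    "crm.example.test": {"Sales", "SalesOps"},
    "finance.example.test": {"Finance"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, groups: list, audience: str, now: int, ttl: int = 300) -> str:
    """Identity-provider side: sign a claim set for one specific application."""
    claims = {
        "iss": IDP_ISSUER,
        "sub": user,
        "aud": audience,      # binds the token to one relying party
        "groups": groups,     # directory group membership carried as claims
        "iat": now,
        "exp": now + ttl,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


def verify_token(token: str, expected_audience: str, now: int):
    """Relying-party side: return the claims only if every trust check passes."""
    try:
        body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    body = b64url_decode(body_b64)
    expected_sig = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    # Signature is checked before any claim is interpreted.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return None
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER:
        return None
    # A token minted for another application must not be accepted here.
    if claims.get("aud") != expected_audience:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def authorize(token: str, app: str, now: int) -> bool:
    """Authentication via the federation, then per-application authorization."""
    claims = verify_token(token, app, now)
    if claims is None:
        return False
    allowed = APP_ENTITLEMENTS.get(app, set())
    return bool(set(claims.get("groups", [])) & allowed)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", ["Sales"], "crm.example.test", now)
    print("alice -> crm:", authorize(token, "crm.example.test", now))
    print("alice -> finance:", authorize(token, "finance.example.test", now))
```

The ordering matters for the assurance the paragraph promises: because the audience check rejects a token issued for one application when it is presented to another, and the entitlement table is consulted only after the token is proven genuine, a user who legitimately reaches one cloud service cannot reuse that session to reach a service their groups do not cover.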

The ability to support all types of devices is another important feature to look for in a cloud provider, because employees are increasingly demanding to use their own personal devices. Enterprise IT staff must be able to manage, support and secure all types of devices – from iPhone, Android and BlackBerry to tablet and laptop – irrespective of the underlying operating system. When seeking a cloud provider, it is important that the solution not only supports a wide range of devices, but also offers a single dashboard from which every type of endpoint can be monitored and managed. This single pane of glass should extend across the cloud, as well as to the on-premise systems being managed by your service provider. Additionally, the cloud solution should proactively deliver updates and critical patches so that known security holes in the endpoints cannot be exploited, and offer continuous management of mobile endpoint configuration to keep devices in compliance with corporate security policies.

By considering the need to extend security policy, control access to cloud applications and effectively manage the additional devices employees are using to do business, IT security professionals can safely maintain control and visibility into all their IT systems, and become more comfortable with the inevitable move to the cloud.

About the Author
Shahin Pirooz, chief security officer and chief technology officer of CenterBeam Inc., has a wealth of experience in operations management, account leadership, project management and customer relationship management. Shahin has deep technology expertise covering areas such as IT architecture (development, design, planning and implementation), as well as core tools, operating systems and programming languages. He’s an active blogger for IBM and Computer Technology Review, and has contributed to Forbes, Virtual Strategy Magazine, Baseline and Enterprise Systems Journal, among others.

Edited by Brooke Neuman