144 Cloud Computing
the identity management system you already have in place. These vendors
should proactively go beyond the standards to address loopholes associated
with underlying technologies such as XML digital signatures and provide
centralized management and monitoring of security credentials and
identity traffic. Without a standards-based identity federation server,
implementing SSO that works over the Internet can take 6 to 9 months. A
properly configured standards-based identity federation server as provided
by current SaaS cloud providers should facilitate an implementation in less
than 30 to 45 days.
5.3.9 Claims-Based Solutions
Traditional means of authentication and authorization will eventually give
way to an identity system where users will present claims that answer who
they are or what they can do in order to access systems and content or
complete transactions. Microsoft has developed a flexible claims
architecture [5] based on standard protocols such as WS-Federation,
WS-Trust, and the Security Assertion Markup Language (SAML), which should
replace today’s more rigid systems based on a single point of truth,
typically a directory of user information. The claims model can grow out of
the infrastructure users have today, including Public Key Infrastructure
(PKI), directory services, and provisioning systems. This approach supports
the shared industry vision of an identity metasystem that creates a
single-user access model for any application or service and enables
security-enhanced collaboration. Microsoft Geneva, mentioned at the
beginning of the chapter, allows developers to use prebuilt identity logic
and enables seamless interoperability between claims-based and
non-claims-based systems.
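The claims model described above, as an added example that is not from the book or from Microsoft's Geneva code: a relying party accepts a signed set of claims from a trusted issuer and decides access from those claims instead of querying its own directory. An HMAC-signed JSON token stands in for a signed SAML or WS-Trust token, and the issuer URL, key, audience and role names are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed trust configuration: issuer URL, key and audience are assumptions.
TRUSTED_ISSUERS = {"https://sts.example.test": b"demo-shared-key"}
AUDIENCE = "https://payroll.example.test"

def _sign(key, issuer, body):
    return hmac.new(key, f"{issuer}|{body}".encode(), hashlib.sha256).hexdigest()

def issue_token(issuer, key, claims):
    """Issuer (security token service) side: serialize the claims and sign them."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{issuer}|{body}|{_sign(key, issuer, body)}"

def verify_token(token, now):
    """Relying-party side: return the claims only if every check passes."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    issuer, body, sig = parts
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return None  # not an issuer this application federates with
    if not hmac.compare_digest(_sign(key, issuer, body).encode(), sig.encode()):
        return None  # claims altered, or not signed by the named issuer
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != AUDIENCE:
        return None  # token was issued for a different application
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return None  # outside the validity window
    return claims

def authorize(token, required_role, now):
    """Decide from the presented claims alone; the application queries no directory."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims.get("roles", [])

def tamper_roles(token, roles):
    """Rewrite the role claim but keep the old signature (constructed test case)."""
    issuer, body, sig = token.split("|")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["roles"] = roles
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{issuer}|{body}|{sig}"

# Constructed sample token for user "alice", valid from t=1000 to t=2000.
SAMPLE = issue_token("https://sts.example.test", b"demo-shared-key",
    {"sub": "alice", "aud": AUDIENCE, "roles": ["payroll-reader"], "nbf": 1000, "exp": 2000})

if __name__ == "__main__":
    print(authorize(SAMPLE, "payroll-reader", 1500))  # True
    print(authorize(tamper_roles(SAMPLE, ["payroll-admin"]), "payroll-admin", 1500))  # False
```

The relying party trusts the issuer's signature rather than its own user store, so the issuer, audience and validity-window checks carry the weight a directory lookup used to.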
5.3.10 Identity-as-a-Service (IaaS)
Identity-as-a-Service essentially leverages the SaaS model to solve the
identity problem and provides for single sign-on for web applications,
strong authentication, federation across boundaries, integration with
internal identities and identity monitoring, compliance and management
tools and services as appropriate. The more services you use in the cloud,
the more you need IaaS, which should also include elements of governance,
risk management, and compliance (GRC) as part of the service. GRC is an
increasingly recognized term that reflects a new way in which organizations
can adopt an integrated approach to these three areas. However, this term
is often positioned as a single business activity, when in fact it includes
multiple overlapping and related activities, e.g., internal audit, compliance
programs such as Sarbanes-Oxley, enterprise risk management, operational
risk, and incident management.
5. http://msdn.microsoft.com/en-us/security/aa570351.aspx.
Chap5.fm Page 144 Friday, May 22, 2009 11:25 AM
IaaS is a prerequisite for most other aspects of cloud computing
because you cannot become compliant if you cannot manage your identities
and their access rights consistently in the cloud. That goes well beyond
authentication. Approaches for consistent policy management across
different cloud services will again require new standards, going beyond what
federation standards such as SAML, authorization standards such as
eXtensible Access Control Markup Language (XACML), and other standards
such as the Identity Governance Framework (IGF) provide today. Some of
the current IaaS vendors include Ping Identity, Symplified, TriCipher and
Arcot Systems.
The biggest threat in cloud computing is manageability. The biggest
threat to business by far is managing identities, authentication,
authorization, and all of the regulatory auditing requirements. Within any
cloud environment, an identity access strategy is a vital component and a
prerequisite. GRC services are moving to the cloud as well, and these are
the topic of the next section.
5.3.11 Compliance-as-a-Service (CaaS) [6]
Managed services providers historically have faced contractual difficulties
with their customers in negotiating information assurance requirements,
particularly regarding regulatory compliance verification. This problem
becomes even more complex in a cloud computing environment, where
physical resources can be geographically diverse, the regulatory landscape is
vast and international in nature, and no single one-to-one relationship can
determine the outcome of anything in the cloud.
Although this complexity may seem untenable at first glance, cloud
computing potentially furnishes an exciting and cost-effective layer of
opportunity in the creation of a “Compliance-as-a-Service” (CaaS) offering.
CaaS could solve a number of problems that have been viewed as difficult or
impossible, both by service providers and by their customers:
6. This section is based on email exchanges and input from Eddie Schwartz, CSO of Netwitness (www.netwitness.com), 12 Mar 2009.
- Cost-effective multiregulation compliance verification: A dominant
  percentage of all security and privacy regulations utilize a
  common base of security controls and best practices. These
  regulations, which have developed over many years, have been built on
  an identical, common body of knowledge augmented by a small
  percentage of nuance associated with industry-specific requirements.
  In a CaaS environment, next-generation network security
  monitoring technology could be deployed in the cloud to perform
  automated, rules-based data mining of cloud traffic flows.
  Compliance-oriented security services could be created to support
  verification of specific regulatory controls, from the network to the
  application layers, with commensurate alerting and reporting
  mechanisms.
- Continuous audit: A CaaS offering could provide continuous
  audit of security controls associated with the compliance domains
  within its scope. This approach would provide a higher level of
  information assurance than daily scans, quarterly spot audits, or
  statistical sampling methodologies. Additionally, the classic
  problem of third-party assurance and verification of a service provider’s
  security would be resolved because of the transparency that CaaS
  would provide into the service provider’s security controls.
- Threat intelligence: Any CaaS offering would benefit from the
  aggregate threat intelligence and distributed security analytics
  associated with multiple cloud customers. This situational visibility
  would be invaluable in understanding and defending against
  current and emerging threats to the cloud computer environment.
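The multiregulation verification and continuous audit ideas above, as an added example that is not from the book: each flow record is checked once against a small control catalogue, and every violation is reported under each regulation the control is mapped to. The flow fields, network ranges, control IDs and the control-to-regulation mapping are constructed assumptions.

```python
import ipaddress

# Constructed control catalogue. Each control is checked once and reported against
# every regulation it is mapped to; the mappings are assumptions for illustration.
CONTROLS = {
    "ENC-TRANSIT": {"desc": "regulated data moves only over encrypted protocols",
                    "regs": ["HIPAA", "GLBA"]},
    "SEGMENT":     {"desc": "only the application tier reaches the regulated segment",
                    "regs": ["HIPAA", "GLBA", "Sarbanes-Oxley"]},
}
REGULATED_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed regulated-data segment
APP_TIER_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed application tier
CLEARTEXT_PORTS = {21, 23, 80}  # FTP, Telnet, HTTP; port is a proxy for protocol

def violated_controls(flow):
    """Return the control IDs that one flow record violates."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if dst not in REGULATED_NET:
        return []  # out of scope for these controls
    hits = []
    if flow["dport"] in CLEARTEXT_PORTS:
        hits.append("ENC-TRANSIT")
    if src not in APP_TIER_NET:
        hits.append("SEGMENT")
    return hits

def audit(flows):
    """Evaluate every flow (not a sample) and group findings by regulation."""
    report = {}
    for flow in flows:
        for control in violated_controls(flow):
            finding = (control, flow["src"], flow["dst"], flow["dport"])
            for reg in CONTROLS[control]["regs"]:
                report.setdefault(reg, []).append(finding)
    return report

# Constructed flow records (not real traffic).
FLOWS = [
    {"src": "10.10.0.5",  "dst": "10.20.0.8", "dport": 443},  # compliant
    {"src": "10.10.0.5",  "dst": "10.20.0.8", "dport": 23},   # cleartext session
    {"src": "192.0.2.44", "dst": "10.20.0.9", "dport": 443},  # source outside app tier
    {"src": "192.0.2.44", "dst": "10.30.0.1", "dport": 80},   # not a regulated destination
]

if __name__ == "__main__":
    for reg, findings in sorted(audit(FLOWS).items()):
        print(reg, findings)
```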
5.3.12 The Future of Identity in the Cloud
As more business applications are delivered as cloud-based services, more
identities are being created for use in the cloud. The challenges of
managing identity in the cloud are far-reaching and include ensuring that
multiple identities are kept secure. There must be coordination of identity
information among various cloud services and among enterprise identity
data stores and other cloud services. A flexible, user-centric identity
management system is needed. It needs to support all of the identity
mechanisms and protocols that exist and those that are emerging. It should
be capable of operating on various platforms, applications, and
service-oriented architectural patterns. Users must be empowered to execute
effective controls over their personal information. In the future, they will
have control over who has their personal data and how it is used, minimizing
the risk of identity theft and fraud. Their identity and reputation will be
transferable. If they establish a good reputation on one site, they will be
able to use that fact on other sites as well.
5.4 Privacy and Its Relation to Cloud-Based Information Systems
Information privacy [7] or data privacy is the relationship between
collection and dissemination of data, technology, the public expectation of
privacy, and the legal issues surrounding them. The challenge in data
privacy is to share data while protecting personally identifiable
information. The fields of data security and information security design and
utilize software, hardware, and human resources to address this issue. The
ability to control what information one reveals about oneself over the
Internet, and who can access that information, has become a growing
concern. These concerns include whether email can be stored or read by third
parties without consent, or whether third parties can track the web sites
someone has visited. Another concern is whether web sites which are visited
collect, store, and possibly share personally identifiable information about
users. Personally identifiable information (PII), as used in information
security, refers to information that can be used to uniquely identify,
contact, or locate a single person or can be used with other sources to
uniquely identify a single individual. [8]
Privacy is an important business issue focused on ensuring that personal
data is protected from unauthorized and inappropriate collection, use,
and disclosure, ultimately preventing the loss of customer trust and
inappropriate fraudulent activity such as identity theft, email spamming,
and phishing. According to the results of the Ponemon Institute and TRUSTe’s
2008 Most Trusted Companies for Privacy Survey, privacy is a key market
differentiator in today’s cyberworld. “Consumer perceptions are not
superficial, but are in fact the result of diligent and successful execution
of thoughtful privacy strategies,” said Dr. Larry Ponemon, chairman and
founder of the Ponemon Institute. “Consumers want to do business with
brands they believe they can trust.” [9]
7. http://en.wikipedia.org/wiki/Information_privacy, retrieved 28 Feb 2009.
8. http://en.wikipedia.org/wiki/Personally_identifiable_information, retrieved 28 Feb 2009.
9. http://www.truste.org/about/press_release/12_15_08.php, retrieved 28 Feb 2009.
Adhering to privacy best practices is simply good business but is
typically ensured by legal requirements. Many countries have enacted laws to
protect individuals’ right to have their privacy respected, such as Canada’s
Personal Information Protection and Electronic Documents Act
(PIPEDA), the European Commission’s directive on data privacy, the Swiss
Federal Data Protection Act (DPA), and the Swiss Federal Data Protection
Ordinance. In the United States, individuals’ right to privacy is also
protected by business-sector regulatory requirements such as the Health
Insurance Portability and Accountability Act (HIPAA), the
Gramm-Leach-Bliley Act (GLBA), and the FCC Customer Proprietary Network
Information (CPNI) rules.
Customer information may be “user data” and/or “personal data.” User
data is information collected from a customer, including:
- Any data that is collected directly from a customer (e.g., entered by
  the customer via an application’s user interface)
- Any data about a customer that is gathered indirectly (e.g., metadata
  in documents)
- Any data about a customer’s usage behavior (e.g., logs or history)
- Any data relating to a customer’s system (e.g., system configuration,
  IP address)
Personal data (sometimes also called personally identifiable information)
is any piece of data which can potentially be used to uniquely identify,
contact, or locate a single person or can be used with other sources to
uniquely identify a single individual. Not all customer/user data collected
by a company is personal data. Examples of personal data include:
- Contact information (name, email address, phone, postal address)
- Forms of identification (Social Security number, driver’s license,
  passport, fingerprints)
- Demographic information (age, gender, ethnicity, religious affiliation,
  sexual orientation, criminal record)
- Occupational information (job title, company name, industry)
- Health care information (plans, providers, history, insurance,
  genetic information)