The proliferation of mobile devices
along with the adoption of hybrid cloud architectures that integrate black-box
services from external providers is bringing back to the fore issues of
control. Control over access to resources, control over flow of data into and
out of resources, and the ability to exert that control consistently whether
the infrastructure is “owned” or “rented”.
What mobile and BYOD illustrate is
the extreme nature of computing today and of the challenges of managing the
elasticity inherent in cloud computing.
It is from the elasticity that the server side poses its greatest challenges –
with mobile IP addresses and locations that can prevent security policies from
being efficiently codified, let alone applied consistently.
With end-points (clients) we see
similar impacts; the elasticity of users lies in their device mobility, in the
reality that users move from smart phone to laptop to tablet with equal ease,
expecting the same level of access to corporate applications – both on and
off-premise. This is extreme elasticity – disrupting both client and
server variables. Given the focus on mobile today it should be no surprise to
see the declaration that “cloud security” is all about securing “mobile
devices.”
"If you want to secure the
cloud, you need to secure your mobile devices," he explained. "They
are the access points to the cloud -- and from an end-user perspective, the
difference between the cloud and the mobile phone is lost."
If this were to be taken literally,
it would be impossible. Without standardization – which runs contrary to a BYOD
policy – it is simply not feasible for IT to secure each and every mobile
device, let alone all the possible combinations of operating systems and
versions of operating systems. To do so is futile, and IT already knows this,
having experienced the pain of trying to support just varying versions of one operating system on corporate-owned
desktops and laptops. It knows the futility in attempting to do the same with
mobile devices, and yet they are told that this is what they must do, if they
are to secure the cloud.
Which brings us to solutions posited
by experts and pundits alike: IAM (Identity and Access Management) automation
and integration.

IAM + “Single Control Point” = Strategic Point of (Federated Access) Control

IAM is not a new solution, nor is
the federation of such services to provide a single control point through which
access can be managed. In fact, combining the two ideas – control over
access to cloud applications and the importance of a “single control point” –
is exactly what is necessary to address the “great challenge” for the security
industry described by Wendy Nather of the 451 Group. It is the elasticity that
exists on both sides of the equation – the client and the server – that poses
the greatest challenge for IT security (and operations in general, if truth be
told). Such challenges can be effectively met through the implementation of a
flexible intermediation tier, residing in the data center and taking advantage
of infrastructure and application integration techniques through APIs and
process orchestration.
Intermediation via the application
delivery tier, residing in the data center to ensure the control demanded and
required (as a strategic point of control), when combined with context-awareness,
offers the means by which organizations can meet head on the security challenge
of internal and external elasticity.
And if we had to give a name to this
solution, this application delivery tier service that federates access control
across on and off-premise applications, we’d call it … a broker. An identity
and access broker, to be more precise. Because of the lack of options in cloud
computing environments for services similar to those understood and employed by
IT in the data center, organizations will naturally need to “fall back” to a
known position that uses federation and the power of (infrastructure)
integration to achieve the control – and through it security – necessary to
meet consumerization demands without compromising on corporate policies
regarding the security and compliance of systems and data regardless of where
they may be deployed.
Cloud security, in the end, is about
control. It’s about control in the face of extreme elasticity, the
volatility and rapid rate of change on both sides of the equation – client and
server.
