Cloud security leading practices and technologies
Deloitte on Cloud Blog
Leading practices are still emerging around the use of identity-based security with cloud computing.
April 19, 2018
A blog post by David Linthicum, managing director, chief cloud strategy officer, Deloitte Consulting LLP
The rise of cloud computing led us to rethink approaches to security for cloud and non-cloud systems. Because of the complex and distributed nature of cloud-based platforms, security approaches that leverage identity seem to be the best fit. This is a fundamental shift in both security planning and technology. Enterprises will likely need to ‘feel the pain’ before they can ‘understand the gain.’
Enterprises typically fall down by not understanding their own security requirements and issues before they create an approach and a design, and then select the right identity and access management (IAM) technology solution. IAM technologies, as listed below, all have their own approach to IAM. This includes those that are focused on cloud computing and those that focus on more traditional enterprise approaches.
The trick is to pick an IAM solution that can meet most requirements. In many cases, enterprises that deploy cloud-based platforms may leverage two or perhaps three IAM solutions. For instance, one might manage identity, while another manages the single sign-on.
Leading practices are still emerging around the use of identity-based security with cloud computing. Some of the more notable patterns include the following:
- The integration of cloud-based identity management solutions with enterprise security from the outset. While many are okay with creating “security silos” that leverage different approaches and technologies, these have a tendency to be counter-productive over time. You’ll eventually need to consolidate around a single security model.
- The IAM solutions out there seem to focus either on cloud computing or on the enterprise. Don’t be afraid to focus on the design and architecture of your identity-based security solution, and then select the technology. While your solution will be more complex, the architecture should endure through many technological changes. Never let technology lead your requirements or design, although that seems to be an emerging practice. It’s certainly not a leading practice…yet.
- Splurge on testing, including “white hat” security tests. These can lead to an understanding of where the vulnerabilities exist and thus can lead to better approaches and use of security technology. So far, IAM systems that focus on cloud computing have a great track record. However, this could be due to the fact that many on-premises enterprise systems are much less secure and thus provide better pickings.
- Make sure to consider things such as performance in your design. While most IAM systems don’t slow things down, they can. These are typically issues that are hard to fix after deployment, and they cause issues with security systems because users quickly figure out ways around the security, and thus raise the performance issues.
- Make sure to consider your industry and all required regulations for compliance. These are typically managed by the identity governance system within the IAM, and they need to be understood in the beginning. It’s tough to retrofit these policies after implementation.
As the enterprise cloud footprint expands, IAM systems will likely continue to gain momentum to address security concerns. Many organizations may discover the need for two or three different IAM systems to cover all security requirements. The leading practice, for now, is to fit the technology to your requirements rather than fit your requirements to a single security technology.