Open standards are key for security in the cloud
by Nataraj Nagaratnam - IBM Distinguished Engineer; CTO for Security Solutions - Tuesday, 5 March 2013.
The current divide between proprietary and open approaches to enterprise cloud computing has implications beyond the obvious. More than just issues of cloud interoperability and data portability, open standards have benefits for user identity, authentication and security intelligence that closed or proprietary clouds threaten to compromise.

Our belief is that an open cloud is a more secure one and it begins with identity.

Online security has a very important element of authentically identifying users and recognizing patterns of behavior. Take enterprise travel planning for example. More and more business travelers, fiercely loyal to airline and hotel loyalty programs and wary of travel agency fees, are making their own travel arrangements through online booking tools.

These sites, hosted and managed by outside travel vendors, can be accessed via the company intranet and charged back to their corporate credit cards, and potentially directly to central billing.

Thanks to the fact that an employee’s authentication can be recognized across platforms, one login to the employee Intranet can identify that user as currently employed, authorized to book travel within preset travel policies, and able to complete a transaction all the way through to the airline, hotel or car rental company.

Without open standards for user identity and authentication, an employee would have to re-authenticate themselves at every step – the Intranet, the travel agency, the airline, etc. Open standards like OAuth, and SAML allows us to establish identities across platforms.

That’s why we’re seeing increased adoption of open standards around identity. Without interoperable means to authenticate and assert identities, employers carry the burden of creating, updating and validating a set of identities for every provider and notifying each every time someone leaves the company. If the administrator resigns and there is no mechanism to invalidate their password, they can still get into the system and access the data. A trusted source for federated identity can prevent that issue.

Without open standards, authentication data gets lost or becomes much more difficult to follow. When data must be made available across platforms, security and privacy may be compromised and the importance of established identities across applications becomes clear.

While from the user experience perspective entering your password once instead of three times is simply convenience, for the enterprise, identity is fundamental to security. Who's doing what, when and from where, revolves around identity. In the travel example, if an airline requests a $5K trip to Hawaii, the employer needs to verify for whom and why to determine whether the itinerary will be denied, or if it has already been charged, by whom.

Visibility into who did what enables the enterprise to determine what kind of activities went on in the past and identify compliance and regulatory issues. Beyond identity authentication, open standards are also key for enabling such visibility and security intelligence – analyzing big data to analyze user activities, recognize attacks and anomalies in real time.

However, identifying threats relies on log and event information – for example, which user is doing what, when and from where – which often spans across enterprise and cloud providers. When it comes to interoperability with hybrid clouds, every vendor or cloud provider has their own way to do logs and currently no standard to exchange log information exists.

Spotlight

USBdriveby: Compromising computers with a $20 microcontroller

Posted on 19 December 2014.  |  Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Dec 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //