Simply Security - News, Views, and Opinions from Trend Micro

Posted on April 3rd, 2012 in Cloud Security by Simply Security | Be the first to comment | Tags: cloud computing security

Cloud computing has made it more difficult for network managers to understand exactly who is accessing their resources.

Reliable identity and access management tools are the basis of any effective IT security strategy, but traditional rules may no longer apply in virtual environments. As organizations migrate increasingly sensitive data and applications to the cloud, it is essential that they retain a clear perspective of how their network resources are being used.

"Identity access management is a market in transition. Corporation[s] are opening up more and more of their data to be accessed by employees, business partners, customers and people outside the organization. This is particularly true in financial institutions, healthcare and retail," Courion executive Dave Fowler explained in a recent interview with Network World. "But in conjunction with opening up more and more of their data to be used by business partners, they're facing more and more regulations on securing this information."

These concerns are even more pronounced in the public sector as agencies are tasked with managing massive archives of sensitive consumer information. For instance, Sallie Mae chief security officer Jerry Archer told Network World that his team's access management controls were audited 28 times in 2011.

However, the provisioning and deprovisioning of applications in the cloud continues to be a manual process for most organizations, adding to the administrative burden of IT staff and leaving the door opening to potentially costly loopholes.

For instance, a demoted employee could take out their frustrations by abusing their network privileges before their access credentials are fully revoked. To remedy this issue, cloud security researchers have turned their attention to automated identity and access management protocols. The Internet Engineering Task Force (IETF) will be looking into setting a common standard for managing user identity in the cloud during it's annual conference later this month.

The Simple Cloud Identity Management (SCIM) protocol has already gained support from several major vendors including Cisco, Salesforce.com and VMware, according to Computerworld, but the framework has yet to win the approval of IETF working groups. The primary advantage is SCIM's ability to move identity data between applications seamlessly with one standard method.

"I think we'll see much more adoption of SCIM in 2012," Ping Identity chief technology officer Patrick Harding told Computerworld. "That will now allow people to much more cost-effectively manager user in SaaS and cloud applications than building connectors to individual APIs or doing it manually."

Cloud Security News from SimplySecurity.com by Trend Micro