Will Your Move to the Cloud Open Up Your Company to
Tips and Tools to Secure Your Cloud Solutions

by Gerlinde Zibulski and Regine Schimmer, SAP

(sapinsider.wispubs.com) and appears here with permission from the publisher, WIS Publishing.

About the authors: Regine Schimmer is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG and SAP Labs. Gerlinde Zibulski has been with SAP for over 11 years. Gerlinde is the Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master's degree in economics from the Private University Witten/Herdecke.

When companies consider cloud computing, they often think of its numerous benefits: no more costly infrastructures and administration tasks, and instant gratification in terms of availability. Small and midsize businesses in particular can benefit from easy-to-use software that comes without the burden of ongoing administration and system maintenance (see the sidebar "What Is Cloud Computing, Really?" for a refresher). But what about the potential risks? Unfortunately, too few companies make security a priority when it comes to their cloud explorations. While solutions outsourced to the cloud are convenient (because your staff will not have to deal with the applications and the data that passes through them), it's important to remember that someone else will. Cloud computing means letting external administrators access, manage, and, to a certain extent, control your business data. It also means moving your information out of the relatively secure perimeter of your own company and into the cloudy environs of the Internet. It's a jungle out there, and you need to ensure that appropriate security measures are in place to protect your vital assets and interests, from both a business perspective and a legal one. But note: Securing the cloud isn't rocket science. With proper planning and the right tools, companies can take advantage of the benefits of a cloud environment and mitigate potential risks.

Exploring the Cloud? 3 Key Questions You Should Get Answered First

There are many considerations for companies looking into cloud computing. Here are three questions your company should ask itself at the outset of any cloud project.

1. What Kind of Cloud Offering Should We Use?

Depending on the degree of privacy they offer, clouds can be categorized into four subtypes, each of which offers a different level of security:

A private cloud offering is hosted for just one business and a selection of its suppliers; here, a company can "privately" access its applications and data. You would choose a private cloud for data that you consider highly security-critical, such as business or financial data that would give someone insider knowledge.

A public cloud offering is a hosted solution available to multiple tenants and open to anyone who would like to participate in the offering. This is a cloud you would choose for sharing open information geared toward your own customers, such as help portals and product descriptions.

A hybrid cloud offering consists of multiple internal and external providers and is geared toward specific business-to-business applications with a focus on commercial usage. Less critical applications can be run in a public cloud, whereas the more sensitive, business-critical applications can be run in a private cloud. This offering is for those looking to set up restricted marketplaces or public invitations to tender.

A community cloud offering consists of hosted offerings for Internet communities (usually organized around a specific topic), thus easing the information exchange. This is an offering for information sharing and decision making that enables all participants to comment on information and share additional data by uploading files or inserting links.
Sidebar: What Is Cloud Computing, Really?

The term "cloud" describes the complex system of connected devices and services that make up the Internet. Cloud computing, then, is based on the concept of shared resources.* Instead of relying solely on in-house computing power, companies outsource their solutions, having them hosted in the cloud. It's a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms, or services) that can be dynamically reconfigured to adjust to a variable load, enabling optimal resource use. Companies rent software and pay as they go so they can vary their resources in accordance with their requirements. It's a convenient, cost-saving way of extending computing power without having to buy technology to do so.

There are three key characteristics of cloud computing:

1. The software is hosted. Cloud software runs on servers that are hosted by an external outsourcer or by the company's IT department as a separate corporate entity. In a hosting scenario, companies might run their own systems and applications on hosted servers and transfer formerly on-premise software onto servers hosted by a provider. Or they might leverage applications on top of hosted servers.

2. The software can be accessed on demand. Companies access cloud solutions via the Internet (browser-based) or via web services (SOA-based). Internet-based access allows providers to leverage various standards for web services, interoperability, and security developed by entities such as the World Wide Web Consortium (W3C) or the Liberty Alliance. To do so, academia, customers, and software vendors cooperate to ensure ease of implementation and interoperability. On-demand access requires high availability of the software, since users expect to be able to execute cloud offerings anytime and anywhere and have a very limited tolerance for system downtime.

3. The IT administration is outsourced. In regards to security, businesses will usually choose a cloud offering where the IT administration is outsourced, which means that someone external to the business's workforce has administrative rights on the servers and access to the application data. This outsourced administration is what makes security so pressing.

* See "Cloud Computing and SAP: Where We Are and Where We're Going" by Kaj van de Loo and Roland Wartenberg in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).

2. How Will the Provider Ensure Privacy?

Cloud providers are responsible for ensuring that companies and users see only their own portion of the data hosted in the cloud. To reduce costs, these providers use a concept called multi-tenancy, meaning that a single instance of a hosted application is provided for multiple clients (tenants). An additional benefit of this multitenant architecture is that it allows tenants to configure the user interface according to their corporate branding and configure their own business processes and rules without changing the code, which is shared by all tenants.

Of course, there's still an element of risk in this scenario. Administrators can still access the servers and data, and potentially abuse their access privileges for industrial espionage. Data privacy issues could also arise due to the aggregation of data. Consider, for example, that your controlling application and its data were hosted on a server alongside your fiercest competitor's data. This might give someone the opportunity to compare the internal costs and profit margins of the two. This is why a company might require that its solutions never get deployed along with those of its competitors. A good workaround for this situation is to deploy your solution in a private cloud.

As a business or an end user, pay special attention to security management and secure configuration. For example, strong authentication mechanisms are a must, as is encrypting data at rest (that is, data in computer storage that is never changed or is changed at regular intervals) and data in transit (that is, data that is being transferred over a network or that is temporarily stored in memory to be used or updated) to ensure confidentiality. It is also highly crucial to understand the outsourcer's key management policy. Ask the outsourcer where the encryption keys will be stored and who has access to them. Ideally, only the businesses themselves or the end users should be able to see the keys; if the provider's own administrators can read the keys, encryption at rest protects against a lost disk but not against the insider risk described above.
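Question 2 comes down to two controls in a multi-tenant service: every read must be scoped to the tenant the provider has authenticated, and the keys for data at rest should stay with the tenant rather than the provider. The following Python example is added here to show both; it is not code from the article or from SAP. The tenants, invoice rows and keys are constructed, and an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for AES-GCM so that the example runs on the standard library alone (use AES-GCM from a vetted library in production).

```python
import hashlib
import hmac
import os
import sqlite3
import struct

# Stand-in cipher for this example only: HMAC-SHA256 in counter mode plus an
# encrypt-then-MAC tag. It keeps the example dependency-free; it is not a
# recommendation to build your own cipher.


class TenantKeyError(Exception):
    """Raised when a record cannot be opened with the presented tenant key."""


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, aad):
    """Returns nonce || ciphertext || tag; aad binds the record to its tenant and id."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, aad + nonce + ct, hashlib.sha256).digest(), tag):
        raise TenantKeyError("wrong key, wrong tenant/id binding, or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SharedInvoiceStore:
    """One database instance shared by every tenant, as in the multi-tenant setup the text describes."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE invoices (tenant TEXT, id INTEGER, margin BLOB, PRIMARY KEY (tenant, id))")

    def put(self, tenant, tenant_key, invoice_id, margin):
        # The sensitive column is encrypted under the tenant's own key before it reaches the provider.
        blob = encrypt(tenant_key, margin.encode(), f"{tenant}:{invoice_id}".encode())
        self.db.execute("INSERT INTO invoices VALUES (?, ?, ?)", (tenant, invoice_id, blob))

    def get(self, session_tenant, tenant_key, invoice_id):
        """Hardened read: the tenant comes from the authenticated session, never from the request."""
        row = self.db.execute("SELECT margin FROM invoices WHERE tenant = ? AND id = ?",
                              (session_tenant, invoice_id)).fetchone()
        if row is None:
            return None  # other tenants' rows are simply not there, whatever id was asked for
        return decrypt(tenant_key, row[0], f"{session_tenant}:{invoice_id}".encode()).decode()

    def get_unscoped(self, invoice_id):
        """The defect to look for: a lookup keyed on the record id alone crosses tenant boundaries."""
        return self.db.execute("SELECT tenant, margin FROM invoices WHERE id = ?", (invoice_id,)).fetchall()

    def admin_dump(self):
        """What a provider administrator with raw database access can read."""
        return self.db.execute("SELECT tenant, id, margin FROM invoices").fetchall()


def demo():
    store = SharedInvoiceStore()
    acme_key, rival_key = os.urandom(32), os.urandom(32)  # held by each tenant, never stored at the provider
    store.put("acme", acme_key, 1001, "margin=41%")   # constructed rows
    store.put("rival", rival_key, 2002, "margin=17%")
    rival_blob = next(m for t, _, m in store.admin_dump() if t == "rival")
    out = {
        "own_row": store.get("acme", acme_key, 1001),
        "cross_tenant": store.get("acme", acme_key, 2002),  # None: rival's row is invisible to acme
        "unscoped_leaks": [t for t, _ in store.get_unscoped(2002)],  # ["rival"]: the id-only lookup leaks
        "admin_sees_plaintext": any(b"margin=" in m for _, _, m in store.admin_dump()),
    }
    try:  # even a leaked rival row cannot be opened with acme's key
        decrypt(acme_key, rival_blob, b"rival:2002")
        out["wrong_key_opens_row"] = True
    except TenantKeyError:
        out["wrong_key_opens_row"] = False
    return out
```

`get_unscoped` is the bug to look for in a provider's code review: a lookup keyed on the record id alone returns another tenant's row. `admin_dump` is the view a provider administrator has; with tenant-held keys it shows only ciphertext, which is the practical difference between asking "is the data encrypted?" and asking "who holds the keys?"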
3. What Should I Look for in a Provider's SLA?

Service-level agreements (SLAs) regulate the conditions and define the contract for a cloud offering. When considering a cloud offering, you should carefully read and make sure you understand these terms. For example, ask:

What are the provider's encryption offerings for credit card payments? Are they compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
How often do servers receive security patches?
What are the guarantees for high availability? When are the scheduled downtimes?
Where are the servers located? How is the staff at that location trained?
What are the provider's back-up and recovery offerings, and which access rights are mandatory? What happens when a back-up does not run smoothly or if data gets lost?
How do you transfer security policies when moving data from an on-premise installation to a cloud application?
What are the procedures if there is a data breach or if data is lost or accessed by an unauthorized entity? Who will investigate such a breach, and what are the mitigation measures?
Who owns the data? How is retention handled?

Of course, you also want to ensure that the outsourcer can enforce what it states in its SLA. That's why it's also a good idea to pay the provider of your choice a site visit and ask for a demonstration.

Adapt Existing Identity Management Tools and Strategies for the Cloud

Identity management is an important part of cloud computing, and it will only become more so as the cloud evolves. Consider this: In the future, businesses, regardless of size, will have to open their on-premise applications to make them accessible from cloud applications. Why? To attract younger customers, businesses need to expand access to their software via community cloud applications, such as Twitter or Second Life. Business applications will then be run as connections in the form of networked applications or networked solutions. Of course, the business won't want to outsource all of its critical data to a cloud solution, but will instead complement its on-premise software with on-demand extensions. To bridge the gap between these on-premise and on-demand solutions, companies need a solid identity management strategy and tools.

For example, while on-demand solutions often thrive on their users' anonymity, on-premise solutions generally call for stronger authentication procedures. To meet both of these needs, software vendors will have to ensure that their solutions are both interoperable and secure, and that they have the appropriate security measures to ensure authentication, encryption of communication paths, and the security of web services. The key here is identity federation, based on a new industry standard (SAML 2.0) that allows a business to establish cross-domain single sign-on within heterogeneous landscapes while still ensuring privacy, thus allowing a secure connection between on-premise and on-demand solutions. The evolving security tools that enable all this will also help authenticate user credentials at registration. Identity federation can be combined with an identity and access management (IAM) infrastructure to create strong authentication and to link access management with the administration of the repositories where the identities reside.

Luckily, businesses have offered Internet-based access to their systems for a long time, and many companies already have some kind of identity management functionality and strategy for the cloud. And with the latest release of SAP NetWeaver Identity Management, the standards needed to enable this identity federation are now available to SAP customers.1 The standard was developed to enable the new kind of trust relationships that cloud computing requires.

1 See "Taking SSO to the Next Level: SAP Supports Identity Federation with SAML 2.0" by Yonko Yonchev and Dimitar Mihaylov in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).

Identity Federation in Action: Securing a Business Process in the Cloud

Let's take a look at the identity federation concept in practice. Consider an airline that wants to offer special services for its members. For example, the airline wants to work with a hotel agency to offer its Platinum members a free room upgrade, and with a car rental company to offer Regular members a discount. This cooperation between different companies requires a cloud-based business process to exchange information about the customer. And the key to securing that information exchange is identity federation (see Figure 1).

In this case, the airline acts as the identity provider (IdP) in the process, which means that the airline is responsible for handling the authentication and identification of a user. The IdP stores the central ID of all users (here, the airline members) and all the federation information for the participating target systems (here, the car rental company's and the hotel agency's systems). These target systems act as the service providers (SPs) in this scenario.
To establish identity federation, the airline and the administrators from each SP company need to set up agreements about how to exchange the user ID information. In this example, the companies go about this requirement in different ways:

Attribute-based identity federation: The only information the hotel agency requires is the airline's name and the member's status. It does not need a named user, but instead uses the attribute "member status" to process the user. With attribute-based identity federation, companies can use virtually any information to identify the user: cost center and company code combinations or a social security number, for example (bear in mind that a social security number is itself sensitive data and should only be federated where the privacy assessment allows it). The required information about the airline company is included in the authentication information from that company.

Named user-based identity federation: The car rental company requires named users in its systems, but does not want to share the user names over the Internet for security and data privacy reasons. It uses the customer's email address as federation data and maps it to the car rental user account.

For both authentication mechanisms, the IdP issues a standardized Security Assertion Markup Language (SAML) token. With its 2.0 version, SAML can be leveraged to establish trusted single sign-on between businesses and a variety of SP back-end systems. The SP does not need to sanitize or cleanse the user IDs, yet the user is still properly and strongly authenticated; what the SP must do is verify the assertion's signature, issuer, audience, and validity period before trusting anything in it, because that verification, not the user ID, is what the trust rests on. And the users can keep their various back-end IDs to ensure their privacy.
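The two federation styles in the airline scenario, as an added Python example that is not code from the article, from SAP NetWeaver Identity Management, or from any SAML library. The entity IDs, the member list and the car-rental account table are constructed, and an HMAC over the serialized assertion stands in for the XML Signature a real IdP applies; the assertion structure (Issuer, NameID formats, Conditions with AudienceRestriction, AttributeStatement) and the SP-side checks follow SAML 2.0. Because both SPs in this stand-in verify with the same shared key, they would accept each other's assertions if they skipped the Audience check; with real signatures the SPs hold only the IdP's public certificate, but the Audience check is still what stops an assertion minted for the hotel from being replayed at the car rental.

```python
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TS = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML)


def _el(parent, tag, attrib=None, text=None):  # child element in the SAML assertion namespace
    e = ET.SubElement(parent, f"{{{SAML}}}{tag}", attrib or {})
    e.text = text
    return e


class Airline:
    """Identity provider (IdP): authenticates members and issues one assertion per SP agreement."""
    entity_id = "https://idp.example-airline.test"  # constructed
    members = {"ann@example.test": "Platinum", "bob@example.test": "Regular"}  # constructed

    def __init__(self, signing_key):
        self.key = signing_key  # HMAC key; stands in for the IdP's signing key pair

    def issue(self, email, sp_entity_id, named_user, now=None):
        now = now or datetime.now(timezone.utc)
        status = self.members[email]  # the member has already authenticated at the IdP
        a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(TS)})
        _el(a, "Issuer", text=self.entity_id)
        subj = _el(a, "Subject")
        if named_user:  # car rental: the email address is the federation data
            _el(subj, "NameID", {"Format": FMT_EMAIL}, email)
        else:  # hotel: no named user, only a one-time transient identifier
            _el(subj, "NameID", {"Format": FMT_TRANSIENT}, "_" + uuid.uuid4().hex)
        cond = _el(a, "Conditions", {"NotBefore": now.strftime(TS), "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
        _el(_el(cond, "AudienceRestriction"), "Audience", text=sp_entity_id)
        attrs = _el(a, "AttributeStatement")
        for name, value in (("companyName", "Example Airline"), ("memberStatus", status)):
            _el(_el(attrs, "Attribute", {"Name": name}), "AttributeValue", text=value)
        xml = ET.tostring(a, encoding="unicode")
        return xml, hmac.new(self.key, xml.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp, self.key = entity_id, idp_entity_id, idp_key
        self.seen = set()  # consumed assertion IDs (replay protection)

    def verify(self, xml, sig, now=None):
        """Signature, issuer, audience, validity window and replay are checked before any content is used."""
        now = now or datetime.now(timezone.utc)
        if not hmac.compare_digest(hmac.new(self.key, xml.encode(), hashlib.sha256).hexdigest(), sig):
            raise ValueError("signature check failed")
        a = ET.fromstring(xml)
        if a.findtext("saml:Issuer", namespaces=NS) != self.idp:
            raise ValueError("untrusted issuer")
        if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != self.entity_id:
            raise ValueError("assertion issued for a different SP")
        c = a.find("saml:Conditions", namespaces=NS)
        parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
        if not parse(c.get("NotBefore")) <= now < parse(c.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if a.get("ID") in self.seen:
            raise ValueError("assertion replayed")
        self.seen.add(a.get("ID"))
        return a


class HotelAgency(ServiceProvider):
    """Attribute-based federation: decides on companyName + memberStatus and never learns who the user is."""
    def room_upgrade(self, xml, sig, now=None):
        a = self.verify(xml, sig, now)
        attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
                 for x in a.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS)}
        return attrs.get("companyName") == "Example Airline" and attrs.get("memberStatus") == "Platinum"


class CarRental(ServiceProvider):
    """Named-user federation: maps the email NameID onto a local account; unknown users are refused."""
    accounts = {"ann@example.test": "CR-1042", "bob@example.test": "CR-2210"}  # constructed

    def local_account(self, xml, sig, now=None):
        nid = self.verify(xml, sig, now).find("saml:Subject/saml:NameID", namespaces=NS)
        if nid is None or nid.get("Format") != FMT_EMAIL:
            raise ValueError("named-user federation requires an email-format NameID")
        return self.accounts[nid.text]  # KeyError for an unknown user: refuse rather than auto-create


def demo():
    key = b"idp-signing-key-stand-in"  # constructed
    idp = Airline(key)
    hotel = HotelAgency("https://sp.example-hotel.test", Airline.entity_id, key)
    cars = CarRental("https://sp.example-cars.test", Airline.entity_id, key)
    ann_hotel = idp.issue("ann@example.test", hotel.entity_id, named_user=False)
    bob_hotel = idp.issue("bob@example.test", hotel.entity_id, named_user=False)
    ann_cars = idp.issue("ann@example.test", cars.entity_id, named_user=True)
    out = {"ann_upgrade": hotel.room_upgrade(*ann_hotel), "bob_upgrade": hotel.room_upgrade(*bob_hotel),
           "hotel_saw_email": "ann@example.test" in ann_hotel[0], "ann_car_account": cars.local_account(*ann_cars)}
    for label, assertion in (("audience_enforced", ann_hotel), ("replay_rejected", ann_cars)):
        try:  # the hotel's assertion at the car rental: wrong audience; ann_cars a second time: replay
            cars.local_account(*assertion)
            out[label] = False
        except ValueError:
            out[label] = True
    return out
```

`demo()` walks the scenario from the text: Ann (Platinum) gets the upgrade and Bob (Regular) does not, the hotel's assertion carries a transient NameID and no email, and the car rental resolves Ann's email to its own account ID. The last loop shows the two checks that make the SP safe even though it never sanitizes user IDs: an assertion minted for the hotel is refused by the car rental, and a second presentation of the same assertion is refused as a replay.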
Figure 1: Using SAP NetWeaver Identity Management's identity federation standards to securely send information between different companies. Identity provider: Airline, which offers its members discounts for booking hotel rooms and car rentals (member status depends on flight miles). Service provider: Hotel Agency, where airline members get an automatic room upgrade; required federation information: member status + company name (attribute). Service provider: Car Rental Company, where airline members get a 10% discount; required federation information: email address (named user).

Summary and Outlook

As more and more companies explore the possibilities of cloud computing, the issue of security should be top-of-mind. Hosting solutions in the cloud and linking on-premise solutions with on-demand cloud offerings provide a bevy of benefits, but also involve making your business's information accessible to more outside forces. To mitigate the potential risks that come with this, there are many considerations to keep in mind and several tools you'll want at your fingertips. For more information, visit www.sdn.sap.com/irj/sdn/virtualization and www.sdn.sap.com/irj/sdn/security.

Additional Resources
Special Report on Cloud Computing (SAPinsider, July-September 2010, sapinsider.wispubs.com)
"Get Started with Cloud Computing and SAP Today" by Scott Wall (SAP Professional Journal, Volume 12, Update 5, SAPpro.wispubs.com)