
Security Strategies Column

This article appeared in the Oct Nov Dec 2010 issue of SAPinsider (http://sapinsider.wispubs.com) and appears here with permission from the publisher, WIS Publishing.

Will Your Move to the Cloud Open Up Your Company to Security Threats?
Tips and Tools to Secure Your Cloud Solutions
by Gerlinde Zibulski and Regine Schimmer, SAP

Gerlinde Zibulski (gerlinde.zibulski@sap.com) has been with SAP for over 11 years. Gerlinde is the Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.

Regine Schimmer (regine.schimmer@sap.com) is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG and SAP Labs.

When companies consider cloud computing, they often think of its numerous benefits: no more costly infrastructures and administration tasks, and instant gratification in terms of availability. Small and midsize businesses in particular can benefit from this easy-to-use software that comes without the burden of ongoing administration and system maintenance (see the sidebar “What Is Cloud Computing, Really?” for a cloud computing refresher).

But what about the potential risks? Unfortunately, too few companies make security a priority when it comes to their cloud explorations. While solutions outsourced to the cloud are convenient (because your staff will not have to deal with the applications and the data that passes through them), it’s important to remember that someone else will. Cloud computing means letting external administrators access, manage, and, to a certain extent, control your business data. It also means moving your information out of the relatively secure perimeter of your own company, into the cloudy environs of the Internet. It’s a jungle out there, and you need to ensure that appropriate security measures are in place to protect your vital assets and interests — from both a business perspective and a legal one.

But note: Securing the cloud isn’t rocket science. With proper planning and the right tools, companies can take advantage of the benefits of a cloud environment and mitigate potential risks.

What Is Cloud Computing, Really?

The term “cloud” describes the complex system of connected devices and services that make up the Internet. It’s a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms, or services) that can be dynamically reconfigured to adjust to a variable load, enabling optimal resource use. Companies rent software and pay as they go so they can vary their resources in accordance with their requirements.*

Cloud computing, then, is based on the concept of shared resources. Instead of relying solely on in-house computing power, companies outsource their solutions, having them hosted in the cloud. It’s a convenient, cost-saving way of extending computing power without having to buy technology to do so. For example, companies might run their own systems and applications on hosted servers and transfer formerly on-premise software onto servers hosted by a provider. Or they might leverage applications on top of hosted servers.

There are three key characteristics of cloud computing:

1. The software is hosted. Cloud software runs on servers that are hosted by an external outsourcer or by the company’s IT department as a separate corporate entity. To reduce costs, businesses will usually choose a cloud offering where the IT administration is outsourced, which means that someone external to the business’s workforce has administrative rights on the servers and access to the application data — this outsourced administration is what makes security so pressing.

2. The software can be accessed on-demand. As a business or an end user, expect to be able to execute cloud offerings anytime and anywhere and have a very limited tolerance for system downtime. On-demand access requires high availability of the software. And, of course, since users access the software over the Internet, strong authentication mechanisms are a must.

3. The IT administration is outsourced. Companies access cloud solutions via the Internet (browser-based) or via web services (SOA-based). Internet-based access allows providers to leverage various standards for web services, interoperability, and security developed by entities such as the World Wide Web Consortium (W3C) or the Liberty Alliance, in which business, academia, and software vendors cooperate to ensure ease of implementation and interoperability. In regards to security, pay special attention to security management and secure configuration.

* See “Cloud Computing and SAP: Where We Are and Where We’re Going” by Kaj van de Loo and Roland Wartenberg in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).

Exploring the Cloud? 3 Key Questions You Should Get Answered First

There are many considerations for companies looking into cloud computing. Here are three questions your company should ask itself at the outset of any cloud project.

1. What Kind of Cloud Offering Should We Use?

Depending on the degree of privacy they offer, clouds can be categorized into four subtypes, each of which offers a different level of security:

• A private cloud offering is a hosted offering for just one business and a selection of its suppliers — here, a company can “privately” access its applications and data. You would choose a private cloud for data that you consider highly security-critical, such as business or financial data that would give someone insider knowledge.

• A public cloud offering is a hosted solution available for multiple tenants and open to anyone who would like to participate in the offering. This is a cloud you would choose for sharing open information geared toward your own customers, such as help portals and product descriptions.

• A hybrid cloud offering consists of multiple internal and external providers and is geared toward specific business-to-business applications with a focus on commercial usage. Less critical applications can be run in a public cloud, whereas the more sensitive, business-critical applications can be run in a private cloud. This offering is for those looking to set up restricted marketplaces or with public invitations to tender.

• A community cloud offering consists of hosted offerings for Internet communities (usually organized around a specific topic), thus easing the information exchange. This is an offering for information sharing and decision making that enables all participants to comment on information and share additional data — by uploading files or inserting links.

2. How Will the Provider Ensure Privacy?

Cloud providers are responsible for ensuring that companies and users see only their own portion of the data hosted in the cloud. In a hosting scenario, providers use a concept called multi-tenancy, meaning that a single instance of a hosted application is provided for multiple clients (tenants). An additional benefit of this multi-tenant architecture is that it allows tenants to configure the user interface according to their corporate branding and configure their own business processes and rules without changing the code, which is shared by all tenants.

Of course, there’s still an element of risk in this scenario. Administrators can still access the servers and data — and potentially abuse their access privileges for industrial espionage. Consider, for instance, that your controlling application and its data were hosted on a server alongside your fiercest competitor’s data. This might give someone the opportunity to compare the internal costs and profit margins of the two. Data privacy issues could also arise due to the aggregation of data. This is why a company might require that its solutions never get deployed along with those of its competitors. A good workaround for this situation is to deploy your solution in a private cloud.

It is also highly crucial to understand the outsourcer’s key management policy. Ask the outsourcer where the encryption keys will be stored and who has access to them. Ideally, only the businesses themselves or the end users should be able to see the keys used to encrypt data at rest (that is, data in computer storage that is never changed or is changed in regular intervals) and data in transit (that is, data that is being transferred over a network or that is temporarily stored in memory to be used or updated) to ensure confidentiality.

3. What Should I Look for in a Provider’s SLA?

Service-level agreements (SLAs) regulate the conditions and define the contract for a cloud offering. When considering a cloud offering, you should carefully read and make sure you understand these terms. For example, ask:

• What are the guarantees for high availability? When are the scheduled downtimes?
• How often do servers receive security patches?
• What are the provider’s encryption offerings for credit card payments? Are they compliant with the Payment Card Industry Data Security Standard (PCI-DSS)?

Subscribe today. Visit sapinsider.wispubs.com.

• What are the provider’s back-up and recovery paths, and which access rights are mandatory? What happens when a back-up does not run smoothly or if data gets lost?
• How do you transfer security policies when moving data from an on-premise installation to a cloud application?
• Who owns the data? How is retention handled?
• What are the procedures if there is a data breach or if data is lost or accessed by an unauthorized entity? Who will investigate such a breach, and what are the mitigation measures?
• Where are the servers located? How is the staff at that location trained?

When considering a cloud offering, you also want to ensure that the outsourcer can enforce what it states in its SLA. That’s why it’s also a good idea to pay the provider of your choice a site visit and ask for a demonstration.

Adapt Existing Identity Management Tools and Strategies for the Cloud

Identity management is another important part of cloud computing, and it will only become more so as the cloud evolves. Of course, many businesses, regardless of size, have offered Internet-based access to their systems for a long time. Consider this: In the future, businesses will have to open their on-premise applications to make them accessible from cloud applications, and they also need the appropriate security measures to ensure authentication and to link access management with the administration of the repositories where the identities reside. Business applications will then be run as connections in the form of networked applications or networked solutions. Businesses also need to expand access to their software via community cloud offerings, such as Twitter or Second Life. To meet both of these needs, companies need a solid identity management strategy and tools. Luckily, many companies already have some kind of identity management functionality in place.

Of course, on-premise solutions generally call for stronger authentication procedures, while on-demand solutions often thrive on their users’ anonymity. To bridge the gap between these on-premise and on-demand solutions, software vendors will have to ensure that their solutions are both interoperable and secure. The key here is identity federation, a new industry standard that allows a business to establish cross-domain single sign-on within heterogeneous landscapes, along with encryption of communication and the security of web services.¹ The standard was developed to enable the new kind of trust relationships that cloud computing requires. Identity federation can be combined with an identity and access management (IAM) infrastructure to create a strong identity management strategy for the cloud. And with the latest release of SAP NetWeaver Identity Management, the standards needed to enable this identity federation are now available to SAP customers. The evolving security tools that enable all this will also help authenticate user credentials at registration, while still ensuring privacy — thus allowing a secure connection between on-premise and on-demand solutions. Let’s take a look at the identity federation concept in practice.

Identity Federation in Action: Securing a Business Process in the Cloud

Consider an airline that wants to offer special services for its members. Why? To attract younger customers. For example, the airline wants to work with a hotel agency to offer its Platinum members a free room upgrade, and with a car rental company to offer Regular members a discount. This cooperation between different companies requires a cloud-based business process that allows the business to exchange information about the customer. Of course, the airline won’t want to outsource all of its critical data to a cloud solution, but will instead complement its on-premise software with on-demand extensions. And the key to securing that information exchange is identity federation (see Figure 1).

In this case, the airline company acts as the identity provider (IdP) in the process — this means that the airline is responsible for handling the authentication and identification of a user. The IdP stores the central ID of all users — here, the airline members — and all the federation information for the participating target systems, the car rental company and the hotel agency’s systems. These target systems act as the service providers (SPs) in this scenario. To establish identity federation, the administrators from each SP company need to set up agreements about how to exchange the user ID information. Companies can use virtually any information to identify the user: cost center and company code combinations or a social security number, for example. In this example, the airline and the two SPs go about this requirement in different ways:

• Attribute-based identity federation: The only information the hotel agency requires is the airline’s name and the member’s status; the required information about the airline company is included in the authentication information. With attribute-based identity federation, the SP does not need to sanitize or cleanse the user IDs. It does not need a named user, but instead uses the attribute “member status” to process the user.

• Named user-based identity federation: The car rental company requires named users in its systems, but does not want to share the user names over the Internet because of security and data privacy reasons. It uses the customer’s email address as federation data and maps it to the car rental user account. And the users can keep their various back-end IDs to ensure their privacy, but still be properly and strongly authenticated.

For both authentication mechanisms, the IdP issues a standardized Security Assertion Markup Language (SAML) token. With its 2.0 version, SAML can be leveraged to establish trusted single sign-on between businesses and a variety of SP back-end systems.

Figure 1: Using SAP NetWeaver Identity Management’s identity federation standards to securely send information between different companies
• Airline (identity provider): offers its members discounts for booking hotel rooms and car rentals (member status depends on flight miles).
• Hotel Agency (service provider, attribute-based): airline members get an automatic room upgrade; required federation information: member status + company name.
• Car Rental Company (service provider, named user): airline members get a 10% discount; required federation information: email address.

Summary and Outlook

As more and more companies explore the possibilities of cloud computing, the issue of security should be top-of-mind. Hosting solutions in the cloud and linking on-premise solutions and on-demand cloud offerings provide a bevy of benefits, but also involve making your business’s information accessible to more outside forces. To mitigate the potential risks that come with this, there are many considerations to keep in mind and several tools you’ll want at your fingertips.

Additional Resources
• “Get Started with Cloud Computing and SAP Today” by Scott Wall (SAP Professional Journal, Volume 12, Update 5, www.SAPpro.com)
• Special Report on Cloud Computing (SAPinsider, July-September 2010, sapinsider.wispubs.com)
• For more information, visit www.sdn.sap.com/irj/sdn/virtualization and www.sdn.sap.com/irj/sdn/security.

¹ See “Taking SSO to the Next Level: SAP Supports Identity Federation with SAML 2.0” by Yonko Yonchev and Dimitar Mihaylov in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).
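As an added illustration of the airline scenario (not code from the article or from SAP NetWeaver Identity Management), the Python below has the airline IdP issue a SAML 2.0 assertion and the two SPs consume it in the two styles described above: the hotel agency decides on the member-status attribute alone and never receives a user name, while the car rental company maps the NameID email onto a local account. Issuer and SP URLs, the account table and the member values are constructed; XML signature verification, which a real SP must perform against the IdP's certificate before trusting anything in the assertion, is assumed to happen elsewhere and is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def issue_assertion(email, member_status, audience, attribute_only):
    # Airline IdP (constructed) builds one SAML 2.0 assertion for one SP; with
    # attribute_only=True the NameID is omitted, so the hotel never sees a user name.
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_constructed-id")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example-airline.test"
    if not attribute_only:
        subj = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID", Format=EMAIL_FMT).text = email
    expiry = (datetime.now(timezone.utc) + timedelta(minutes=5)).isoformat()
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotOnOrAfter=expiry)
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience
    attrs = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, val in (("memberStatus", member_status), ("companyName", "Example Airline")):
        at = ET.SubElement(attrs, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(at, f"{{{SAML}}}AttributeValue").text = val
    return ET.tostring(a, encoding="unicode")  # XML signature omitted (see lead-in)

def conditions_ok(root, expected_audience):
    # Every SP must reject an assertion issued for another SP or already expired.
    cond = root.find("saml:Conditions", NS)
    if cond is None or datetime.fromisoformat(cond.get("NotOnOrAfter")) <= datetime.now(timezone.utc):
        return False
    auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return expected_audience in auds

def hotel_sp(xml):
    # Attribute-based federation: no named user; the decision rests on memberStatus alone.
    root = ET.fromstring(xml)
    if not conditions_ok(root, "https://sp.example-hotel.test"):
        return None
    vals = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
            for at in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return "room upgrade" if vals.get("memberStatus") == "Platinum" else "no upgrade"

CAR_RENTAL_ACCOUNTS = {"pat@mail.test": "CR-1042"}  # constructed local account table

def car_rental_sp(xml):
    # Named-user federation: map the NameID email onto a local account; no account, no access.
    root = ET.fromstring(xml)
    if not conditions_ok(root, "https://sp.example-carrental.test"):
        return None
    acct = CAR_RENTAL_ACCOUNTS.get(root.findtext("saml:Subject/saml:NameID", namespaces=NS))
    return (acct, "10% discount") if acct else None
```

The audience check is what stops an assertion minted for the hotel from being replayed at the car rental company; the hotel path shows that privacy and authorization can coexist, since the upgrade decision never needs the member's identity.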