For everyone involved in trying to protect their organizations' network users and data, a move to cloud computing will present a huge change and challenge. Compliance regulations will most likely prevent an enterprise from moving all its data and operations to the cloud, so the transition is in fact an additional security challenge on top of protecting existing network infrastructures. Moving to the cloud requires data and applications to be placed outside the comfort zone of well-established perimeter defenses and physical access controls. An increasing number of users who don't come under the controls of HR, such as suppliers, clients and partners, will access your data via Web-based collaboration tools. IT administrators already struggle with the task of securing mobile users who access corporate networks, but cloud computing is on a different scale altogether.
For me, one of the key security challenges is how to efficiently manage and enforce access control for employees, customers and partners beyond the enterprise firewall. Cloud computing turns us all into remote workers, and cloud applications and data, by definition, are outside the enterprise. This means that you can no longer rely on multiple layers of authentication, firewalls and other perimeter defenses to do the job for you.
Strategically, managing these challenges requires a number of actions. HR security policies must be reviewed and tightened up so they enforce robust lifecycle management of users. A detailed identity and access management strategy must also be put in place, one that makes full use of federated identity management, an arrangement that enables users to securely access data or systems across autonomous security domains. I recommend enabling single sign-on (SSO) within your own enterprise applications and leveraging this architecture to simplify cloud provider integration and implementation.
In the near future, cloud-based services and cloud computing technology will come under increased and prolonged attack because they're attractive targets for hackers and cyberterrorists. Building a data encryption strategy and implementing technology to support it, therefore, is the best proactive defense. Encrypted data is intrinsically protected, which is why so many laws and regulations mandate the practice. All data and communications should be encrypted, even if other services protect them. Encryption also allows you to separate roles and data as encryption keys control access to your data.
2010 will certainly see many new cloud-based services coming online, many offering substantial economic benefits for enterprises. Some will no doubt change long-established risk-reward relationships, and you will need to review your organization's business strategy and appetite for risk when assessing the ROI of a switch to a cloud-based service. Cloud computing is changing IT so will it also change Physical Security be sure to consider any new business processes so that infrastructure, data and users remain protected.
