For years, IT departments have focused on consolidating identity management technologies and processes. This approach forced professionals to contain security measures within the enterprise’s IT infrastructure. The use of the web through cloud computing has raised questions about this approach.
Cloud computing forces identity management to be extended outside of the in-house IT environment, which can lead to additional vulnerabilities in the authentication systems if the service provider’s systems are compromised. Another solution is to have a separate identity management system for each cloud computing solution, but that requires integrating the multiple systems together.
Another concern is data storage and backups. The expectation with cloud solutions is that data will be on shared storage and will therefore carry greater potential risk. Techniques such as fit-to-risk measures can be used to ensure that highly sensitive data is not placed on the cloud but on in-house storage. However, such separation between the web application and the storage requires knowing the standards used by the service provider and how those standards can be adapted to integrate the systems. Encryption capabilities vary between service providers, so sufficient planning is required if this technique will be used to protect data. Backup capabilities also vary between service providers, with some providing backup applications while others require customer or third-party solutions.
With cloud computing solutions, the customer has no control over the actual patching and monitoring of vulnerabilities. Unfortunately, the customer is still responsible for the risk to data. This requires some effort to assess what data needs to be protected and the best method of protection. It’s not wise to expect that all cloud providers have the most secure platforms.
Using a utility-based solution is not a hands-off situation. Customers need to understand the technologies used by the solution and make up for any gaps that exist for the business. Not taking on this accountability can prove more costly than staying with traditional distributed IT.