By Sramana Mitra and guest authors Shaloo Shalini and Bhavana Sharma
SM: How concerned are you about securing and controlling your IT assets in the cloud?
DH: As in regard to what kind of assets do you to think will be in the cloud?
SM: Whatever is part of your cloud architecture. Let’s say you have all these analytics that are going to come on the cloud in short order. How do you secure data access when you have distributed users of analytics accessing from multiple touch points? Again, it’s a distributed security challenge right?
DH: Right. Well, that is where one of the keys we have for the cloud providers or the providers of a service – their security model. Security is one of the places [ripe] for standardization – that would probably be very applicable, say security standards for access. Some are willing to have federation with your active directory domain so that you can have a single sign-on. I like that idea, but I am concerned about it as well.
If someone broke into that, they would have access to a lot more than just that one system. Signing on to each individual environment isn’t a big issue. I would say it has proven to be not big a challenge for people because people access so many systems now even on a personal level that they expect to have a separate ID and password. So, I don’t think that’s as big an issue as say back in 1990s when single sign-on was the big buzzword because of the explosion of the number of systems. But I haven’t seen that technically come to fruition, nor have I seen the desire for single sign-on to be overwhelming.
SM: So, are you not implementing single sign-on for your cloud strategy?
DH: No, not yet. I haven’t seen anybody with a good methodology for that yet.
SM: What are your thoughts on using managed security as a service versus, say, in-house traditional security methods? My observation as I am listening to you is that the security challenges are really-really complex. You don’t have a large IT workforce, and your strategy is to reduce it. Well, is not it a good strategy to used specialized cloud vendors for managing your security challenge?
SM: That is something that you would do over time?
DH: Yes, I mean we do it at the end points now. Our ERP provider is made up of good security people. Our network has been turned over completely to a company called Virtela that provides our wide area network circuits. They provide the entire management over the wide area networks. They also provide the firewalls and our intrusion detection. They are a managed security service provider for anything that is network related, Web related, filtering, everything.
SM: So, they taking care of vulnerability management issues for you.
SM: Your expectation is that the data security is going to be handled by the cloud vendors themselves, right?
SM: These are the two key security issues as far as you are concerned?
DH: That’s right. If one makes the assumption that the end points are malicious and build your network access and end point access and then guard it, you are covered.