Skip to main content

Head in the cloud?

Make sure you have a firm software foundation security

If you’re thinking about moving some of your IT services to the cloud, or if you are a cloud services provider, you’re probably thinking about security. According to a recent IBM survey of IT managers, business stakeholders in IT and CIOs, respondents said that cloud computing was a risky to extremely risky proposition. Seventy-seven percent of respondents believe that adopting cloud computing makes protecting privacy more difficult. Fifty percent are concerned about a data breach or loss. 1

And yet cloud adoption is on the rise. According to analyst IDC, worldwide revenue from public IT cloud services exceeded US$16 billion in 2009 and is forecast to reach US$55.5 billion in 2014.2 A Frost & Sullivan 2010 Enterprise Cloud Computing Survey discovered that cloud adopters are aware of the risks, but they may be perceived as acceptable in light of cloud benefits such as implementing software in less time, lowering costs, and reducing complexity for projects like software migrations. In fact, the survey found that cloud adopters are satisfied and plan to expand cloud adoption.3

An evolving security challenge

“What’s interesting about today’s cloud security challenge” said Brian Matthiesen, who manages the development of several IBM Tivoli® identity management software products, “is that the cloud scenario may be a more extensively shared resource environment, but it’s not entirely new.”

“Enterprises have been opening up computing resources for collaboration and efficiency for a while now,” explained Matthiesen. “Service-Oriented Architecture (SOA) is a good, recent example. You have services or applications being made available across departments, even outside of enterprises to supply chains, even customers -- and with that you have increased exposure. The cloud is an evolution of this kind of IT innovation, and it requires tools to ensure the right people have the right access to applications and data. IBM software has been providing this type of user provisioning and role-based access control for a long time. And we can extend those robust capabilities to the cloud fairly painlessly and easily. We’ve done that for dozens of customers already.”

Who are you and what do you want?

As Matthiesen points out, identity and access management are key to cloud security. Essentially, this is software that helps understand who users are and what type of access they should have to data and applications. IBM Tivoli Identity Manager and IBM Tivoli Access Manager provide critical capabilities in this area and have done so in large shared and remote environments before the arrival of cloud computing.

In fact, IBM is securing its own cloud deployments with these software technologies. When its IT department in Hursley in the United Kingdom was looking to increase its hardware utilization, reduce spending and better manage rising power and cooling costs, they developed a cloud solution that enabled development teams to access services from the cloud wherever and whenever they are needed. To do that – secure identity and access management is a must. "All of this would not be possible without Tivoli software,” said Jon Tilt, a chief IBM software testing architect. “With the ability to pool our resources, we can operate as efficiently as possible, reducing hardware requirements, energy consumption and operating costs while responding to customer needs more quickly." 4

Comply and adapt

According to the Frost & Sullivan survey, one of the major concerns about security in the cloud is ensuring regulatory compliance. “Compliance is a big issue,” agreed Joe Anthony, Director, IBM Software Security, Risk and Compliance Product Management. “Data protection and reporting laws such as HIPAA and Sarbanes-Oxley demand that business controls are in place and that you can audit and demonstrate who has access to what and why. Tivoli Identity Manager provides these benefits and those capabilities can be extended to the cloud to perform as they would in the traditional data center.”

“Another important aspect about Tivoli Identity Manager is pre-built adapters for third-party applications,” continued Anthony. “Lots of cloud users will take an application like their e-mail and move that to the cloud. Adapters help them do that quickly and cost-effectively because they are pre-built to provide security for services that are being moved to the cloud such as storage, development and testing, sales force automation and customer relationship management. The adapters support a wide range of third-party applications.”

Federated access and secure data

“When you move services to the cloud, part of the benefit you’re looking for is to securely share the services and information with customers, other departments, business partners and other parts of your overall business ecosystem,” said Ravi Srinivasan, Program Director, IBM Data and Application Security Manager. “But you’re also opening the identity and access management challenges to a much broader range of users. You can’t manage all of those individual IDs – they would quickly add up to millions. What clients can do with IBM Tivoli Security Policy Manager and Tivoli Federated Identity Manager is federate and centrally manage fine-grained access policies and enforce them with runtime security services in the cloud. This not only helps them secure the cloud, it helps them reduce administration costs and collaborate more productively across their business environment.”

Cloud ready

There are many other IBM software products and offerings that are ready to deliver security for the cloud. For example, IBM Rational® AppScan® can help build cloud security capabilities into the application development process through scanning and testing capabilities. IBM Security Virtual Server Protection for VMWare provides security for every layer of a virtual infrastructure. Tivoli zSecure Audit identifies and prevents problems in mainframe systems before they become a threat to security and compliance. Tivoli Security Information and Event Manager provides visibility into a cloud provider's logs and records to help manage a heterogeneous IT infrastructure. Coupled with IBM cloud security services, these and other IBM software products can provide a cloud security solution for virtually any need or organization.

“Clients are looking for ways to make the cloud more secure and advance its use,” concluded Anthony. “We believe that IBM already has the security foundation and proven solutions to help clients take advantage of the flexibility, scalability, reliability and cost control the cloud can provide.”

Matthiesen agrees. ““Essentially, a shared resource is a shared resource -- whether it’s the cloud or a large enterprise data center with lots of distributed resources and a wide range of different user roles and needs. IBM security software has a proven track record in these types of environments.”

  1. The evolving role of IT managers and CIOs, Findings from the 2010 IBM Global IT Risk Study
  2. IBM Press Release, IBM Introduces New Software and Cloud Services to Help Companies Improve Processes, Automate Decisions, October 12, 2010
  3. Frost & Sullivan 2010 Enterprise Cloud Computing Survey (link resides outside of
  4. IBM Case Study, IBM IT group to reduce costs and conserve energy with a secure cloud environment, November 30, 2009

More resources