Securing the cloud

* Service creates a single Web application portal that combines strong authentication and single sign-on for Web applications

Everyone these days seems to want to talk about "the cloud". Cloud computing is the latest buzz phrase that all vendors seem to want to attach to their product. But, as I mentioned some weeks ago ("Identity management is key to the proper operation of cloud computing"), proper identity management is often lacking in the rush to cloud-enable services and applications. While the Cloud Computing Manifesto (see that earlier newsletter) pays lip service to identity needs, what's actually happening in the marketplace?

I spoke last week with Rob Ferrilli, the CEO of the Ferrilli Information Group, a small (in numbers) but influential consulting services organization providing services to the higher-education community. The company is decentralized with only a small number of consultants. But they have all the office productivity needs of any business, from the smallest one-man shop up to the largest enterprise. According to Ferrilli, cloud computing (aka software-as-a-service or SaaS) was a godsend. He recently decided to move to SaaS applications to run the company's business and support the employees working with college and university clients around the United States. Rob selected a dozen online applications to replace internal systems, including Salesforce for CRM and Google Apps for collaboration and e-mail.

The move brought lots of savings in terms of on-site hardware as well as the time and money needed to install and maintain the applications and services. But it also brought unexpected complexity: employees now had 12 different accounts and passwords to manage.

The Ferrilli Group's answer to this problem was myOneLogin.com, a service of Tricipher, a company featured in this space before (see "Seven strong authentication methods").

MyOneLogin creates a single Web application portal, combining strong authentication and single sign-on for Web applications. Using myOneLogin, you can log in once to access a whole set of Web applications. But this isn't another "user-centric" authentication service, such as OpenID. MyOneLogin brings all of the strong authentication methods of Tricipher to bear and is intimately familiar with the authentication steps needed for various cloud-based SaaS services.

In fact, when using myOneLogin, the user isn't even aware of the authentications (typically username/password) that gain him/her access to the cloud application. So there's no possibility of the user either accessing the services "on their own" (say, after they've been terminated or quit) or passing that information (wittingly or not) to a third party (i.e., no chance of phishing).

If you're into cloud computing, or even thinking about it, then myOneLogin.com could be the identity manager you need.

Upcoming events from the IdM Journal Events Calendar:

June 17 – Webinar: "Impact of HIPAA on Identity and Access Assurance"

The Health Insurance Portability and Accountability Act requires that Protected Health Information, which is defined as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, must be protected against unauthorized disclosure. New provisions in the American Recovery and Reinvestment Act (ARRA) mean that now, more than ever, healthcare organizations are responsible for ensuring that only the right people have the right access to the right information and are doing the right things with it. Register here.  

June 25 – Webinar: "Get the Big Picture – Managing Access beyond SAP for Cross-Enterprise Identity Governance"

You'll learn how an integrated identity governance approach can more effectively improve your risk posture with enterprise-wide policy enforcement, access certifications and role management across all relevant systems. By having a single view into user access rights, you will greatly improve your visibility into risky or non-compliant areas and automate your processes for managing these risks. You'll be able to more effectively analyze risk, make more informed decisions and implement controls in an automated and more sustainable fashion. Ultimately, this will result in improved audit performance over time and less chance of non-compliance. Register here.  
