Showing posts with label Reed. Show all posts
Showing posts with label Reed. Show all posts

Monday, August 31, 2009

Cloud Adoption: Security is Key as Enterprises Contemplate Moves to Cloud Computing Models

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on caution, overcoming fear, and the need for risk reduction on the road to successful cloud computing.

In order to ramp up cloud-computing use and practices, a number of potential security pitfalls need to be identified and mastered. Security, in general, takes on a different emphasis, as services are mixed and matched and come from a variety of internal and external sources.

So, will applying conventional security approaches and best practices be enough for low risk, high-reward cloud computing adoption? Is there such a significant cost and productivity benefit to cloud computing that being late or being unable to manage the risk means being overtaken by competitors that can do cloud successfully? More importantly, how do companies know whether they are prepared to begin adopting cloud practices without undo risks?

To help us better understand the perils and promises of adopting cloud approaches securely, we're joined by three security experts from Hewlett-Packard (HP). Please join me in welcoming Archie Reed, HP Distinguished Technologist and Chief Technologist for Cloud Security. Welcome, Archie.

Archie Reed: Hello, Dana. Thanks.

Gardner: We're also joined by Tim Van Ash, director of software-as-a-service (SaaS) products at HP Software and Solutions. Welcome, Tim.

Tim Van Ash: Good morning, Dana.

Gardner: Also, David Spinks, security support expert at HP IT Outsourcing. Welcome, David.

David Spinks: Good morning.

Gardner: Of course, any discussion nowadays that involve cloud computing really deserves a definition. It's a very amorphous subject these days. We're talking about cloud computing in terms of security and HP. How do you put a box around this? What are the boundaries?

Van Ash: It's a great question, Dana, because anything associated with the Internet today tends to be described as cloud in an interchangeable way. There's huge confusion in the marketplace, in general, as to what cloud computing is, what benefits it represents, and how to unlock those benefits.

Over the last two years, we've really seen three key categories of services emerge that we would define as cloud services. The first one is infrastructure as a service (IaaS). Amazon's EC2 or S3 services are probably some of the best known. They're there to provide an infrastructure utility that you can access across the Internet, and run your applications or store your data in the cloud, and do it on a utility-based model. So, it's a pay-per-use type model.

If we look at platform as a service (PaaS), this is an area that is still emerging. It's all about building applications in the cloud and providing those application-development platforms in the cloud that are multi-tenant and designed to support multiple customers on the same platform, delivering cost efficiencies around development, but also reducing the amount of development required. Many of the traditional tiers from data persistency and other things are already taken care of by the platform.

The last area, which is actually the most mature area, which started to emerge about 10 years ago, is SaaS. Great examples of this are Salesforce.com, HP's partner NetSuite, and, obviously, HP's own Software-as-a-Service Group, which delivers IT management as a service.

Gardner: When we're talking about applying security to these definitions, are we talking about something very specific in terms of crossing the wire? Are we talking about best practices? Are we talking about taking a different approach in terms of a holistic and methodological understanding of security vis-à-vis a variety of different sources? Help us better understand what we mean when we apply security to cloud.

Different characteristics

Van Ash: Once again, it's a great question, because you see very different characteristics, depending on the category of the service. If it's IaaS, where it's really a compute fabric being provided to you, you're responsible for the security from the operating system, all the way out.

You're responsible for your network security, the basic operating system security, application security, and the data security. All of those aspects are within your domain and your control, and there really is a large difference between the responsibility of the consumer and the responsibility of the provider. The provider is really committing to providing a compute fabric, but they're not committing, for the most part, to provide security, although there are IaaS offerings emerging today that do wrap aspects of security in there.

For PaaS, the data persistency and all those elements, for the most part, are black box. You don't see that, but you're still responsible for the application-level security, and ensuring that you're not building vulnerabilities in your code that would allow things like SQL injection attacks to actually mine the data from the back-end. You see more responsibility put on the provider in that environment, but all the classic application security vulnerabilities, very much lie in the hands of the consumer or the customer who is building applications on the cloud platform.

With SaaS, more of the responsibility lies with the provider, because SaaS is really delivering capabilities or business processes from the cloud. But, there are a number of areas that you're still responsible for, i.e., user management in ensuring that there are perfect security models in place, and that you're managing entry and exit of users, as they may enter a business or leave a business.

You're responsible for all the integration points that could introduce security vulnerabilities, and you're also responsible for the actual testing of those business processes to ensure that the configurations that you're using don't introduce potential vulnerabilities as well.

Gardner: Archie Reed, it sounds as if there is a bigger task here. We had to evaluate whether the provider has instituted sufficient security on their end. We have to be concerned about what we do internally. It sounds like there is a larger security wall to deal with here. Is that the case when we look at cloud?

Reed: Absolutely. One of the key things here is, if you take the traditional IT department perspective of whether it's appropriate and valuable to use the cloud, and then you take the cloud security's perspective -- which is, "Are we trusting our provider as much as we need to? Are they able to provide within the scope of whatever service they're providing enough security?" -- then we start to see the comparisons between what a traditional IT department puts in play and what the provider offers.

For a small company, you generally find that the service providers who offer cloud services can generally offer -- not always, but generally -- a much more secure platform for small companies, because they staff up on IT security and they staff up on being able to respond to the customer requirements. They also stay ahead, because they see the trends on a much broader scale than a single company. So there are huge benefits for a small company.

But, if you're a large company, where you've got a very large IT department and a very large security practice inside, then you start to think about whether you can enforce firewalls and get down into very specific security implementations that perhaps the provider, the cloud provider, isn't able to do or won't be able to do, because of the model that they've chosen.

That's part of the decision process as to whether it's appropriate to put things into the cloud. Can the provider meet enough or the level of security that you're expecting from them?

Suitable for cloud?

The flip side of that is from the business side. Are you able to define whether the service value that's being provided is appropriate, and is the data going into the cloud suitable for that cloud service?

By that, I mean, have we classified our data that is going to be used in this cloud service regardless of whether it's sitting in a PaaS or SaaS? Is it adequately protected when it goes into the cloud, such that we can meet our compliance objectives, our governance, and the risk objectives? That ultimately is the crux of the decision about whether the cloud is secure enough.

Gardner: Let's go to David Spinks. It sounds as if we almost fundamentally need to rethink security, because we have these different abstractions now of sourcing. We have to look at access and management control, what should be permeable and perhaps governed at a policy level across the boundaries.

I suppose there are also going to be issues around dynamic shifting, when processes and suppliers change or you want to move from a certain cloud provider to another over time. Do you think it's fair that we have to take on something as dramatic as rethinking security?

Spinks: That's absolutely right. We've just been reviewing a large energy client's policies and procedures. While those policies, procedures, and controls that they apply on their own systems are relevant to their own systems, as you move out into an outsourcing model, where we're managing their technology for them, there are some changes required in the policies and procedures. When you get to a cloud services model, some of those policies, procedures, and controls need to change quite radically.

Areas such as audit compliance, security assurance, forensic investigations, the whole concept of service-level agreements (SLAs) in terms of specifying how long things take have to change. Companies have to understand that they're buying a very standard service with standard terms and conditions.

Before they were saying, "Our systems have to comply with this policy, and you have to roll out patches." In a cloud services environment, those requirements no longer apply. They have very standard terms and conditions imposed on them by the cloud providers.

Gardner: So, while we need to think out how we approach cloud, particularly when we want a high level of security and a low level of risk, the rewards for doing this correctly can be rather substantial.

Tim Van Ash, what are the balances here? Who is in the role of doing the cost-benefit analysis that can justify moving to the cloud, and therefore recognize the proper degree of security required?

Pressure to adopt

Van Ash: It's a very interesting question, because it talks to where the pressures to the adoption of cloud are really coming from. Obviously, the current economic environment is putting a lot of pressure on budgets, and people are looking at ways in which they can continue to move their projects forward on investments that are substantially reduced from what they were previously doing.

But, the other reason that people are looking at it is just agility, and both these aspects – cost and agility -- are being driven by the business. Going back to the earlier point, these two factors coming from the business are forcing IT to rethink how they look at security and how they approach security when it comes to cloud, because you're now in a position where many of your intellectual property and your physical data and information assets are no longer within your direct control.

So what are the capabilities that you need to mature in terms of governance, visibility, and audit controls that we were talking about, how do you ramp those up? How do you assess partners in those situations to be able to sit down and say that you can actually put trust into the cloud, so that you've got confidence that the assets you're putting in the cloud are safeguarded, and that you're not potentially threatening the overall organization to achieve quick wins?

The challenge is that the quick wins that the business is driving for could put the business at much longer-term risk, until we work out how to evolve our security practices across the board.

Gardner: We've been dealing with security issues for many years. Most people have been doing

When we start to look at what the cloud providers offer in terms of security, and whether our traditional security approaches are going to meet the need, we find a lot of flaws.

wide area networking and using the Internet for decades. Archie Reed, are the current technologies sufficient? Is the conventional approach to security all right? Or, do we need to recognize that we, one, either need new types of technologies, or two, primarily need to look at this from a process, people, and methodology perspective?

Reed: That's a long question. Tying into that question, and what Tim was just alluding to, most customers identify cost and speed to market as being the primary drivers for going or looking at cloud solutions.

Just to clarify one other point, in this discussion so far, we've been primarily talking about cloud providers as being external to the company. We haven't specifically looked at whether IT inside a large organization may be a cloud provider themselves to the organization and partners.

So, sticking with that model, alongside the cost and speed to market, when customers are asked what their biggest concerns are, security is far and away the number one concern when they think about cloud services.

The challenge is that security, as a term, is arguably a very broad, all-encompassing thing that we need to consider. When we start to look at what the cloud providers offer in terms of security, and whether our traditional security approaches are going to meet the need, we find a lot of flaws.

What we need to do is take some of that traditional security-analysis approach, which ultimately we describe as just a basic risk analysis. We need to identify the value of this data -- what are the implications if it gets out and what's the value of the service -- and come back with a very simple risk equation that says, "Okay, this makes sense to go outside."

If it goes outside, are the processes in place to say who can have access to this system, who can perform actions on the service that's providing access to that data, and so on.

Traditional approaches

Our traditional approaches lead us to the point where we can then decide what the appropriate actions are that we need to put in play, whether they be training for people, which is very important and often forgotten when you're using cloud services. Then decide the right processes that need to be used, whether they be implemented by people or automated in any way. Then ultimately, down to the actual infrastructure that needs to be updated, modified, or added, in order to get to the level of security that we're looking for. Does that make sense?

Gardner: Yes. It sounds as if it's not so much a technological issue, as something for the architects and the operational management folks to consider, a fairly higher-level perspective is needed.

Reed: Arguably, yes. Again, it depends what you're putting into the cloud. There are certain things where you may say, "This data, in and of itself, is not important, should a breach occur. Therefore, I'm quite happy for it to go out into the cloud."

An example may be if you have a huge image database, for example, a real estate company. The images of the properties, in and of themselves, hold little value, but the amount of storage and bandwidth that you as a company have got to put into play to deliver that to your customers is actually quite costly and may not be something that your IT department has expertise in.

A cloud provider may be able to not only host those images and deliver those images on a

Generally, when we talk to people, we come back to the risk equation, which includes, how much is that data worth, what are the implications of a bridge, and what is the value of the services being provided.

worldwide basis, but also provide extra image editing tools, and so on, such that you can incorporate that into an application that you actually house internally, and you end up with this hybrid model. In that way, you get the best of both worlds.

Generally, when we talk to people, we come back to the risk equation, which includes, how much is that data worth, what are the implications of a bridge, and what is the value of the services being provided. That helps you understand what the security risk will be.

Gardner: So, if you start to "componentize" your workloads and understand more about what can be put on a scale of risk, you can probably reduce your costs dramatically, if you do it thoughtfully, and therefore gain quite a competitive advantage.

Reed: Absolutely. We have a vision at HP. It's generally recognized out there as "Everything-as-a-Service." An IT department can look at that and take things down to those componentized levels, be it based on a bit of data that needs to be accessed, or we need to provide this very broad service. In that way, they can also help define what is appropriate to go into the cloud and what security mechanisms are necessary around that. Does the provider offer those security mechanisms?

Gardner: Is it important to get started now, even for companies that may not be using cloud approaches very much, to fully engage on this? Is it important and beneficial for them to start thinking about the processes, the security, and the risk issues? Let me pass that to David Spinks.

Next big areas

Spinks: The big areas that I believe will be developed over the next few years, in terms of ensuring we take advantage of these cloud services, are twofold. First, more sophisticated means in data classification. That's not just the conventional, restricted, confidential-type markings, but really understanding, as Archie said, the value of assets.

But, we need to be more dynamic about that, because, if we take a simple piece of data associated with the company's annual accounts and annual performance, prior to release of those figures, that data is some of the most sensitive data in an organization. However, once that report is published, that data is moved into the public domain and then should be unclassified.

What we're finding is that many organizations, once they classify a piece of data as confidential or secret, it stays at that marking, and therefore is prohibited from moving into a more open environment.

We need not just management processes and data-classification processes, but these need to be much more responsive and proactive, rather than simply reacting to the latest security breach. As we move this forward, there will be an increased tension to more sophisticated risk management tools and risk-management methodologies and processes, in order to make sure that we take maximum advantage of cloud services.

Gardner: Tim Van Ash, as companies start to think about this and want that holistic perspective, does adopting SaaS and consuming those applications as services provide a stepping-stone? Is this a good validation point?

Van Ash: Going back to the point that David was just making, it comes down to which

The level of data being held within an organization like Salesforce is extremely sensitive. Salesforce has had to invest tremendous amounts of time and energy in protecting their systems over the years.

processes you're putting into the cloud and the value tied to those processes.

For example, Salesforce.com has been very successful in the SaaS market. Clearly, they're the leader in customer relationship management (CRM) in the cloud today. The interesting thing about that is, the information they store on behalf of customers are customer data and prospect data, things that organizations guard very carefully, because it represents revenue and bookings to the organization.

If you look at how the adoption has occurred, it started out with small to medium companies for whom speed was often more important than the financial security, but it has now very much moved into the enterprise. The level of data being held within an organization like Salesforce is extremely sensitive. Salesforce has had to invest tremendous amounts of time and energy in protecting their systems over the years.

Likewise, if we look at our own SaaS business within HP, not only do we go through external audit on a regular basis, but we're applying a level of security discipline. It could be SAS 70 Type II around the data centers and practices, or being certified to an ISO standard, whether it be 27001 or one of the earlier variations of that. Cloud providers are now having to adhere to a very rigorous set of guidelines that, arguably, customers don't apply to the same level around their information internally.

The big reason for that is that when you run element as a service, you have to build supporting elements around that service. It's not a generic capability that exists across the entire business. So, there's a lot more focus placed on security from the SaaS model than maybe would have been applied to some of those elements within smaller to medium organizations, and, certainly, in some of the non-core functions in the enterprise.

Gardner: I assume that the ways in which an organization starts to consume SaaS and the experiences they have there does set them up to become a bit more confident in how to move forward toward the larger type of cloud activity.

Fear, uncertainty, doubt

Van Ash: That's a great point, Dana. Typically, what we see is that organizations often have concerns. They go through the fear, uncertainty, and doubt. They'll often put data out there in the cloud in a small department or team. The comfort level grows, and they start to put more information out there.

At the same time, going back to the point that both Dave and Archie were making, you need to evolve your processes, and those processes need to include the evaluation of the risk and the value of the information and the intellectual property that you're placing out there.

Spinks: One of the observations I've had talking with a lot of customers about so far, some big customers and small, is they're experiencing this situation where the business units are pushing internally to get to use some cloud service that they've seen out there. A lot of companies are finding that their IT organizations are not responding fast enough such that business units are just going out there directly to a cloud services provider.

They're in a situation where the advice is either ride the wave or get dumped, if you want an analogy. The business wants to utilize these environments, the fast development testing and launch of new services, new software-related solutions, whatever they may be, and cloud offers them an opportunity to do that quickly, at low cost, unlike the traditional IT processes.

But, all of these security concerns often get lost, because these things that they want to work on

Many enterprises today looking for quick wins are leveraging elements like IaaS to reduce their costs around testing and development.

are very arguably entrepreneurial in nature and move very quickly to try to capture business opportunities. They also may require partners to engage quickly and easily, and getting holes through firewalls and getting approvals can take months, if not quarters, in the traditional model. So, there is a gap in the existing IT architectural processes to implement and support these solutions.

That's what IT has got to deal with, if we focus on their needs for a minute. If they don't have a policy, if they don't have a process and advertise that within an organization, they will find that the business units will get up on that wave and just ride away without them.

Van Ash: We do see enterprises are being somewhat cautious, when they're applying it. As Archie was saying right upfront, you see a different level of adoption, a different level of concern, depending on the nature of the business and the size of the business. Many enterprises today looking for quick wins are leveraging elements like IaaS to reduce their costs around testing and development. These are areas that allow them to get benefit, but doing it in a way that is managing their risk.

Gardner: It sounds as if we need to get this just right. If we drag our feet as an organization, some of the business units and developers will perhaps take this upon themselves and open up the larger organization to some risk. On the other hand, if we don't adopt at a significant pace, we risk a competitive downfall or downside. If we adopt too quickly and we don't put in the holistic processes and think it through, then we're faced with an unnecessary risk.

I wonder, is there a third-party, some sort of a neutral certification, someone or some place an organization can go to in order to try to get this just right and understand from lessons that have been learned elsewhere?

Efforts underway

Reed: We would hope so. There are efforts underway. There are things, such as the Jericho Forum, which is now part of The Open Group. A group of CIOs and the like got together and said, "We need to deal with this and we need to have a way of understanding, communicating, and describing this to our constituents."

They created their definition of what cloud is and what some of the best practices are, but they didn't provide full guidelines on how, why, and when to use the cloud, that I would really call a standard.

There are other efforts that are put out by or are being worked on today by The National Institute of Standards and Technology, primarily focused on the U.S. public sector, but are generally available once they publish. But, again, that's something that's in progress.

The closest thing we've got, if we want to think about the security aspects of the cloud, are coming from the Cloud Security Alliance, a group that was formed by interested parties. HP supported founding this, and actually contributed to their initial guidelines.

Essentially, it lays out 15 focus areas that need to be concentrated on in terms of ensuring a level

So, my suggestion for companies is to take a look at the things that are underway and start to draw out what works for them, but also get involved in these sorts of things.

of security, when you start to look at cloud solutions. They include things like information lifecycle management, governance, enterprise risk management, and so on. But, the guidelines today, knowing of course that these will evolve, primarily focus on, "Here is the best practice, but make sure you look at it under your own lens."

If we're looking for standards, they're still in the early days, they're still being worked on, and there are no, what I would call, formal standards that specifically address the cloud. So, my suggestion for companies is to take a look at the things that are under way and start to draw out what works for them, but also get involved in these sorts of things.

Gardner: I just want to make sure I understood the name. Was it Jericho, the project that's being done by The Open Group?

Reed: Jericho Forum was the group of CIOs who essentially put together their thoughts, and then they've moved it under The Open Group auspices.

The Jericho Forum and the Cloud Security Alliance, earlier this year, signed an agreement to work together. While the Jericho Forum focused more on the business and the policy side of things, the Cloud Security Alliance focused on the security aspects thereof.

Gardner: What is HP specifically doing to advance the safe and practical use of cloud services, working I would imagine in concert with some of these standards, but also looking to provide good commercial services?

HP's efforts

Reed: There are many things going on to try and help with this. As I said, we were involved in the formation of the CSA, and we were involved, and are still involved, in helping write the guidance for critical areas, a focus in cloud computing, and the next generation. We are, through our EDS folks, directly involved with the Jericho Forum, and bringing those together.

We also have a number of tools and processes based on standards initiatives, such as Information Security Service Management (ISSM) modeling tools, which incorporate inputs from standards such as the ISO 27001 and SAS 70 audit requirements -- things like the payment card industry (PCI), Sarbanes-Oxley (SOX), European Data Privacy, or any national or international data privacy requirements.

We put that into a model, which also takes inputs from the infrastructure that's being used, as well as input based on interviews with stakeholders to produce a current state and a desired or required state model. That will help our customers decide, from a security perspective at least, what do I need to move in what order, or what do I need to have in place?

That is all based on models, standards, and things that are out there, regardless of the fact that cloud security itself and the standards around it are still evolving as we speak.

Gardner: Tim Van Ash, did you have anything further to offer in terms of where HP fits into

Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.

this at this early stage in the secure cloud approach?

Van Ash: Yeah. In addition to the standards and participation that Archie has talked about, we do provide a comprehensive set of consulting services to help organizations assess and model where they are, and build out roadmaps and plans to get them to where they want to be.

One of the offerings that we've launched recently is Cloud Assure. Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.

Security, obviously, is the number one concern, but the number two and three concerns are performance and availability of the services that you're either consuming or putting into the cloud.

Cloud Assure is designed and delivered through the HP Software-as-a-Service Group, so that its a way that organizations can assess potential cloud services that they want to consume for those security issues, so that they know about it before they go in. This can help them to choose who is the right provider for them. Then, it's designed to provide ongoing assessment of the provider over the life of the contract, to ensure that they continue to be as secure as required for the type of information and the risk level associated with it.

The reason we do it through SaaS is to enable that agility and flexibility of those organizations, because speed is critical here. Often, the organizations aren't in a position to put up those sorts of capabilities in the timeframe the business is looking to adopt them. So, we're leveraging cloud to enable businesses to leverage cloud.

Gardner: David Spinks, are there areas where success is being meaningfully engaged now? Are there early adopters? Where are they? And, are they really getting quite a bit of productivity from moving certain aspects or maybe entire sets of IT functions or business functions to the cloud?

Moving toward cloud

Spinks: We're seeing some of the largest companies in the world move towards cloud services. You've got the likes of Glaxo and Coca-Cola, who are already adopting cloud services and, in effect, learning by actual practical experience. I think we'll see other large corporations in the world move towards the adoption of cloud, because obviously they spend the most on IT and, therefore, have got the most to gain from incremental savings.

The other key technology that we'll see emerge from one of the issues in cloud computing in the whole area of personal authentication, authorization, and federated access is this concept called Role-Based Access Control (RBAC).

There are a number of clients who are talking to us about how we might use our experiences with some of the largest corporations and government agencies in the world in terms of putting more robust authentication processes in place, allowing our largest clients to collaborate with their customers and their partners.

One of the key technologies there, and obviously one of the key technologies that Jericho have been pushing for years, is much more robust identity management and authentication, including technologies such as two-factor authentication and managed public key infrastructure (PKI). I would prophesize that we're going to see an explosion in the use of those technologies, as we move further and further into the cloud.

Gardner: Well, very good, I'm afraid we're about out of time. We've been having a discussion about overcoming fear -- caution and the need for risk reduction on the road to successful cloud computing. Our panelists have been Archie Reed, HP Distinguished Technologist and Chief Technologist for cloud security. I certainly appreciate your input Archie.

Reed: Thank you very much, Dana.

Gardner: Tim Van Ash, director of SaaS products at HP Software and Solutions. Thank you, Tim.

Van Ash: Thanks very much, Dana.

Gardner: And David Spinks, security support expert at HP IT Outsourcing. Thank you, David.

Spinks: You're very welcome.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Learn more. Sponsor: Hewlett-Packard.

Free Offer: Get a complimentary copy of the new book Cloud Computing For Dummies courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer.

Transcript of a sponsored BriefingsDirect podcast on the state of security in cloud computing and what companies need to do to overcome fear, reduce risk and still enjoy new-found productivity. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, November 18, 2008

Identity and Access Management Key to Security Best Practices in Changing Business Landscape

Transcript of a BriefingsDirect podcast on the role of identity and IT access management in the dynamic enterprise.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, a sponsored podcast discussion on the role of identity and access management (IAM), and its impact on security and risk reduction.

We live in an age when any of us, on a typical day, has access to hundreds of applications, and perhaps we have improper access to some of those applications or data inside of our companies. We may not even know it. What's worse, our IT department might not know it.

Managing who gets access to which resources for how long -- and under what circumstances -- has become a huge and thorny problem. The stakes are too high. Improper and overextended access to sensitive data and powerful applications can cause significant risk and even damage or loss.

Hewlett-Packard (HP) and Oracle have been teaming up to improve the solutions around IAM. Through products and services, a series of best practices and preventative measures has been established. To learn more about managing risk around IAM, we will be talking with executives from both HP and Oracle.

Here with us today, we are joined by Dan Rueckert. He is the worldwide practice director for security and risk management for HP’s Consulting and Integration (C&I) group. Welcome, Dan.

Dan Rueckert: Thanks, Dana, glad to be here.

Gardner: We are also joined by Archie Reed, distinguished technologist in HP’s security office in the Enterprise Storage and Server Group. Welcome, Archie.

Archie Reed: Hi, Dana.

Gardner: And we’re also joined by Mark Tice, vice president of identity management at Oracle. Thanks for joining, Mark.

Mark Tice: Hi, Dana, thank you very much.

Gardner: Now, let’s look at this historically -- and I guess I’ll take this to Dan Rueckert. How have things changed around IAM and general risk and security around access to assets and resources in the past couple of years? Is this another instance of data explosion, or are there other implications for organizations to consider?

Rueckert: Thanks, Dana. When we look at IAM, we are really saying that the speed of business is increasing, and with that the rate of change of organizations to support their business. You see it everyday in mergers and acquisitions that are going on right now. As a result of that, you see consolidation.

All these different factors are going on. We are also driving regulations and compliance to those regulations on an ongoing basis. When you start to go with these regulations, the ability to have people access their data, or have access to the tools, applications, and data that they need at the right time is key.

It’s the speed, and it’s continuing to go on as we see the convergence of both the traditional IT systems or applications, and then the merger with operational technology, as we know it, from real-time systems, or near real-time systems.

Gardner: Archie Reed, how do you see this impacting the business climate? How important is this for companies in terms of their exposure?

Reed: This is a critical area that folks have to look at. There's a difference that we’re seeing when we go out and talk to customers, and they’re saying that security is a big concern. It’s a big issue for them. It’s not simple and it’s often not cost-effective, or the return on investment (ROI) is difficult to define.

When you talk about security being a big concern, there is a disconnect between it being a priority, or a high priority, for a lot of companies. It’s dependent on the specific company to have security high on the priority list. It’s often placed low because of that ROI challenge.

The reality in the market is that many things impact that security posture, internally, every time a new system is installed, any product or service defined, or even when a new employee joins. Externally, we're impacted by new regulations, new partnerships, new business ventures, whatever form they may take. All those things can impact our ability, or our security posture.

Security is much like business. That is, it’s impacted by many, many factors, and the problem today is trying to manage that situation. When we get down to tools and requirements around such things as identity management, we are dealing with people who have access to systems. The criticality there is that there have been so many public breaches that we have become aware of recently that security again is a high concern.

People are not necessarily taking it into their priority list as being critical, but tools such as identity management and general system management can help you to mitigate the risks. If we start to talk about risk analysis, and ROI being one and the same discussions, then we may be able to help companies move forward and get to the right position.

Gardner: Clearly, this is not something that product alone can tackle, nor services alone either. So, it's certainly makes sense that Oracle and HP are teaming up with a solutions approach to this. What is the overall solution approach, is this 60 percent behavior, 40 percent product? Dan, give us a sense of how this gets solved, when it comes to products and/or services?

Rueckert: Dana, it's definitely people, process, and technology coming together. In some cases, it’s situational, as far as working with customers that have legacy systems, or more modern systems. That starts to dictate how much of that process, how much of that consulting they need, or how much technology?

When we talk about the HP-Oracle relationship, it’s about having that strong foundation as far as IAM, but also the ability to open up to the other areas that it's tied into, in this case enterprise architecture, the middleware pieces that we want for databases, and other applications that they have.

You start to put that thread with IAM, combined with an infrastructure and that opens this up as a whole, which is key. And, enablement, as far as depending on the size and complexity or localization or globalization, tends to play into those attributes, as far as people process and technology.

Gardner: And this also relates to the Secure Advantage Program, as well as the HP Adaptive Infrastructure, can you paint a picture for us as to how those relate? I guess we can go to Archie Reed on this.

Reed: The first thing would be to understand what Secure Advantage is. Fundamentally it’s an evolution of HP’s Security Strategy. One thing folks may not know is that HP has been in the security business for over 30 years across most industries and the geographies.

Secure Advantage is effectively the embodiment of all of HP security prowess or expertise, as services, products, and solutions, and as well as partners that we can offer organization to help them deal with security in business issues that we've been alluding to through this discussion.

The challenge that HP sees is that most folks worldwide may have developed a relationship with HP, perhaps for a server or a desktop businesses or a software and printing businesses. Many are unaware how wide and how deep HP's security expertise is, across the entire business spectrum.

HP has been developing this Secure Advantage Program over the last few years to essentially allow people to take a broader look at our security portfolio. I'll give you a specific example. I said we have been in the business for over 30 years now, and one thing that many folks aren't aware of is that HP has been engaged at the core of all the ATM networks around the world.

In fact, we’re directly involved in over 70 percent of ATM transactions. So, when you walk up to a bank, you put in your debit card or your credit card, you ask for $100 or 100 Euros, whatever it maybe anywhere around the world. Behind the scenes, HP technology, policies, and process have been worked on to ensure that the data is encrypted, that all of the banks and ATM network folks can talk to each other without necessarily knowing everything about them or who they are working with.

It’s secured through a set of processes. I am not going into the details obviously, but this is something that is an incredibly complex situation with a huge set of regulations on a worldwide basis about what can and can't be done, and what should be done. HP is right at the core of that, with encryption technology, with processes, with services and products that span the gamut. That is a really good example of where Secure Advantage comes into play.

We are engaged in the standards development behind the scenes. We have many patents and many processes that help these banks put together what they need to make it all work. That's the sort of expertise we bring, when we go talk to companies in situations where they need to implement tools such as identity management and access management tools. Does that make sense?

Gardner: Sure, it does. Mark Tice, tell us from Oracle's perspective, why is it important to have a complete solution approach to this? It seems like so many applications, so many different cracks, if you will, in the foundation. What’s the philosophy from Oracle in terms of getting a comprehensive control over identity and access management?

Tice: Well, one of the things that we really encourage, and this is where we get great alignment with the folks at HP.

One of the things that we really work hard to do is make sure that first off, before breaking ground on one of these projects, customers put in place a complete framework, or architecture for their security in identity management, so that they really have a complete design that addresses all of their needs. We then encourage them to take things on one piece at a time. We design for the big bang, but actually recommend implementing on a piece by piece basis.

Gardner: Let's get into a little more detail about how companies actually come to grips with this. You can't start solving the problem until you have a sense of what the problem is. How significant is this? How out of control are the access and identity solutions and safeguards in companies? Dan Rueckert, you want to take a step with that?

Rueckert: It depends, now that we start to think about each industry and those areas that have the regulations and compliance issues and standards of business. As Archie said, the financial services area is very sophisticated in a lot of things they do. Once again, it’s the speed of business and the changes from mergers and acquisitions that have started to occur.

When we get into more traditional business, maybe heavy process in certain aspects, you might see lesser controls. But now, as we start to get into access into certain areas of a process facility that tie together with the system, it starts to bring that together also. So, you have that different view.

Gardner: Let's look closely at the actual solutions. How do companies get started with this? Let's go to you, Archie. What are some of the first steps that you should take in order to gauge the problem and then start putting in the proper solution?

Reed: When we start thinking about security, one of the first things that people look at generally is some sort of risk analysis. As an example, HP has an analysis toolkit that we offer as a service to help folks decide what is critical to them. It takes all sorts of inputs, the regulations that are impacting your business, the internal drivers to ensure that your business not only is secured, but also moving in the right direction that you wanted to move.

Within this toolkit, called the Information Security Service Management (ISSM) reference model, is a set of tools where we can interview all of the participants, all of the stakeholders in that policy or process, and then look at the other inputs that are predefined, such as the regulations.

If you are in healthcare, you are looking at the Health Insurance Portability and Accountability Act (HIPAA). If you are dealing with credit cards, then you are looking at things such as the Payment Card Industry (PCI) standard, about how you have to handle the data, and whether you have to encrypt.

By having these things that are predefined, not only in terms of being more prescriptive for companies, which helps them a lot, but also being more accessible in terms of how quickly they can decide what's important, allows them to move on and decide in which order they’re going to implement their security strategy? They may already have pieces in place, and that's another part of the ISSM reference model that asks, “Where do you grade yourself on this, and where do you want to be?”

There is also in this gap analysis between what is and what should be or what is wanted. That allows the company to decide how they’re going to implement these sorts of things. That becomes a great way to then determine how to cost things out, and that's also an important factor for organizations.

Generally, beyond that, folks are looking at a triumvirate of focal points which shows this governance risk management and compliance (GRC), which essentially says, “Here are the drivers. What's the analysis that we are going to do, and what are the approaches we are going to take to deal with that?” And, they essentially align or deal with the contentions between business and security requirements.

Those sorts of things allow a company to get up to speed quickly and analyze where they’re at. You may have a security review every year, but a lot of companies need to do it more often in more isolated ways. Having the right tools come out of these sorts of things allows them to do ongoing assessments of where they’re at, as well.

Hopefully that's the bulk of the question, and we can go into a little bit more detail with Dan about how services help you do that.

Gardner: How about some examples? Do you have either companies we can talk about directly, or use-case descriptions, where you have gone in. What are some of the pay backs? What are some of the savings or risk-avoidance benefits?

Rueckert: Let me start. When you truly get at the basics and you have the right access at the right time, you start to look at whether you have someone waiting to have something done from a system perspective.

It takes time, it wastes time, and somebody not doing what they were hired to do as far as their general responsibilities. So, there are labor efficiencies that can be gained by having that type of access, and then you get into the number of incidents or request to a help desk to enable someone who says “I am having a problem, help me”.

You start to look at these labor efficiencies from just a pure IT perspective. If you don't have the things that you need to do your job, you then hit the bottom-line tremendously in the line of business in that value chain. So it can cascade out tremendously as far as that.

The other is access, as far as your partners in conducting business. If they don't have what they need from an external point, they can hold up payments or shipments that you might need. All different sorts of people rely on this. I need to validate, I need to know who you are, so then I can conduct my business as I need to.

Reed: Another way to look at this is, when you consider how companies today are not only trying to be more efficient, provide cost savings, analyze, and do more with less -- whichever way you want to phrase it -- there is also an approach that says, “Let's consolidate our datacenters. Let's bring everything together and minimize the amount of stuff on the network. Let's do whatever we can to try and resolve the sort of cost issues.”

Again, when you start to think about who can do what, who has access to what and how much can they do, regardless of how you do those consolidation efforts, you need to consider security.

So, I would also raise the HP Adaptive Infrastructure as an example of how we help customers deal with those challenges of reconciling between the two. Adaptive Infrastructure is essentially a portfolio that help customers at all their data centers, from the high-cost silos where everybody has their Internet on their own servers, and they all have their own hardware in place to low-cost pooled assets.

That allows an IT department to move to that service provider model that a lot are trying to get to, while meeting needs. We help customers evolve to the next-generation data center, 24/7, lights-out computing, blades in place, virtualization. You get that lower cost. You get the high quality of service, but you also cannot ignore the security as being a critical component to that.

I’ll give an example of some customers we’re helping with virtualization right now. Even in the virtualization space, where everybody is trying to get more from the same hardware, you cannot ignore things such as access control. When you bring up who has access to that core system, when you bring up who has access to the operating system within the virtual environment, all of those things need to be considered and maintained with the right business and access controls in place.

The only way to do that is by having the right IAM processes and tools that allow an organization to define who gets access to these things, because important processing is happening on the one box. You are no longer just securing the box physically. You're securing the various applications that are stacked on top of all of that.

Gardner: Of course if you get it right, it can be of great value as you move into other types of activities. Whether it’s taking advantage of application, modernization or virtualization, building out those next generation data centers, having your IAM act together so to speak, certainly there’s a strong foundation for doing these other activities better and with less cost and risk.

Tice: Dana, I’d like to jump in on that one. What we see when we first go into companies, when they don’t have this in place, is that most of their identity management work is done in silos. It's done in a department, or an app-by-app basis. The fact of the matter is that each department or each group has to make up their own security policies, implement them, and manage them. From a company perspective, it means that your security is only as good as your weakest department.

So, you've hit it dead on. Having the right policies in place, and then tools to manage and implement those, is critical. It means that you can act, instead of having to stop, think, and then act -- time, and time, and time again.

Gardner: Moving into the future road map, what we expect, it seems, is that not only is access management important for today’s infrastructure. As we continue to automate, ramp up rules and policies, and start using events-based inference and business intelligence, this also is a foundation for creating a more robust and increasingly automated approach to IT, as well as provisioning of services and application. This is particularly true, as we move into what we call cloud computing nowadays, where we are going to get applications and services from the variety of different sources.

So who wants to take the approach to the future, and have us build on that opportunity?

Rueckert: I’ll comment on just some of the things that are happening right now, and you haven’t talked about the mobility of employees.

We talked more traditionally about datacenters and maybe desktops, but now we have hand-held devices that are mobile in nature and contain a lot of power, and we need to make sure we validate that they can have access.

You can take simple examples of BlackBerry devices and other entities that now tie back into applications and key data that they need in the field, and can use wireless networks. It’s a tremendous benefit overall, as far as where we are going, and it’s why this is so important as we start to work towards the future.

Reed: I’d back that up by saying that, when we start to consider IAM, one thing we really haven't touched on, but sort of alluded to so far in the conversation, has been all of this process and other stuff that happens on the identity management side of house. The provisioning, the decisions, the policy management happens over the longer term. Access management is more of a defined policy and enforced in real-time. There is a lot of more to this overall aspect that relates to one of HP's core areas of expertise, management tools in general.

So, when we define the policies, when we decide what the procedures are for following that, we need good tools that allow you effectively to implement and write out what they are, and automate those policies and procedures, so that they are enforceable.

More importantly, over the longer term, changes occur. For example, in the last year alone, in 2008, there is an estimate of an extra 9,000 to 10,000 regulations that small to medium businesses must follow -- and that's not including what big businesses have to follow in terms of changes for the regulations they're already engaged in.

Now, consider the impact that has on being able to rewrite change, manage the policies across all of your business units, and consider what Mark was talking about in terms of businesses that have siloed security approaches. There is no guarantee, unless you have a comprehensive view over all of your systems, services, and business policies, that you can guarantee to the outside world that you are complaint.

Once we've got all this defined, we now need to monitor, and report at least internally, sometimes externally, that we are being complaint. This is another area where management tools and IAM in particular, allow you to say and prove that you have done what is required by the regulations.

Regulations are generally thought of as being driven by government bodies. If you deal internationally, that can mean a lot of different things in lot of different regions. But, regulations can also be internally driven.

They can be internal policies that you have decided as an organization need to be enforced, because you believe that if you want better customer service, you do things this way. Ultimately, it all comes down to making sure that the process is defined, is easily either automated or followed, and finally, and ultimately, reported on an adequate way -- whether it has been circumvented, incorrectly used, or, more generally, that the right thing was done.

Ultimately, it comes back to this discussion we had earlier, which is that GRC and things like IAM play a critical role in that. That's why we have chosen to go with the strategy that we have as HP, as part of Secure Advantage.

Working with folks like Oracle, who have some of the best tools out there in order to support certainly middle sized businesses, but also large organizations with huge, siloed security problems, different businesses, and different geographies. It’s a huge issue that companies need to resolve with tools, because there's no way to do it manually.

Gardner: Alright. Looking toward the next rev, if you will, of these tools, Mark Tice at Oracle, maybe you could outline what the plan for the future is for HP and Oracle working together and where the access management capabilities will come from? I surely don't expect their pre-announcements on products, but just a sense of where the technology is headed?

Tice: Sure. It runs down a couple of different threads. In your last question you touched on the cloud computing issue, and one of the things you will hear us talking about more and more in the future, is the emergence of identity management as a service.

That is, make it real easy for applications to leverage identity management services for access control, permissions, and such. Make it easy for them to access those. One, so that you can support a cloud environment seamlessly and easily. And two, you don't have to replicate a lot of security in identity management code in applications. You can have applications what do or they do best, which is support application logic and leave a lot of security infrastructure to tools like ours.

The second piece is in the area of quickly adapting to change. We see identity management right now as a 1.0 in a 2.0 piece, the very basics, like user provisioning, access control, single sign on, federation -- that is the ability to allow other entities from outside of your firewall and give seamless access for trusted sources.

We see this as kind of 1.0, the very basics that you put in place. Even in the 2.0 space, that's really where we see things like strong authentication -- that is making sure that people are who they say they are -- and tie this into real-time risk detection. So, if we are detecting fraud, we make sure that we challenge people to a fairly extreme degree, if we perceive there to be risk.

Also, in the area of real management, we see deriving a lot of access based on business function, as opposed to complex IT rules. As people move around in the organization, they do different things. As Dan pointed out, as they merge and such, access is controlled automatically, based on where people sit in the organization, and what they are working on, as opposed to IT rules. Those are a couple of the trends that we see on the technology side.

Reed: I just want to expand on those comments, as well as something that Dan mentioned earlier, which was the mobility aspect. If we’re truly looking at what's coming up, what companies need to deal with, and why this ability to be able to deal with change quickly and effectively is important, we have to look at the new employees that are coming into the market. We have to look at the new business situations or paradigms that organizations are dealing with.

The new employees are coming out of the universities these days. They've got all the Facebook and MySpace -- and all such things.

They’re also used to using their own kit. They're used to plopping down wherever they are, being able to work on what they want, using whatever equipment they want, and consider themselves masters of their own identity.

When they walk into a company, they would like nothing more than to be able to bring a hardware that they can use at home, can move around with, and still be able to access the resources they need to do the work that they have been asked to do.

We'd love for those to be HP bits of hardware, but the reality is, if you take a broader sense, you need to be able to deal with that situation. If you think about the companies and the way in which the things have been moving, that is to deal with more partners, they've got to deal with more outsourcing too, all of these situations where they are no longer in control of the identity of who is using their kit. They are responsible for it, but they may not be in control of it.

This is happening worldwide. The contractor market has been around for a long time, but is evolving in this respect. They expect to run their own equipment, but use your organizational resources to do their job. There are outsourced organizations that expect to get access to your blue prints to produce things for your company.

But you have all these regulatory issues that you have got to deal with, which require encryption, monitoring, and access controls to be in place. And again, these regulations are changing over and over. If we think more about the business sense than the technology sense, you've got to have available to the business users the tools that allow them to do those things in a secure manner, and allow them to adjust to the processes, as Mark was saying, in a rapid fashion, without compromising the security of the organization as a whole.

Gardner: So, in the future we'll have a number of different scenarios where the end point hardware might be any number of different options, only to extend that access and management to that individual, based on their role, their business process context, and so forth. Sounds like a very interesting time.

Reed: Absolutely. We've heard about the borders to the company not being anywhere, the castle metaphor thing -- being broken down. The network is no longer Secure in and of itself. There is no perimeter.

I fully expect that within the next five to ten years we will be carrying around all of our data and all of our essential knowledge on memory sticks or in the cloud, and that will be all it needs to sometimes get to work. There will be devices everywhere that we should be able to use -- be it a mobile phone, a mobile device, right through to a huge, honking desktop that just happens to be there.

Gardner: And IAM is really the key to unlocking that sort of a flexible future.

Reed: Yes. Fundamentally, IAM is about managing those relationships between who is coming into the network, who is getting access to things, why are they getting access, how, and when are they allowed to do that.

Gardner: And, when done right, there are many different benefits, not only risk reduction, but as we had been discussing, now we look into the future with a lot more flexibility in terms of how IT can be distributed and used.

Great. We have been talking about identity and access management, it's impact on security and risk, some of the new opportunities for using this in different scenarios, including cloud computing and distribution of a variety of devices, sometimes not even the organizations or the enterprises devices.

Helping us weed through some of these topics, we have been joined by Dan Rueckert, a worldwide practice director for security and risk management, at HP, C&I. Thank you, Dan.

Rueckert: Thank you, Dana.

Gardner: I have also been joined by Archie Reed, distinguished technologist in HP security office also in C&I. Thank you, Archie.

Reed: Thank you.

Gardner: And, Mark Tice, vice president of identity management at Oracle. Thank you, Mark.

Tice: Thanks, Dana, Archie, and Dan. Thanks for inviting me to attend.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Come back next time for more insights on IT strategies. Bye for now.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Hewlett-Packard.

For more information on HP and Oracle Identity and Access Management.

For more information on HP Secure Advantage.

For more information on HP Adaptive Infrastructure.

Transcript of a BriefingsDirect podcast the role of identity and access management in the changing enterprise. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.