
Walk Then Run: 10 Essential Steps to Securing the Cloud

Security and Platform Insights from 15 CIOs

Every Organization Needs a Security Plan

Every business needs a strategic security plan that takes into account the potential security benefits cloud platforms have to offer. From the small startup to the Fortune 500 enterprise, every business needs to protect intellectual property and knowledge. Strategic security plans range from a few pages to large documents, yet all capture how to anticipate and block threats while ensuring the agility of knowledge and information, an essential element for a successful enterprise.

The Salesforce1 platform security model is designed for forward-thinking companies that rely on security to streamline and protect their most valuable business processes and workflows. Fifteen CIOs across financial services, manufacturing and professional services were interviewed for this paper. Their insights are the foundation of the ten essential steps for creating a platform security framework. While each of these CIOs has a different business model to support, they are all concentrating on how to build the most scalable, secure enterprise they can through the use of effective frameworks.


10 Steps to a Platform Security Framework

1. Trusted identity hub
2. Evaluate mobile development support
3. Identity management outside the application
4. Admin-configurable network-based security options
5. Support for delegated and federated authentication
6. Auditability and traceability of login history
7. Manage security to the API level
8. Network security audit passing grade
9. Best-in-class operations management
10. Virtualized infrastructure

Foundational Elements of Cloud Security

In speaking with fifteen CIOs across a range of industries, the following foundational elements emerged as the most critical to them in defining current and future strategic security plans:

Security model that extends from the cloud platform to applications. A core requirement shared by all CIOs is for a cloud computing platform to have features that enable secure applications to be built and quickly modified while staying compliant with enterprise-wide security policies. What many are looking for is the ability to provide privacy to given systems’ user data while ensuring the data itself stays independent and secure in a cloud-based database. For this reason, security to the application level needs to support all hosts, database connections, operations and support. Furthermore, the application aspects of the security model need to provide privacy for application providers and end-user customer data. What CIOs want to have is the ability to scale security from the platform to the application level, while staying in compliance with corporate-wide security guidelines. This level of governance is considered a must-have in financial services and is delivered on the Salesforce1 Platform today.

Proven ISO 27002 compliance. The most secure cloud platforms can provide evidence that their controls follow the ISO 27002 code of practice (formal certification is issued against ISO 27001, the management-system standard that ISO 27002 supports). CIOs mentioned that this is a very useful benchmark because many cloud platforms claim enterprise-level security support, yet few can show compliance with each element of ISO 27002.

The Salesforce1 Platform orchestrates security training for employees, defines a security staff and senior management team to manage security globally, and regularly completes vulnerability assessments. Only the Salesforce1 Platform goes beyond the minimum requirement of the ISO 27002 standard by providing detailed internal policy definitions, including escalation workflows for detection, response and forensics.

A successful track record of compliance with FISMA, SSAE 16, ISO 27001 and PCI DSS, plus 128-bit SSL/TLS transport encryption with VeriSign-issued certificates. Each of these is critical for a cloud platform to be secure yet scalable enough to manage multi-tenant applications that often run alongside each other. These standards are considered only the minimum set: aerospace and defense firms need compliance with a wide variety of Department of Defense standards, and financial services firms require standards compliance for financial reporting. The Salesforce1 Platform adheres to each of these standards today and has designed the security model of the platform to scale and support additions to these certifications in the future.

A scalable security model that includes customization for specific business needs. Each company’s business model is significantly different, their directions vary and the pace of growth is continually changing. CIOs mention that having the ability to define governance for their companies just once and have it replicated throughout the entire security model is essential for scalability of their security frameworks. Governance defined at the platform level saves thousands of hours a year and helps to ensure a consistent level of compliance to internal security plan benchmarks. As a result, this is a critically important component in any cloud computing security framework.

Physical security at each access point of the data center. This is a must-have for any cloud platform provider to be taken seriously by CIOs. All CIOs mentioned how advanced biometrics, access controls at the role and privilege level, and administrator-level controls are essential in any data center operation. CIOs also expect cloud platform providers to have multiple sites with full fail-over capability and redundancy. The Salesforce1 Platform currently supports all of these requirements.

Intrusion detection systems (IDS). Only state-of-the-art data centers support this level of intrusion detection, analysis and protection. With monitoring tools that evaluate application and database activity in conjunction with security event management applications, the Salesforce platform is especially adept at anticipating and responding to potential threats.

10 Essential Steps for Creating a Platform Security Framework

CIOs are faced with the challenge of delivering high performance mobile apps today, while also ensuring cloud and mobile device security. Platform security frameworks need to address the mobile and social aspects of future presales, sales and service strategies today without impacting current performance. Based on conversations with CIOs on how to create a platform security framework, the ten essential steps are:

1. Qualify cloud platforms based on their support for a Trusted Identity Hub. With mobile support critical to every enterprise, many CIOs are looking for a system that can integrate a variety of identity technologies at the platform layer. Requirements often include support for Security Assertion Markup Language (SAML) and delegated authentication, in addition to support for OAuth for connecting to social and cloud platforms. These are must-haves in fast-growing, knowledge-centric businesses that are early adopters of cloud platforms.

2. Narrow down the list of cloud platform providers by evaluating their support for declarative tools, programmatic technologies and mobile apps. Salesforce1 was specifically designed with a mobile-first approach, supporting both declarative tools that enable applications to run in legacy Salesforce environments, while also supporting Apex and Visualforce. Salesforce1 supports the rendering of both types of apps on mobile devices, all predicated on a common security model.


3. Look for cloud platforms that support identity management and authentication outside the immediate perimeter of the application. State-of-the-art cloud platforms have the ability to support authentication well beyond immediate applications, expanding to on premise systems, social, mobile and cloud applications as well. Support for this broad security platform is essential in global deployments. Only the Salesforce1 platform supports authentication outside the immediate perimeter of applications, extending to mobile and social platforms as well.

4. Best-in-class cloud platform providers offer network-based security options that are easily configured by administrators to allow access to any authorized mobile device. This is critical for the mobile strategies of every CIO interviewed. Defining mobile use to the device and IP address level is a must-have requirement, as is the ability of a cloud platform to support wiping a mobile device of all data and resetting its configuration. CIOs mentioned that the Apple iOS and Google Android options didn’t go far enough at the application level. What they want is the cloud platform to completely disable and wipe all data from their apps in real-time. Of the many cloud computing platforms that support remote device resetting and configuration, only the Salesforce1 platform can control these functions to the IP address and identity level.

5. Support for single sign-on that includes delegated and federated authentication is a must-have for complex, secured mobile applications. Cloud platforms vary in their level of support for single sign-on techniques, which has a direct impact on how agile a mobile strategy can become over time. Supporting a highly mobile workforce requires both delegated and federated authentication. With delegated authentication, the platform forwards the credentials a user submits to a customer-operated web service, which answers whether the login should be accepted; the customer's own directory remains the authority for passwords. With federated authentication, an identity provider sends a signed SAML assertion to the platform in an HTTP POST; the platform verifies the signature, issuer, audience and validity window and then establishes the session without ever handling the user's password. For mobile applications requiring a high degree of security, delegated authentication is critical. For mobile workers who don't need access to sensitive data, the federated model works best. Cloud platforms need to support both in order to meet the full set of mobility needs of CIOs today and in the future.
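The two single sign-on styles in step 5, as an added example that is not part of the original paper and not Salesforce's own implementation. The delegated side shows the platform forwarding submitted credentials to a customer-operated service and acting only on its accept/reject answer; the federated side shows an identity provider minting a short-lived assertion and the platform verifying signature, issuer, audience and validity window before creating a session. The endpoint names, the shared key, the user accounts and the JSON-plus-HMAC signature are all assumptions standing in for the XML signature real SAML uses; the checks performed are the ones a SAML service provider must do.

```python
import hashlib
import hmac
import json

# --- Delegated authentication -------------------------------------------------

# Constructed stand-in for the customer's own credential store (an LDAP or AD
# directory in a real deployment). The platform never holds these passwords.
CUSTOMER_DIRECTORY = {"alice@example.com": "correct horse battery staple"}


def customer_auth_service(username, password, source_ip):
    """Customer-operated web service (assumed endpoint). The platform calls it
    with the credentials the user submitted; it answers only accept/reject."""
    expected = CUSTOMER_DIRECTORY.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def platform_delegated_login(username, password, source_ip,
                             service=customer_auth_service):
    """Platform side: no local password check, the decision is delegated."""
    if service(username, password, source_ip):
        return {"session_for": username, "method": "delegated"}
    return None


# --- Federated authentication -------------------------------------------------

IDP_KEY = b"assumed-shared-secret"                   # stands in for the IdP signing cert
TRUSTED_ISSUER = "https://idp.example.com"           # assumed identity provider
PLATFORM_AUDIENCE = "https://platform.example.com"   # assumed service provider (the platform)


def _canonical(fields):
    # Deterministic serialisation so signer and verifier hash the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _sign(fields):
    return hmac.new(IDP_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def idp_issue_assertion(subject, now, lifetime=300, audience=PLATFORM_AUDIENCE):
    """Identity provider side: mint a short-lived assertion bound to one audience."""
    fields = {"issuer": TRUSTED_ISSUER, "subject": subject, "audience": audience,
              "not_before": now, "not_on_or_after": now + lifetime}
    return {"fields": fields, "signature": _sign(fields)}


def platform_federated_login(assertion, now, skew=60):
    """Service provider side: each check is one a SAML SP must perform before it
    trusts the POSTed assertion. Returns a session dict or None."""
    fields = assertion["fields"]
    if not hmac.compare_digest(_sign(fields), assertion["signature"]):
        return None  # tampered, or not signed by the trusted IdP
    if fields["issuer"] != TRUSTED_ISSUER or fields["audience"] != PLATFORM_AUDIENCE:
        return None  # minted for another service: blocks cross-SP replay
    if not (fields["not_before"] - skew <= now < fields["not_on_or_after"] + skew):
        return None  # expired or not yet valid (small clock skew tolerated)
    return {"session_for": fields["subject"], "method": "federated"}


if __name__ == "__main__":
    print(platform_delegated_login("alice@example.com", "correct horse battery staple", "203.0.113.5"))
    issued = idp_issue_assertion("bob@example.com", now=1_700_000_000)
    print(platform_federated_login(issued, now=1_700_000_010))
```

The audience check is the one most often skipped in home-grown verifiers: without it an assertion issued for some other service provider that trusts the same identity provider can be replayed against this platform.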

6. Look for support of auditability and traceability of login history and application use. Capturing specific account, case, contacts, login attempts and changes to opportunities, service contracts and leads is essential for continually improving the performance of a security model. Cloud platforms are often limited to just reporting application performance overall, not specific events. Only the Salesforce1 platform can report specific application activity, including login attempts, and perform traceability across the entire spectrum of devices an enterprise workforce needs to use daily.
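An added example, not code from the paper or from Salesforce, of the check that steps 4 and 6 together call for: admin-defined trusted IP ranges per profile (step 4) applied to a login-history export (step 6) to flag logins from outside the allowed networks, bursts of failed logins from one user and address, and a success that follows such a burst. The profiles, ranges, user names and log lines are constructed for this example; the export format (timestamp, user, source IP, status, client) is an assumption.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Admin-configured trusted IP ranges per profile (assumed values).
TRUSTED_RANGES = {
    "Sales Rep": ["203.0.113.0/24", "198.51.100.0/25"],
    "Sysadmin": ["203.0.113.0/24"],
}
USER_PROFILE = {"alice": "Sales Rep", "bob": "Sysadmin", "carol": "Sales Rep"}

# Constructed login-history export: timestamp, user, source IP, status, client.
LOGIN_HISTORY = """\
2021-03-01T08:01:10Z,alice,203.0.113.17,Success,Salesforce1 for iOS
2021-03-01T08:02:30Z,bob,198.51.100.9,Success,Browser
2021-03-01T08:05:01Z,carol,192.0.2.44,Invalid Password,Browser
2021-03-01T08:05:09Z,carol,192.0.2.44,Invalid Password,Browser
2021-03-01T08:05:15Z,carol,192.0.2.44,Invalid Password,Browser
2021-03-01T08:05:22Z,carol,192.0.2.44,Invalid Password,Browser
2021-03-01T08:05:40Z,carol,192.0.2.44,Success,Browser
2021-03-01T09:30:00Z,alice,203.0.113.22,Success,API
"""


def parse_history(text):
    """Parse the export into chronologically ordered records."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, ip, status, client = line.split(",", 4)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "ip": ipaddress.ip_address(ip),
                     "status": status, "client": client})
    return sorted(rows, key=lambda r: r["ts"])


def ip_allowed(user, ip):
    """Step 4: is the source address inside the ranges configured for the
    user's profile? Unknown users and profiles get no ranges, so they fail closed."""
    ranges = TRUSTED_RANGES.get(USER_PROFILE.get(user), [])
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def audit(rows, max_failures=3, window=timedelta(minutes=5)):
    """Step 6: walk the login history and return (kind, user, ip) findings:
    logins from outside trusted ranges, a burst of failed logins from one
    (user, ip) inside the window, and a success that follows such failures."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for r in rows:
        key = (r["user"], r["ip"])
        recent = [t for t in failures[key] if r["ts"] - t <= window]
        if r["status"] != "Success":
            recent.append(r["ts"])
            failures[key] = recent
            if len(recent) == max_failures:  # report once per burst, not per attempt
                findings.append(("failed_login_burst", r["user"], str(r["ip"])))
            continue
        if not ip_allowed(r["user"], r["ip"]):
            findings.append(("login_outside_trusted_range", r["user"], str(r["ip"])))
        if recent:
            findings.append(("success_after_failures", r["user"], str(r["ip"])))
        failures[key] = []
    return findings


def run_audit():
    return audit(parse_history(LOGIN_HISTORY))


if __name__ == "__main__":
    for kind, user, ip in run_audit():
        print(f"{kind:28} user={user} ip={ip}")
```

On the constructed export this reports bob logging in from outside the Sysadmin range, carol's burst of failed logins, and carol's eventual success from an untrusted address: the last pair is the pattern of a guessed password that a platform reporting only aggregate performance would never surface.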

7. A successful track record of managing security to the API level of applications. Cloud-based applications built with AJAX, ActiveX controls, Java applets and other web technologies are susceptible to cross-site scripting (XSS) and a myriad of other threats. Being able to track potential threats through monitoring, filtering and data loss prevention down to the data-flow level is increasingly showing up on the lists of CIOs evaluating cloud platforms. This includes support for security patches and continued compliance with applicable regulatory requirements, including the U.S. Sarbanes-Oxley Act and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Legacy on-premise applications are not capable of accomplishing this, yet cloud platforms including Salesforce1 track the security performance of applications to the API level.

8. Look for cloud platform providers with a track record of passing network security audits against international standards. To pass audits based on ISO 27001, ISO 27002 and SAS 70 Type II (since superseded by SSAE 16), a cloud platform provider will need two-factor authentication in place for delegated platform access, in addition to supporting IPsec and SSL/TLS with Extended Validation certificates. Load-balanced firewalls, intrusion detection and prevention of denial-of-service attacks are also requirements. Public cloud platforms can provide a subset of these functions, but not all of them. As the Salesforce1 platform is based on a unified security model that extends from the infrastructure to the application layer, all of these requirements are met today.

9. Best-in-class operations management for managing a cloud platform. This ranges from a thorough background screening process for new employees working in data centers to advanced database monitoring applications. The best-in-class cloud platform providers also have processes in place to monitor the performance of operating systems and the security improvements delivered by patches. Best-in-class operations management also supports vulnerability management, intrusion prevention, incident response, and incident escalation and investigation. The highest-performing cloud platform providers can also provide continuity management and disaster recovery management that include the individual client's enterprise-specific applications and data, as well as evidence that they have tested those procedures. While large-scale public cloud platform providers are capable of some of these processes today, the Salesforce1 platform has been purpose-built to support each of these areas in depth with traceability and real-time monitoring.

10. Virtualized infrastructure is critical to current and future cloud platform deployment and future application development. While many CIOs remarked that virtualization has become nearly a commodity-like feature of cloud platforms, their current and future plans call for greater virtualized support of mobile platforms and more effective malware prevention. Virtualization needs to extend beyond system scalability and progress towards selective control of security performance and separation of data and security information among applications, even on mobile devices. This requirement is critical for scaling mobile applications across global workforces while protecting valuable intellectual property. Of the many cloud platforms available today, only the Salesforce1 platform can scale to support each of these requirements.

Conclusion

Across a range of business models, industries and organizational maturity, our fifteen CIOs agree: regardless of size, to create a scalable and secure enterprise, organizations require the use of effective security frameworks.

The CIOs interviewed also agree that such a security framework should be based on a mobile- and social-first approach in order to ensure scalability for future presales, sales and service strategies.

Finally, the need for adherence to industry standards, a track record of compliance and a solid physical security plan are necessary for helping enterprises go from “walking” to “running” with a scalable security


About Apttus

Apttus, the category-defining Quote-to-Cash software company, drives the vital business process between the buyer's interest in a purchase and the realization of revenue. Apttus is delivered on the Salesforce1 Platform, the world's most trusted and comprehensive cloud delivery infrastructure. Applications include Configure-Price-Quote (CPQ), Renewals, Contract Management and Revenue Management. Additionally, Apttus' patent-pending X-Author technology enables Microsoft Office to serve as a user interface with full interaction and control between Salesforce™ and Microsoft Office. Apttus is based in San Mateo, California, with additional offices in London, UK; Bozeman, Montana; and Ahmedabad, India. For more information visit: www.apttus.com
