Cloud Security Basics: Access Control
Posted by Ian Huynh on March 8, 2010
In previous posts, we introduced some basic cloud security concepts, including what questions you should always ask a cloud vendor. In the coming weeks, I am going to dig into the details behind those questions, such as encryption, key management, access control and others.
What’s important to remember at the highest level is that when it comes to cloud security, some requirements may change or differ when you are in the cloud versus on premise, but the fundamentals do not. Whether in the cloud or on premise, infrastructure needs to be secured, applications need to be secure, and you need to follow secure operational practices. It’s sort of like a pyramid – your cloud provider has to balance all three elements to ensure protection and security. By stretching or shrinking any single facet, the foundation of your security, and therefore the protection of your data, will be inherently weak.
One of those important foundational elements is access control: who is accessing what, when, how and where. And can you audit that access for compliance reporting? There are three areas I want to focus on with access control: physical access, personnel access, and application access.
1. Physical Access Control
- A secure cloud system begins with the vendor putting limits on who can access your data. Most people are familiar with application access control and user entitlements, but physical access control is just as important. Most people take it as a given that their vendors will have robust access controls in place, but this is not always the case. Vendors should be limiting physical access to backup storage as well as to the servers and other critical network systems.
2. Personnel Access
- Personnel considerations are another aspect of network security closely related to physical access control. Who does your vendor let access your data, and how are those people trained? Do they approach operations with a security-centric mindset? The security of any platform depends on the people that run it, which means HR practices can have a huge impact on your vendor’s security operations. Smart vendors will institute background checks and special security training for their employees to defend against social engineering and phishing attacks. They will also have clear policies in place along with strong authentication, monitoring and reporting.
3. Application Access
- When it comes to application access control, think front-end as well as back-end. The application may have rigorous access management rules when it is accessed via the application interface (the front end of the app), but what about the system maintenance activities and related accesses, such as patching, that your cloud vendor routinely performs to ensure optimal application and system performance? Does your cloud vendor apply the same rigorous access control rules (if not stricter ones) to those back-end accesses?
Tags: Access Control, Business Integration, Cloud Security, SaaS