BANGALORE, INDIA: The biggest global trend is movement of applications to cloud and hence the security implications thereof.  Naresh Shah, managing director, IDC and vice president, Global Engineering Strategy, Novell talks to Divya Girish of CIOL about the recent security concerns, challenges in cloud security and Novell's Cloud Security Services.

CIOL: When we think of Clouds, are the security concerns around its adoption well founded?

Naresh Shah: According to an IDC survey, "Security" was the primary issue among all challenges in the adoption of cloud computing.  It was raised as an issue by 89 p.c of the IT Managers. I will be uncomfortable if my corporate email account is hosted in a third party data center without knowing what kind of access controls they have in place. Today, enterprise administrators may not be that worried about data theft as most providers offer encrypted storage and encryption on wire. However, lack of transparency in access control and lack of real time remediation are still a cause for concern. This is where the question of data confidentiality comes into picture when enterprises move their data to cloud. Enterprises should have the flexibility to maintain mission critical data on-premise (eg. corporate identities) and still be able to leverage cloud computing as needed to expand their business.

CIOL: Can you identify the top three challenges in cloud security?

Naresh Shah: Loss of governance or compliance is projected as the most important one today. European Network and Information Security agency (ENISA) categorized the major risks as Policy and organizational,  Technical, Legal.
We found from our interactions with customers that Single sign-on, audit tracking on SaaS and provisioning users to SaaS application are the most sought after capabilities from SaaS providers.

CIOL: How secure is it to migrate data from on-premise cloud to public cloud? Are companies open to this?

Naresh Shah: If you look at the recent security breach report from US department of Health and Human services, you will notice that almost all these breaches happened in the on-premise data center.  So, the security concern of moving data off-premise is not only about if your data is secured, but also about how you can identify such breaches.
Does the provider have a process in place to detect and mitigate security issues?  Do they have good access control for their data center?

These questions are still not answered very well.   Larger enterprises are not ready to move their critical data to cloud since they don't trust the providers yet.  However, this trend is changing as more and more cloud providers are spending more effort on winning customer confidence.

4. How effective is Novell Cloud Security Services Product in managing computing market?

Naresh Shah: Novell Cloud Security Services addresses a number of security concerns and helps enterprises to move to SaaS.  Some of them are: provisioning and de-provisioning of user accounts, comprehensive audit logs from cloud applications, single sign-on capabilities between hosted applications with capabilities to extend enterprise single sign-on to cloud etc. Ability to use your enterprise accounts without duplicating them with a cloud provider and getting a audit log from the hosted application that can be correlated to your enterprise audit logs are very important for an enterprise to remain compliant. NCSS helps them by providing seemless security integration between the enterprise and the hosted environment.

Q: The global IT industry is now talking of moving to the cloud. What is your take on this? What are the advantages the cloud would offer?

Naresh Shah: Cost is still a major factor that affects this decision.   It’s not just the cost associated with computing resources, but also the cost associated with trained personnel required to manage the IT infrastructure and green computing requirements.Another advantage of moving to cloud is the agility that a cloud can offer to ramp up your business.

Q: Could you elaborate on the kind of compliance and security requirements that need to be in place for IT providers to adopt public cloud?

Naresh Shah: The required level of security could be different for each of the applications hosted.  For example, if you have an application that requires PCI compliance, you may need a log of physical access to your data center.  Enterprise administrators should be able to view the Cloud offering as an extension of their data center - as easy as adding another computing resource in their data center - for cloud computing to be successful.  One of the concerns administrators have is data confidentiality.  

How do I know that no-one else has access to my data?  We heard a lot of data security issues a few years back.  This has been addressed by many cloud providers using encrypted storage and by encrypting data in motion. Next, they need to come up with detailed compliance reports that enterprises can use for their auditing purpose. 

Q: Can you brief on your solution Novell Identity Manager 4? What is the key differentiators in your security solution?

Naresh Shah: Novell Identity Manger 4.0 is a key milestone in delivering our Workload IQ strategy.  It provides an intelligent identity framework that leverages existing IT assets and new computing models like Software as a Service (SaaS) by reducing cost and ensuring compliance across physical, virtual, and cloud environments. 

Identity Manager 4 offers an integrated identity management, roles management, comprehensive reporting and package management capabilities for pre-configuring and customizing Identity Manager driver policies. IDM4 is the industry's first solution to ensure consistent identity, security and compliance policies for an organizations entire IT ecosystem.

Identity Manger 4 is part of the Novell Compliance Management platform.  The Novell Compliance Management Platform delivers business process automation that provides users with the appropriate resources, validated in real-time to ensure compliance to company policy.  Novell continued to retain its leadership position in Gartners User Provisioning Magic Quadrant. Gartner recognizes Novell by saying "Novell’s IAM portfolio of products is well-respected by industry experts, technology professionals and long-standing customers.