This document discusses cloud computing and security considerations for organizations adopting cloud services. It makes three key points: 1. Cloud computing provides on-demand delivery of computing resources but also poses new security risks and challenges for organizations related to loss of control of data and infrastructure. A holistic risk management approach is needed. 2. Key security considerations for organizations adopting cloud services include understanding compliance requirements, performing risk assessments of cloud assets, validating information lifecycles, ensuring data security, and establishing security agreements with cloud providers. 3. As organizations lose control of their data and infrastructure in the cloud, new strategies are needed to ensure data portability between cloud providers, availability of audit controls, and proper management of data

1. Journal Online
1ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org
Cloud computing is a significant step in the
Internet’s evolution, providing the means through
which everything—from computing power to
computing infrastructure, applications, business
processes or personal collaboration—can
be delivered as a service wherever and
whenever needed.
The cloud in cloud computing can be defined
as the set of hardware, networks, storage,
services and interfaces combined to deliver
aspects of computing as a service. Cloud
service models are based on three categories:
Infrastructure as a Service (IaaS), Platform as a
Service (PaaS) and Software as a Service (SaaS).
Consumer cloud computing services have
been well-established since the Internet has been
mainstream. Well-known examples are WebMail
services and social networking platforms. However,
the adoption of cloud computing in the enterprise
sector has been slower. The numerous security
risks, concerns and challenges posed have primarily
influenced the slow uptake in cloud services, even
though they have much to offer.
Full assessment of the governance, risk
and compliance factors of cloud services by
organizations is needed to provide informed
judgments. Data and information life cycle, source
and origination, transfer, destination, validation,
and deletion all need to be understood.
Transborder data flow across countries with
different cyberlaw jurisdictions needs to be
carefully considered, and any sensitive information
leakage that results in litigation requires the
involvement of cyberlaw legal teams. Periodic
rights for third-party audit clauses, frequent
reporting mechanisms for security violations and
a clearly defined service level agreement (SLA)
between an organization and the cloud service
provider (CSP) need to be developed.
With CSPs utilizing shared pools of resources,
virtualization and isolation capabilities need to
be questioned along with identity access control
and management frameworks. Some of the
critical factors to consider are the encryption
key life cycle of virtualized environments and
the portability of information if the organization
decides to move to another CSP.
This article introduces a holistic security
approach to cloud computing and equips chief
information officers (CIOs) and information
security executives with the knowledge to
understand key security drivers, requirements,
risk factors and challenges they are likely to face
when migrating the enterprise infrastructure,
platform and services to the cloud.
Cloud Service Model
The typical characteristics of any cloud computing
environment are based on multiple concepts,
such as rapid provisioning of services, agility of
infrastructure, elasticity of computing resources
based on demand, a high level of scalability,
modularity and performance, multitenancy
through virtualization, and compartmentalization
and dynamic security. Cloud computing provides
enterprise IT economies of scale through effective
and efficient utilization of a shared pool of
resources to perform IT functions. Offloading
complementary IT functions to a cloud service
provider allows IT personnel to focus on
business-critical activities such as reducing
operational expenditures that help manage,
maintain and support the IT infrastructure.
All IT functions such as applications,
networking, security, storage and software
work in tandem to provide users with a
service based on the client-server model. This
client-server model can be delivered through
sharing infrastructure, platform and service
that are user transparent. With such ground-
breaking definitions, typically not found in
traditional enterprise architectures, this service
model should result in a shift in the way the
organization thinks.
Infrastructure as a Service
The infrastructure provides provisional
processing, storage, networks and other
Shah H. Sheikh, CISA, CISM,
CRISC, CISSP, CCSK, is the
cofounder and senior security
consultant at DTS Solution, a
dynamic start-up organization
that provides network and
security solutions in the
Middle East regional market.
Sheikh has more than 10
years of industry experience.
Having worked for a service
provider, system integrator
and multiple technology
vendors, Sheikh has extensive
knowledge on complete
project life cycles that focus
around security solutions.
Does Your Cloud Have a Secure Lining?
A Holistic Security Approach to Cloud Computing

2. 2 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org
fundamental computing resources where the consumer
can deploy and run arbitrary software, including operating
systems and applications. The consumer does not manage or
control the underlying cloud infrastructure, but has control
over operating systems, storage, and deployed applications,
and, possibly, limited control of select networking
components (e.g., host firewalls).
Platform as a Service
The platform allows the consumer to deploy onto the cloud
infrastructure consumer-created or acquired applications
using programming languages and tools supported by the
provider. The consumer does not manage or control the
underlying cloud infrastructure, including network, servers,
operating systems or storage, but has control over the
deployed applications and, possibly, the application hosting
environment configurations.
Software as a Service
The software allows the consumer to use the provider’s
applications running on a cloud infrastructure. The
applications are accessible from various client devices through
a thin client interface such as a web browser (e.g., web-
based email). The consumer does not manage or control the
underlying cloud infrastructure, including network, servers,
operating systems, storage or even individual application
capabilities, with the possible exception of limited user-
specific application configuration settings.
Figure 1 provides an example of the different cloud
computing services model structures based on the consumer
and provider relationship.
Deployment Models
There are four deployment models for cloud services, with
derivative variations that address specific requirements:
• Public cloud—The cloud infrastructure is made available to
the general public or a large industry group and is owned by
an organization selling cloud services.
• Private cloud—The cloud infrastructure is operated by a
single organization. It may be managed by the organization
or a third party, and it may exist onsite or offsite.
• Community cloud—The cloud infrastructure is shared by
several organizations and supports a specific community
that has shared concerns (e.g., mission, security
requirements, policy, and compliance considerations). It
may be managed by the organization or by a third party and
it may exist onsite or offsite.
• Hybrid cloud—The cloud infrastructure is a composition
of two or more clouds (private, community or public)
that remain unique entities, but are bound together by
standardized or proprietary technology that enables data
and application portability (e.g., cloud bursting for load-
balancing between clouds).
Cloud Computing Risk Management Framework
Numerous information security regulations, standards and
compliance frameworks have been established and matured
over the last decade (e.g., ISO 27002, the Payment Card
Industry Data Security Standard [PCI DSS], the US Health
Insurance Portability and Accountability Act [HIPAA], the US
Sarbanes-Oxley Act). Such industry standards have played a
vital role in providing organizations and security professionals
with the ability to measure security in the context of business
risk; as the awareness, importance and requirements for
securing information assets gain more traction, the industry
is set to face key challenges when it comes to securing
information assets for the cloud.
A standardized information security framework
specifically for cloud computing does not exist, given the
uniqueness in how cloud computing operates. The European
Network and Information Security Agency (ENISA),1
for
example, has developed a cloud computing risk assessment
strategy; however, global adoption and acceptance has been
difficult due to the lack of clarity on securing the cloud
infrastructure. Security professionals undoubtedly face
complexities and challenges when it comes to addressing
key security requirements for cloud computing. While any
organization should follow its own respective enterprise IT
risk management framework in the context of the cloud, other
considerations need to be assessed, evaluated and deployed
as well. Managing risk appetite when the information resides
out of the organization’s control can be problematic and it is
imperative that security SLAs are well defined with the
cloud provider.

3. 3ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org
As a common step toward managing information security
risk in the cloud, the following items focus on areas of risk
management that should be at the forefront when considering
cloud deployment:
• Identify the assets for cloud deployment (requirements
needed to move to the cloud).
• Evaluate assets and measure both the technical and business
risk associated with the assets.
• Correlate the assets to the type of cloud service and
deployment model appropriate for the organization.
• Identify the potential data flow.
• Develop audit controls that can be delivered to the organization
as a self-service or on-demand service by the CSP.
• Validate information life cycles (e.g., data encryption and
decryption, data residency, retention, deletion) for the asset.
• Ensure consistency of authorized use of assets by users
between existing in-house and proposed CSP services.
• Ensure no lock-in clause for a CSP and the ability for assets
to be portable between CSPs.
• Ensure data protection from leakage, data residency and
malicious CSP administrators.
• Examine legal risk and transborder data flow among
countries with differing legal jurisdictions.
• Ensure that security SLAs with the CSP have clearly defined
financial penalty clauses for any violations.
Figure 1—Cloud Computing Service Models
SaaS
PaaS
IaaS
Host Application,
Services and Software
Platform and
Infrastructure Software
Virtualization and
Multitenancy
Operating System
Physical
Servers
Network and Security
Infrastructure
Data Center
Foundation
• Software as a Service
• Enterprise email
• Hosted IP telephony—VoIP
• Hosted teleconferencing
• ERP/HR/payroll systems
• Electronic health records database system
• Federated identity access—cross-domain SSO
• Portals
• Transactional sites
• Virtual desktop profiles
• Data center site
• Power
• Physical access control
• HVAC
• Data center fabric
• Switches, routers and access points
• Service layer—application control delivery
• Network security
• Federated identity access
• IPAM, DNS, DHCP, QoS
• Physical servers
• Storage area network (SAN)
• Computer/storage resource
• Windows Server 2008
• Redhat Linux Enterprise
• Solaris
• Partitions/containers
• Virtualization—ESX, Hyper-V, XenServer virtual machines
• Virtual networking—VRF/virtual routers
• Virtual security—virtual firewall systems
• Virtual ADC and load balancing
• Commercial-off-the-shelf (COTS) platforms
• Customized developed platforms
• Infrastructure manage software

4. 4 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org
Compliance and Audit Control in Cloud Computing
Environments
When infrastructure/platforms and services are under the
control of the organization, ensuring compliance through
governance is straightforward—roles and responsibilities
are clearly defined, compliance controls are designed and
implemented with management approval, and audit of
compliance status can easily be tracked and measured. When
services are migrated to the cloud, an organization loses
control on how compliance is implemented and maintained
and this control is relinquished to the CSP. As part of any
compliance requirement, a gap analysis must be undertaken
to identify how regulatory, legislative and industry compliance
can be designed and implemented from day one. It is
imperative that any compliance requirements the organization
is required to observe are validated and certified before
migrating to the cloud.
Of the many regulations touching on information
technology with which organizations must comply, few were
written with cloud computing in mind. Auditors and assessors
may not be familiar with cloud computing generally or with a
given cloud service in particular. That being the case, it falls
upon the cloud customer to understand:
• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between the CSP and
the customer
• The CSP’s ability to produce evidence needed for
compliance on demand
• The cloud customer’s role in bridging the gap between the
CSP and the auditor/assessor
The following recommendations should be carefully
considered by the cloud customer when applying compliance
and audit control processes within a cloud environment:
• Reserve the right to request an on-demand audit of the
services to which the customer is subscribed (a right-to-
audit clause).
• Comprehensively analyze legal and contractual agreements
and terms that address compliance needs.
• Analyze the compliance scope to ensure that the compliance
regulations to which the organization is subject are not
impacted by the use of cloud services.
• Examine the impact of regulatory compliance for data
security and determine if the data that will move to the
cloud are subject to compliance requirements.
• Review CSP partners; in certain cases, a CSP may
subcontract partial functions (i.e., data processing) to
another party.
• Determine how to provide on-demand evidence of compliance
and how each compliance requirement is being met.
Information Life-Cycle Management in the Cloud
One of the primary goals of information security is to protect
the fundamental data that power an organization’s systems
and applications. As an
organization transitions to
cloud computing, its traditional
methods of securing data are
challenged by cloud-based
architectures. Elasticity,
multitenancy, new physical
and logical architectures, and
abstracted controls require
new data security strategies. With many cloud deployments,
data are also transferred to external—or even public—
environments in ways that would have been unthinkable only
a few years ago.2
Key challenges regarding data life-cycle
security in the cloud include:
• Location of the data—There must be assurance that
data, including all copies and backups, are stored only in
geographic locations permitted by contract, SLA and/or
regulations. For example, use of compliant storage as
mandated by the European Union for storing electronic
health records can be an added challenge to the data owner
and CSP.
• Data remanence or persistence—Data must be effectively
and completely removed to be deemed “destroyed.”
Therefore, techniques to effectively and completely locate
data in the cloud, erase/destroy data, and ensure the data
have been completely removed or rendered unrecoverable
must be available and used when required.
• Commingling data with other cloud customers—Data,
especially classified/sensitive data, must not be commingled
with other customer data without compensating controls
while in use, storage or transit. Commingled data are a
challenge when concerns are raised about data security
and geolocation.
• Data backup and recovery schemes for recovery and
restoration—Data must be available, and data backup and
”
“Traditional methods
of securing data
are challenged
by cloud-based
architectures.

5. recovery schemes for the cloud must be effectively in place
in order to prevent data loss, unwanted data overwrite and
destruction. It should not be assumed that cloud-based data
are backed up and recoverable.
• Data discovery—As the legal system continues to focus
on electronic discovery, CSPs and data owners must focus
on discovering data and assuring legal and regulatory
authorities that all data requested have been retrieved.
In a cloud environment, if the question of discoverability
arises, it is extremely difficult to answer and will require
administrative, technical and legal controls when required.
• Data aggregation and inference—With data in the cloud,
there are added concerns of data aggregation and inference
that could result in breaching the confidentiality of sensitive
and private information. Therefore, practices must be in
place to assure data owners and data stakeholders that
their data are protected from subtle breach when data are
commingled and/or aggregated, thus revealing protected
information (e.g., medical records that contain names and
medical information mixed with anonymous data but that
contain the same crossover field).
Cloud Data Security Life Cycle
The cloud data security life cycle is different from information
life-cycle management as it reflects the different needs of
the security audience. Careful consideration is needed when
migrating corporate data to the cloud. The cloud data security
life cycle consists of the following six phases:
• Create—Classify and assign rights to data, data labeling
techniques, digital rights management and watermarking,
and user tagging to classify data.
• Store—Base data access control on who needs to know,
as well as on the database management system (DBMS),
the document management system, data encryption and
decryption to authorized users, and content discovery tools
(such as data loss prevention).
• Use—Use activity monitoring and enforcement via log
files, rights management and logical controls using DBMS
solutions, and data owner notification on change of status.
• Share—Use encryption for transit information and signed
documents, activity monitoring for shared information, and
maintaining integrity for transit data.
• Archive—Monitor data residency within storage
environments, asset management, tracking and encryption
on backup archived information and for data at rest.
Archived data should be retrieved only by the data owner.
• Destroy—Ensure removal and secure deletion of
information by authorized personnel; validate deletion
with content discovery. Cryptoshredding and content
construction should not be possible.
Data Portability and Interoperability Between
Cloud Providers
The cloud brings new opportunities for enterprises to develop
and deploy efficient and compelling services, unlock the
potential of the public and private domain data, and reduce
costs for information and communications technology (ICT)
services. Cloud’s interoperability and portability are key topics
of discussion for policy makers, both as a tool to reduce
integration costs and to reduce dependence on large ICT
vendors.
While systems interoperability becomes the primary
domain of the CSP, issues around data interoperability still
remain important, and perhaps even critical, as enterprise
data become increasingly contained within the systems
provided through the CSP. Many public cloud networks
are configured as closed systems that do not interact with
each other. This lack of integration makes it difficult for
organizations to consolidate their IT systems in the cloud and
realize the resultant productivity gains and cost savings. The
issue of cloud portability is important to all enterprises, as
they want to ensure that customers can switch CSPs without
unreasonable switching costs. Inevitably, when a customer
changes the CSP, it is reasonable to assume that there will be
a certain amount of switching costs. However, from a cloud
portability perspective, it also becomes critical that data are
shareable between CSPs, since without the ability to port
data, it would become impossible to switch CSPs at all.
Policies need to be crafted around data-interoperability-
related issues to ensure that data interchange between cloud
services is unhindered, as most enterprise users are likely to
use heterogeneous CSPs for their needs. Policy makers must
focus on data ownership and control issues to ensure that the
owners continue to control the destiny of their data.
To achieve the economies of scale that will make cloud
computing successful, common platforms are needed to
ensure users can easily navigate between services and
applications regardless of where they are coming from and to
enable organizations to more cost-effectively transition their
5ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org

6. IT systems to a services-oriented model. IT personnel want
the same types of control they have in the data center in the
cloud. When an organization pushes data out to the cloud, it
outsources availability and security to the cloud vendor, which
is considered a major weakness.
Virtualization and Multitenancy Environments
The ability to provide multitenant cloud services at the
infrastructure, platform or software level is often underpinned
by the ability to provide some form of virtualization to create
economic scale—utilization of a shared pool of resources to
host multiple tenants. However, use of these technologies
brings additional security concerns. While there are several
forms of virtualization, by far the most common is the
virtualized operating system known as virtual machines
(VMs). If VM technology is being used in the infrastructure
of the cloud services, the organizations must be concerned
about compartmentalization, isolation and hardening of those
VM systems.
The reality of current practices related to management of
virtual operating systems is that many of the processes that
provide security-by-default are missing and special attention
must be paid to replacing them.3
The core virtualization
technology itself introduces new attack surfaces in the
hypervisor and other management components, but more
important is the severe impact virtualization has on network
security. VMs now communicate over a hardware backplane,
rather than a network.4
As a result, standard network
security controls are blind to this traffic and cannot perform
monitoring or in-line blocking. These controls need to take a
new form to function in the virtual environment.
Interference and commingling of data in centralized
services and repositories are additional concerns. In theory,
a centralized database as provided by a cloud computing
service should improve security over data distributed over a
vast number and mixture of endpoints; however, this is also
centralizing risk, increasing the consequences of a breach.
Another concern is the commingling of VMs of different
sensitivities and security. In cloud computing environments,
the lowest common denominator of security is shared by all
tenants in the multitenant virtual environment, unless new
security architecture can be achieved that does not “wire in”
any network dependency for protection.
Virtualization technology has been around for many years
and many enterprises already have some form of virtualization
deployed within their internal data centers; however, with a
CSP that requires providing virtualization in a multitenancy
environment, the security risk inevitably increases.
Application and Hypervisor Security
Cloud environments by virtue of their flexibility, openness
and, often, public availability challenge many fundamental
assumptions about application security. Some of these
assumptions are well understood; many are not. Cloud
computing can influence security over the lifetime of an
application in many ways—from design, to operations, to
decommissioning.
It is important that all stakeholders, including application
designers, security professionals, operations personnel and
technical management, understand how to best mitigate risk
and manage assurance within cloud computing applications.
Cloud computing is a particular challenge for applications
across the layers of SaaS, PaaS and IaaS. Cloud-based
software applications require a design rigor similar to
applications residing in a classic DMZ. This includes a
deep up-front analysis covering all the traditional aspects
of managing information confidentiality, integrity
and availability.
Applications in cloud environments impact and are
impacted by the following aspects:
• Application security architecture—Consideration must be
given to the reality that most applications have dependencies
on various other systems. With cloud computing,
application dependencies can be highly dynamic, even to the
point that each dependency represents a discrete third-party
service provider. Cloud characteristics make configuration
management and ongoing provisioning significantly more
complex than in traditional application deployment. The
environment drives the need for architectural modifications
to assure application security.
• Compliance—Compliance clearly affects data, but it also
influences applications (e.g., regulating how a program
implements a particular cryptographic function), platforms
(perhaps by prescribing operating system controls and
settings) and processes (such as reporting requirements for
security incidents).
• Vulnerabilities—These include not only the well-
documented—and continuously evolving—vulnerabilities
associated with web apps, but also vulnerabilities associated
with machine-to-machine service-oriented architecture
(SOA) applications, which are increasingly being deployed
in the cloud.
6 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org

7. • Tools and services—Cloud computing introduces a number
of new challenges around the tools and services required
to build and maintain running applications. These include
application management utilities, the coupling to external
services, and dependencies on libraries and operating system
services, which may originate from CSPs. Understanding the
ramifications of who provides, owns, operates and assumes
responsibility for each of these is fundamental.
Hypervisor security is the process of ensuring the hypervisor
(the software that enables virtualization) is secure throughout
its life cycle, including during development, implementation,
provisioning, management and deprovisioning. The hypervisor
that enables virtualization and the use of VMs is a critical
component for securing VM assets in the cloud. The hypervisor
is the central software that enables VM-to-VM communication
and VM-to-external-entity communication; therefore, it is the
most critical component in providing security.
VM-to-VM communication does not traverse the network
infrastructure and remains inside the physical server;
therefore, the traditional network security firewalls cannot
be deployed for traffic inspection. It is important to give
consideration to hypervisor security in the form of a security
virtual appliance. A virtual firewall that operates at the
hypervisor level provides security among VMs and increases
visibility of the communications among authorized VMs.
Without such mechanisms in place, the organization is likely
to be susceptible to blind attacks.
A common hypervisor security deployment is illustrated
in figure 2 where products such as the virtual GW (vGW)
product from Juniper Networks or Cisco ASA 1000V are
providing security to the individual VMs. Security and
compliance concerns are first-order priorities for virtualized
data center and cloud deployments.
Encryption and Key Management
Cloud users and providers need to protect against data loss,
leakage and theft. Encryption of personal and enterprise data
is widely used and, in some cases, mandated by laws and
regulations around the world. Cloud customers want the same
level of data encryption services for data at rest and in motion
and want their providers to encrypt their data to ensure
protection—no matter where the data are physically located.
Likewise, the CSP needs to protect its customers’ sensitive
data to avoid embarrassment and protect its own integrity.
Figure 2—Virtual Machine Hypervisor Security Deployment
Strong encryption with key management is one of the
core mechanisms that cloud computing systems should
use to protect data. While encryption itself does not
necessarily prevent data loss, safe-harbor provisions in
laws and regulations treat lost encrypted data as not lost at
all. The encryption provides resource protection while key
management enables access to protected resources.
One common question that often comes up during cloud
computing discussions is where the enterprise data are stored.
Data sovereignty raises issues for businesses adopting cloud
computing for sensitive data. CSPs often store customer
data in various geographical locations to ensure scalability,
efficiency and resiliency—often on a common platform shared
by multiple tenants. The organization’s data may not reside
within the same country as the business, and privacy laws and
jurisdictions may vary dramatically among countries
and regions.
When moving applications to the cloud, the organization
must understand not only where its users reside, but also
7ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org
Virtual Network
Physical Security Is “Blind” to
Traffic Between Virtual Machines
VM1
HYPERVISOR
VM2
VIRTUAL
SWITCH
VM3
ESXHost

8. 8 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org
where its data reside in the cloud application—if not precisely,
at least in which legal jurisdictions. This information can be
difficult to determine, as data are constantly in motion in
the cloud.
Cloud environments are shared with many tenants, and
service providers have privileged access to the data in those
environments. Thus, confidential data hosted in a cloud
must be protected using a combination of access control,
contractual liability and encryption. Of these, encryption
offers the benefits of minimum reliance on the CSP and lack
of dependence on detection of operational failures.
Encrypting Data in Transit Over Networks
There is the utmost need to encrypt multiuse credentials, such
as credit card numbers, passwords and private keys, in transit
over the Internet. Although CSP networks may be more secure
than the open Internet, they are, by their very architecture, made
up of many disparate components, and disparate organizations
share the cloud. Therefore, it is important to protect this
sensitive and regulated information in transit even within the
CSP’s network. Typically, this can be implemented with equal
ease in SaaS, PaaS and IaaS environments.
Encrypting Data at Rest
Encrypting data on disk or in a live production database has
value, as it can protect against a malicious CSP or a malicious
cotenant as well as against some types of application abuse.
For long-term archival storage, some customers encrypt their
own data and then send them as ciphertext to a cloud data
storage vendor. These customers then control and hold the
cryptographic keys and decrypt the data, if necessary, back on
their own premises. Encrypting data at rest is common within
IaaS environments, using a variety of provider and third-party
tools. Encrypting data at rest within PaaS environments is
generally more complex, requiring instrumentation of provider
offerings or special customization. Encrypting data at rest
within SaaS environments is a feature cloud customers cannot
implement directly and need to request from their CSP.
Encrypting Data on Backup Media
This can protect against misuse of lost or stolen media. Ideally,
the CSP implements it transparently. However, as a customer
and provider of data, it is the organization’s responsibility to
verify that such encryption takes place. One consideration for
the encryption infrastructure is dealing with the longevity of
the data.
Tokenization
Emerging technologies that provide complete encryption using
standardized encryption algorithms and key management life
cycle have seen significant growth. One emerging technology
known as tokenization provides the enterprise customer of
the CSP the ability to store, retrieve and delete data based on
keys that the enterprise holds. No other cotenant—or the
CSP, for that matter—has access to the data. Any store,
retrieve and delete process of the residence data can be
encrypted and decrypted only by keys that are owned by the
enterprise customer. Tokenization techniques are now being
adopted for PCI DSS compliance.5
Tokenization and Data Residency
Tokenization is the process of substituting original (sensitive)
data with randomly generated alphanumeric values (tokens).
While structurally similar to the original data, these tokens
have no mathematic relationship with the original data. The
mapping between the original data and tokens is stored in a
secure token database, and access to this database is required
to reverse the process and retrieve the original data. By
retaining original data within the concerned jurisdiction and
storing tokens in cloud applications, data residency challenges
can be eliminated.
Tokenization Eliminates Cloud Data Residency Challenges
Tokenization technology allows customers to replace sensitive
information with anonymous values (tokens) that respect field
formatting and preserve all native features and functionality
of compatible cloud solutions, such as searching, sorting
and reporting. The token database that stores sensitive
information can either be placed behind the enterprise
firewall or with a trusted hosting provider in the customers’
jurisdiction. Additional key characteristics include:
• Rapid configuration and deployment
• High-performance architecture with ultra-low latency
• Support for multiple load-balancing and high-availability
deployment topologies to address global customer needs
• Subscription-based pricing that eliminates up-front
capital expenditure
• Centralized logging and auditing of user activities in
the cloud
• Extensible architecture for cross-platform tokenization
Federated Identity and Access Management in the Cloud
Managing identities of users and access control for enterprise
applications remains one of the greatest challenges facing IT

9. 9ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org
today. While an enterprise may be able to leverage several
cloud computing services without a good identity and access
management (IAM) strategy, in the long run, extending an
organization’s identity services into the cloud is a necessary
precursor toward strategic use of on-demand computing
services.6
Supporting today’s aggressive adoption of an
admittedly immature cloud ecosystem requires an honest
assessment of an organization’s readiness to conduct cloud-
based IAM, as well as understanding the capabilities of the
organization’s cloud computing providers.
Identity Provisioning
One of the major challenges for organizations adopting cloud
computing services is the secure and timely management of on-
boarding (provisioning) and off-boarding (deprovisioning) of
users in the cloud. Furthermore, enterprises that have invested
in user management processes within an enterprise will seek to
extend those processes and practices to cloud services.
Authentication
When organizations start to utilize cloud services,
authenticating users in a trustworthy and manageable
manner is a vital requirement. Organizations must address
authentication-related challenges such as credential
management, strong authentication (typically defined as
multifactor authentication), delegated authentication and
managing trust across all types of cloud services.
Federation
In a cloud computing environment, federated identity
management plays a vital role in enabling organizations
to authenticate their users of cloud services using the
organization’s chosen identity provider (IdP). In that context,
exchanging identity attributes between the CSP and the IdP in
a secure way is also an important requirement. Organizations
considering federated identity management in the cloud
should understand the various challenges and possible
solutions to address those challenges with respect to identity
life-cycle management, available authentication methods
to protect confidentiality, and integrity while supporting
nonrepudiation.
Authorization and User Profile Management
The requirements for user profiles and access control policy
vary depending on whether the user is acting on his/her/
its own behalf (such as a consumer) or as a member of an
organization (such as an employer, university, hospital or
other enterprise). The access control requirements in SaaS,
PaaS and IaaS (SPI) environments include establishing trusted
user profile and policy information, using it to control access
within the cloud service and doing this in an auditable way.
Identity Federation
Identity federation builds a trust relationship between
applications that reflects business affiliations so that
employees can remotely access applications with a single
sign-on (SSO), regardless of whether or not the applications
are locally or remotely located. Identity federation also
protects an employee’s private information. As a first step
toward the organization’s cloud initiative, it is recommended
to use an identity federation solution with an open-standard
solution, such as Security Assertion Markup Language
(SAML), to ensure interoperability in a hybrid cloud
environment while extending the organization’s internal
IAM systems into the cloud. SAML addresses one of the key
challenges in how to integrate all cloud computing resources
with internal enterprise resources in order to deliver a unified
service to employees and customers anywhere and anytime
while still maintaining a secure environment.
Figure 3 shows the user is accessing many applications on a
hybrid cloud computing environment, which goes beyond the
boundary of the enterprise data center. The cloud environment
must enforce the user’s access control, i.e., outside the data
center, and this creates new challenges for the enterprise when
adopting cloud computing and transforming its business.
Single Sign-on Challenge
The enterprise typically uses access management to integrate
applications in different domains to an application portal
so that the end user can access applications without
reauthentication. While access management might work well
for the applications within the data center or within the same
domain, the cloud computing service typically is external to
the data center and is located within a different domain and
shared with multiple tenants.
Security Challenge
Security is another challenge; one example is an access
control policy change. Typically, the application is associated
with a dedicated IAM solution. Many applications using this
approach create duplicated IAM functionality. Therefore,
the application’s access control policies reside in multiple

10. 10 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org
Figure 3—Identity Access and Federation Within Cloud Computing Environment
locations across the network, creating policy management
overhead and complexity. Furthermore, an employee
often requires multiple roles for different applications,
and the duplication of IAM prevents identity provision
and enforcement on demand. Finally, the traditional IAM
approach cannot fit into a cloud computing platform because
the enterprise does not control the CSP’s IAM practices and
has even less influence over strict security practices.
Identity federation is based on two important concepts:
1. The virtual reunion or assembled identity of a person’s user
information (or principal), which is stored across multiple
distinct identity management systems. Typically, the user’s
name, being a common token, joins the data.
2. A user’s authentication process, which is integrated across
multiple IT systems or even organizations
For example, a traveler could be a flight passenger and a
hotel guest. If the airline and the hotel use a federated identity
management system, they have a contracted mutual trust in
each other’s user authentication. Initially, the traveler can
self-identify as a customer for booking the flight and then this
distinct identity can be transferred for hotel reservations.
The ultimate goal of identity federation is to enable
users of one domain to securely access data or systems of
another domain seamlessly, without requiring redundant user
administration. This requires that all participating systems use
the same protocol to be interoperable. For example, public
cloud computing service providers such as Google, Amazon
and Salesforce.com offer their own IAM interface, which, by
default, is not capable of single sign-on (SSO). Private cloud
computing service providers may recommend different
Identity Provider (IdP) Cloud Service Provider
The Organization IDaaS Agent
LDAP Queries
Active Directory
AD Authentication
User Entity A
Local Identity Store
VM Entity A
WWW APP DB
VM Entity B VM Entity C
LDAPS (LDAP Over SSL)
One-way Sync
Identity Federation

11. 11ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. www.isaca.org
IAM practices than enterprise customers. To integrate cloud
service into an enterprise’s access portal with SSO, the use of
an identity federation open standard, such as SAML,
is recommended.
The SAML protocol decouples both the SAML identity
provider and the SAML service provider. This enables the
enterprise to have a centralized identity provider that can
support many other service providers in a distributed fashion.
The SAML identity provider focuses on identity management,
access policy management and security token generation,
while SAML service providers receive the remote security
token, retrieve credential data and reinforce user access
policies locally.
With the SAML protocol, the enterprise can provide
services to other enterprises. Identity federation supports
cross-domain SSO and interchanges access control
information with a wide range of partners, reflecting business
trust relationships.
The SAML protocol is interoperable. Because CSPs
implement different identity federation protocols or different
versions of the same protocol, the enterprise cloud can
leverage Security Token Service (STS) to interoperate
between these different SSO practices. For example, the
SAML assertion token can be converted between SAML 1.1
and SAML 2.0.
Identity Authentication Flow Patterns
Identity authentication patterns reflect authentication
flows between the user and IAM. All participants globally
are required to log into a common application platform,
creating a fan-in identity authentication flow to applications.
Enterprise users can log into a portal and then access
different applications using SSO, creating a fan-out identity
authentication flow. During mergers and acquisitions,
authentication flows between the two companies involved
often spill over because each company holds partial identity.
In three authentication flows, the IAM is required to handle
on-demand requests and do so in high volume. As a result, the
enterprise IAM often faces challenges concerning performance
and on-demand capacity to meet SLAs. Identity federation
does not change the flow of the identity authentication.
However, it decouples the authentication process and access
control process such that regulating identity authentication
occurs at one site and reinforcing authorization occurs at
another. This simplifies the IAM infrastructure.
Enterprises use identity authentication patterns in the
following ways:
• To act as the identity provider, processing employee
authentications locally. With identity federation, the
employees’ service requests fan out to the cloud services.
• To build a private cloud data center that hosts services,
acting as a service provider. With identity federation, the
service requests from different trusted partners fan into this
private cloud data center with SSO.
• For two companies involved in a merger and acquisition
process, where employees’ service requests cross over
different domains and data centers with SSO
Identity Federation Pattern: Trust Domain
The identity federation is about creating a trust domain.
This is the trust relationship of identity authentication and
authorization that reflects the business relationship. A trust
relationship can transfer trust from one party to another,
creating a trust domain chain. The user can have different
credentials in each application or cloud service. When these
applications and cloud services are in a chained trust domain,
the SAML identity provider can reconcile different identities,
allowing users to access different applications using their
appropriate credentials. As in the previous example where a
traveler is both a flight passenger and a hotel guest, if both
the airline and the hotel use a federated identity management
system, they have a contracted mutual trust in each other’s
authentication of the passenger/guest. Initially, the traveler
can self-identify as a customer when booking a flight and
then be transferred for a hotel reservation as an identified
customer. The enterprise can leverage this pattern to integrate
different cloud services into the enterprise remote access
portal to improve overall productivity.
SAML Patterns: Identity and Service Providers
With the trust partnership, the involved parties can act as
an identity provider, which asserts information about the
user, or a service provider, which consumes the assertion
provided by the identity provider. In SAML integration,
the SAML identity provider directly accesses an identity
management system such as LDAP or Active Directory, while

12. 12 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org
the SAML service provider strictly reinforces application
access. An SAML integration pattern decouples the access
and the authentication so that access and authentication can
collaborate within a trusted domain over the Internet.
The enterprise can create a centralized identity service
with an identity provider that supports SAML for cross-
domain SSO; the enterprise can also implement SAML service
provider functionality in the private cloud data center with
ease using identity management.
Cloud Ready Data Center
Cloud computing can vastly improve the performance, scale,
agility and security of applications in any data center. This
reduces IT costs while improving the user experience. IT
services are delivered by infrastructures that are centrally
managed and shared through consolidation and virtualization.
Any of the standard data center elements—such as servers,
appliances, storage and other networking devices—can be
contained within a cloud-like architecture. By abstracting
the logical from the physical, these elements can be arranged
in resource pools that are shared securely across multiple
applications, users, departments, suppliers and customers. The
resources in these pools can also be dynamically allocated to
accommodate the changing capacity requirements of different
applications and improve asset utilization levels. Consequently,
cloud infrastructures have proven to simplify management,
reduce operating and ownership costs, and allow services to be
provisioned with unprecedented speed. The characteristics of
the cloud-ready data center, or next-generation data center, are
based on building simplified, scalable, agile and secure networks
with these design objectives.
Success in building a cloud-ready data center network
requires three steps:
1. Simplify the architecture. Consolidate siloed systems and
collapse inefficient tiers using a network fabric and a single
network operating system. This gives the organization
fewer devices, a smaller operational footprint, reduced
complexity, easier management operations and improved
application performance.
2. Share the resources. Virtualize network resources to
segment the network into simple, logical and scalable
partitions for the organization’s various applications and
services while using fabric technology to ensure seamless
connectivity to those resources regardless of where they
are located. Keep privacy, flexibility, high performance
and quality of service (QoS) as primary goals. This sharing
enables agility for multiple users, applications and services.
3. Secure the data flows. Make sure that integrated and
dynamic security services are resident in the network to
provide security scale, threat visibility and enforcement.
These comprehensive services secure data flows across
both physical and virtual environments, while leveraging
centralized orchestration to drastically simplify the
enforcement of dynamic, application-aware and identity-
aware policies, ultimately ensuring better application
availability and network performance.
It is also important to automate at each step. Whether the
organization is running its internal IT infrastructure to be cloud-
like or plans to connect with
public cloud services, designing
a cloud-ready data center
network involves removing
the restrictions on where the
organization places its resources.
This gives the organization
significant operational
advantages that can help it
lower costs, increase efficiency,
and keep its data center agile enough to accommodate any
changes in business or technology infrastructure.
Conclusion
Numerous information-, network- and application-related
security concerns that CIOs face when cloud computing
comes up during board meetings have been identified. The
strategic decision to migrate to the cloud can be well justified
economically and commercially—allowing organizations
to focus on their business objectives. However, the main
inhibiting factor and slow rate of cloud adoption can be
attributed to the lack of security knowledge within the cloud.
Innovative cloud-based security technologies, along with
international cloud security frameworks, are being developed
to address the need, and it is important that information
security is at the forefront of any cloud computing discussion.
”
“Designing a cloud-ready
data center network
involves removing the
restrictions on where
the organization places
its resources.

13. Endnotes
1
ENISA, Cloud Computing Security Risk Assessment,
20 November 2009, www.enisa.europa.eu/activities/
risk-management/files/deliverables/cloud-computing-risk-
assessment
2
Cloud Security Alliance, https://cloudsecurityalliance.org/
education/ccsk/
3
DTS Solution, www.dts-solution.com/?page_id=70
4
Raj, Pethuru; Cloud Enterprise Architecture, Auerbach
Publications, 2012
5
Scoping SIG and Tokenization Taskforce, Information
Supplement: PCI DSS Tokenization Guidelines, PCI
Security Standards Council, August 2011,
https://www.pcisecuritystandards.org/documents/
Tokenization_Guidelines_Info_Supplement.pdf
6
Cloud Security Alliance, SecaaS Implementation Guidance,
Category 1: Identity and Access Management, September
2012, https://downloads.cloudsecurityalliance.org/
initiatives/secaas/SecaaS_Cat_1_IAM_Implementation_
Guidance.pdf
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription
to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance
Institute®
and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in
writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St.,
Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date,
volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without
express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org
13 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. www.isaca.org