June 1, 2009

Vincent Serpico

Protect Stream Of Information Coming Into Your Company From Multiple Sources

About 2,500 years ago, the Spartans seemingly perfected cryptography by ingeniously wrapping a thin sheet of papyrus around a staff called a skytale. Today, while our encryption and data security methods have significantly improved, the need for securing data is just as relevant. And with the advent of cloud computing, new methods must be refined and perfected in order to compete in the online world of SaaS, PaaS and IaaS.

In case you’re wondering, the above-mentioned acronyms are not part of tech-geek poetry. They stand for the newest methods by which technology is developed and delivered. SaaS stands for Software as a Service; PaaS stands for Platform as a Service; and IaaS stands for Information as a Service. And while we’re at it, let’s define another hot term: cloud computing. This essentially means that the information that used to reside on your desktop, such as most software applications, now resides on a server owned by the company that developed that software. Hence, Software as a Service (SaaS). Developing and licensing software or other technology from a cloud environment is a rather new and preferred method. And if you bring up “the newest cloud application to hit the enterprise market” in your next business meeting, you’ll sound very smart.

The common mantra thus far has been “use the cloud only if security is not an issue.” However, if we are truly going to utilize the power of the cloud, the mantra should be “architect your cloud solution around a sound security model.” The cloud offers too many rich opportunities to be relegated into a space where security is an afterthought. But how do you build security into a new and evolving technology like the cloud, thus protecting the flow of your company’s intellectual property?

There are now some tried and true best practices, as well as unique approaches to securing IP data flowing into the cloud. The first is standard SSL (Secure Sockets Layer). For instance, many companies utilize Windows Communication Foundation (WCF) as their preferred method for data encryption. WCF allows the company to implement a robust security layer around all user data flowing into the servers. Through this encryption process, the security layer ensures no one is eavesdropping on sensitive data. In addition, all messages are signed to further ensure data integrity.

Companies should implement security measures that make sense for their unique scenarios. One way to ensure that customer data is secure is through a three-step algorithmic approach. First, all SOA (Service Oriented Architecture) messages are “owned” by the user. For example, if “Jon” uploads data to the servers, that line of communication is unique to Jon and can only be used by Jon. Second, to further ensure data integrity, the unique communication line that belongs to Jon also belongs to Jon’s group, or platform. Therefore, he can access data about his group, but no one else’s. Finally, the user and group binding is not only implemented in the call from the application, but also bound to the databases in the company’s servers. In essence, each user has a “tunnel” to their data that is designed in such a way that no other user can penetrate that tunnel, nor can a user expand out of his or her tunnel. Data is thus very secure.
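The three steps above can be sketched in a few lines of Python. This is an added example, not code from the article or from any vendor; the per-user HMAC keys, the user and group names, and the `records` table are constructed assumptions standing in for the signed SOA messages and the company database.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data (assumptions): per-user keys and group membership.
USER_KEYS = {"jon": b"jon-demo-key", "ann": b"ann-demo-key"}
USER_GROUP = {"jon": "acme", "ann": "globex"}

def open_db():
    """Build an in-memory database holding one constructed row per user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT NOT NULL,"
               " grp TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO records (owner, grp, body) VALUES (?, ?, ?)",
                   [("jon", "acme", "jon-design-doc"), ("ann", "globex", "ann-roadmap")])
    return db

def sign(user, group, action):
    """Client side: bind the message to its user and group with the user's key."""
    msg = f"{user}|{group}|{action}".encode()
    return hmac.new(USER_KEYS[user], msg, hashlib.sha256).hexdigest()

def handle(db, user, group, action, tag):
    """Service side: verify ownership, then group, then scope the query."""
    key = USER_KEYS.get(user)
    if key is None:
        raise PermissionError("unknown user")
    msg = f"{user}|{group}|{action}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Step 1: the message is only valid under its owner's key.
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("message not owned by claimed user")
    # Step 2: the claimed group must match the group the server has on record.
    if USER_GROUP[user] != group:
        raise PermissionError("user is not bound to this group")
    # Step 3: the binding is repeated in the query itself, so the database
    # layer cannot return rows from outside this user's "tunnel".
    rows = db.execute("SELECT body FROM records WHERE owner = ? AND grp = ?",
                      (user, group)).fetchall()
    return [r[0] for r in rows]
```

Because the owner and group appear both in the signature check and in the `WHERE` clause, a mistake in one layer does not by itself expose another user's rows.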

At first glance, the casual reader may assume a paranoid approach to data security. However, in order to facilitate widespread adoption of the cloud for enterprises, security must be built up front, and continually improved as the software evolves. By employing standard security techniques, coupled with vendor-specific approaches, IP data can be safely secured, allowing enterprises to confidently employ the power of the cloud.