Enabling Cloud Computing
by Marco Rottigni - SSL VPN Product Manager – Stonesoft
Cloud Computing is one of the most frequent buzzwords heard these days. You may think it
is the next big thing, as it seems to be recognized as the new paradigm for IT in any kind of
organization - from small to large, from the private to the public sector, private and stock-listed
companies alike.
However, Cloud Computing is not hassle-free, and you can waste a lot of time speculating about
privacy, data protection, security and possible misuse.
Wikipedia defines Cloud Computing as "a paradigm shift whereby details are abstracted from
the users who no longer need knowledge of, expertise in, or control over the technology
infrastructure in the cloud that supports them. It typically involves the provision of dynamically
scalable and often virtualized resources as a service over the Internet."
Cloud computing is the "phrase du jour" and, as usual, concepts and definitions change
according to who is talking. "Cloud", as in the Internet, and "computing" are the only terms that do
not change, but every time you combine them things become fuzzier and fuzzier.
There is one single good reason that motivates me to write this article: the
consideration that no matter how big the fence is, there must be a way out and a way in. And that
is where SSL VPN technology comes into play.
When SSL VPN solutions first hit the market a few years ago, they were all classified as a
clientless replacement for mobile IPSec VPN... although they are not.
Mobile IPSec VPN and SSL VPN are two different things, made for two different purposes, and
you will realize this as you continue reading this article. I hope to be able to demonstrate why
you would want to adopt SSL VPN to enable your corporate cloud computing experience.
First, let us start from a dogma: cloud computing is a state of mind. It is something you
feel comfortable with, it is something you want, something you think is good for your company, and
for the corporate IT you are most probably responsible for.
Second, how do you access it? Access is the keyword here, since everything in Cloud Computing is
related to it: you need to provide trusted, authenticated, assessed, easy, consistent,
office-like access to corporate-approved applications. Every concern and every weakness,
functionality, feature and usability issue comes down to planning a consistent access strategy.
So, let's talk about this access thing. Access means at least that you need to care about
the following: the user needs to have a similar experience inside and outside the office,
since the application exists "in the cloud". Access is a matter of trust, and this trust
involves not only the user, but also his equipment, the location he is connecting from, the
client and OS he is using, the authentication method... and more. That is, the user session as a
whole.
Access is persistent; hence checks, scans and validation must be persistent as well. Moreover,
access is not related to human beings only; we could talk of ATMs talking to corporate services,
web services conversing with other web services, etc.
Access has an end; thus, we might want to eliminate any trace of our "been there, done that"
once that specific access is over.
Access is to applications, to systems the user wants to use for specific purposes, NOT to
networks, tunnels, corporate IP addresses... these are only relevant for network maintenance, not
for user experience.
Now, step back and think whether IPSec VPN really is so close to SSL VPN as you thought when
you started reading this article. It definitely is not, right?
Now that you have understood how to start with cloud computing, let us consider
several other things that a decent system enabling your access to cloud computing
should take care of.
First things first: before even granting access you need to check the equipment, the connecting
conditions, the presence of certain software (antivirus) and the absence of other software (trojans). This
must cover the initial pre-access check and must be repeated periodically, to ensure that the clean
state persists until the end of the session. During this phase, you might even want to perform some
hardware checks in some cases, to make sure that, for instance, the laptop the user is connecting
from is the same piece of equipment that the company has assigned to that specific user. This
means being able to check in depth, down to the serial number of the motherboard or the MAC address of
the NIC, if needed. Bear in mind that such identifiers are reported by the client-side agent and can be
forged on a compromised endpoint, so treat them as one signal among several rather than as proof of identity.
After that, you want something that is customized for your potential user, but without having
to make a customization for every user... this is achieved by elaborating a strategy based on the
interaction of three entities: groups of users, possibly coming from different repositories, accessing
applications, based on a set of access rules.
By defining the appropriate criteria, you will be able to discriminate access consistently.
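The following is an added example, not code from the original article or from the StoneGate product, showing how the access strategy described above fits together: a pre-access endpoint posture check (antivirus present, blocked software absent, optional hardware binding to the device assigned to the user), group membership merged from several repositories, per-application access rules with an authentication-factor requirement, a periodic re-check that tears the session down when the endpoint stops being clean, and trace removal when the session ends. All repository names, group names, application names, process names, serial numbers and MAC addresses are constructed for illustration; the rule semantics (first matching rule wins, default deny) are an assumption of this example, not a description of any product.

```python
"""Session-scoped access decision for an SSL VPN-style gateway (added example).

Models the three entities from the text: user groups (from several
repositories), applications and access rules, plus the pre-access and
periodic endpoint assessment. Every identifier and data item below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """Endpoint assessment as the client agent would report it (constructed fields)."""
    antivirus_running: bool
    processes: frozenset          # names of running processes
    board_serial: str             # motherboard serial number
    nic_mac: str                  # MAC address of the NIC in use
    os_name: str


@dataclass
class Rule:
    application: str
    groups: frozenset             # membership in any of these grants access
    min_auth_factors: int = 1
    require_managed_device: bool = False
    allowed_os: Optional[frozenset] = None


# Software whose presence fails the posture check (constructed list).
BLOCKED_PROCESSES = frozenset({"keylogger.exe", "rat-client"})

# Inventory: (board serial, MAC) of the device assigned to each user (constructed).
ASSIGNED_DEVICES = {"alice": ("MB-SN-0001", "00:11:22:33:44:55")}

# Group membership from two repositories, e.g. a directory and a local DB (constructed).
REPOSITORIES = {
    "ldap": {"alice": {"sales", "staff"}, "bob": {"staff"}},
    "localdb": {"alice": {"crm-admins"}, "carol": {"contractors"}},
}

# Access rules: first rule matching (application, user group) decides; otherwise deny.
RULES = [
    Rule("salesforce", frozenset({"sales"}), min_auth_factors=2),
    Rule("intranet-wiki", frozenset({"staff", "contractors"})),
    Rule("crm-admin-console", frozenset({"crm-admins"}), min_auth_factors=2,
         require_managed_device=True, allowed_os=frozenset({"Windows", "macOS"})),
]


def groups_for(user: str) -> set:
    """Union of the user's groups across all configured repositories."""
    groups = set()
    for members in REPOSITORIES.values():
        groups |= members.get(user, set())
    return groups


def assess_posture(posture: Posture) -> list:
    """Return the list of posture failures; an empty list means the endpoint is clean."""
    failures = []
    if not posture.antivirus_running:
        failures.append("antivirus not running")
    found = posture.processes & BLOCKED_PROCESSES
    if found:
        failures.append("blocked software present: " + ", ".join(sorted(found)))
    return failures


def is_managed_device(user: str, posture: Posture) -> bool:
    """Hardware binding: does the endpoint match the device assigned to this user?"""
    assigned = ASSIGNED_DEVICES.get(user)
    return assigned == (posture.board_serial, posture.nic_mac.lower())


def authorize(user: str, application: str, auth_factors: int, posture: Posture) -> tuple:
    """Decide (allowed, reason) for one request. Posture is evaluated before any rule."""
    failures = assess_posture(posture)
    if failures:
        return False, "posture: " + "; ".join(failures)
    user_groups = groups_for(user)
    for rule in RULES:
        if rule.application != application or not (rule.groups & user_groups):
            continue
        if auth_factors < rule.min_auth_factors:
            return False, f"{application}: needs {rule.min_auth_factors} auth factors"
        if rule.require_managed_device and not is_managed_device(user, posture):
            return False, f"{application}: unmanaged device"
        if rule.allowed_os and posture.os_name not in rule.allowed_os:
            return False, f"{application}: OS {posture.os_name} not permitted"
        return True, f"{application}: allowed via {sorted(rule.groups & user_groups)}"
    return False, f"{application}: no matching rule"   # default deny


@dataclass
class Session:
    user: str
    application: str
    auth_factors: int
    active: bool = True
    cached_credentials: dict = field(default_factory=dict)  # e.g. SSO tickets


def end_session(session: Session) -> None:
    """Access has an end: purge cached credentials (trace removal) and close the session."""
    session.cached_credentials.clear()
    session.active = False


def recheck(session: Session, posture: Posture) -> bool:
    """Periodic re-assessment: re-run the full decision and drop the session if it now fails."""
    allowed, _ = authorize(session.user, session.application, session.auth_factors, posture)
    if not allowed:
        end_session(session)
    return session.active
```

The gateway would call authorize() once at connection time and then recheck() on a timer or whenever the agent submits a fresh posture report; because the re-check runs the same decision as the initial one, a rule change or a newly appeared blocked process ends the session the same way a failed pre-access check would have refused it.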
Techniques like Single Sign-On, Ticket SSO, support for two- and three-factor authentication,
and interoperation with other security and authentication standards... these are all things you might
want to look for when choosing a solution. If you are looking for a solution for such ubiquitous,
universal access, please take a look at the StoneGate SSL VPN.
Part of the broader StoneGate Network Security Architecture, this technology provides
assessed, consistent, authenticated access to the cloud, no matter where the applications and
services your company needs are located.
By including sophisticated techniques such as Ticket Single Sign-On for transparent
authentication to web services such as SalesForce, Google Apps and eLearning systems, support for
federation standards such as SAML and ADFS, advanced authentication options like OATH compliance and
MobileID token software included for unlimited users, and complete assessment and trace removal based
on multiple customizable criteria, the StoneGate SSL VPN solution represents the state of the art in
enabling ubiquitous, transparent, secure access to corporate applications today.
Cloud Computing. Simplified.