
Annexing the Cloud

Exploring a smarter approach to cloud security


By now, just about everyone understands the impressive potential of enterprise cloud computing. What's not to like about the concept of tapping into vast pools of inexpensive processing power, storage capacity or even whole computing platforms whenever you need them—and then instantly releasing them when you don't? But there are still a few significant hurdles preventing many enterprises from fully embracing cloud computing. And by far, the biggest of those hurdles is security. Survey after survey shows that cloud computing can never become a viable, compelling option for most enterprises until they can confidently secure, protect and enforce compliance on all the critical corporate data that lives in the cloud.

So what's the best, most effective approach for addressing these cloud security issues? Novell believes the answer lies in creating a secure, trusted broker between your enterprise and your cloud service provider that makes it possible to extend your existing identity infrastructure, including all your security policies and controls, to public cloud environments. This identity-based approach makes sense. In virtualized cloud environments, the network layer inevitably becomes abstracted, which makes most traditional network-perimeter security controls ineffective. As a result, more of the security burden gets pushed up to the identity layer. With its long history of identity-based solutions, Novell is well positioned to provide the enterprise-strength, identity-based security that cloud computing environments demand. A dedicated team of more than 20 Novell engineers has been working for nearly a year to make it happen. The result is the Novell Cloud Security Service.

Extending Your Enterprise Security Perimeter

This innovative new service, which is typically delivered through various types of cloud providers, provides enterprise-level cloud security by performing three critical functions. First, a process Novell calls “annexing” extends the perimeter of your enterprise security policies and practices to the cloud and provides a unified view of cloud resources. This makes it possible to uniformly enforce business policies and operational practices across both your internal data center and external cloud environments. Next, Novell Cloud Security Service allows you to integrate workloads within this extended security boundary. This involves using patented and patent-pending technology to directly communicate identity and audit information to and from traditional workloads, whether they reside in your data center or in the cloud. Finally, the Novell Cloud Security Service also manages cryptographic keys to make sure information stays completely secure as it flows between the cloud and your private data center. And of course, you always maintain complete control over cryptographic key generation, exchange and storage.

With Novell Cloud Security Service, these core annexation, workload integration and encryption capabilities, all managed and controlled through a web-based console, work together to provide the missing pieces of the cloud security picture and make cloud computing a safe, viable option for your enterprise. (See Figure 1.)

Anatomy of the Novell Cloud Security Service

The Novell Cloud Security Service consists of three main components. (See Figure 2.)

  • Identity and event connectors to specific Software as a Service (SaaS) and Platform as a Service (PaaS) providers
  • Connectors to specific identity systems across your enterprise
  • A Cloud Security Broker that resides within the cloud and maintains a secure communications bridge between your enterprise and all your SaaS and PaaS providers

Let's take a look at each of these components in a bit more detail.


Connectors to SaaS and PaaS Providers

The Novell Cloud Security Service starts with out-of-the-box identity and event connectors for specific SaaS and PaaS providers. These connectors make it possible for your enterprise identity and audit systems to communicate securely with a wide range of PaaS and SaaS environments through the Cloud Security Broker. Today, Novell offers out-of-the-box connectors for most popular cloud applications and application frameworks, including Salesforce.com, Google Apps and Spring, as well as common network services like Microsoft SharePoint. Of course, the exact nature of these connectors depends on the capabilities and characteristics of various cloud services. For example, most PaaS environments are robust enough to provide the types of identity, audit and compliance mechanisms most enterprises require. Many SaaS environments, on the other hand, lack this type of robust underlying platform or are controlled by providers who are unwilling to expose that platform to users.



In these cases, Novell will work directly with cloud providers to develop specialized connectors that work with specific SaaS environments in ways that make the most sense. You may also have the option of modifying enterprise applications running inside SaaS environments to use Novell Cloud Security Service APIs directly, which avoids these issues and typically provides a higher level of functionality.


Connectors to Enterprise Identity Systems

On the enterprise side, Novell Cloud Security Service offers standards-based integration for most identity management providers, including IBM, Microsoft, CA, Oracle, Sun and (of course) Novell. These connectors provide a secure bridge that sits behind your firewall and provides the following services and capabilities:

  • A general purpose protocol proxy that allows the aggregation of many different protocols into firewall-friendly packets.
  • An audit agent that allows the delivery of audit events to your on-premise auditing and monitoring mechanisms.
  • A policy agent that provides secure access to enterprise policy requests from the Cloud Security Broker.
  • A key management agent that maintains all the cryptographic keys necessary for secure communications between the Cloud Security Service's various components.
  • A secure communication manager that ensures all the encrypted traffic handled by the multi-protocol proxy is transported correctly and securely.

It's also worth noting that, unlike some cloud security solutions, this small-footprint secure bridge uses standard ports and protocols for all communications between your enterprise and the Cloud Security Broker. This approach, together with a fully encrypted communication channel, means you can establish encrypted, authenticated communications between your enterprise and the cloud without opening additional ports on your firewall.


The Cloud Security Broker

The Cloud Security Broker lies at the heart of the Novell Cloud Security Service, between the enterprise connectors and the SaaS and PaaS connectors. This core component resides inside the cloud and is responsible for maintaining all the essential connections between your enterprise and all your PaaS and SaaS providers. The Security Broker consists of a collection of protected virtual workloads that combine to provide a secure space for cloud workloads and storage resources. These protected workloads typically consist of enterprise services that have been moved from your data center to the cloud, as well as ancillary Novell Cloud Security Service processes. This creates an environment where workloads in the cloud can securely access enterprise resources using either standard protocols like HTTPS and LDAP or the more robust Cloud Security Broker API/Platform. In both cases, cloud workloads communicate with your enterprise over the Secure Bridge using cryptographic keys that are locked inside your secure data center. And both methods take full advantage of the Cloud Security Broker's robust identity and governance, risk and compliance (GRC) integration capabilities.

In the end, all of your cloud resources—whether they are accessed within the Cloud Security Broker or through SaaS and PaaS connectors—become secure, fully annexed extensions of your data center.
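The flow this section and Figure 2 describe (enterprise connector verifies the user, the broker issues a token, the provider receives it in the format it expects) can be made concrete. The following is an added example written for this article and is not Novell code; it is a deliberately simplified, stdlib-only model. Everything in it is an assumption: the HMAC keys, the directory, the provider profiles, the claim names and the compact `payload.signature` token format (a simplified JWT-like encoding, not a real JWT or SAML assertion). Two properties worth noticing are that the enterprise-to-broker key is distinct from every provider key, so a token minted for one provider is useless at another, and that the broker checks an enterprise policy (a required group) before issuing anything.

```python
import base64
import hashlib
import hmac
import json
import time

# --- Constructed keys, directory and provider profiles (example assumptions) ---
# Key shared only between the on-premise secure bridge and the broker.
BRIDGE_KEY = b"bridge-key-constructed-for-example"
# One key per provider connector; the broker never reuses a key across providers.
PROVIDER_KEYS = {
    "salesforce": b"salesforce-connector-key-constructed",
    "googleapps": b"googleapps-connector-key-constructed",
}
# Per-provider "requested format": which enterprise attribute becomes the
# subject, which group policy requires, and the token lifetime in seconds.
PROVIDER_PROFILES = {
    "salesforce": {"subject_attr": "username", "required_group": "sales", "ttl": 300},
    "googleapps": {"subject_attr": "email", "required_group": "staff", "ttl": 300},
}
# Constructed stand-in for the enterprise directory (plaintext passwords only
# because this is an illustration; a real connector would bind to LDAP).
ENTERPRISE_DIRECTORY = {
    "alice": {"password": "correct horse", "username": "alice@corp.example",
              "email": "alice@corp.example", "groups": ["staff", "sales"]},
    "bob": {"password": "battery staple", "username": "bob@corp.example",
            "email": "bob@corp.example", "groups": ["staff"]},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes) -> str:
    """Compact token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify(token: str, key: bytes, audience: str, now: float) -> dict:
    """Return the claims only if signature, audience and expiry all check out."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def enterprise_connector_login(user: str, password: str, now: float) -> str:
    """On-premise connector: authenticate, then emit a short-lived assertion
    addressed to the broker (never directly to a provider)."""
    rec = ENTERPRISE_DIRECTORY.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        raise PermissionError("authentication failed")
    attrs = {k: v for k, v in rec.items() if k != "password"}
    return sign({"sub": user, "attrs": attrs, "aud": "broker",
                 "iat": now, "exp": now + 60}, BRIDGE_KEY)


def broker_issue(assertion: str, provider: str, now: float) -> str:
    """Cloud broker: check the enterprise assertion, apply the enterprise
    policy for this provider, and re-issue a token in that provider's format."""
    claims = verify(assertion, BRIDGE_KEY, audience="broker", now=now)
    profile = PROVIDER_PROFILES[provider]
    if profile["required_group"] not in claims["attrs"]["groups"]:
        raise PermissionError(f"policy denies {claims['sub']} access to {provider}")
    return sign({"sub": claims["attrs"][profile["subject_attr"]],
                 "groups": claims["attrs"]["groups"],
                 "aud": provider, "iat": now, "exp": now + profile["ttl"]},
                PROVIDER_KEYS[provider])


def provider_accepts(token: str, provider: str, now: float) -> dict:
    """Provider-side connector: validate with the provider's own key."""
    return verify(token, PROVIDER_KEYS[provider], audience=provider, now=now)


def rejection_reason(token: str, key: bytes, audience: str, now: float) -> str:
    """Helper that reports why a token was refused (or 'accepted')."""
    try:
        verify(token, key, audience, now)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    t = time.time()
    a = enterprise_connector_login("alice", "correct horse", t)
    print(provider_accepts(broker_issue(a, "salesforce", t), "salesforce", t))
```

Replaying the Salesforce token to Google Apps fails on the signature before the audience is even read, because the keys differ; the audience check still matters when one key is shared by several relying parties, which is why `verify` keeps both checks. Expiry is compared against the verifier's clock, so the enterprise assertion and the provider token both need lifetimes short enough that clock skew between data center and cloud is tolerable.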

Getting Started with the Novell Cloud Security Service

The Novell Cloud Security Service will begin shipping later this year. In most cases, the solution will be delivered through leading cloud computing vendors, and the Cloud Security Broker typically resides where those vendors host their SaaS applications. However, enterprises can also work with Novell to host the service through a participating Novell hosting partner or Infrastructure as a Service (IaaS) provider. Today, Amazon EC2, GoGrid, Xen, Eucalyptus and any IaaS that uses VMware ESX can support the Novell Cloud Security Broker. To get started with the Novell Cloud Security Service, ask your PaaS or SaaS provider if they plan to support or offer the solution. If not, contact Novell for more information about alternative IaaS hosting options.

  • Figure 1

    A unified Novell Cloud Security Service console gives you complete control over the security status of all your cloud computing resources.

  • Figure 2

    The Novell Cloud Security Service verifies user identities through connectors to your existing identity infrastructure, generates an identity token through the Cloud Security Broker and passes the token to the relevant cloud provider in the requested format to grant user access.



© 2014 Novell