Thursday, September 08, 2016

Moving to the cloud. How to handle the user information in hybrid cloud?

Today most clouds are hybrid clouds

Companies are moving to the cloud, whether they notice it or not. Starting to use Microsoft O365 or a CRM delivered as SaaS (Software as a Service) means using a cloud service and moving parts of your software and services into the cloud. The result is actually a hybrid cloud. Especially when this happens in small steps over a longer period, it can lead to forgetting something very fundamental: user and data protection, and legislation.

O365 is a great example. More and more companies have moved to using it. But what about authentication? Where do you keep your user credentials, and what happens when the main site of the service is down? Where are the credentials in that case, and can you be sure about it? What if you also have other services in the cloud? How will you offer these services easily to the user? Will you handle authentication for each service separately? And when one day you need to remove the user from everything he/she had access to, how will you do that?

The only certain way to make sure that user authentication and user data are not leaking out is to keep them to yourself, meaning on your premises. Buy the services from wherever you want, but don't push the user data into the cloud service. It's not necessary. There are several ways today to authenticate against services in the cloud without user credentials leaving your own premises, for example OAuth (more information about OAuth here) and SAML. Another benefit that makes accessing the hybrid cloud easier is offering the user a webtop. There should be one place to access whatever the user is entitled to, based on how strong the authentication is, what network the user is coming from and what client the user is using to access the service: role- and device-based access management.
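The webtop access decision described above (role, authentication strength, source network and client device), sketched as an added example that is not from the original post. The service catalogue, the strength ordering and the internal address ranges are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed ordering of authentication strength (constructed for this example).
AUTH_STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}
# Assumed on-premises address ranges; any other source counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Service:
    name: str
    role: str                  # role the user must hold
    min_auth: str              # weakest acceptable authentication method
    external_ok: bool          # may be reached from outside the internal network
    managed_device_only: bool  # requires a company-managed client

@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    auth_method: str
    source_ip: str
    managed_device: bool

# Constructed catalogue of cloud services published on the webtop.
CATALOGUE = [
    Service("mail", "employee", "password", True, False),
    Service("crm", "sales", "otp", True, False),
    Service("hr-records", "hr", "smartcard", False, True),
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def entitled_services(session: Session, catalogue=CATALOGUE) -> list:
    """Return the names of the services the webtop shows for this session."""
    strength = AUTH_STRENGTH.get(session.auth_method, 0)  # unknown method: deny all
    internal = is_internal(session.source_ip)
    return [svc.name for svc in catalogue
            if svc.role in session.roles
            and strength >= AUTH_STRENGTH[svc.min_auth]
            and (internal or svc.external_ok)
            and (session.managed_device or not svc.managed_device_only)]
```

Because every service is filtered through one on-premises decision point, removing a role from the user's session removes the matching services from the webtop in a single step.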

You can't forget the legislation either. In the EU there will be GDPR (more information about GDPR here), which will be very strict about how and where you keep user-related data. In case it leaves the EU, 'In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation' - also in the case when the service provider's main site of the cloud service in the EU area goes down and the service is moved to a backup site (mostly outside EU). In practice that will be quite impossible, and you should be looking for a solution where you can be sure the user data stays somewhere it is not leaking out and can be easily managed from one place, even if you're using several different clouds. In the end you also need to be able to track whatever the user has been using in order to find the related user data, in case the user wants to be forgotten and have everything related to him/her removed, and to remove the user's access from all the services at once.

As applications move to the web, it becomes more and more about application services and not so much about the network. The network of course plays a major role in accessibility and user experience, but that is bread and butter which just needs to work, and only then can you move into the cloud.

If you're starting to use cloud services in a hybrid way, or are already using them, then one of the major things to think about is what would be an easy and secure way of taking care of authentication and federation. Until you've solved that, you're not ready to move into the hybrid cloud. Luckily there are options for that. There is no single silver bullet that solves everything, but there are good options that make your life easier, keep the user credentials secure, make the user's life easier (SSO and webtop) and help you follow the legislation. Make sure you take this into consideration with your IT department and service providers before you take the final step.