Hult CIO Tackles Cloud Application Security – Part 2 of 2

This is part two of my two part interview with Yousuf Kahn, CIO of Hult International Business School. You can read part one here.

I recently had the chance to sit down with Hult International Business School CIO Yousuf Kahn to get his take on cloud IT security. Hult has five campuses across the globe and has been recognized by Apple as a Standout School for their mobile initiatives to enhance and extend the classroom with iPads and Apps.

Is your organization or its cloud providers doing anything to shore up security in light of emerging cloud IT security threats, and if so what?

With over 2000 students and 200 faculty and administrative staff members accessing both public and private cloud applications, we chose to implement a cloud-based identity and access management solution called OneLogin, which consolidates a lot of our security into one application.

The idea here is you’re not telling people to go to an application directly- users go to a portal and are then authenticated into the web app. Users benefit by having a single sign on to go to for quick access to campus applications and because we know OneLogin’s secure, robust and used by an impressive growing list in the education space we’ve got a secure centralized starting point for access into our public and private cloud applications. So, if something does happen, we have a consolidated place to look where we started off. Otherwise, if you have 15 applications, then you’d have 15 points to figure out which one was a problem. It keeps the focus on where the security layer might have been breached. The more cloud applications you have, the more you need a solution like OneLogin. In terms of specific measures one can analyze the security model of your application providers interfaces. You need to ensure and insist on strong authentication and if working with API’s understand the dependency chain that exists.

Has your organization had any security problems related to the cloud?

We have not had any security issues internally at all. However whether done with an external application provider or in your private cloud my recommendation is to use root cause analysis and remedial measures applied across your application stack rather than fixing just one problem. If a breach can happen at one application then no matter how remote the chance of it happening to another you should ensure that it also has got a consistent security protocol in place whenever possible.

What are some best practices for improving cloud IT security?

  • Make sure your cloud providers are in Tier 1 data centers and have standard security protocols in place like SSL
  • Unfortunately expect an outage or security breach and develop a good backup plan internally. Chances are it is unlikely but let’s remember that defence and security organisations have been compromised in the past
  • Put end user policies in place to make sure that people have guidance on managing their credentials
  • Use an identity and access management system like OneLogin to simplify the access and security of your public and private cloud applications
  • Get the best security expertise. We don’t pretend to be security experts, so we looked for the the right people to partner with. That’s where OneLogin, for instance, came in
  • Keep abreast of growing threats and ensure that your providers are aware as well. If you know more than your vendor in something that is critical to their service provision to you then something is definitely wrong. If you are thinking about it and they are not– that can’t be right