We laid out the essential concepts of cloud security in Cloud security: The basics.Perhaps the best way to further understand cloud security is through specific examples. Here's a peek into a few of the biggest concerns that users have and how four companies have chosen to handle them. Cloud model: SaaSSecurity concern: Single sign-onWhen Lincoln Cannon was hired 10 months ago as director of Web systems at a 1,500-employee medical device company, he wanted to help the marketing department make a switch to Google Apps and a SaaS-based training application called eLeap, in the interests of lowering development costs and improving productivity. However, there were some concerns. Marketing executives didn't want users to have more than one log-in, and IT wanted to retain access control over the applications, especially when it came to adding new employees and terminating their accounts when they left the company. Cannon turned to a single sign-on system from Symplified, which communicates with Active Directory to verify the credentials of the user who is trying to log in to the cloud application. Google Apps uses APIs to offload authentication of users to a single sign-on provider, Cannon says, but with eLeap, the system needed to use an authentication adapter. Also see "The cloud security survival guide" on CSOonline.comEither way, "it's kind of like a guardian," Cannon says. "To get to our instance of eLeap training or Google Apps, you have to authenticate with the single sign-on provider." And it's synchronized with Active Directory. "We define, through Symplified, which of our accounts has access to these SaaS applications, and when we kill the account in Active Directory, it prevents anyone from using that account to access those SaaS applications," Cannon says. The Symplified system can operate in a SaaS model itself, but the device company chose to implement a Symplified-managed router behind its firewall. It did this because IT didn't want to manage user accounts and passwords in the cloud. "All that happens behind the firewall," Cannon says. Cloud model: IaaSSecurity concern: Data encryption At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup. The prime concern for the bank was data encryption and finding a provider that could accommodate the bank's already-developed encryption algorithm. "Some rely on the vendor to supply encryption, but we do our own," Brewer says. "Everything we send and store is encrypted at the vendor site." Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup. Brewer also chose Zecurion because he knows the location of the data center where his information is stored. "We know one of their three data centers have our data\u2014it's not just sent into the cloud and we don't know where the data is," he says. Cloud model: Private, on-site cloudSecurity concern: Virtualization When Matt Reidy, director of IT operations at Snag\u00adAJob.com, embarked on the company's three-year technology refresh, his goal was to move from a 75 percent virtualized environment to a 100 percent virtualized, private secure-compute cloud, using Dell blade servers running VMware and vSphere at the core. As a high-growth, entrepreneurially spirited dotcom, Reidy says, SnagAJob wanted the flexibility of a cloud model, but "we weren't ready to use cloud services from other vendors. A lot of stuff we'll do will wither and die on the vine, while other things will take off, and having a virtual cloud infrastructure will enable that with minimal talent investment, as far as time spent to spin new things up." Before the technology refresh, SnagAJob had a multitier infrastructure, with firewalls providing physical separation between the Web, application and database layers. Reidy was able to attain 100 percent virtualization by eliminating the physical firewalls and implementing a virtual firewall from Altor Networks. The only place a physical firewall will continue to exist is at the perimeter, in addition to an intrusion detection and prevention appliance. Before vSphere Version 4, Reidy explains, you could get firewall appliances running as virtual machines, but "they were severely limited in their performance, because network traffic had to pass through those virtual machines," he says. But now, vSphere includes an API called VMsafe that enables firewall vendors such as Altor, Checkpoint and others to move traffic inspection into the VMware kernel. "It improves performance, stability and security by a factor of 10," Reidy says.With the Altor virtual firewall, Reidy's team can also see, for the first time, what traffic is flowing between which virtual machines, including protocols and data volume. "That's a challenge in the virtual cloud space\u2014traditional products won't capture that," he says. "We're able to tighten our security more because we can see what's flowing and write rules based around what we see versus what we think is going on." Other products that enable such visibility, he says, include Cisco Systems's NetFlow and Juniper's J-Flow, as well as an open systems standard called sFlow. Cloud model: IaaSSecurity concerns: Virtualization, business continuity, auditing At his startup, Kavis has chosen to use Amazon to host his entire infrastructure. Before doing that, he sat down with a security specialist, who identified all the requirements for implementing the virtual machines. Kavis then built a virtual image applying those controls and created a snapshot that he can replicate anytime he needs to set up a new virtual machine. "Amazon provides you with the virtual image software, but it doesn't apply the security to it," Kavis says. "With PaaS, that would all be taken care of for me, but with IaaS, I can build the security to the level I want, and I have a lot more flexibility over what the machine is doing." Kavis also has to perform all the functions that a systems administrator would, such as opening and shutting down ports, writing configurations and locking down the database, which he does using the LAMP stack, provided by Amazon out of the box. Kavis is 100 percent comfortable with the perimeter security provided by Amazon, which is "at a level very few companies can do," he says. To ensure business continuity, Kavis replicates everything to at least two additional environments, in different zones. "The only way I can be totally down is if multiple Amazon zones are down," he says. "And Amazon has very high reliability in each specific zone, so we've never had everything down at one time." With IaaS, he emphasizes, "it's up to me to build an architecture that can have high reliability." One concern Kavis has yet to address is auditing. "Because the rules haven't changed to reflect cloud computing, regulations still require visits to the physical box, and you can't do that in the public cloud," he says. For data that falls under compliance regulations, Kavis plans to use a virtual private cloud. "The vendor will say, Here's your server, locked in a cage, and if you ever have an audit, you can bring in the auditors to look at it.' We'll use that for passing audits, but everything else will be in the public cloud." Even if he needs to house certain types of data on-site, he says, "we will still offload processing to the public cloud to get those benefits of scale and cost."