Dedicated to Providing Insight Into the Enablement of Cloud Hosting Environments.

Cloud Hosting Journal


“cCommerce”, or Cloud-based eCommerce, will be made possible by Cloud hosting providers achieving compliance with security frameworks like PCI, the requirements for credit card processing.

This will unlock the floodgates of Cloud adoption and usher in a new age of IT models.

Cloud Security best practices
Cloud Providers should be able to provide details on security controls, specifically as they relate to hosted VMs. Key security concerns around privacy, compliance, segregation of VMs in public clouds (inter-VM security risks such as hypervisor breach or vulnerabilities), interoperability and litigation hold should be addressed in the SLA.

As an example of the framework required, this Amazon white paper (24 page PDF) describes the mix of technologies and procedures they implement to achieve this.

Given the market demand for Cloud hosting that is not based in the USA (due to the Patriot Act), this presents regional Cloud providers with the opportunity to emulate this same approach and offer tailored services for key sectors like Government and Finance.

Achieving PCI compliance demonstrates to clients a high standard of trustworthy security, as everyone understands the scrutiny and protections the financial sector applies to processing money!

It demands a rigorous set of technology and procedure requirements to ensure credit card transactions are as safe as possible. This includes encryption of data, passwords et al., as well as virtualization best practices, identity access, logging and other audit controls.

This corresponds with the program of activities the Cloud Security Alliance proposes, directing it towards financial transactions, and vendors like Guardtime and Joyent offer even further innovations to safeguard and prove the integrity of these Cloud environments.

This trend won’t be limited to online retail transactions; instead it will act as a secure foundation for a broader ‘Identity Ecosystem’ which will fundamentally transform the nature of eCommerce.

It will also facilitate other similar evolutions, such as ‘Trusted Services’ offered by governments looking to go fully digital, most notably the USA and UK.

The keystone to this effect is Cloud Identity, which represents the intersection between this lower-level infrastructure security and the broader web experience. Technologies such as OpenID and OAuth are implemented by vendors to achieve effects like “Social Login”.

On October 6th last year the USA Government issued a directive for their web sites to start allowing this type of log-in.

For agencies that find these technologies complex or expensive there are managed service options, what's called ‘IDaaS’ (Identity as a Service), such as the Verizon service. As described in this release, it offers compliance with the US Govt ID standards to ICAM levels 1 through 3 as defined by the US Govt, and this Cloud model offers a cost model 20-70% cheaper than trying to run it in-house.

For other Cloud providers looking to offer similar capability, the types of technologies that can implement this include the VMware Spring framework. In this presentation David Syer from VMware provides a basic introduction to how it might be used for technologies like OpenID and OAuth.

This means that Cloud Providers, the managed security services suppliers, who operate their Clouds using the VMware platform can easily build upon it to offer these increasingly personalized and critically compliant Cloud services.

UMA-enabled Social Commerce
Once in place, these mechanisms provide the foundations for a new world of information-sharing, a linked dataweb that builds on the Social Log-in effect.

The required accreditation of Cloud providers to offer the ICAM levels described is facilitated through ‘Trust Framework’ providers appointed by the US Govt, such as the Kantara Initiative, and their R&D stretches into areas such as ‘UMA’ – User Managed Access.

This information universe is also described as the ‘Personal Data Ecosystem’, the ultimate evolution of these trends that is fundamentally concerned with the sharing of our personal data across the Cloud.

It will require and drive highly innovative government policies, like this White House announcement, and be enabled through technologies and standards like UMA.

UMA defines a series of data sharing protocols that put control in the hands of the users themselves, a principle that is very nicely explained through this presentation from one of the core team, Domenico Catalano.

This illustrates the mechanics of UMA in a simple scenario of social media sharing; you can extrapolate from here how these same principles can be applied to, for example, e-commerce transactions, as ultimately they are all about sharing your personal details (like the credit card number and your address) with vendors.

Domenico is a member of the Oracle Identity team, and he has other great presentations that offer insights into the opportunities this presents for vendors and merchants.

For example, this one is a great conclusion to this article, as he shares a best practices presentation for securing Internet transactions, using their Adaptive Access Manager technology. Hosting providers like BT use this context to define new value-add services, like a managed service for Fraud Protection.


More Stories By Cloud Best Practices Network

The Cloud Best Practices Network is an expert community of leading Cloud pioneers. Follow our best practice blogs at
