IT Operations Management (ITOM)

How to manage security as a cloud services broker

How to manage security as a cloud services broker


With written contribution by Andrew Wahl


When your IT organization adopts a cloud service broker model, the business user may never be aware of the distinction between public cloud service and private clouds—after all, they requisition computing resources through a self-service web portal and IT provisions in a largely automated fashion those cloud services that best suit the requirements. However, there are unique security implications for private vs. public cloud services.


Security Architecture

As I have noted in previous blog posts, a risk-based security strategy is essential, one where each layer of architecture is secured and integrated as part of a Cloud Management platform. One fundamental challenge that must be addressed is how current cloud technologies are often isolated from each other, and frequently tasked to work within siloed operational teams. This always results in security gaps and inefficient IT processes.


An integrated approach, including advanced network security, is key: no single technology will be sufficient to protect dynamic cloud environment like that of the cloud. (For more on this, read one of previous posts, HP Cloud Management - security comes integrated)


Securing access

The interconnected architecture of cloud services also requires a careful execution of access rights. It’s important that a strategy is in place to restrict which business users and various IT roles can access data and modify cloud services. Working with a cloud management platform that clearly defines the variations in user and administrator roles through the existing enterprise directory and LDAP DN structure can simplify how you authorize new users and control access to the platform.


Security of Public Cloud Services

Within private cloud services, you clearly have control over how security is managed. Public cloud services present a different challenge. You will need to examine the security capabilities of each service provider; some may have only perimeter security, so it will be up to you to harden operating systems and administer secure passwords. Similarly, some public cloud services may provide anti-virus protection while others don’t.


In each case, the IT enterprise security team will have to assess what measures need to be in place at each layer of the stack to meet overall security requirements.


In the cloud, security is a shared responsibility to protect the services. The public cloud service provider will deliver some capabilities, but IT organizations need to then work with what they are given to ensure they achieve the levels of security they require.


Ultimately, your organization needs to be in a position to take responsibility for the cloud services you deliver to the business, whether they are private, public or a hybrid of the two.


Learn more

HP’s comprehensive IT Operations Management portfolio of tools can help address data security issues. Find out how HP Cloud management provides comprehensive, end-to-end security for application, platform and infrastructure services with cloud brokering and heterogeneous environments. Visit


Alternatively, meet us at HP Discover in Barcelona. See security for the cloud in action at the demo booths and learn from the breakout sessions what it means to provide cloud services that are secure and compliant.


discover13_Barcelona_signature_646x220 (1) (3).jpg


Editor's Note: This is the fifth in a series of thought leadership blog posts on the seven things you need to know about becoming a successful cloud services broker. To catch up on the series, be sure to read these posts:

1.        Your cloud transformation starts here: How to develop a strategic plan

2.        Building on a foundation of automation

3.        How to decide what cloud services to offer

4.        Managing SLAs for your cloud services


Making Cloud Simple
  • cloud management
0 Kudos
About the Author


Lending 20 years of IT market expertise across 5 continents, for defining moments as an innovation adoption change agent.