
Overcoming Cloud Security Challenges

What are the Security Challenges you Need to Take Seriously Before Moving to the Cloud?

It seems as if you can’t turn on the television, pick up a paper, or surf your favorite online news source without seeing a reference to “the cloud.” In fact, Microsoft has created a catch-all phrase to illustrate how the cloud can solve an array of problems. If you want to take better family photos, create the perfect holiday card, or entertain yourself at the airport, simply go “to the cloud.”

But the proliferation of the cloud isn’t just marketing hype.

According to William Fellows of the 451 Group, “Cloud computing has reached escape velocity and is transferring into mainstream computing.” In a recent study, the research firm found that 50 percent of enterprises are using private or public clouds and that will rise to 60 percent by 2011.

Regardless of where your deployment plans fall in using different types of clouds—public, private, or a combination—you need to ask the question: Is cloud computing secure?

“Flying Blind in the Cloud,” an April 2010 study by the Ponemon Institute and sponsored by Symantec, found that a mere 20 percent of enterprises involve IT security in the cloud migration process and only 30 percent evaluate cloud services from a security perspective before deployment.

So what are the security challenges you need to take seriously before moving to the cloud? They fall into three main categories.

1. Loss of Governance. When you’re handing over the keys to your kingdom to an outside cloud vendor you need to make sure you do your homework and understand the risk profile of that vendor. You should have a clear picture of their security infrastructure and policies; the level of security training their personnel receive; their physical access controls; their patch management, vulnerability assessment, and logging policies; and their firewall and intrusion detection and prevention systems (IDS/IPS). If the cloud provider outsources security to another vendor you need to understand their contractual obligations. In addition, if your organization has made considerable investments in achieving certification either for competitive advantage, to meet industry standards or to comply with regulatory requirements, such as PCI DSS, this investment may be put at risk with migration to the cloud. You need to understand up front if the cloud vendor can provide evidence of their own compliance with relevant regulations or if the vendor’s infrastructure is available for compliance audits.

2. Potential insecurity of shared infrastructure. The multitenant nature of public clouds means that you may be sharing infrastructure with a completely unknown set of other parties. Your neighbors could be independent hackers or those employed by competitors, organized crime, or others looking to gain access to your most critical data. Recent evidence has already shown that hackers have begun to use cloud services for malicious purposes. For example, IDG News Service reported in December 2009 that security researchers discovered the Zeus password-stealing botnet running on Amazon’s EC2 cloud computing servers.

If you are in the cloud, it can be difficult to tell how your cloud provider has segmented customers from one another. If all customers share the same backend database then a vulnerability in your neighbor’s Web application could mean the loss of your sensitive data. It’s also a good bet that your cloud provider uses virtualization hypervisors to provide segmentation. Even though hypervisor exploits are still theoretical, malicious hackers may someday use them to gain control over other users’ systems in the cloud.

3. Data Loss and Leakage. Data within the cloud can be at risk. As an enterprise you are responsible for the security of your data. Cloud vendors may have their own protections, but history has shown that may not be enough. Examples include a hacker group that was able to obtain e-mail addresses and SIM card numbers for over 100,000 iPad users from the AT&T website, or T-Mobile Sidekick customers who temporarily lost their data due to an outage in a Microsoft data center. In both cases cloud customers, Apple and T-Mobile, were left holding the bag because of data losses not within their own networks but those of their cloud vendors.

Regardless of these risks, the cloud is here to stay and organizations must have a security strategy in place. Below are three steps for overcoming cloud security challenges.

1. Establish criteria for evaluating public cloud vendors. The Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA) provide solid guidance for cloud vendor evaluation. Common control examples include:

• Personnel Security: pre-employment checks, security education, continuous evaluation.

• Supply Chain Assurance: which services are outsourced/subcontracted and audit procedures.

• Operational Security: change control and remote access policies, backup procedures, log retention and review policies, patch management, isolation technologies, application security.

• Identity and Access Management: privileged account management, segregation of duties, key management, encryption, two-factor authentication.

• Asset Management: automated inventory, asset classification by criticality.

• Data Portability: standard data formats and APIs, export to other clouds.

• Business Continuity Management: recovery and failover procedures, customer communication processes.

• Incident Response: escalation procedures, security monitoring infrastructure, documentation, metrics.

• Physical and Environment Security: personnel monitoring, physical inventory and segmentation, fire/flood/earthquake prevention, HVAC, power.

• Legal: provider country and physical location of data.

2. Sequence your migration to the cloud. It is likely that your management is strongly encouraging you to move to the cloud to save costs and increase agility. If you start with low-risk applications, you can demonstrate to management the inherent risks of cloud computing without sacrificing your critical data or reputation, or potentially incurring legal or financial risk. In effect, this can be a ‘proof of concept’ without major consequences.

Many organizations are taking this approach. A June 2010 study by the 451 Group found that a large majority of end users and stakeholders in the cloud computing industry are currently only conducting pilot projects or using clouds for noncritical applications, with a little under one-third using clouds for critical applications.

3. Evolve your internal infrastructure into a private cloud. For cost savings and operational efficiencies, consider moving your internal infrastructure to a private cloud architecture. Most IT applications are well suited to take advantage of the strengths of cloud computing—rapid elasticity and on-demand self-service. Building a private cloud is similar to building a virtual network. Remember a few key principles to maintain security: visibility is crucial – make sure you see the changes; server operations and security should work together to reduce blind spots; make sure your security policies account for the dynamic nature of virtual networks.

Despite the numerous security risks involved with cloud computing, it is critical that we take a thoughtful and proactive approach to this transition to the cloud. If you can be quick to migrate some applications to the public cloud, be smart about evaluating cloud vendors, and be proactive in building out a secure private cloud, you’ll be well on your way to going safely “to the cloud.”

Read More in SecurityWeek's Cloud and Virtualization Security Section

Marc Solomon, Cisco's VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor's degree from the University of Maryland, and an MBA from Stanford University.