As the world races to adopt cloud computing, there is still a nagging challenge for IT security professionals: How can applications and infrastructure be trusted and controlled when organizations have seemingly given up both to their cloud providers?
With Forrester Research forecasting public cloud computing to reach $57 billion in 2013 and exploding to over $157 billion by 2020, IT security needs to find an approach that works or risk becoming marginalized.
Gartner VP Distinguished Analyst John Pescatore summed up the concerns of the IT security professionals I’ve spoken with pretty well:
“As you move out to cloud-based models, there are some things you can trust your cloud provider with, but for critical business data and regulation-controlled information, very rarely is the [cloud provider’s] infrastructure going to be enough”
Industry and government organizations have taken a similar view. The European Network and Information Security Agency (ENISA) carefully reminds organizations that an enterprise “can outsource responsibility but you can’t outsource accountability.” But when it comes to accountability there is a tremendous amount of uncertainty and lack of experience with enterprise audits involving the cloud.
SAS 70 and its replacement SSAE 16 provide some assurances and have become standard parts of vendor risk management, but don’t help solve the control gap. Furthermore, there is little precedent with compliance involving regulated data such as healthcare, financial, and citizen data. Some IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service) providers have started to introduce security services tailored to specific verticals needs, like HIPAA (Health Insurance Portability and Accountability Act), HITECH (Health Information Technology for Economic and Clinical Health), FISMA (Federal Information Security Management Act), or EU Data Protection, but responsibility for compliance ultimately falls to the enterprise using the cloud.
For example, there’s no coincidence when the UK Information Commissioner’s Office (ICO) issued guidance on cloud security stating, “As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” that the regulator also reminded organization it can and has levied fines up to £250,000 for data protection violations.
So why is the challenge of control so difficult? It’s not just the lack of physical separation that’s change with the cloud. The whole ability to govern the use of the computing and data has changed. Now developers and testing teams can spawn up entire duplicates of enterprise architectures in the cloud in seconds. And even when use of the cloud is strategic and coordinated, systems can be scaled quickly and architectures modified or even replaced within seconds. This lack of governance compounds the challenge of IT security professional to re-establish control and accountability to manage risk in the cloud.
So where are enterprises starting to build back governance and control in the cloud? A first step is managing the foundation of trust itself: digital certificate and encryption key management. Digital certificates allow enterprises to trust communication to and from cloud services from users or administrators through to web servers, applications servers, databases, and other SaaS services. And there are new encryption applications tailored just for the cloud like cloud encryption gateways and virtual machine encryption. In fact, Gartner expects 25 percent of all enterprises to use cloud encryption gateways by 2016.
Failing to manage certificates and encryption keys can more than ruin any cloud strategy. SSH is used through IaaS (Infrastructure-as-a-Service) and controls access to cloud servers. The FreeBSD.org found that failing to monitor, manage, and control these keys can lead to near catastrophic consequences. Unfortunately for organization depending on FreeBSD worldwide, hackers accessed FreeBSD systems used to build software updates using stolen SSH keys. As a result, months of software updates can’t be trusted.
Not being in a position to respond to a certificate or key management issue in the cloud can also spell disaster. In 2011, Netherlands-based certificate authority (CA) DigiNotar was hacked and hundreds of counterfeit certificates for high-profile web services were minted. As a result, DigiNotar and all certificates ever issued could no longer be trusted. The Dutch government went so far as stating it “denounced its trust” in DigiNotar and the CA subsequent went bankrupt. Thousands of enterprises could be vulnerable but only those that understood completely there use of certificates could respond authoritatively.
These and other challenges in regaining control over certificate and key populations and management in the cloud can be addressed with the very same security and operational best practices enterprises have developed managing on-premise systems. These best practices include the ability to:
• Discover certificates and encryption keys in use and those archived throughout cloud deployments and on systems used to access the cloud
• Monitor ongoing use and proper configuration across cloud systems
• Automate the renewal, provisioning, and configuration of certificates and encryption keys to cloud applications and users
• Report on where and how certificates and encryption keys are being used to maintain governance and compliance
Once established, an organization needs to test and audit its cloud-based certificate and key management controls. One good place to start is evaluating an organization’s ability to respond to a CA compromise against NIST recommendations. When another major certificate authority is breached, will you know where certificates are used throughout your production, test, and development clouds? Which certificates and keys are used to authenticate applications to SaaS services? Who has SSH access to the impacted systems? Could you then replace certificates quickly if necessary throughout your clouds and across a range of applications?
Of course, bringing certificate and encryption key management to the cloud is just one step in a journey to bring control and governance to your cloud strategy. But, it’s critically important because certificates and encryption keys provide the foundation of trust necessary to use cloud safely in the first place. Doing so addresses Gartner analyst John Pescatore’s recommendation to “get visibility into the system, the change controls and the vulnerabilities.” You’ll not only be able to confidently embrace the cloud but address the compliance and audit demands that regulators and your auditors are enforcing today and tomorrow.
