The enterprise cloud security Q&A
Thu 3 Sep 2015 | Lee Field
Security is a prime concern for all enterprises and with more enterprise data and applications being deployed into cloud infrastructure the perfect first question is what makes a secure cloud?
Talking to many users and customers around the world there are three fundamental themes in securing cloud services and the applications and data that resides within:
Strong logical and physical controls. As any building developer will tell you, it’s critical to have strong foundations, and any CISO will add that trying to secure weak physical access is nearly impossible. Cloud services should be located in facilities that are purpose-built as data centers, using redundant power and cooling systems, interior and exterior video monitoring, along with 24/7 on-site security personnel backed by remote monitoring.
Governance and Controls. These are necessary for establishing standardized, repeatable processes to streamline operations, to help make the cloud stable and reliable and to maintain strong security for data and applications. Cloud usage policies that explain what requirements must be met can really help to drive understanding into business application owners. Cloud operational policies are critical to ensure that business support requirements can be met and exceeded. It’s common to see different sets of requirements for different classifications of business applications and data.
Added Security Services. Cloud-based firewall and VPN is a start and allows implementation of access control to network and VM services. The ability to implement application security, an intrusion detection system (IDS) and other security controls is a strong positive. Managed security services also extend the visibility of security within the cloud. Private network connectivity can be a real plus here, by extending existing private networks into the cloud platform and ensuring that all data is secured in transit and not reliant on Internet connectivity.
How does an enterprise that may already be using cloud services start to look at secure cloud?
First document the policy and process to provide governance around cloud usage. This will probably include a service classification matrix linking business applications and data to a grade of service. Then define controls required for each of these grades. This will allow an organization to either map existing processes for operations or build new ones and also look at vendor selection for each grade of service required. Secondly, understand the cloud services in use across the organization; this can be completed using tooling if required. Then retrospectively run the service classification to ensure the service provider meets the required standards and has the necessary controls in place. If not, work with the line of business or service owner to rectify the situation. Don’t be a barrier, but do get any identified issues under control.
What are the three biggest threats to cloud services?
Attacks against the Cloud Management Portal and API perimeter. An example of this would be a brute force attack against logins. Strong authentication policies, role-based access control and two-factor authentication are all in use and deployed extensively.
Externally caused service disruption. A cloud service provider should protect the perimeter of the network itself at the logical layer, and the network infrastructure itself through the use of network firewalls and Intrusion Detection Systems. One also needs to ensure that they can detect and mitigate distributed denial of service (DDoS) attacks against cloud infrastructures and customer environments where and when required. Layer approaches to perimeter security including the use of application firewalls and managed security services can really help.
Lastly I would note the possibility of internal threats. The ‘least privilege’, model with escalating privileges on a per-need basis that time out, expire and are revoked on use, make it much harder to bypass any controls that are in place. Restricting access to private networks can also assist here. The same security controls used within an organization should extend into cloud services, ideally with the same feeds into security information and event management tooling and any analytics services.
What are the economic considerations attached to securing the cloud?
There is no doubt that the cloud has bought greater agility to businesses – Verizon’s recent “HBR: Cloud Driving a Faster more Connected Business” indicates that for 71% of respondents their use of cloud had increased business agility in a number of key areas. However, this agility has to be weighed against increasing security concerns. Businesses need to look at the value and business criticality of the different applications and inputs/outputs that they are looking to associate with the cloud and build appropriate security models to correspond with these needs.
For example, productivity tools may be using Software as a Service (SaaS) with single sign-on authentication connected to a single corporate repository; the sales CRM tool, however, will require access from a corporate device, connected to either a corporate network or two factor authenticated corporate VPN with secure authentication.
Enhancing cloud security for all of a business’s applications and levels of data has a cost associated that can affect the overall economics, efficiencies and return on investment for the entire cloud adoption. It therefore needs to be considered and reviewed carefully. By using a model that offers differing security profiles based on business value, criticality and other scorecard style criteria, companies can ensure value is realized across all areas of the business.
How is privacy enhanced across a secure cloud?
In order to understand levels of privacy and how these can be enhanced there are 3 questions to answer:
Who can access my data? Key considerations here include authentication, access control, authorization and auditing.
How do users access my data? Considerations here are network connectivity, encryption, audit, endpoint type and authentication.
Where is my data? Look at where the data is, physically; is it encrypted? If so, look at key management – is it geographically diverse? Understand regulation and compliance requirements.
By answering these questions, companies can gauge the appropriate controls that should be implemented to protect the privacy of the data and application.
What security risks can we expect with the growth of IoT and connected devices?
Open up any application on your smartphone; do you know what data it is collecting and/or sending to third parties? It’s pretty difficult to understand and to keep a track of. When this data-collecting app then becomes a device, the issue becomes even more complex. When investigating IoT enterprise users need to consider the privacy and protection of the data collected by IoT devices. At the scale enterprises are implementing IoT; this becomes a hugely complex challenge.
Access control and machine authentication is critical; this in turn means that key management becomes an even bigger challenge. Let’s consider an example to try to answer what this means in terms of risk: a power plant using IoT sensors to control cooling in a generator. If a malicious third party were to introduce erroneous data, an incorrect decision could be made to increase or lower cooling. At best the generator simply goes offline; at worst it potentially has a catastrophic failure.
What key trends are you seeing emerge in secure cloud technologies?
Connectivity and Managed Security are themes that come up time and time again. Enterprise customers are requesting private and secure connectivity mechanisms to cloud service providers, and the providers are rushing to deliver solutions that meet this need. The ability to deploy security services that mirror those used in an enterprise data center is a frequent request. There are also increasing numbers of requests for virtual appliances from key security vendors rather than enterprise users deploying dedicated hardware. Key management for encryption is also a big discussion area.
What are the main issues companies face with regards to cloud security?
Interestingly 39% of respondents to the “HBR: Cloud Driving a Faster more Connected Business” report said that security increased with the adoption of cloud services. The report discusses in depth the reason why, and it’s very noticeable that these responses show a trend of business working with IT increases security whilst improving reliability and integration with other corporate systems. This illustrates a change in thinking away from shadow IT towards strong integration and partnership between business and IT leaders.
Should secure clouds be managed by in-house security teams?
The answer to this critical question depends on the level of maturity of the in-house security organization. Mature IT operations means that there will be a segregation of duties across different departments, ensuring IT Security will be handled in-house. This will provide consistent reporting and tooling across in-house and cloud-based locations. We are certainly seeing an increased interest in using managed security services to manage secure cloud locations; it makes a lot of sense not just in smaller enterprise organizations but the bigger ones too.
How do secure cloud strategies sit alongside business continuity?
We would advise to view secure cloud strategies as an important consideration and often a key component in the delivery of a business continuity plan, rather than as a separate business component that sits alongside.
Also see Lee Field’s ‘The Enterprise Cloud Q&A’