Security Considerations for Clouds and Cloud Services

By Kurt Roemer and Christian Reilly

Through a combination of genuine concern and an unhealthy amount of fear, uncertainty and doubt, the advent of early cloud computing was initially heralded by traditional IT organizations as the beginning of the end of security. As time has passed and maturity levels have grown, is it safe to suggest that cloud computing is now being viewed through its silver lining as a rebirth of security?

In this post, a follow-up to our previous blog, we explore some key questions. What’s the reality of the cloud today? What’s changed to enable strong cloud-based security use cases? And what’s required and recommended for critical business functions and sensitive data to be protected in a trusted cloud?

All those initial doom and gloom predictions of early cloud computing have given way to more considered realizations that, in certain areas, cloud computing can indeed provide some very substantial benefits over the traditional enterprise computing model. But, as with all new and emerging paradigms, there are always two sides to the story.

Let’s take a brief look at some of the prevailing pluses and minuses that continue to make cloud computing so polarizing.

On the negative side of the cloud equation, many in traditional IT believe that clueless users are:

  • Haphazardly purchasing cloud services, without engaging IT in the due diligence decision process
  • Bypassing or circumventing internal governance policies, compliance mandates and contracts that clearly specify how to classify and protect sensitive data
  • Not configuring services for even the basics of security, including strong authentication, end-to-end encryption and audit logging
  • Disregarding lifecycle management and portfolio management by provisioning apps and data with little consideration for how access control is orchestrated
  • Not considering that cloud-based services are not deployed on the company network and therefore are subject to the availability, speeds and insecurity of raw Internet service
  • Directly entrusting data to a third party who would never be able to protect that data as well as the company’s IT department and their own trusted administrators. Shadow IT be damned!

On the positive side, end users might not be so “clueless”. Professionally managed cloud services can make applications more performant, cost effective and geo-specific, while delivering a level of security that’s prescribed, transparent and consistent (as carefully defined in the terms of service). Users adopt the cloud service willingly because it’s not the same old arduous and expensive one-size-fits-all model as promoted by IT. The cloud service simply removes many of the unnecessary IT barriers and makes it easier to get business done directly.

Both sides have valid points. And working towards integrating and automating requirements for securing sensitive data is exactly what’s needed. Let’s make that happen.

What’s the reality of the cloud today?

While most applications and data benefit from the security and cost models of a professionally managed cloud environment, today’s public clouds are not appropriate for everything. Cloud-unfriendly use cases include a combination of: materially-sensitive data that must never leave the concrete bunker, contractual obligations that specify onsite governance and demand full end-to-end physical control, as well as life-and-limb requirements for true offline access. Additional concerns are that rogue administrators can access data and manipulate services, that data that’s accessible can therefore be stored and moved anywhere, and that encryption must be always-on to be ensured for data in storage, in transit and in use. These issues are unfairly attributed to the cloud, when they’re also huge concerns in enterprise access models.

Much business is being conducted in the cloud today, even for sensitive applications that include payment processing, sales opportunity management, employee benefits and human resource management. While large organizations are often more tactical in the use of clouds, small and medium businesses have found that a “cloud first” model gives them the resources and cost structure to compete while assuring security, privacy and compliance in ways they never could have realized onsite.

What’s changed to make the cloud appropriate for security-oriented workloads?

The short answer is that cloud providers – from infrastructure to platform to apps and services – have addressed specific security use cases and concerns. There are clouds certified for PCI DSS, HIPAA and US Government usage via GovCloud. Most cloud providers also have zones to manage geo-specific availability, privacy and data sovereignty. Security services such as Cloud Application Security Brokers, Web Application Firewall, policy management and directory services are integrated with cloud providers and services. Multi-party administration has delegated and clearly delineated responsibilities, furthering the principle of least privilege for administrative access. Encryption has evolved into rich platform and customer-managed feature sets. Rigor of process, transparency and rich reporting features prove the value of a professionally managed cloud for security use cases.

The cloud has indeed become a mature platform for security.

Recommendations for delivering a more usable and effective cloud security posture

Tips for driving security sensitive workloads into the cloud include:

  • Have a documented set of security use cases, functional requirements, technical requirements, processes and procedures that drive purchase criteria. Share these with strategic partners and vendors to plan cloud migrations and lifecycle management.
  • Special use cases such as PCI, FISMA, HIPAA and geo-privacy require special cloud provisioning that must be demanded, with detailed and vetted compliance reports. Also design for the tough use cases of multitenancy, distributed administration, non-employee access and mitigation of third-party risk.
  • Avoidance of the cloud for “security reasons” should be the exception, not the rule. Take all of IT’s objections to the cloud and build them into comprehensive policies backed by technologies and practices that address those objections using a cloud model.
  • Define the shared administrative workflow model and responsibilities for providers, application and data owners and tenants. Ensure that no single administrator can negatively impact the security or availability of critical apps and services. Admin and privileged user replacement, succession and retirement must be carefully planned.
  • Portability is the flexibility to change cloud providers and must be considered across data, applications, user experience, usage cases and the administrative model. Migrating to clouds, across clouds and from clouds are essential aspects of portability.
  • Encryption is not optional and is not a checkbox! Encryption keys must be managed by those responsible for the data. This applies for company, customer, supplier and system administrative data. Encryption must protect data in usage, storage and transit within and between clouds, as well as external app and data interactions. Ensure sufficient algorithm and key strength for specific use cases across the intended lifecycle of the data.
  • Data sovereignty must be carefully considered for cloud deployments to keep data in country when required, satisfy local and regional privacy objectives and define sharing between sovereign enclaves. Configure zones for high-availability and data protection.
  • Multi-factor authentication is required for access to sensitive data. Investigate the use of CASB as well as identity brokering and federation for enterprise authentication to clouds. Ensure that a web application firewall is configured to protect all critical web and web-services interfaces – especially authentication.
  • Assure transparency, and monitor contracts for undesired changes to terms of service and privacy policies. Look for CSA STAR Alliance membership as a great way to see what features and practices are supported, as well as to compare cloud offerings.

Tech Tip: Are your users going direct to consumer-grade cloud services? Set up redirect policies on your load balancer to inform them to use enterprise-approved services instead, and automatically redirect them to the appropriate app.
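The decision logic behind such a redirect policy, as an added example (not the authors' code and not any particular load balancer's syntax). All hostnames and the notice URL are constructed placeholders, and it assumes the load balancer can see the request's Host header.

```python
from urllib.parse import urlencode

# Constructed policy table: consumer-grade domain -> enterprise-approved app.
# Every hostname here is a placeholder, not a real service.
REDIRECT_POLICY = {
    "files.consumer-share.example": "https://files.corp.example/",
    "consumer-notes.example": "https://notes.corp.example/",
}
# Hypothetical notice page that explains the policy and forwards to the app.
NOTICE_URL = "https://intranet.corp.example/approved-services"


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: never a policy match, leave as is
        return host
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def match_policy(host: str):
    """Return the approved URL if host is a listed domain or a subdomain of one."""
    for domain, approved in REDIRECT_POLICY.items():
        # Compare on a label boundary so "notconsumer-notes.example"
        # is not mistaken for "consumer-notes.example".
        if host == domain or host.endswith("." + domain):
            return approved
    return None


def evaluate(host_header: str):
    """Return (status, headers) for a redirect, or None to pass the request on."""
    host = normalize_host(host_header)
    approved = match_policy(host)
    if approved is None:
        return None
    # 302 with no-store, so browsers do not cache the redirect and a later
    # policy change takes effect immediately.
    query = urlencode({"blocked": host, "use": approved})
    return 302, {"Location": f"{NOTICE_URL}?{query}", "Cache-Control": "no-store"}
```

Passing the original host to the notice page lets it tell the user which service was replaced and gives the log a record of how often each consumer service is being requested.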

Kurt Roemer
Chief Security Strategist

Christian Reilly
VP Chief Technology Officer Workspace Services