By Ian Moyse, Sales Director www.workbooks.com, Eurocloud UK Board Member & Cloud Industry Forum Governance Board Member
Security is one of the most important factors for companies that want to store data and operate using the cloud, and it continues to be highlighted as the greatest concern in end-user studies. Implementing and utilizing a cloud solution brings great potential benefits, but also introduces challenges around securing content and access control. The cloud offers the promise of large potential savings in infrastructure costs and improved business agility, but concerns about security are a major barrier to implementing cloud initiatives for many organizations. Before transitioning to the cloud, you need to figure out how to implement and enforce an effective security program.
What you will learn…
The benefits of cloud computing are resounding, but businesses are still wary of the security implications. How are you assured that your data is as safe in the cloud as it is on your own network? What are the security pros and cons of utilising the cloud? And what steps should you be taking to ensure your cloud experiences are not only beneficial to your users, but also secure for your business? In this article you will learn about the security areas to consider when adopting cloud solutions and some of the questions you should make sure to ask.
What you should know…
This article is aimed at those with a fundamental understanding of cloud and security concepts, but is written to be informative for anyone in an IT or business role who is concerned or has read about cloud security issues.
About the author
Ian Moyse has over 25 years of experience in the IT sector, with nine of these specialising in security. For the last 8 years he has been focused on Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF), and in early 2012 was appointed to the advisory board of SaaSMax. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011, and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.
Cloud security refers to the computer, network and information security of cloud computing providers and incorporates data protection, infrastructure and governance issues. The security concerns surrounding cloud computing are generally considered to be security and privacy (of the information stored), compliance (with legislation and user company policy) and legal/contractual issues. In end-user survey after survey, the top two issues that surface are security (with data typically the lead concern) and reliability (meaning availability and accessibility). A good reference point for this is the Cloud Industry Forum's 2011 Cloud Adoption and Trends Survey, where 64% cited security as their most significant cloud concern.
"Another study, carried out by network performance monitoring company Network Instruments, added confirmation that the top cloud challenge is the security of corporate data, with 45% of respondents surveyed reporting it as their key concern."
As with other major technology transitions, cloud computing has gained widespread attention and scrutiny in the media. We have seen stories abound around cloud, SaaS (Software as a Service), PaaS (Platform as a Service), etc., both in the consumer (e.g. iCloud) and business worlds. Many of the stories have scaremongered, seeing cloud as a pure risk and citing exposures such as Sony and Blackberry as examples of security and reliability failures in the cloud, which you could hardly fail to notice. Sony is a good case in point, where the press reported in April 2011 that “Two of Sony's online gaming services, were hacked, compromising confidential data of more than 100 million customers.” under banner headlines of a cloud failure! This could better be described as an internet issue. Sony wasn’t delivering a hosted service on behalf of customers; it was delivering a service accessed over the ‘cloud’, much like Instant Messenger, Amazon or any other online seller or provider of wares. The core issue was that they held customers' identities and payment details! This breach could equally have happened to any online e-tailer such as eBay, PayPal, Amazon or others that you may use and trust yourself. The “Cloud’s” generic branding is utilised quickly in such instances as a useful hyped term, one that covers anything internet based. It is a wide sweeping brush, and Sony became the poster child for it.
The Sony leak was followed by a later report from an independent security expert, which found that 67% of the users whose passwords were published in the Sony leak were still using the same password that had been leaked a year prior in the Gawker 2010 breach. Meaning users who knew their password had been leaked previously, and knew they used the same password on Sony Online, had not believed there was a need to change it or had not taken the action to do so! Users' responsibility for their part in security remains an issue whether on the network or in the cloud, of course!
Sony of course started paying its toll, with a flow of share price drops in the weeks following the issue going public, taking it from above $30 down to $20 a share. However, today, only a year on, how many of the 24 million affected Sony users have deserted the provider? Relatively few. In the scheme of things there was moral outrage, but consumer apathy bore out and the news has passed!
As an increasing number of legacy IT Vendors move to offer cloud computing as part of their portfolio, they have played down the concerns around security. However, even with industry heavyweights now committing heavily to the cloud, customers are far from blindly trusting the cloud model.
While IT teams may embrace cloud services as a way to achieve cost savings and increased business flexibility, these technologies are introducing new components and environments which change the security challenge once more. The security challenges in the cloud should be familiar to any IT manager: loss of data, threats to the infrastructure, and compliance risks, with the focus varying depending on the size of the organisation you represent. Cloud security is a complex topic with many considerations, ranging from protection of hardware and platform technologies in the data centre through to regulatory compliance and defending cloud access from different end-point devices.
Whether you are implementing a private or public cloud or a hybrid model that includes both, security must be a strong component of your solution.
IT security in itself, even before cloud, already carries a great deal of responsibility. It must protect corporate assets from an ever increasing volume and sophistication of attacks, ensure any regulatory compliance is met, monitor and protect the business against internal threats, and keep information from leaking through an ever increasing number of mediums including email, the web and social networks. Over the past decade the IT security market has expanded rapidly as vendor solutions to thwart all the attack types have come into being, and IT security has become more complex, with a need not only to understand basic point solutions but to correlate a range of vendor offerings together in a coherent manner and ensure they are also configured and updated accurately. Attackers have become more adept at penetrating systems, often still using the user as the weak link, and whereas they used to only care about high-profile or larger targets, they are now also setting their sights on smaller companies to achieve their goals.
To this end, existing on-site security solutions and infrastructure may not be sufficient or cost effective to protect against the dynamic, growing and changing attack landscape. This is not a reason alone to consider a move to the cloud, but cloud security approaches are now recognised as highly effective (in reducing cost and complexity) defence mechanisms when approached diligently.
A 2012 survey commissioned by Microsoft indicated for example that SMBs are gaining significant IT security advantages from cloud computing, with 35% surveyed experiencing “noticeably higher” levels of security since moving to the cloud and 32% spending less time each week managing security than companies not using the cloud. Security, rather than acting as a barrier to cloud adoption in smaller businesses, is in fact one of the key benefits that they can experience by moving to the cloud.
The economies of scale and flexibility the cloud brings can be a friend and a foe from a security aspect. The concentration of data presents an attractive target to attackers, but cloud defences can be more robust, scalable and cost-effective than a self-build-and-manage approach! You must face the reality, though, that many employees will be using cloud services regardless of whether this is offered up by the business and IT as official policy.
How does security differ with private vs. public clouds? Businesses directly control the security of private clouds, whereas with a public cloud they rely on the standardised delivery and security of the cloud provider. Doing it yourself can give you control, but it also gives you the responsibility and overheads of delivery, updating, configuring and responding to threats. With a public cloud and a carefully chosen vendor, the security of the cloud component is done for you, typically with you retaining control over access management and policies through your management portal. There are pros and cons of each approach, and do not assume vendors are all equal; doing diligence and asking pertinent questions is key. Also understand that utilising a public cloud vendor does not remove your security responsibilities, as there remains a need to secure your endpoints, user access and user security.
Private cloud security has similarities to that of security in the traditional datacentre. Worries remain around network security, authentication, auditing and identity management. However, you are no longer in complete control of the workloads, or even of the operating systems that are running in your datacentre. With a private cloud, the consumers of your services can spin up new operating systems and create new applications, depending on the service model you make available to your users. Therefore you need to address new areas such as the following:
- Who has the right to access and consume your cloud services?
- Do you have controls over the behaviour of the services and operating systems that your private cloud customers will be able to run up?
- Are you able to identify self-service users that may represent potential threats, such as anyone using stolen credentials?
- Do you have mechanisms to ensure that users cannot migrate their user role into an administration role?
- Do you have a way to automate security responses to incidents, such as possible denial of service situations?
Public cloud is going to require that you do your diligence on the cloud provider: for example, asking where they host, who with, where your data is located, who has access to it, what security policies they operate, and what access you have to apply your own security policies (access control, for example). Is your data striped across multi-location datacentres? Do they apply data mingling, where your data is in the same host and database as other customers’, or are you allocated a separate and discrete data store in the service?
Very few, if any, companies will move completely to the cloud in the short term; there are too many legacy systems to maintain that are cloud unfriendly. Regulation will also play a part in areas which delay or restrict cloud from being a viable solution (for now).
Cloud brings great advantage to mobile users, and with estimates from Gartner that by 2014 around 80% of professionals will use at least two personal devices to access corporate systems and data, the two are likely to become more entwined. The growth of mobile access and BYOD (Bring Your Own Device) cultures is moving the security perimeter out past the organisation's infrastructure to bold new areas. The cloud has delivered an expectation of applications that are free from the constraints of legacy desktop-tied clients and that can be accessed anywhere from pretty much any device. Cloud combined with mobile/BYOD can deliver major benefits to the productivity and flexibility of an organisation's workforce, but introduces a new range of security concerns. IDC recently stated “Mobility will present the greatest security challenge in the next five years.”
Security experts have highlighted how BYOD can put an organisation’s network at risk, because workers could inadvertently transfer a virus-infected file into the network, or gain access to and ownership over restricted organisational data by downloading it on to a device that is not owned and secured by the business. With cloud, of course, the user is increasingly likely to want to use a mobile device, and with a mobile device the user is likely to demand more access to cloud-like applications. The fact is that perimeterless security is harder.
Off the back of cloud and mobile devices comes authentication. How does a user authenticate securely to the cloud service (private or public)? Do they log in via a browser on the mobile device, or have a mobile client that pre-authenticates that device? If it is a client login, how will the user remember an ever increasing number of passwords? (This is already an issue in most user domains, despite the promises of Single Sign On and directory systems.) Also, cloud services, like web sites, tend to use different user ID and password formats: some an email address, some first name and surname, some an employee number, and with varying password lengths and rules around the characters to be used. All of this is a security aspect that needs to be considered. How will you secure users outside your directory, and with systems accessible from any device? With cloud applications the user credentials become even more valuable, as the login is often no longer tied to a VPN connection or device, so ensuring that the user (person) side of password protection doesn’t slip up is essential in the cloud world, as if it wasn’t already!
Data governance and security have headline visibility whenever cloud is mentioned and are a top concern for adoption. Under new guidance from the National Institute of Standards and Technology, users and not providers have ultimate responsibility for the security and privacy of data stored on the public cloud. Guidance co-author and NIST Computer Scientist Tim Grance commented "accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfil." This is a good thing and to be expected. Utilising cloud does not and should not totally absolve you of security responsibility for your users' behaviour.
In pursuing public cloud services, the guidelines recommend that organisations:
- Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
- Understand the public cloud computing environment offered by the cloud provider.
- Ensure that a cloud computing solution of cloud resources and cloud applications satisfies organisational security and privacy requirements.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
A simple question that often gets asked of a cloud vendor is “Where is your datacentre located?”. Advised questions would also include “And is that where my data will be held?” and “Where is your backup data centre?”. Further questions have arisen from recent reports highlighting that simply looking to keep data in the EU is not enough for European firms. In June 2011, the managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US, and that it would try to inform its customers of any data request as it happened, but that it would not guarantee this! Meaning that if you do business with a UK subsidiary of a US-based cloud operator, you can choose to specify that English law applies and ensure they offer you an EU-based data centre operating under EU data protection laws, but your data is still open to US access if your vendor is US owned. If this is of concern, you need to ensure that your provider is European owned and legislated. Of course this would exclude many mainstream providers such as Amazon, Google and Microsoft, so there are always balances and measures to apply in your decisions.
Gartner believes all cloud customers should have some basic rights to protect their interests and defined six of these as being:
- The right to retain ownership, use and control of one's own data
- The right to SLAs that address liabilities, remediation and business outcomes
- The right to notification and choice about changes that affect the service consumer's business processes
- The right to understand the technical limitations or requirements of the service up front
- The right to know what security processes the provider follows
- The responsibility to understand and adhere to software license requirements
In addition to security approaches, more education is also needed on cloud across all sectors to enable businesses to understand and utilize this important new technology option to their advantage in a secure manner, and this need for understanding stretches past the border of the IT department. CompTIA’s Cloud Essentials certification is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and sit exam-condition testing. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world. Lack of knowledge breeds concern and risk. If you are in IT or in a position of influencing your strategy, start educating now on the various forms of cloud and how to secure them in your environment. Resistance and ignorance will deliver only a short-term strategy for cloud in the ever competitive business world.
Those wishing to learn more and participate in the cloud can also find some great vendor-independent resources such as http://www.cloudindustryforum.org/, https://cloudsecurityalliance.org/ and http://www.eurocloud.org/.
Can you utilise cloud, private and public, securely? Yes. Does it pose new security challenges? Another yes. Do cloud security questions give you a reason to ignore cloud and maintain the status quo of on-network deployments? In places, of course, you will decide that a specific application or requirement is best served on the network, but it is certainly not an all-encompassing no! Cloud offers a lot of benefits, varying by organisation and application, and the security aspects can be overcome as others have been in the past. Educate, learn, adapt and adopt, as cloud is here to stay in its varying forms; there are too many success stories and businesses doing well utilizing cloud for security to be a pure-play excuse any longer.