When our Director of Sales and Marketing asked me how one goes about Securing the Cloud, I thought it was an interesting subject, for certainly that depends on who you ask, what we mean by security, not to mention what you mean by "Cloud". In today's rapidly evolving IT environment, Cloud security is something we should all be concerned with. Organizations need to make sure their customer data is safe in the cloud, and end users (consumers) should be aware of what the cloud is and how it affects the assets they wish to protect.
The National Institute of Standards and Technology defines cloud computing as:
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
The NIST also defines five essential characteristics that compose the Cloud model, three separate service models, and four deployment models. The essential characteristics are On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured service. While the use of virtualization is not a specific requirement for the Cloud, it typically plays a key role in facilitating cloud offerings. Multi-tenancy is another aspect of the cloud that is often treated as an integral component, although not part of the formal definition.
THE SERVICE MODELS
Software as a Service (SaaS) - Provides consumers with access to some service or application running on a cloud infrastructure. The customer does not manage or control the underlying infrastructure such as network, servers, operating systems, or storage. The customer has the ability to manage customized settings within the application only.
Platform as a Service (PaaS) - Consumers are granted access to an application hosting environment where they have the ability to deploy custom applications they create/acquire using tools/platforms supported by the provider. The customer does not manage or control the underlying infrastructure such as servers, operating systems, network, or storage, but has control over the deployed applications and custom settings within those applications.
Infrastructure as a Service (IaaS) - The consumer is able to provision processing, storage, networks, and other fundamental computing resources. This allows the customer the ability to deploy custom software such as operating systems and applications. The customer does not manage or control the underlying infrastructure but can have access to networking interfaces such as firewalls.
THE DEPLOYMENT MODELS
Private Cloud - The cloud infrastructure is provisioned for exclusive use by a single organization. It may be owned, managed, and operated by the organization or a third party, and it may exist on or off premises.
Community Cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community or a third party, and it may exist on or off premises.
Public Cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid Cloud - The cloud infrastructure is composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
When we discuss security, we are usually concerned with Logical security and Physical security.
Logical security protects data by utilizing software safeguards such as authentication methods, authorization, and enforcement of user permission levels. Common examples of this layer are:
- A username and password combination that was assigned to access a network or shared resource.
- Token-based authentication - a user is able to generate a token such as a cryptographic hash that identifies the user and no password is actually shared as part of the authentication scheme.
- Two-way authentication - In addition to providing credentials or a token, the user must respond to a challenge presented by the system before gaining access to resources. An example would be for the system to present a security question when the user is logging in from a new device or network.
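The token and challenge steps in the list above, as an added example that is not part of the original article: a server issues an HMAC-signed, expiring token after login, later requests present only the token, and a token from an unrecognised device triggers a security-question challenge. This is one common way to build such a scheme; the key, user, device names, and function names are hypothetical, and the sample data is constructed.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)       # hypothetical server-side signing key
_SALT = secrets.token_bytes(16)            # salt for stored challenge answers
KNOWN_DEVICES = {"alice": {"laptop-01"}}   # constructed sample data

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def _answer_hash(answer: str) -> bytes:
    # Store only a slow, salted hash of the answer, never the answer itself.
    norm = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, _SALT, 100_000)

SECURITY_ANSWERS = {"alice": _answer_hash("maple street")}  # constructed

def issue_token(user, device, ttl=300, now=None):
    """Issue a signed token once the user has logged in; no password inside."""
    now = time.time() if now is None else now
    claims = {"sub": user, "dev": device, "exp": int(now) + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the claims if the signature is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):  # constant-time compare
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):                       # malformed token
        return None
    return claims if claims["exp"] > now else None

def access_decision(token, challenge_answer=None):
    """Return 'allow', 'challenge' (new device, answer needed) or 'deny'."""
    claims = verify_token(token)
    if claims is None:
        return "deny"
    if claims["dev"] in KNOWN_DEVICES.get(claims["sub"], set()):
        return "allow"
    if challenge_answer is None:
        return "challenge"
    stored = SECURITY_ANSWERS.get(claims["sub"], b"")
    ok = hmac.compare_digest(_answer_hash(challenge_answer), stored)
    return "allow" if ok else "deny"
```
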
Physical security is responsible for securing access to the infrastructure, datacenters, buildings, and other assets such as employees. In addition to protecting against unauthorized access or damage by individuals, physical security should also address withstanding natural disasters, climate control and preventing accidental damage.
As you move down the cloud stack, the consumer becomes more responsible for implementing and managing security measures. For example, an IaaS provider will secure the infrastructure, but it is up to the consumer to implement proper security measures in the operating systems and software they choose to host on the provider's system. At the top of the stack, SaaS providers are responsible for the most, as they must secure the infrastructure as well as their networks and applications, and provide strong logical security measures to protect customer data. Regulatory compliance also comes into play, especially when dealing with credit card, healthcare, and financial data (PCI, HIPAA, SOX).
When assets or infrastructure are moved off premises into the cloud, the consumer must make sure that their Cloud Service Provider has adequate physical controls in place, as well as logical controls to mitigate potential threats that might emerge. Monitoring of logs, for example, becomes difficult if not impossible when using a SaaS provider, since the server logs will most likely not be available to the consumer and will contain information for multiple customers.
Some potential threats present in a cloud environment but not found in a traditional datacenter have to do with virtualization and multi-tenancy. Resource pooling on a virtual machine host increases the risk of noisy neighbors and resource contention. A guest OS handling a high I/O and CPU workload for one customer could result in poor performance for other guest OSes, creating a denial-of-service scenario for the affected customers. Attacks against the hypervisor are also on the rise: if a guest OS maliciously attacks and compromises the host, the other resident guests are now at risk of being compromised. It is critical to make sure the Cloud Service Provider has adequate security zones (virtual networks, VLANs) configured per tenant and that they adhere to best practices when updating their virtual infrastructure to ensure a secure environment.
As companies move their data to the cloud to take advantage of the time and cost savings, a comprehensive risk assessment should be made on the assets being moved so that proper monitoring and incident response plans can be crafted to deal with potential breaches. Encryption of data at rest (at the cloud provider site) and in motion (data travelling to and from the CSP) is also a key element that can improve security posture when dealing with a cloud provider. SLAs should address what logs consumers will have access to in the event of a compromise, as well as detail the specific countermeasures being taken to mitigate threats to the data. Cloud offerings hold tremendous reward for companies in terms of reducing overall expenditures and saving time, but there is also risk as control over assets is passed on to another organization and out of immediate physical control. Proper vetting of service providers and adherence to industry standards are crucial to maximize return.
- Steve Kohler is Vice President of Systems Development at B2BGateway.