How to fix cloud security
The five tips for effective cloud security
By Elisabeth Horwitt | Computerworld US | Published: 15:52, 02 February 2010
For Logiq³, the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility.
A start-up that began operations in 2006, the life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock to handle its data needs in the cloud.
BlueLock's virtualised environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.
There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books.
Although Logiq³ isn't regulated by the US government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.
Logiq³ is far from alone. While security and compliance issues crop up in any web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown - "which in itself is a risk," says Jay Heiser, an analyst at Gartner. "If I can't figure out how risky something is, I have to assume it isn't secure."
5 tips for effective cloud security
- Find out as much as you can about a software-as-a-service provider's security measures and infrastructure. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.
- Encrypt data at rest and in transit; otherwise, don't put sensitive information in the cloud.
- Divvy up responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers.
- Check whether a vendor has been accredited as meeting SAS 70 Type 2 and ISO 27001 security standards. If you are an international company, check for European Safe Harbor accreditation as well.
- Go with a high-end service provider with an established security record. "You get what you pay for," says Gartner analyst Jay Heiser.
The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated at websites like Linkedin.com's Cloud Computing Alliance. So far, there have been few instances of a successful, large-scale data breach on a public cloud. Just recently, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com's EC2 cloud computing infrastructure by first hacking into a website that was hosted on Amazon servers.
It is, in other words, early days yet in the cloud computing industry. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out just exactly what the risks are and how to counter them.
Divvy up responsibility
A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who has responsibility for securing and protecting what components of the IT infrastructure, which often spans both companies' systems.
Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, at Logiq³, Westgate decided to let BlueLock handle patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies.
The division of labor between Logiq³ and BlueLock actually strengthened security, because "no one person, or company, has all the keys to the kingdom," says Westgate. Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."
How much responsibility lies with the cloud-based service provider largely depends on the type of service.
With an IaaS setup, for example, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro Inc.'s Data Protection group.
The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds.
In contrast to IaaS arrangements, a software-as-a-service provider is usually responsible for protecting whatever customer applications and data reside on its cloud. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.
IBM's LotusLive SaaS offering, for example, which was launched January 2009, utilizes "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. For example, LotusLive data centers are protected by environmental and biometric controls, including closed-circuit TV. Access control is handled by IBM's enterprise-scale Tivoli software.
However, many cloud-based service providers -- and SaaS providers in particular -- feel that their security practices and technologies give them a competitive advantage, so they don't like to reveal details about how they approach security. This means companies have to take the vendor's word that its systems are indeed secure and compliant. "Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser.
"They may have incredibly secure and robust systems, but there's no sensible way to ensure this." Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues, but weak when applied to new forms of technology."
Playing nicely with the cloud
Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs.
For example, Pfizer had outsourced some security services to D3 Security Management Systems Inc. and was interested in using Oracle's Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology.
Anderson solved the problem by using Symplified's SinglePoint Cloud Access Manager, which does not use an agent, but rather interacts with D3's published APIs, he says.
Since IaaS customers technically own their virtualized slice of a vendor's infrastructure, they can install security software and controls. However, only a few vendors provide products that can protect both private and public cloud-based environments.
One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity such as file changes for unauthorised activities, Thiemann says.
Shavlik, a cloud-based vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers - including its own IaaS provider, says Mark Shavlik, the company's CEO.
Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq³'s Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik: I've been using it for patch and configuration management for years," he says.
Access control in the cloud
The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public cloud-based systems, where access control has to be correlated between the customer and the service provider - and often several service providers.
Pfizer uses Symplified's SinglePoint Cloud Access Manager to provide single sign-on (SSO) functionality across different SaaS providers and applications. When the end user moves between an Oracle- and a Symplified-managed domain, for example, he still has to log on again but he can use the same set of credentials, Anderson says.
Symplified and Ping Identity are two vendors that currently provide SSO systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems.
However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardised form of access management, so the customer would no longer have to bear that burden.
Another access management concern when dealing with a cloud-based service - or any outsourced service for that matter - is how to ensure that the service provider's system administrators don't abuse their access privileges.
Again, SaaS customers don't have a lot of control or oversight of how the service provider addresses that issue. IaaS providers, in contrast, will often allow a customer to install event log monitoring software on their virtualised portion of the infrastructure.
Logiq³, for instance, uses Sentry Metrics's security event management service, which monitors event logs, does trend analysis and reports on anomalies. So the Sentry Metrics system could, for example, alert Logiq³ when a BlueLock administrator logs on without being given a specific job to do, Westgate says.
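The check Westgate describes, a provider administrator logging on without an assigned job, can be expressed as a simple correlation between the logon events and the customer's open work orders. The following Go program is an added illustration of that correlation; it is not Sentry Metrics' code and does not reflect its product. The event-log line format and the work-order (ticket) structure are assumptions made for the example, and the log lines and ticket are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LogonEvent is one administrator logon parsed from an event log line.
type LogonEvent struct {
	When time.Time
	User string
	Host string
}

// WorkOrder is an approved task that authorises a named provider
// administrator to log on to one host during a time window.
// (Hypothetical ticket structure; real ticketing systems differ.)
type WorkOrder struct {
	Ticket string
	User   string
	Host   string
	Start  time.Time
	End    time.Time
}

// parseLogon parses an assumed log line format:
//   <RFC3339 time> LOGON user=<name> host=<host> role=<role>
// and returns ok=false for anything that is not a provider-admin logon.
func parseLogon(line string) (LogonEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 || fields[1] != "LOGON" {
		return LogonEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return LogonEvent{}, false
	}
	ev := LogonEvent{When: ts}
	providerAdmin := false
	for _, kv := range fields[2:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "user":
			ev.User = parts[1]
		case "host":
			ev.Host = parts[1]
		case "role":
			providerAdmin = parts[1] == "provider-admin"
		}
	}
	if !providerAdmin || ev.User == "" || ev.Host == "" {
		return LogonEvent{}, false
	}
	return ev, true
}

// covered reports whether some work order authorises this logon: same
// administrator, same host, and a logon time inside the approved window.
func covered(ev LogonEvent, orders []WorkOrder) bool {
	for _, o := range orders {
		if o.User == ev.User && o.Host == ev.Host &&
			!ev.When.Before(o.Start) && !ev.When.After(o.End) {
			return true
		}
	}
	return false
}

// UnticketedLogons returns one alert per provider-admin logon that no work
// order covers. Customer-admin logons and non-logon lines are ignored.
func UnticketedLogons(logLines []string, orders []WorkOrder) []string {
	var alerts []string
	for _, line := range logLines {
		ev, ok := parseLogon(line)
		if !ok {
			continue
		}
		if !covered(ev, orders) {
			alerts = append(alerts, fmt.Sprintf(
				"ALERT %s: provider admin %q logged on to %s with no open work order",
				ev.When.Format(time.RFC3339), ev.User, ev.Host))
		}
	}
	return alerts
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample data: one approved firewall change window, and a log
// with one ticketed provider logon, one customer logon, and one unticketed
// provider logon in the middle of the night.
var sampleOrders = []WorkOrder{
	{Ticket: "CHG-0042", User: "prov.admin1", Host: "fw-edge-1",
		Start: mustTime("2010-02-01T22:00:00Z"), End: mustTime("2010-02-01T23:00:00Z")},
}

var sampleLog = []string{
	"2010-02-01T22:14:07Z LOGON user=prov.admin1 host=fw-edge-1 role=provider-admin",
	"2010-02-01T22:20:31Z LOGON user=jsmith host=app-1 role=customer-admin",
	"2010-02-02T03:41:55Z LOGON user=prov.admin2 host=db-1 role=provider-admin",
	"2010-02-02T03:42:10Z LOGOFF user=prov.admin2 host=db-1 role=provider-admin",
}

func main() {
	for _, a := range UnticketedLogons(sampleLog, sampleOrders) {
		fmt.Println(a)
	}
}
```

Only the logon on db-1 produces an alert: it is a provider-admin logon with no ticket covering that user, host and time. In practice the work orders would come from the customer's change-management system and the log lines from the IaaS tenant's own event-log forwarding, so the correlation runs on data the customer controls rather than on the provider's say-so.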
Checking bona fides
Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service. So how do you ensure that sensitive data is adequately secured and protected?
Service level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared to the cost of a major security breach.
Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds.
Another standard by which to evaluate a service provider is ISO 27001, which defines best practices for designing and implementing secure and compliant IT systems.
While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.
For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.
Cautioning users doesn't work
Many companies that want the cost benefits of cloud-based services but still have security concerns tell their end users not to put sensitive data on the cloud. But this is generally an exercise in futility, according to Heiser. "The problem is that users often don't know what's sensitive, and probably won't follow the rules anyway," he says. "You can assume that any application or data service end users can pump with data will get sensitive data eventually."
Pfizer is in the process of establishing a SaaS center of excellence to educate users about the correct way to deal with SaaS activities, Anderson says. In addition, his group is establishing best practices for procurement of SaaS services. Among other things, those best practices forbid applications that involve competitive or personally identifiable information from being included in a SaaS setup.
Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider -- adding yet another party to the equation.
Take the case of Cloud Compliance, which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems.
"There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers.
For example, Cloud Compliance encrypts data in transit and gives customers the option of either encrypting data at rest -- on Cloud Compliance's Amazon-hosted servers - or not putting any data in the cloud. The latter option involves a performance hit, since customers have to re-upload data into the cloud every time an application is run, but some customers accept that trade-off in return for a higher level of security, Forkish notes.
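The "encrypt at rest" option above, and tip two in the list at the top of the article, come down to the customer encrypting records before they leave its control, so that neither the IaaS provider nor the SaaS vendor holding the storage can read them. The Go program below is an added illustration of that pattern using AES-256-GCM from the standard library; it is not Cloud Compliance's code and makes no claim about how that company or Amazon implements encryption. The key generation stands in for whatever key store the customer uses (an assumption), the record identifier is bound into the authentication tag so a ciphertext cannot be silently moved between records, and the sample record is constructed. Encryption in transit is assumed to be handled separately by TLS and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what gets uploaded to the provider: ciphertext plus the metadata
// needed to decrypt it again. No key material is part of the record.
type Record struct {
	ID         string // plaintext identifier, also bound into the GCM tag
	Nonce      []byte // 12-byte nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output: encrypted data plus 16-byte tag
}

// NewDataKey generates a 256-bit key that stays with the customer.
// (Stand-in for a real key store or HSM; hypothetical for this example.)
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under key before upload. The record ID is
// passed as associated data, so the same ciphertext stored under a
// different ID will fail to decrypt.
func SealRecord(key []byte, id string, plaintext []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return Record{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts a record fetched from the provider and verifies its
// tag. It fails on a wrong key, a modified ciphertext or nonce, or an ID
// that does not match the one the record was sealed under.
func OpenRecord(key []byte, r Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(r.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("record %s failed authentication: %w", r.ID, err)
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is a placeholder, not real data.
	rec, err := SealRecord(key, "death-record-000123", []byte("SSN=000-00-0000 status=verified"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: id=%s nonce=%x ct=%x\n", rec.ID, rec.Nonce, rec.Ciphertext)

	pt, err := OpenRecord(key, rec)
	fmt.Printf("customer decrypts: %q err=%v\n", pt, err)

	// Simulate corruption or modification while the record sat in storage.
	rec.Ciphertext[0] ^= 0x01
	_, err = OpenRecord(key, rec)
	fmt.Println("after storage modification:", err)
}
```

What the provider's administrators can see is the record ID, a nonce and ciphertext; without the key held by the customer the content is opaque, and any alteration in storage is caught at decryption time rather than silently returned. This is also the mechanism behind the "no one has all the keys to the kingdom" split described earlier: the provider runs the servers, the customer keeps the data keys.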
Cloud Compliance's external customers do ask about Amazon's security, Forkish says. The concerns they raise change from month to month, depending on what vulnerabilities the press has been writing about, he adds. Cloud Compliance will either address their concerns or, if it can't, pass them on to Amazon.
"In some cases, we don't get a response, and we figure this is a real issue, but they're working on it," Forkish says. But the recent Zeus botnet incident on Amazon, he says, "as far as we can tell, was not a threat over and above what we would expect for an Internet service, cloud-based or not."
Compliance in the cloud
Public clouds add a whole new set of issues to regulatory compliance -- issues that providers, users and regulators themselves are just starting to look at. HIPAA and Sarbanes-Oxley privacy and data-retention requirements weren't designed with cloud-based services in mind. "IT staffs have to figure out new ways to analyze and assess risk, and how to meet compliance requirements," Forkish notes.
"Many compliance standards require being able to point to where data is, which is impossible with a cloud. And there's legal discovery, getting access to data when required. Can discovery be done by a third party without your knowledge because it resides on cloud storage? These are examples of things I think will be worked out over the course of the next couple of years."
In the meantime, Forkish suggests, many businesses, especially those in highly regulated industries, will entrust their sensitive data to private clouds or traditional managed services "and maintain the status quo."
And then there are the pioneers like Logiq³'s Westgate, who says he sees cloud computing as "a natural evolution of how we are managing systems in this industry" and adds that the key question about this evolution "is not why, but why not?"