If you are going to run business-critical systems in the cloud you need to understand the security implications, so FSN contributing editor Lesley Meall explores emerging cloud security concerns and practices.
Predicting the future is a risky business, whether you are an end-of-the-pier fortune teller or the Big Brother of the internet, but this didn’t stop the UK technical lead for Google, Xenophin Lategan, from having a go at the recent Storage Expo, where he reportedly suggested that “soon, the browser will be the new desktop or new operating system for users.” For many, it already is.
The internet has made a lie of that old chestnut ‘there is no such thing as a free lunch’. Consumers have migrated into the cloud en masse, drawn first by the lure of free email, and more recently by myriad other free web-based services for communicating and sharing, ranging from blogs, through social networking sites, to VoIP, with the corporate world shuffling along a couple of paces behind.
Many organisations have chosen to explore the world of virtualised services via electronic communications – and they’ve been doing this since the earliest days of the ‘application service provider’. But over the past couple of years, along with the emergence of ‘cloud computing’ in the form of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), there has been a paradigm shift.
It’s not just corporate email any more. When Storage Expo surveyed more than 400 IT professionals, it found that 90 per cent worked for organisations that had migrated to a virtualised environment – in some shape or form. Statistics can all too easily be used to prove the most preposterous propositions, but it is hard not to believe the reason for ‘holding back’ given by the survey respondents who have not rushed into the cloud: security.
New risk landscape
As Adam Bosnian, VP of products, strategy and sales at Cyber-Ark observes: “The process of storing, accessing and sharing company data and processes remotely on the internet has changed the audit and risk profile of systems in many organisations, and whilst the economics of going down the cloud route are highly attractive, there are a number of security issues to consider.” Quite a few, actually.
The de-perimeterisation of enterprise data processing creates myriad governance and security issues in areas including compliance and audit, enterprise risk management, information lifecycle management, legal, and portability and interoperability; the specific concerns range from application security and cross-border data transfer to incident response and information lifecycle management.
“Traditional approaches to securing a network boundary are at best flawed, at worst inefficient,” warns Adrian Seccombe, chief information security officer and senior enterprise information architect at Eli Lilly and a member of the board of the Jericho Forum, because cloud computing comprises many processes that bypass or undermine the traditional perimeter firewall, and the problem can’t be solved by simply acquiring a new firewall or virus scanner.
“Virtually all company IT systems are engineered to support physical devices,” adds Bosnian, “so integrating a cloud environment into the IT resource usually involves a lot of work on the software and integration front.” And it won’t be easy. “In the real world, you can see your PC or drive has been stolen,” he observes, “but in the virtual world there are no such comforts.”
Enterprises will need to assess their policies and procedures in the context of this new and more dynamic environment, and they will almost certainly need to make adjustments. “To counter these issues, it is necessary to employ a carefully defined risk analysis of IT systems and procedures before you can make a decision on which cloud technology and service is the best option for your organisation,” suggests Bosnian, “before later steps such as the creation of service level agreements, remediation procedures and penalty clauses are started.”
Live by the sword
Before you can undertake a clearly defined risk analysis of your IT systems and procedures, you need to really understand cloud computing, and its myriad potential security implications. Fortunately, you can find increasing amounts of guidance online and off. The body for IT governance professionals, ISACA, recently released a downloadable white paper which considers the business benefits of cloud computing (in its many service and deployment models) and suggests strategies for addressing cloud computing risks.
“By addressing many of these issues in advance, and with the involvement of a broad range of stakeholders, enterprises can gain significant advantage with appropriate control,” suggests Jeff Spivey, trustee for the IT Governance Institute, which is affiliated with the ISACA, and director of Security Risk Management. And in recognition of the new risks surrounding cloud computing, the ISACA has joined the Cloud Security Alliance, another source of useful information.
The CSA is a not-for-profit body that was set up to promote the use of best practices for providing security assurance within Cloud Computing, and to improve security by providing education. Founding members include representatives from BT, eBay, HP, Intuit, Sun, Salesforce.com, Visa, and many more subject matter experts, and corporate members range from McAfee and Microsoft to Trend Micro and Verizon.
So the website is a good source of information on the security challenges created by cloud computing and approaches to solving them.
Security guidance for critical areas of focus in cloud computing has been written to support security practitioners and cloud providers, and at 83 pages long, it may offer too much information for those who do not consider themselves security experts. But if you are considering or already utilising cloud-based resources, you have much to gain and little to lose by putting a little time and effort into reading at least the 10-page executive summary.
It includes an explanation of cloud computing architectural frameworks, and security guidance on governance in the cloud and operating in the cloud – all domains that organisations will need to navigate if they are to exploit the benefits of the cloud as well as adequately protect the data that goes into it. “I strongly feel that the most cost effective way to secure the cloud is to do it right the first time,” says Dave Cullinane, security ayatollah at eBay and a founding member of the CSA, adding: “A high standard of security benefits both providers and consumers alike.”
Some of the areas that give rise to security concerns are unique to cloud computing; others are exacerbated by it. These include:
- governance and enterprise risk management
- legal
- electronic discovery
- compliance and audit
- information lifecycle management
- portability and interoperability
- traditional security, business continuity and disaster recovery
- data centre operations
- incident response, notification and remediation
- application security
- encryption and key management
- identity and access management
- storage
- virtualisation.
All of which translates into some very serious questions that potential users of cloud computing should be asking themselves and their service providers before making any leaps of faith. “Important questions such as ‘Where is my data really being stored? What happens when I delete it? What happens in the event of data corruption?’ need to be asked by the audit team before any negotiations with the cloud service provider begin,” suggests Bosnian.
Because cloud computing can help enterprises to meet the increased requirements for lower total cost of ownership, higher return on investment, increased efficiency, dynamic provisioning and utility-like pay-as-you-go services, it may seem difficult to resist, but it should be approached with a certain amount of caution. “Our observation here at Cyber-Ark is that cloud computing can really work for most organisations,” reports Bosnian. “But we are at the start of a huge learning curve with cloud security,” he adds, “so you need to do your homework, know your options, and apply the principle of caveat emptor.” Buyer beware.