How to implement cloud computing security


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

How to implement cloud computing security

  1. 1. 1 Cloud Security - Some Implementation Techniques It has been wonderful to discuss with software vendors both large and small their transition to the cloud. And as you would expect, security is very much “top of mind”. After reading a post by Olivier Coudert, I decided to provide a high-level description of some of the main techniques used to secure a cloud implementation. Hopefully it’s useful when considering a cloud (Infrastructure-as-a-Service, IaaS) or platform (Platform-as-a-Service, PaaS) provider. Most of our customers use our platform with the Amazon cloud. And so the infrastructure portion of this discussion will be taken from their implementation, described in more detail in their white paper. (One of the primary reasons why we built our platform on top of Amazon’s infrastructure is because of their security.) The areas to consider are illustrated below. The user (client) on the left, and the public or private cloud on the right form the two end-points. The communication network in between (what we used to call “the cloud”, before there was “The Cloud” ) is the other key component. End-points to Cloud Security The Cloud - Physical Security This is the most fundamental of considerations. Not only is it important if your data is valuable, but if you’re in a public cloud consider what else could be stored and valued in the same physical location. The Amazon Cloud boasts extensive physical security measures, protocols, and technology, including “military grade perimeter control berms” and other “natural boundary protection”. The Cloud - Logical Security Firewall
  2. 2. 2 Many breaches of security come from bots pinging IP addresses on multiple ports, mechanically looking for a way to get in somewhere (Port Scanning). This type of attack is prevented at the Firewall: (i) Close all ports except those that are to be used. And only open those when they are actually used. (ii) Restrict access by the protocol used (http, ssh, etc.) (iii) Restrict access to only known client IP addresses. In addition to this, AWS detects port scanning, stops it and blocks it. Counter measures are also in place to protect against Distributed Denial of Service (DDoS) and Man In the Middle (MITM) attacks. Operating System (Host and Guest) Operating System Security The Host Operating System that resides on the actual hardware needs to have strong key access to a limited number of Administrators. No one else should have access at this level. And those that do have access should only have it on a limited basis and only when they are doing actual work. Guest OS’s (the virtual instances that are actually used by the hosted software) are isolated from the Host by the hypervisor (which also provides isolation between running instances). Unprivileged Access to these instances should only be allowed via token or key-based authentication. Key control is paramount for success at this level. Data - Backup & Encryption All stored data should be redundantly backed up, ideally (as with AWS) in multiple physical locations. In addition, data can be encrypted on the remote instance. In fact, encryption can be taken down to a very low level, but performance trade-offs come into play very quickly.
  3. 3. 3 The Network Other than protection from threats residing elsewhere on the network, data interception should be protected against. Therefore, data traveling across the network should be encrypted. In our case, we implemented communication and data transfer protocols that use AES-128 symmetric key encryption for all data sent between the client and the cloud server. The User After all of the above (and much more) has been put in place, we still need to provide access to users (customers) outside of the firewall. And so we need to know who the users are, and to be able to confirm that they are indeed who they say they are. In order to scale the business, the authentication and validation process must be automated and built into the on-boarding and access process. Fortunately, as we’re dealing in a business-to-business environment, the easiest and most reliable way to automatically confirm identity is via an email validation process during user on-boarding. Once validated and prior to accessing the cloud, the user’s identity should be authenticated again using the email address (or a username linked to the email address) and a password. On the Xuropa Platform, we go one step further and add an additional security protocol to ensure that only the previously authenticated user can gain access to the cloud from a detected IP address. Life’s a Trade-off These are just a few of the techniques employed - when it comes down to it, anything is possible. However, people need to have access, and in order for businesses to run, access needs to be straight forward for the user, monitored, controlled, and automated. In architecting our platform, security is paramount, which means we have to put a great deal of effort into automation and the user experience (UX) design. How are you securing your cloud processes? And what are your concerns related to security  find out how the Cloud is going to Operate compared to the DMZ wen it comes to logical Information Security. By the looks of things the Clouds is going to operate outside the DMZ. if that is True, that will make the Cloud computing to be highly vulnerable. o Please explain to me how logical security will operate in the clouds.  James Colgan May 25, 2011 12:23 pm o Thanks for your comment Putso. Unfortunately “DMZ” really doesn’t mean that much without context.
  4. 4. 4 How To Implement Cloud Computing Security o Logical security involves such strategies as the encryption of data traversing to/from the cloud, and between instances within the cloud. It also refers to the issuance of credentials to authorized users and then logically locking communication between that user’s client and the cloud resource. o o It also refers to locking down the ports on firewalls at the points of entry to the cloud. We can also go further up the stack and look at access control interfaces, etc. There’s so much in this domain…I’ll put together more posts on the subject in the near future. Maintaining security after a cloud computing implementation You've successfully migrated your organization's selected applications and data into the cloud, and everyone has said what a great job you've done. But you and I both know the task of maintaining the security of these apps and data has only just begun. In this tip, I'll review which technologies and processes must be initiated, monitored and secured after a cloud computing implementation or initiative is up and running. IAM Cloud computing turns us all into remote workers, which makes identity and access management (IAM) one of the key challenges after a cloud computing move. It is important to have robust lifecycle management regarding users and user access so that user accounts, credentials and access rights are always relevant and up to date, including disabling an account when an employee leaves. Also look to initiate an IAM strategy that can make full use of federated identity management, which enables users to securely access data or systems across autonomous security domains. More specifically, consider introducing single sign-on (SSO) for enterprise applications and leveraging this architecture to simplify cloud provider implementations. A move to the cloud will appear far more seamless to your users if they are already used to SSO, and it'll make managing trust across different types of cloud services less onerous. You will also have logged baseline data to help you monitor and gauge changes due to cloud activity. How To Implement Cloud Computing Security How To Implement Cloud Computing Security You may not realize it but your company may have adopted cloud computing. Your company may have subscribed to other miscellaneous services like the ones being offered by or you may be using a hosted email. Your organization may even be implementing an internal private cloud. With all the uncertainties and fears of using the cloud, one must accept the fact that cloud computing will be here for a long time.
  5. 5. 5 It is but expected that everyone will have security as their number one fear when a new technology is introduced to the market especially when media tends to play up the security inconsistencies of cloud computing. But when you really look deeper into the problem, you’ll realize that these security breaches happen because the organization allows them to happen. Cyber criminals often look at cloud computing loopholes and attach those which have loose controls in place. When an organization decides to move to the clouds, it must first determine its foundational controls which form the backbone of the company’s security principles. Plans must be laid out in order to secure the company’s assets so that when the company subscribes to cloud computing, all the needed security controls must already be in place. Also, the company will have to be workload-focused instead of cloud-focused. When moving to the clouds, the organization must take into consideration each workload so that it will be able to enforce a security program which is focused on the workload with a possibility to implement non-traditional security measures. More often than not, a company decides to move to the clouds because higher management has decided it. Because not all parties are included in the decision process, some security measures may not have been considered. When this happens, the organization may face usability and integration challenges. Concerned departments must be included in the decision making so that people working with the affected departments will know what to expect when cloud computing is finally implemented. A plan must be enforced to mitigate the risks. It must have a documented plan so that employees will be able to quickly resolve cloud computing issues when they arise. Training, education, as well as documentation and management of risks must be included in the risk mitigation plan. A major advantage of cloud computing is that it is capable of virtualization and because of this advantage an organization must have a management process for its storage image implemented. This will guarantee that the required images are made available when needed. The images must also be appropriately managed and identified so that image sprawl will be avoided. Before a company migrates to the clouds, it must first check the cloud computing provider’s infrastructure and applications for any security hazards so that controls can be set in place in order to ensure that the transfer to the clouds are secure. The company must also take note of ethical hacking so that they can use it to check their own cloud applications for the usual security vulnerabilities. There are also security services available in the market which can help the company obtain the best security without the traditional overhead expense. These services include security event log management, identity and access management, and intrusion prevention which transfer the strain of implementing them from the organization to the security services provider. A resiliency program must also be considered when adopting cloud computing because cloud technologies are not perfect. Critical workloads must be restored quickly in case
  6. 6. 6 of attack or catastrophe. Restoration must be done quickly and responsibly so that there is less impact on the business process. Monitoring is also important when the organization moves to the clouds. If the company fails to oversee the implementations in cloud computing, there is a great possibility that there will be security, satisfaction, and performance issues. A monitoring program must be actively implemented so that security threats are properly identified. By diligently ensuring security measures are in place, the company can be a step in allaying fears of security breaches. Security plans must be reviewed regularly because new threats may be just lurking around the corner and as such the company must be prepared to deal with them. Florence de Borja “Choosing a Cloud Provider with Confidence” Cloud computing is rapidly transforming the IT landscape and the conversation around adopting cloud technology has progressed from “if” to “when”… Free Download Report (Disclaimer: CloudTweaks publishes news and opinion articles from different contributors. All views and opinions in these articles belong entirely to our contributors. They do not reflect or represent in any way the personal or professional opinions of or those of its staff.) Tagged as: adopting cloud computing, business process, Cloud Application, Cloud applications, Cloud Computing, cloud computing loopholes, Cloud Computing Security, cloud technologies, clouds, computing security, Crime preventionCrime prevention, cyber criminals, depa, implement cloud computing, miscellaneous services, new technology, Private Cloud, Salesforce .com, security breach, security breaches, security event log management, security measures, security principles, security program, security services, security threats, security vulnerabilities, services provider, traditional security, virtualization Cloud Security Guidance IBM Recommendations for the Implementation of Cloud Security Abstract Cloud computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications, and services provisioned "on demand", regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management, and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services.
  7. 7. 7 Cloud Security In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk, because essential services are often outsourced to a third party. The "externalized" aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability, and demonstrate compliance. The security measures discussed in this IBM Redpapers™ publication represent best practice implementations for cloud security.