Understanding Cloud Security Challenges


Published on

Using encryption, obfuscation, virtual LANs and virtual data centers, cloud providers can deliver trusted security even from physically shared, multitenant environments, regardless of whether services are delivered in private, public or hybrid form.

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Understanding Cloud Security Challenges

  1. 1. • Cognizant 20-20 InsightsUnderstanding Cloud Security ChallengesUsing encryption, obfuscation, virtual LANs and virtual data centers,cloud providers can deliver trusted security even from physicallyshared, multitenant environments, regardless of whether services aredelivered in private, public or hybrid form. Executive Summary This means building security and trust architec- tures that ensure each company’s applications The need to reduce costs and enable IT respon- and data are isolated and secure from those of siveness to business change is driving more other customers in a multitenant environment. and more applications, including critical ones, By adhering to emerging security standards and to various types of cloud platforms. While cloud leveraging encryption, obfuscation, virtual LANs providers can implement many of the same and virtual data center technologies, service security measures required of an internal IT providers can not only provide security services group, many companies are still wary. This is that meet or exceed internal SLAs, but also especially true for less expensive, multitenant provide trusted security, even from physically public cloud environments that are inherently less shared, multitenant environments. Companies secure than in-house IT environments, assuming should understand that public cloud providers that the onsite, internal IT environments follow must also adhere to the stringent security regula- proper security procedures and have the right tions of the countries in which they operate. technology and standards in place. If not, then public cloud service providers often provide a Whether adopted in public, private or hybrid form, more secure IT environment than local IT groups. or delivered as IaaS, PaaS or SaaS, the cloud imposes unique and stringent security demands. Providing security for cloud environments that But with appropriate levels of security, trust and matches the levels found in internal data centers governance, service providers can provide a is essential for helping modern organizations secure environment for company data and appli- compete and for allowing service providers to cations. meet their customers’ needs. However, to match the levels of security that customers experience Cloud Security Concerns internally, service providers must make the proper investments in providing, proving and The cloud — especially the public, multiten- ensuring appropriate levels of security over time. ant cloud — raises new and significant security cognizant 20-20 insights | november 2012
  2. 2. concerns for companies that are accustomed to • Legal and regulatory compliance. hosting their data and applications within their own four walls. • Trusting data to the people and processes employed by the provider. Within a traditional internal IT infrastructure, it • The threat of confidential data mingling with is comparatively easy to ensure proper security that of other customers. mechanisms, such as authorization, authenti- cation, privacy, confidentiality and nonrepudia- • Achieving legal redress in the case of a cloud security violation. tion. These mechanisms must be accompanied by proper security policies and processes that • The viability of the cloud vendor. are followed by employees. Although some users All of this makes it more challenging to create (such as customers and partners) are outside the trustworthy controls for the monitoring, organization’s control, the IT staff has physical governance and auditing of the cloud provider control over and direct visibility into the IT infra- environment. structure. It can make changes relatively easily to the authorization policies determining which Cloud Security Requirements users can take which actions, deciding on the Before moving mission-critical data to the cloud, physical locations of servers organizations require not just security but robust Before moving and databases, and validating security that they can trust and monitor. Security mission-critical the trustworthiness of their individuals managing the is not always a feature offered by cloud providers; sometimes providers require customers to bring data to the cloud, systems. their own. Here is a closer look at all threeorganizations require Data stored and processed requirements: not just security outside the enterprise firewall • Robust security: Meeting the first require- but robust security involves an inherent level of ment — providing robust security — means risk, due to a number of factors. that they can trust For one, third-party services moving beyond a traditional perimeter-based approach to a layered model that ensures the and monitor. often bypass the physical, proper isolation of data, even in a shared, mul- logical and personnel controls titenant cloud. This includes content protec- that IT shops have over their in-house resources. tion at different layers in the cloud infrastruc- However, according to local and federal laws, the ture, such as at the storage, hypervisor, virtual end user organization can specify the zone of the machine and database layers. It also requires data center in which its data will reside. Making mechanisms to provide confidentiality and ac- changes to the service provider’s authorization or cess control. These may include encryption, access control policies may require going through obfuscation and key management, as well as the provider’s systems and processes. In public, isolation and containment, robust log manage- multitenant environments, companies must trust ment and an audit infrastructure. the provider to safeguard their data even though it shares physical hardware with other customers. • Trust and assurance: To meet the second requirement — providing trust or assurance And lastly, providers may impose limitations on — the company needs to have confidence in the liability they will accept for security lapses, the integrity of the complete cloud environ- and there may be a need to work out proper ment. This includes the physical data centers, notifications of security- and compliance-related hardware, software, people and processes em- events. ployed by the provider. The service provider The loss of control in moving applications and needs to establish an evidence-based trust data out of the enterprise to a cloud provider, architecture and control of the cloud environ- and the resulting challenges in monitoring and ment, through adequate monitoring and re- governing those resources, create wider security porting capabilities to ensure the customer of concerns that service providers must address. transparency around security vulnerabilities These include: and events. This should include audit trails that help the customer meet internal and ex- • The protection and confidentiality of data ternal demands for provable security, as well as it moves over the Internet to and from the as automated notification and alerts that sup- cloud. port the customer’s existing problem or inci- cognizant 20-20 insights 2
  3. 3. dent management protocols so it can manage • Isolation: To ensure isolation within a mult- its total security profile. itenant environment, service providers often employ multiple virtual data centers, each Collectively, these capabilities can assure on its own virtual LAN, to maintain customer the customer of the operational quality and data separation. For further security, each security of the cloud provider. Companies also virtual data center can be configured into need to take an active role in governing their one or more trust clusters (each including, for cloud implementations and taking action on example, separate Web servers, application the information delivered by the provider. servers and database• Monitoring and governance: This is where the zones), separated by de- While obfuscation third requirement — cloud governance — comes militarized zones (DMZs) in: utilities that allow customers to monitor and virtual firewalls has traditionally been the environment for security, as well as en- to ensure multitenancy used as a one-way sure compliance with other KPIs, such as per- formance and reliability. Using these utilities, security. masking technology, • Confidentiality: Confi- using obfuscation in customers should be able to perform these dentiality is provided by activities almost as well as they could in their encryption and/or obfus- the cloud to protect own data centers. Just as importantly, these cation based on business data requires the use utilities allow customers to take appropriate requirements. Encryp- of new architectures action based on the security information re- tion might seem like ceived from the provider. These actions might the most complete and and approaches that include shutting down an application that ap- foolproof protection, but enables access to the pears to be under attack or forcing the provid- by completely obscuring original non-obfuscated er to tighten its procedures if critical updates the characteristics of or patches are not being applied on time. the data, it can defeat in- data as needed underGovernance also includes risk management, dexing and search capa- tight security control.allowing companies to tailor their security bilities and increase thespending to both the likelihood and possible expense of filtering, querying or consolidation.impact of various threats. Doing so requires Obfuscation retains enough properties of theknowledge of how the service provider monitors data to allow these operations, as well as anyfor breaches, how security events are detected that rely on the semantics of the data, whileand reported, and the protection the provider obscuring the data sufficiently to destroy itsoffers from a legal and financial perspective. value if compromised.Well-drafted contracts and a legal framework that While obfuscation has traditionally beendefines liability — including whether the provider used as a one-way (nonreversible) maskingwill reimburse the customer for business losses or technology, using obfuscation in the cloud tojust for service interruptions — are all issues the protect data requires the use of new architec-provider must address. tures and approaches (such as tokenization) that enables access to the original non-obfus-Cloud Security Controls cated data as needed under tight securityCloud security controls can be classified in a control.tiered model. Front-end security handles authen-tication and authorization. The middle layer deals • Access control: Identity management and provisioning platforms ensure that only au-with VM (virtual machine) security, OS security, thorized users can see the appropriate appli-etc. Back-end security handles storage security, cations and data. This needs to be backed bydata and database security, network security, etc. compliance and audit and log management, soDelivering assured and verifiable security in the that customers have a record of which userscloud requires separate architectures for security accessed (or tried to access) which resources,and trust, as well as a framework for governance. when. In a cloud environment, access and iden-Security Architecture tity management (which proves users are who they claim to be) is often provided throughThe security architecture provides the isolation, federated identity management that allowsconfidentiality and access control required to customers to use their existing IT manage-protect company data and applications. Here is a ment systems in the cloud. Authentication, au-look at these three requirements: cognizant 20-20 insights 3
  4. 4. thorization and validation processes also help concern in cloud security. ensure access and identity control. Governance Framework Providers may also need to ensure the integrity This record of information will be used in the of data and messages (whether in transit or governance and risk control framework, where resident in the cloud) through strong authen- customers make use of data from the provider to tication or other means to make sure data has ensure ongoing security. This framework should not been compromised in transit. provide:Trust ArchitectureThe trust architecture demonstrates the cloud • The monitoring and control of the provider’s performance against the SLAs (service levelprovider’s level of security through a variety of agreements) that govern security perfor-monitoring, reporting and alert functions. These mance.include: • Shared responsibility and accountability• Continuous monitoring and automated between the company and service provider. compliance and reporting protocols, such as (The customer, for example, must update the Security Content Automation Protocol (SCAP). provider about the existence of new data or applications that require certain levels of• The Cloud Trust Protocol (CTP), the Security, protection.) Trust and Assurance Registry (STAR) and Cloud Trust Authority (CTA), which show • Identification, assessment and agreement the provider’s commitment to industry best on how to manage ongoing security-related practices and pave the way for trust to develop functions. These include assessing, monitoring over time. and reporting of liability and legal risks; managing disaster recovery and business• A proven track record of integrity of the continuity, risks to compliance, IP and business provider’s cloud environments and processes. reputation; and providing compliance audits These range from strong patch management and centralized, policy-driven log management. and the use of only digitally signed code, to automated notification and alerts of security Raising Cloud Confidence breaches, attacks and vulnerabilities. The cost and agility benefits of the cloud will• A real-time feed of information to an executive continue to drive organizations to migrate dashboard about the number of breaches more critical applications and services to these detected, the amount of unauthorized activity platforms. As they do so, they will choose cloud in the customer’s environment and the actions providers that deliver not only the required taken to thwart it. Over time, future metrics security but also the assurance of robust security can be developed based on the initial reports and the governance capabilities to manage and the historic record used to provide a ongoing security needs in a cost-effective way. foundation of trust. Companies that choose to work with serviceTo further elevate their trust architecture, providers offering robust security, assurance andcompanies can turn to organizations such as governance architectures will have powerful first-the Cloud Security Alliance (CSA) that work to mover advantage as competitors of all sizes moveestablish and standardize protocols such as CTP more of their business to the cloud.and CTA. In addition, Gartner and other industryanalysts have identified and classified areas of cognizant 20-20 insights 4
  5. 5. About the AuthorsDr. Jean-Claude Franchitti has 29 years of experience in the information technology industry, including15 years working for leading IT consulting firms. He is an experienced Enterprise/Solution Architect andSenior Manager with a track record of technical leadership on large programs. Jean-Claude held seniormanagement, consulting and technical leadership roles in many large IT strategy, modernization andimplementation projects for Fortune 500 corporations. He was involved in planning and developing allfacets of architecture solutions in a myriad of industries and was exposed to various types of complexbusiness transformation involving EA, SOA and cloud computing. He teaches as a Professor of ComputerScience at New York University and is the author and co-author of several books and publications. Jean-Claude holds Ph.D. and M.S. degrees in computer science and an M.S. degree in electrical and computerengineering from University of Colorado at Boulder. He can be reached at Jean-Claude.Franchitti@cognizant.com | Linkedin: www.linkedin.com/in/jcfranchittiPurna Roy is a Consulting Principal and Architect with 24 years of industry experience. Purna has heldleadership and management positions with firms in Silicon Valley, startup companies and corporationssuch as Charles Schwab and Morgan Stanley. He consults across multiple industry value chains, includingfinancial, pharmaceutical, retail and manufacturing, and works across business and technology domains.Purna has been a leading contributor to Cognizant’s cloud consulting assets and a subject matterexpert. Purna holds a master’s degree in computer science from Pennsylvania State University. He canbe reached at Purna.Roy@cognizant.com | Linkedin: www.linkedin.com/in/purnaroyAnant Bardhan is the Chief Technology Architect within Cognizant’s Advanced Solution Group in NorthAmerica. He is actively engaged with many Fortune 500 clients, helping them achieve business agilityand competitive advantage through a series of business transformation initiatives. These include large-scale business transformation strategy and planning, complex program management and deliveryand enterprise architecture. Anant has 22 years of IT experience and has held architecture leadershippositions, both within the company and at many top-tier enterprises. He holds a master’s degree incomputer science from the University of Illinois and an overseas MBA. Additionally, he is a professionalIT Security Expert with CISA and earned his CISM certification. He can be reached at Ananta.Bardhan@cognizant.com | Linkedin: www.linkedin.com/in/anantbardhanAbout CognizantCognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out-sourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered inTeaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industryand business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50delivery centers worldwide and approximately 145,200 employees as of June 30, 2012, Cognizant is a member of theNASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performingand fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant. World Headquarters European Headquarters India Operations Headquarters 500 Frank W. Burr Blvd. 1 Kingdom Street #5/535, Old Mahabalipuram Road Teaneck, NJ 07666 USA Paddington Central Okkiyam Pettai, Thoraipakkam Phone: +1 201 801 0233 London W2 6BD Chennai, 600 096 India Fax: +1 201 801 0243 Phone: +44 (0) 20 7297 7600 Phone: +91 (0) 44 4209 6000 Toll Free: +1 888 937 3277 Fax: +44 (0) 20 7121 0102 Fax: +91 (0) 44 4209 6060 Email: inquiry@cognizant.com Email: infouk@cognizant.com Email: inquiryindia@cognizant.com©­­ Copyright 2012, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by anymeans, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein issubject to change without notice. All other trademarks mentioned herein are the property of their respective owners.