CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 2 Deep Dive Staying secure in the cloud Cloud computing depends on sharing resources that were never shared before, demanding a new set of security best practices BY ROGER GRIMES Cloud computing is here to stay. But it brings combine internal private cloud services with with it all of the traditional computer security external public cloud services. It may also threats as well as a host of new ones. The cloud refer to service offerings used exclusively byThe good news is making security experts’ jobs harder than ever an invited group of private customers (alsoabout cloud before, forcing them to step up with innovative called a “community cloud”).computing is responses. This Deep Dive will detail the uniqueyou’re probably security challenges cloud computing presents Because the public cloud offers both thesaving a lot of and the best practices you should implement to least control and the least understood risks, thismoney on IT meet them. Deep Dive will focus primarily on securing theoverhead and public cloud.getting more out Cloud computing basicsof the services No matter what services your organization is How public cloud computing is deploying in the cloud – infrastructure, software, different for traditional ITyou’re paying or platform – how you secure them depends a In a traditional IT scheme, all your applicationsfor. The bad great deal on who’s providing them. There are and data are likely stored on servers and data younews is you’re essentially three kinds of cloud services: control and share with no one else.giving up a lot You know where these machines and dataof control. • The public cloud. As the name implies, are located. You know exactly how well they areThis lack of public clouds are offered to the general secured, how often they’re backed up, wherecontrol presents public. They’re accessible via an Internet those backups are located when you need them,the biggest connection and shared among multiple, and what processes will kick in if those machineschallenges. often thousands, of customers. Some of fail or are compromised. If you’re doing your job the largest public cloud providers include correctly you should have a good idea of who’s Amazon Web Services, Microsoft Windows accessing your network, what machines they Azure, and Rackspace Cloud. are using to do it, and where these users are • The private cloud. Private clouds are physically located. You probably use a centralized typically created and hosted by a single directory service to manage how employees and organization, usually behind the corporate customers are authorized to access different parts firewall, which provides services on request of the network, which you can use to deprovision to employees. Private clouds can also be them at any time. Finally, when you’re decommis- hosted by third parties, but they remain sioning servers or storage, you can make certain dedicated to a single customer. They can they are wiped clean of sensitive data before be more costly than public clouds but offer they’re sent to the boneyard. greater control over your data and better In the public cloud, many of those things are fault tolerance. no longer true. Your IT operations are accessible via • The hybrid cloud. This term typically the Internet. The machines and data you’re using applies to organizations whose IT operations could be located anywhere on the planet as part
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 3 Deep Dive of a massively scalable user-configurable pool of • Attackers are authenticated users. computing resources. You are likely sharing many Unlike on internal networks, attackers in of those computing resources with hundreds if not the public cloud are likely to be logged-in, thousands of users who are not in your organiza- authenticated users – and, given the cloud’s tion. You may also be sharing a common authenti- global reach, there may be many more of cation scheme with many of those other organiza- them. This means that many conventional tions. Disaster recovery and fault tolerance are the defenses (separated security zones, firewalls, responsibility of the cloud provider, as is disposal of and so on) may have little effect. You’ll need old machines containing your data. to rethink your strategy accordingly. The good news is you’re probably saving a lot of money on IT overhead and getting more out • Say goodbye to the DMZ. In the public of the services you’re paying for. The bad news cloud, there is no DMZ that separates your is you’re giving up a lot of control. This lack of corporate network from the Internet. If the control presents the biggest challenges. DMZ was porous (at best) in the past, it has In a public cloud computing world, IT’s job now completely evaporated. You’ll need to shifts from trying to implement adequate controls forget about establishing a “safe zone” and over your technology to assuring that the CSP think about isolating your domains. (cloud service provider) is implementing adequate controls over its technology. If your CSP cannot • Say hello to a world of providers. assure you sufficient controls are being applied, Although a particular cloud service is often it’s your job to recommend to senior management completely created and provided by a single that the organization take its business elsewhere. vendor, as cloud services mature they are Senior management may not always be aware likely to be represented by four main, possibly of the differences between traditional IT and the separate, symbiotic parties: consumers, public cloud, so you’ll need to be ready to make a network providers, identity/authentication strong case as to why or why not a particular CSP providers, and cloud service providers. should be used. In the past, each cloud provider had its own Cloud security defense assumptions identity and authentication mechanism. This and best practices is quickly changing, with many cloud services Cloud security is an evolving field. To begin with, relying on identity and authentication services cloud solutions are subject to all the conventional provided by other vendors. For example, many attacks a traditional IT network must face: buffer cloud services allow you to log on with a Face- overflows, password attacks, physical attacks, book identity (which relies on the OAuth authen- exploitation of application vulnerabilities, session tication protocol standard). contamination, network attacks, man-in-the- More and more organizations are allowing middle attacks, social engineering, and so on. But users to access applications and data using cloud they also present new challenges and assumptions. identities such as Gmail, iCloud, and Microsoft As a public cloud customer you may lack accounts. That mean if a zero-day vulnerability is basic transparency into the security controls discovered at one authentication provider, many protecting a particular cloud service. That’s why different cloud service customers could instantly the best time to find out what security controls be put at risk. your CSP has in place – as well as the visibility and auditing rights you have into those controls – Cloud security best practices is before you commit. The traditional computer security models spread Defending your data and applications in defenses over confidentiality, integrity, and avail- the cloud will also be a little different than you’re ability. The Cloud Security Alliance spreads used to. You’ll need to start with the following them over governance, risk management, assumptions. and compliance. Both approaches are valid and
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 4 Deep Dive should be used, but here we’ll concentrate on structure services, DNS, namespace, databases, practical and applied best practices. routing, etc.) is part of that inventory. A compre- hensive list of assets not only includes the servers Identity and authentication providers and infrastructure involved, but also every client If you thought identity management and authen- workstation that can or will connect to those tication were confusing before, the cloud brings servers and infrastructure devices. a new level of sophistication that makes the old Enterprises are often compromised because models look easy. a single workstation has been compromised. You’ll have a rash of things to consider, ranging So good asset management is essential to good from what types of identities (log-on names, security. With best practices, each inventoried biometric tokens, smartcards, etc.) are allowable, asset item would be well managed through to what authentication mechanisms are required the various phases of its lifecycle: starting with to access a cloud service. You’ll need to know procurement and following through ownership, what processes the CSP uses for provisioning and configuration, deployment, operations, change deprovisioning users, and what level of assurance management, deprovisioning, and finally replace-Best practices the CSP’s authentication providers offer. The size ment. If you don’t have these items documenteddemand that of passwords or PINs, the frequency with which on each asset you manage, you aren’t reallyauthentication they’re updated, how log-on credentials are stored managing them.requirements and protected are all vital parts of the puzzle. With the public cloud, asset managementare documented What processes are in place when an identity becomes much more problematic. It is now up toand followed to is compromised? If the authentication database your CSP to handle all of that, and it is up to youthe letter. is breached, will your CSP tell you? How long will to find out what assets have been deployed on it take them? These answers need to be obtained your behalf and all the interconnections between not only for you but also for your engineering, them. Because your CSP may be unwilling or operations, security, and auditing teams. unable to share this information with you, you Best practices demand that authentication need to do your best to determine if the service requirements are documented and followed to provider has a serious asset management plan the letter. Elevated system access should always that is governed across the entire product lifecycle. require two-factor or better authentication. Iden- tity and authentication providers should provide Let’s get physical transparency on guaranteed security assurances Computer security is also physical security. Just as and the security practices they follow. Passwords you wouldn’t let some stranger wander into your should be a minimum of 12 characters and be corporate data center, you need to ensure your changed at least once a quarter. PINs should be CSP has adequate physical security protecting its at least five characters and only be used as part of data centers, as well as sufficient power, redun- two-factor authentication or with strict lock-out dancy, and environmental controls. mechanisms. When the authentication system No one should be able to assess any critical has been compromised, you should be notified assets at your CSP without multiple levels of within a reasonable amount of time. authentication and authorization. Elevated The answers to all of these questions are access, remote or on-site, should require two- among the most important any CSP can provide. factor authentication. Remote access should be limited and possible through a minimum of Covering your assets connection points and programs. You can’t manage what you don’t know you The CSP should also document the physical have. In a traditional IT world, asset management requirements of each asset, with power and is fairly straightforward. You track the hardware environmental controls that exceed the specs. The and software your organization maintains, as well best organizations provide fault tolerance with as the details of different service offerings. Every separate power and environmental facilities, dual item used to provide a particular service (infra- pathways, and SLAs with related providers.
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 5 Deep Dive Availability Application security and With a public cloud service, availability is every- vulnerability testing thing. An outage at a critical moment could Most websites are not compromised because of cost a large organization millions of dollars in operating system or Web server software vulner- lost transactions and damage its reputation. But abilities. Security holes within applications easily availability also entails adequate resource plan- account for the biggest percentage of successful ning, fault tolerance, hardware and software exploits. Although all enterprises need to follow redundancy, disaster recovery plans, and busi- best practices in terms of vulnerability testing, you ness continuity procedures. also need to make sure your CSP isn’t exposed in Your CSP should provide anti-DoS protections, a way that could compromise your data. which can include both asset hardening, fail-over The Open Web Application Security Project resources, and external service protections. You’ll (OWASP) Top Ten list is considered by many to be want a SLA on all critical services, including guar- the most concise list of the top causes of website antees on the time needed to do complete (or at hacking. All cloud providers should know the list least acceptable) service-level restoration. well and create controls to offset the risks.You should ask What are the minimum downtimes during Try to ensure your CSP designed its websitesto see security service updates? How long does it take to recover using security design lifecycle techniques and thataudit reports from a service update failure? What procedures the sites undergo internal and external vulner-that detail the are executed to ensure quality testing before an ability and penetration testing at least once a year.efforts your CSP upgrade? The answers to these questions should Ideally, your CSP’s developers will have used strongtakes to avoid be part of your documented business require- and secure programming languages, checked forvulnerabilities. ments and included in the SLA. known weaknesses, and used vulnerability testing tools during all phases of any project. Even though Backup and restoration you will likely have little control over this, you Though technically part of a comprehensive should ask to see security audit reports that detail availability plan, backup and restoration deserve the efforts your CSP takes to avoid vulnerabilities. special consideration. There are many stories of data forever lost because the cloud provider failed Patch management to perform adequate backups or restore data to a After application vulnerabilities, the second customer’s satisfaction. biggest source of security breaches is unpatched What data does your CSP back up and how software. You want to be sure your CSP regression frequently? How do you request a backup? Are tests critical security patches and applies them the backup sets encrypted? How long are they as quickly as possible – ideally within a week of kept and where are they stored? What techniques the patch’s availability, and even faster during an does the CSP use to restore data? How often does aggressive “in-the-wild” malware campaign. it test restorations, and how thoroughly does it Find out how your CSP performs patch manage- test data integrity? ment and verifies patch status. Ideally mission-crit- You’ll want to spell all of that out in your busi- ical servers will have patches applied first, followed ness requirements and make them part of your by less-critical assets. Regression testing must be SLA. In general, your CSP should test its restores done aggressively to assure the least amount of at least once a year, if not more often, and docu- downtime, and your CSP should scan all systems ment the results. When testing, it should examine on a daily or weekly basis to check patch status. each restoration for completeness and integrity. You also want to make sure that all involved assets All backups should be encrypted (using industry- identified by the asset management program are accepted crypto and key sizes) during the backup regularly patched – not just operating systems. process, with the encryption key known by only the individuals needed. You’ll want to ensure Data handling your backup sets are well managed and kept in a Everything we do in computer security is really to secure location. protect the data, so it’s no surprise that this area is
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 6 Deep Dive particularly important when it comes to choosing the impact should be encrypted when stored and right CSP. Public cloud providers should have particu- transmitted. All data must be properly disposed of larly strong requirements due to multitenancy. when it becomes inactive or your CSP is no longer You want to know how your service provider authorized to have it. will protect your data. Is your data separated into Another fundamental question: Who owns different classes, and if so, is the security different the data? There have been several instances for each? Does your CSP encrypt the data? How of public CSPs closing and the customer’s data does it ensure data integrity and privacy? becoming inaccessible or – worse – sold to You’ll also need to know how data is sepa- whoever acquires the service provider’s assets. rated and protected between the CSP’s different Make sure your SLA spells out that you own the tenants, how it prevents unauthorized leaks, and data and that only you have the right to access it. how long it takes the CSP to notify you if your data has been compromised. Encryption Best practices dictate all data be classified, You know you need to encrypt your data in usually with three to four levels of sensitivity the cloud. The question becomes what kind (high business impact, medium business impact, of encryption algorithms does your CSP use, low business impact). Data classification should and how are they applied? Is data encrypted be a documented business requirement and the at rest and in transit? Are all Web connections data marked, either electronically and/or physi- protected? What key sizes are used? How often cally, so all stakeholders are aware of how the are keys renewed and replaced? Who has access data should be treated. to what keys? Are keys shared between different Likewise, your CSP should encrypt critical data tenants’ data? These are all questions you need to using industry-accepted algorithms and key sizes. settle before you hand your data to any CSP. Data with a medium business impact should be Best practices dictate service providers use encrypted when stored. Data with a high business industry-accepted algorithms and key sizes, Additional resources: Secure Cloud Computing Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web assets are excellent sources of additional information: NIST’s cloud section. A Cloud Security Alliance. Cloud Security Alliance Cloud Threats and great PDF to quickly get up to Site represents a good collection IT Certification Security Measures. speed on cloud terminology point for enterprise-level cloud- MSDN, J. Meier without reading a book. related security. Look under the New Research section.
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 7 Deep Dive though the latter may vary depending on the Anti-malware value of the data being protected, strength of the Of course your CSP scans its systems for malware. cipher, and the security of the key management But what software does it use? How often are system. In general, RSA-style asymmetric key sizes scans performed and anti-malware definitions are generally believed to be strong if they are updated? Are the scans performed on demand or 2.048 bits long. Symmetric keys are considered on a fixed schedule? How much do scans delay strong if they are at least 256 bits long. service transactions? In general, your CSP needs Industry-accepted algorithms can be found in to scan every server and workstation, with new several locations, including the National Insti- data inputs scanned in real time and full disk and tute of Standards and Technology. Readers memory scans performed at least once a week. unfamiliar with recommended key sizes should They should use anti-malware software with a read the Wikipedia explanation. You can calcu- proven track record for accuracy and update their late industry-accepted key sizes here. definitions at least daily, if not continuously. The scans should never affect performance enough to Network security impact SLAs.Networks How does your CSP secure its own network? Whatneed to meet wireless security does it use and how are unman- Event management andor exceed aged computers detected, prevented, or used? intrusion detectiondocumented You’ll want to know what devices and soft- You want to get an understanding of how matureSLAs, including ware are used and how often they are patched. your CSP’s event log management and intrusionperformance, In general, network devices should receive critical detection systems are. What systems does theavailability, and security patches within one week. Computers cloud provider use to detect, record, and alertsecurity. These that don’t meet the required security configura- on security events? How many of the involvedrequirements tions should be prevented from connecting using systems are covered? What events create alerts?are the same network access controls. All systems involved in critical service deliverieswhether consid- Networks need to meet or exceed documented should have event log management enable andering public or SLAs, including performance, availability, and configured to provide relevant security events.private cloud security. These requirements are the same whether Security event messages should be collected, eval-projects. considering public or private cloud projects. uated, and generate timely incidence responses when appropriate. Domain isolation According to the Verizon Data Breach Traditionally, most computing environments were report, each year most security incidents were split between internal, external, and DMZ. Unfor- recorded in event logs, but did not incur timely tunately, cloud computing really doesn’t fit into incident responses because the affected compa- those convenient categories. The best you can do nies were not doing appropriate management. is make sure your CSP employs security domain Make sure your cloud provider is not one of isolation to ensure that only devices and users those companies. that need to connect to each other can do so. Domain isolation can be enforced using any Incident response available method, including physical separation, Each cloud provider should have an appropriately router, firewall, proxies, switches, IPSec, applica- trained incident response team that responds tion-level firewalls, etc. quickly to critical events. If a security event is All computer systems should be prevented from noted, how long does it take the cloud provider’s making successful connections (the lower in the team to respond? How long does it take the CSP network OSI model the better) to computers they do to notify you after a related data compromise is not have a business requirement to connect to. Obvi- noted? You want to make sure the cloud provider ously this is easier to implement when you control has a dedicated and trained incident response the computers, so with a public cloud provider you’ll team and that the procedures and guarantees are need to ask how domain isolation is done. part of your SLA.
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 8 Deep Dive Transitive trusts Governance and compliance Every external link, piece of infrastructure, or soft- Before you sign on the dotted line, you’ll want to ware component used to support a service estab- know what governing and regulatory rules the lishes a “transitive trust” – and thus can become a cloud provider falls under, and whether an inde- potential hacking point or service disruption. The pendent third party has certified those compli- problems inherent in this were made clear by a ance standards. recent Facebook error that disrupted service for Besides the normal regulatory compliance thousands of sites simply because they had Face- standards, such as HIPAA, SOX, PCI-DSS, etc., book links on one of their pages. This is a huge, there are some developing cloud standards. relatively new field of computer concern, one that The most notable and mature standards have clouds surely complicate. been published by the Cloud Security Alliance. Transitive trusts include not only Web links, Detailed controls and auditing questions can be but also any dependencies outside the main cloud downloaded here. No single document can be service, including namespaces, programming perfectly inclusive, but the security best practices languages, identity/authentication providers, listed are a good start to understanding andThe time when third-party vendors, consultants, and other improving cloud security.cloud computer service providers. Hackers are becoming more When dealing with a public cloud serviceproviders were sophisticated and will use the weakest link in your it can be very difficult to get detailed, specificgiven a pass dependencies to attack you. answers. Try your best. If you can’t get specificon security All developers (program, site, content, and answers, see if your cloud provider offers resultsissues is distributors) should understand the concept of or public attestation letters from regulatorycoming to close. transitive trust. Every external link should be justi- or accreditation authorities. If you don’t get fied, and the transitive trust implications debated. enough answers, don’t go with the service. In a Site developers should build in test and recovery very true sense, the trust you are extending to plans for each external link. an external cloud vendor is the biggest transitive Transitive trust issues are harder for public trust you have. cloud customers to understand. It would be great The time when cloud computer providers if all customers communicated their transitive trust were given a pass on security issues is coming concerns to cloud providers and sought reassur- to close. Customers want assurance that basic ances that the vendor is familiar with the issue. The security controls are in place, and the more a CSP use of a public cloud product is in itself a big transi- can transparently show that assurance, the more tive trust issue that a CSP’s customers must consider. you can trust it with your data. n
CLOUD SECURITY InfoWorld.com DEEP DIVE SERIES 9 Deep Dive Cloud Security Resources Report Market Trends: Collaboration Suites Enhance Team Relationships Through Virtual Interactions Collaboration software helps improve the connectedness of workers to capture and diffuse formal and informal knowledge. View this Gartner report on the disruptive forces and growth opportunities impacting the secure collaboration and file sharing market. Read White Paper Protecting Sensitive Information in Increasingly Distributed and Complex Value Chains Businesses need to collaborate more closely with third parties with more agility than ever before. Yet, in the rush to collaboration, the secure sharing of informa- tion can be neglected. This white paper explores strategies and tactics – ranging from culture-based methods to new and emerging technologies – to securely enable the information sharing that leads to collaborative success among value chain members. Download White Paper Sharing Sensitive Corporate Documents Without Compromising Security and Governance SaaS-based (Software as a Service) collaboration and information sharing repositories are paramount for secure file/document sharing, yet, not all GCs are truly aware of the benefits they can bring to an organization. In this white paper, discover the value these solutions create in terms of security and compli- ance with a focus on how they dramatically enhance the legal department’s oversight, while simplifying e-discovery and making the e-discovery process more efficient than in other models. Download