SHOULD WE FEAR THE CLOUD?
It may be the key to security
EBOOK

TABLE OF CONTENTS
Chapter 1. Introduction: Is cloud our greatest security risk or opportunity?
Chapter 2. Today’s top 5 security threats
Chapter 3. Next-generation cloud security
Chapter 4. A new security paradigm
Chapter 5. Innovative security approaches
Chapter 6. Put these approaches to work
For more information
Legal

INTRODUCTION: IS CLOUD OUR GREATEST SECURITY RISK OR OPPORTUNITY?

It’s a fear that many organizations have—a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common.

WHAT IS THE REAL COST OF A DATA BREACH?
The financial cost of a data breach is rising. The average total cost of a data breach has increased 15 percent in the past year—to USD3.5 million.[1] Data breaches often cause a loss of customers—and this abnormal churn rate is particularly acute in the pharmaceutical, financial services and healthcare industries.[2]

[1, 2] Ponemon Institute (sponsored by IBM), 2014 Cost of Data Breach Study: Global Analysis, May 2014.

IS THE CLOUD INSECURE? OR ARE WE?
Of 250 senior IT and business decision makers interviewed in the United Kingdom, only 2 percent said they’d experienced a cloud-related security breach.[3]

[3] The Cloud Industry Forum, “Cloud FUD fails to match up with experiences, says CIF,” press release, September 2014.

When you’re planning to move to the cloud and manage a hybrid environment, security is a top concern. But cloud is not necessarily less secure than a traditional environment. In fact, it may be possible to deliver even greater security in a hybrid cloud environment because it offers new and advanced opportunities.

In this ebook, you’ll discover how hackers are using traditional tactics in new ways to attack the cloud. You’ll also find out how the cloud can help you increase security with innovative approaches designed to detect threats long before they threaten your enterprise.

FIVE TOP SECURITY THREATS: old threats, new environment

Our cloud security fears may have more basis in the changing threat landscape—the botnets, advanced persistent threats and dynamic polymorphic malware of our world—than in cloud technology itself.

In fact, there’s nothing fundamental in the cloud that makes it any more vulnerable than a traditional environment. With each new innovation in computing, hackers have exploited new vulnerabilities to launch attacks, and the cloud is simply their newest target. As more workloads move to the cloud, more data follows, and hackers go where the data is. Right now, they’re using traditional tactics in new ways to infiltrate a new environment.

TOP 5 CLOUD THREATS

We’ve compiled a list of the five top current cloud threats and provided tips on how to protect against each.

01 Data breaches
02 Data loss
03 Service traffic hijacking
04 Insecure interface and APIs
05 Denial-of-service attacks

01 DATA BREACHES
Your cloud provider may not alert you if your servers are breached

Hackers are using sophisticated tactics to steal data in the cloud just as they do in other environments, but they’re coming up against sophisticated, cloud-based security approaches. One way thieves steal data is if it’s encrypted for only one part of its cloud journey. However, this can be prevented if data is encrypted throughout its cloud journey until it’s been processed by the authorized application.

TIPS: Respond quickly

You have to respond quickly to a data breach—speed and skill are critical, and every minute counts. Yet because breach protection laws vary by state and country, your cloud provider may not be required to alert you to a security threat. To limit disruption to your operations, data leakage, compliance complications and damage to your corporate reputation, you need a data breach response plan that will quickly assess the source of the problem and immediately begin mitigating further damage. One possible solution is a plan that deploys a unified data breach response system, in conjunction with consultants, to minimize the effect of a security incident and prevent data breaches in the future. This system should be monitoring your IT environment 24x7.

02 DATA LOSS
Data may be accidentally deleted

Given that companies can go out of business after a major data loss, the threat is understandably a big fear in most industries. In the cloud, the potential causes of data loss can be more expansive than in a traditional environment, where hardware or system malfunctions are often the culprits. Data loss in the cloud may be caused by cloud service provider error, accidental deletion of virtual machines, file corruption and internal virtual disk corruption, among others.

TIPS: Focus on endpoint security

To prevent this, you need a data loss prevention solution that focuses on improving endpoint security. The solution you choose should protect sensitive data at every point, whether it’s being accessed, stored or transmitted on your endpoint devices. A solution that prevents data access when a device is lost or stolen, encrypts e-mail and instant messages, and blocks unauthorized and abusive behavior will give you significant protection.

03 SERVICE TRAFFIC HIJACKING
Your services can be compromised

A few years ago, a cross-site scripting (XSS) bug gave hackers a free pass to one website’s credentials, using the trust the company had gained to hurt its own customers. In the cloud, hackers can create chaos, manipulating data and redirecting customers to illicit sites.

A primary reason for XSS attacks like this is that developers trust users. Developers may think that users will never perform malicious actions so they create applications without filtering user input to block them. Another reason for the frequency of these kinds of attacks is that they have so many variants. Sometimes, an application that properly tries to filter any malicious scripts gets confused and allows a script, opening the door to hijacking.

TIPS: The solution: contextual output encoding or escaping

The primary defense against XSS is contextual output encoding or escaping. Several escaping schemes can be used depending on where the untrusted string needs to be placed within an HTML document, including HTML entity encoding, JavaScript escaping, Cascading Style Sheets (CSS) escaping and URL (or percent) encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner. Because encoding can be tricky, a security encoding library is recommended.
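
The four escaping schemes named above, applied to one untrusted string, show why the encoder has to match the place the string lands. This is an added illustration, not code from the ebook or from IBM; every function name and the sample input are constructed for it, and it assumes Node.js or a browser. Production code should use a maintained encoding library, as the text recommends.

```javascript
// Added illustration: one encoder per output context. All names are
// hypothetical, not a real library's API; the sample input is constructed.

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML element content, e.g. <p>HERE</p>: entity-encode markup characters.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Quoted HTML attribute value: encode everything except ASCII alphanumerics,
// so spaces and quotes cannot end the attribute.
function encodeForAttribute(value) {
  return Array.from(String(value), (ch) =>
    /[A-Za-z0-9]/.test(ch)
      ? ch
      : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`
  ).join('');
}

// JavaScript string literal inside a script element: \uXXXX-escape every
// UTF-16 code unit that is not an ASCII alphanumeric (quotes, backslash,
// angle brackets and line breaks included).
function encodeForJsString(value) {
  const str = String(value);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + str.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// CSS string or property value: backslash + hex code point + terminating space.
function encodeForCss(value) {
  return Array.from(String(value), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : `\\${ch.codePointAt(0).toString(16)} `
  ).join('');
}

// URL query component: percent-encoding, including the characters that
// encodeURIComponent leaves alone.
function encodeForUrlComponent(value) {
  return encodeURIComponent(String(value)).replace(
    /[!'()*]/g,
    (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Each sink gets the encoder for its own context.
function renderProfile(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<input type="text" value="${encodeForAttribute(name)}">`,
    `<script>var displayName = "${encodeForJsString(name)}";</script>`,
    `<a href="/search?q=${encodeForUrlComponent(name)}">search</a>`,
    `<style>.badge::after { content: "${encodeForCss(name)}"; }</style>`,
  ].join('\n');
}

// Why the context matters: true when an encoder passes a character through
// unchanged. The HTML encoder leaves a backslash alone, which is harmless in
// element content but would swallow the closing quote of a JavaScript string.
function survivesEncoding(encoder, ch) {
  return encoder(ch) === ch;
}

// Constructed sample input of the kind a filter has to neutralise.
const SAMPLE_INPUT = `"><script>alert('x')</script>`;

console.log(renderProfile(SAMPLE_INPUT));
console.log('backslash survives HTML encoder:',
  survivesEncoding(encodeForHtml, '\\'));
console.log('backslash survives JS encoder:',
  survivesEncoding(encodeForJsString, '\\'));
```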

04 INSECURE INTERFACE AND APIs
Malicious access on the cloud

If interfaces and application programming interfaces (APIs) aren’t secure, cloud services won’t be either. Here are just some of the security breakdowns that can happen: malicious or unidentified access, improper authorizations, and reusable passwords.

TIPS: You need a secure provider

Access to cloud services needs to be secure on the static and dynamic front, and that eventually boils down to choosing a secure cloud service provider. A provider should continuously capture—and provide the full chain of provenance for—access to any cloud service, starting with hardware root of trust for the runtime environment. The secure access itself can be established through multilevel security (MLS), including mandatory access control (MAC).

05 DENIAL-OF-SERVICE ATTACKS
The black cloud market

It’s not uncommon for cloud service providers to be compromised by distributed denial-of-service (DDoS) attacks that eat up customers’ time, resources and processing power. In the cloud, virtual machines are hijacked as zombies and used to launch the attacks. Hackers also run a “black cloud market” that offers DDoS as a service. One key to preventing these attacks is comprehensive workload monitoring.

TIPS: Your best defense: intercept and circumvent

As soon as an attack happens, the outgoing DDoS and the incoming DDoS need to be intercepted and circumvented. This means providing continuous monitoring of the cloud environment and issuing early warnings for those bare metal systems and virtual machines that have been hijacked as zombies. A cloud service provider should also block the outgoing DDoS attack that might be launched by these hijacked machines (and suspend them after they have been detected).

NEXT-GENERATION SECURITY FROM THE CLOUD

Even though hackers are using traditional methods to attack the cloud, traditional security methods aren’t likely to stop the attacks. In the past, some cloud providers have applied static, perimeter-based controls, such as firewalls and intrusion protection systems (IPSs), with additional layers of defense, assuming that multiple integrated layers provide greater defense.

But this is the traditional security model, which may no longer provide the highest security possible because it is marred by three key vulnerabilities:
• Numerous security controls can lead to a fragmented security posture, overhead in security management and a never-ending stream of alerts.
• Security attacks are sophisticated and can more easily leapfrog the current generation of static security controls.
• Attackers are able to quickly exploit platform shifts, such as software-defined environments, to their advantage.

A NEW SECURITY PARADIGM

To truly combat today’s threats, you need security measures that eliminate these shortcomings. As you move high-value, industry-specific workloads to the cloud, you need to build in the right security from the start. Keeping track of who is accessing data governed by regulations will be critical not only for regulatory compliance but also for providing the security assurances you and your clients expect.

New exposures

Public clouds also have certain exposures that new security approaches need to take into account. These can raise security concerns:
• “Black box” sharing in clouds can reduce visibility and control and increase the risk of unauthorized access and disclosures.
• Limited compatibility with existing enterprise security infrastructure may limit adoption for mission-critical applications.
• Limited experience and low assurance can raise doubts over cloud reliability (operational availability, long-term perspective).
• Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.

INNOVATIVE SECURITY APPROACHES

Three new and advanced security approaches can help you fortify your cloud environments against traditional and new security threats. Together, fine-grained contextual security, provenance and the honey pot can provide greater visibility; track data, location and access; and support regulatory compliance.

FINE-GRAINED CONTEXTUAL SECURITY
Get a 360-degree view of your cloud threat landscape

Because many cloud security breaches may be the result of poorly monitored workloads, fine-grained contextual security, which is designed to provide a 360-degree view of the cloud workload and threat landscape, is critical to protecting your data in the cloud. Think of it as perimeter defense for the virtual environment.

HOW IT WORKS

Phase 1: Monitor and distill. Here, virtually all aspects of workloads are instrumented, including data, applications and business processes, to monitor and collect security-related data. These observations build a 360-degree view of the cloud workload.

Phase 2: Correlate and predict. The security posture is predicted based on this 360-degree view, the current threat environment, the service level agreements (SLAs) governing the cloud workload and assessment of response alternatives. Here, you use techniques such as data mining, machine learning and cognitive computing to aid security administrators with automated methods to build models, track normal behavior and flag anomalous activity.

Phase 3: Adapt and preempt. In this phase, security controls are inserted by leveraging the agility of software-defined compute, storage and networks to increase the workload of the attacker. This approach can raise the defender’s stakes in the security arms race.

HOW YOU CAN BENEFIT

• Gives you the security of communication across domains, knowing it can be trusted and fully logged and audited
• Facilitates fast workload migration with minimal disruption
• Enables you to react to SLA violations; identify long-term activities caused by low-and-slow threats; and isolate infrequent, unanticipated device activity

EXPLORE PROVENANCE
Close the loop on compliance threats

Provenance, a term borrowed from fine art, describes how an object came to be in its present state. For example, the provenance of the Mona Lisa establishes who painted it at what time, when it was scratched and restored, and which museums have held it. In technology, provenance is metadata that represents the ancestry of an application and shows where it was developed, when it was patched or updated, and who has used it for what purpose. It can also be the metadata for a piece of data in terms of when it was created as well as when, how, where and by whom it was altered.

HOW IT WORKS

Provenance links log and audit data from all over the map to provide the complete history of an event. It tracks the data and processes that travel through your cloud so you can know the how, what, where, when, who and why of virtually any threat event.

HOW YOU CAN BENEFIT

• Empowers you to isolate the correct contextual information and tune out potential interference from adjacent workloads that have nothing to do with your workload
• Helps you manage and facilitate compliance because it gives you a clear, complete and fully authenticated audit trail
• In an environment where security regulations and standards change across states and countries, it can help you determine where your security is breaking down and where it’s holding up on the data journey

MEET THE HONEY POT
A decoy that tricks hackers

The honey pot is a decoy, a fake computing environment expressly set up for trapping hackers and new or unconventional hacking methods. It gives hackers a playground (that they believe is real) where they can unleash their threats, and reveal their methods and identities, before they reach your real computing environment. The result is effectively quarantined malware along with the less tangible satisfaction (and amusement) that comes from outwitting smug hackers.

HOW IT WORKS

The honey pot reroutes traffic to a decoy within a well-controlled and quarantined environment. It then generates a detailed report designed to reveal the identity of the target, files, hackers and threat. Attacks delivered by email or in unexpected and unconventional ways (such as through a heating, ventilation and air-conditioning [HVAC] system) should never reach the network with a honey pot defense.

HOW YOU CAN BENEFIT

• Gives you the peace of mind of knowing that malware should be quarantined before it reaches your infrastructure
• Makes you less vulnerable to unconventional hacking methods because this approach spots attacks that other approaches might not
• Helps you speed up threat analysis with precise information in an easy format

HOW TO PUT THESE APPROACHES TO WORK FOR YOUR ENTERPRISE

When you’re trying to determine which security approach is right for your enterprise, you’ll likely be better off taking a value-at-risk approach, considering the value of the information and the value of the infrastructure. Assessment also needs to be conducted in terms of threat level.

To take advantage of these new approaches, you may also need to add new tools and skills, including:
• Risk and value assessment methodology and skills
• Provenance generation and capturing, integration, and fusion
• Proactive probing and monitoring; deep introspection; and behavior modeling of system, user and workload
• Leveraging your software-defined environment to dynamically configure, quarantine and define a fine-grained perimeter
• Closed-loop, continuous auditing; continuous assurance; and continuous remediation

FOR MORE INFORMATION

Go to Steps to Cloud Expertise for more information on other cloud topics and to start your journey.
ibm.com/cloud/expertise

© Copyright IBM Corporation 2014
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
November 2014
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Should we fear the cloud?

  • 1.
    5 SHOULD WE FEAR THECLOUD? It may be the key to security EBOOK 0 COVER
  • 2.
    TABLEOF CONTENTS For more information Legal + PREVIOUSNEXT INTRODUCTION: IS CLOUD OUR GREATEST SECURITY RISK OR OPPORTUNITY? TODAY’S TOP 5 SECURITY THREATS A NEW SECURITY PARADIGM PUT THESE APPROACHES TO WORK + + + + TABLE OF CONTENTS 3 chapter 5 chapter NEXT-GENERATION CLOUD SECURITY + 1 chapter 2 chapter 4 chapter 6 chapter INNOVATIVE SECURITY APPROACHES + 0 TABLE OF CONTENTS
  • 3.
    It’s a fearthat many organizations have— a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common. IS CLOUD OUR GREATEST SECURITY RISK OR OPPORTUNITY? IS THE CLOUD INSECURE? OR ARE WE? WHAT IS THE REAL COST OF A DATA BREACH? page 1 of 2 PREVIOUS NEXT Introduction: Is cloud our greatest security risk or opportunity?CHAPTER 1 TABLE OF CONTENTS BACK TO 1.1 INTRODUCTION (p.1)
  • 4.
    IS CLOUD OUR GREATEST SECURITYRISK OR OPPORTUNITY? IS THE CLOUD INSECURE? OR ARE WE? WHAT IS THE REAL COST OF A DATA BREACH? It’s a fear that many organizations have— a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common. page 1 of 2 PREVIOUS NEXT Introduction: Is cloud our greatest security risk or opportunity?CHAPTER 1 TABLE OF CONTENTS BACK TO The financial cost of a data breach is rising. The average total cost of a data breach has increased 15 percent in the past year—to USD3.5 million.1 Data breaches often cause a loss of customers—and this abnormal churn rate is particularly acute in the pharmaceutical, financial services and healthcare industries.2 CLOSE X 1,2 Ponemon Institute (sponsored by IBM), 2014 Cost of Data Breach Study: Global Analysis, May 2014. $3.5MILLION 1.2 INTRODUCTION - Cost of data breach
  • 5.
    IS CLOUD OUR GREATEST SECURITYRISK OR OPPORTUNITY? IS THE CLOUD INSECURE? OR ARE WE? WHAT IS THE REAL COST OF A DATA BREACH? It’s a fear that many organizations have— a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common. page 1 of 2 PREVIOUS NEXT Introduction: Is cloud our greatest security risk or opportunity?CHAPTER 1 TABLE OF CONTENTS BACK TO Of 250 senior IT and business decision makers interviewed in the United Kingdom, only 2 percent said they’d experienced a cloud-related security breach.3 CLOSE X 2% 250SENIOR IT AND BUSINESS DECISION MAKERS EXPERIENCED A CLOUD- RELATED SECURITY BREACH. } 3 The Cloud Industry Forum, “Cloud FUD fails to match up with experiences, says CIF,” press release, September 2014. 1.3 INTRODUCTION - Cloud insecure
  • 6.
    When you’re planningto move to the cloud and manage a hybrid environment, security is a top concern. But cloud is not necessarily less secure than a traditional environment. In fact, it may be possible to deliver even greater se- curity in a hybrid cloud environment because it offers new and advanced opportunities. In this ebook, you’ll discover how hackers are using traditional tactics in new ways to attack the cloud. You’ll also find out how the cloud can help you increase security with innovative approaches designed to detect threats long before they threaten your enterprise. page 2 of 2 PREVIOUS NEXT Introduction: Is cloud our greatest security risk or opportunity?CHAPTER 1 TABLE OF CONTENTS BACK TO 1.4 INTRODUCTION (p.2)
  • 7.
    Our cloud securityfears may have more basis in the changing threat landscape— the botnets, advanced persistent threats and dynamic polymorphic malware of our world—than in cloud technology itself. In fact, there’s nothing fundamental in the cloud that makes it any more vulnerable than a traditional envi- ronment. With each new innovation in computing, hackers have exploited new vulnerabilities to launch attacks, and the cloud is simply their newest target. As more workloads move to the cloud, more data follows, and hackers go where the data is. Right now, they’re using traditional tactics in new ways to infiltrate a new environment. FIVE TOP SECURITY THREATS: old threats, new environment page 1 of 7 5 PREVIOUS NEXT TABLE OF CONTENTS BACK TO Today’s top 5 security threatsCHAPTER 2 2.1 TOP FIVE
  • 8.
    TOP 5 CLOUD THREATS
    We’ve compiled a list of the five top current cloud threats and provided tips on how to protect against each.
      • DATA BREACHES
      • DATA LOSS
      • DENIAL-OF-SERVICE ATTACKS
      • INSECURE INTERFACE AND API
      • SERVICE TRAFFIC HIJACKING
  • 9.
    1 DATA BREACHES
    Your cloud provider may not alert you if your servers are breached
    Hackers are using sophisticated tactics to steal data in the cloud just as they do in other environments, but they’re coming up against sophisticated, cloud-based security approaches. Thieves can steal data if it’s encrypted for only one part of its cloud journey. However, this can be prevented if data is encrypted throughout its cloud journey until it’s been processed by the authorized application.
    TIPS: Respond quickly
    You have to respond quickly to a data breach—speed and skill are critical, and every minute counts. Yet because breach protection laws vary by state and country, your cloud provider may not be required to alert you to a security threat. To limit disruption to your operations, data leakage, compliance complications and damage to your corporate reputation, you need a data breach response plan that will quickly assess the source of the problem and immediately begin mitigating further damage. One possible solution is a plan that deploys a unified data breach response system, in conjunction with consultants, to minimize the effect of a security incident and prevent data breaches in the future. This system should be monitoring your IT environment 24x7.
  • 10.
    2 DATA LOSS
    Data may be accidentally deleted
    Given that companies can go out of business after a major data loss, the threat is understandably a big fear in most industries. In the cloud, the potential causes of data loss can be more expansive than in a traditional environment, where hardware or system malfunctions are often the culprits. Data loss in the cloud may be caused by cloud service provider error, accidental deletion of virtual machines, file corruption and internal virtual disk corruption, among others.
    TIPS: Focus on endpoint security
    To prevent this, you need a data loss prevention solution that focuses on improving endpoint security. The solution you choose should protect sensitive data at every point, whether it’s being accessed, stored or transmitted on your endpoint devices. A solution that prevents data access when a device is lost or stolen, encrypts e-mail and instant messages, and blocks unauthorized and abusive behavior will give you significant protection.
  • 11.
    3 SERVICE TRAFFIC HIJACKING
    Your services can be compromised
    A few years ago, a cross-site scripting (XSS) bug gave hackers a free pass to one website’s credentials, using the trust the company had gained to hurt its own customers. In the cloud, hackers can create chaos, manipulating data and redirecting customers to illicit sites.
    A primary reason for XSS attacks like this is that developers trust users. Developers may think that users will never perform malicious actions so they create applications without filtering user input to block them. Another reason for the frequency of these kinds of attacks is that they have so many variants. Sometimes, an application that properly tries to filter any malicious scripts gets confused and allows a script, opening the door to hijacking.
    TIPS: The solution: contextual output encoding or escaping
    The primary defense against XSS is contextual output encoding or escaping. Several escaping schemes can be used depending on where the untrusted string needs to be placed within an HTML document, including HTML entity encoding, JavaScript escaping, Cascading Style Sheets (CSS) escaping and URL (or percent) encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner. Because encoding can be tricky, a security encoding library is recommended.
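    The contextual encoding described in the tips above, as an added example that is not part of the original ebook: one encoder per output context the text names (HTML entity, JavaScript string, CSS, URL), applied to a constructed sample value. The function names are illustrative assumptions, not a real library's API; a maintained security encoding library remains the recommended choice.

```javascript
// Added example: one encoder per output context. All names are hypothetical.

// Hex code point of a character, e.g. "<" -> "3c".
const hex = (ch) => ch.codePointAt(0).toString(16);

// HTML element content and quoted attribute values: entity-encode the
// characters that can open a tag, start an entity or close a quote.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Inside a quoted JavaScript string literal: escape every non-alphanumeric
// character, so quotes, backslashes, "</script>" and line breaks are inert.
function encodeForJsString(s) {
  return Array.from(String(s), (ch) => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    return ch.codePointAt(0) <= 0xff
      ? '\\x' + hex(ch).padStart(2, '0')
      : '\\u{' + hex(ch) + '}';
  }).join('');
}

// Inside a quoted CSS string: backslash + hex code point + terminating space.
function encodeForCss(s) {
  return Array.from(String(s), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : '\\' + hex(ch) + ' ').join('');
}

// URL query parameter value: percent-encode, including the characters
// !'()* that encodeURIComponent leaves untouched.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (ch) => '%' + hex(ch).toUpperCase());
}

// The same untrusted value needs a different encoder in each position.
function renderAll(value) {
  return {
    html: `<p>Hello, ${encodeForHtml(value)}</p>`,
    attr: `<input value="${encodeForHtml(value)}">`,
    js: `<script>var name = '${encodeForJsString(value)}';</script>`,
    css: `<style>.u::after { content: '${encodeForCss(value)}'; }</style>`,
    url: `<a href="/search?q=${encodeForUrlParam(value)}">search</a>`,
  };
}

// Constructed sample input that tries to break out of markup and quotes.
const SAMPLE = `"><script>alert('x')</script>`;

for (const [context, fragment] of Object.entries(renderAll(SAMPLE))) {
  console.log(context.padEnd(5), fragment);
}
```

    HTML entity encoding alone does not cover the other contexts: a value placed inside a script block, a style rule or a URL needs the encoder for that position, which is why the text calls the encoding contextual.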
  • 12.
    4 INSECURE INTERFACE AND APIs
    Malicious access on the cloud
    If interfaces and application programming interfaces (APIs) aren’t secure, cloud services won’t be either. Here are just some of the security breakdowns that can happen: malicious or unidentified access, improper authorizations, and reusable passwords.
    TIPS: You need a secure provider
    Access to cloud services needs to be secure on the static and dynamic front, and that eventually boils down to choosing a secure cloud service provider. A provider should continuously capture—and provide the full chain of provenance for—access to any cloud service, starting with hardware root of trust for the runtime environment. The secure access itself can be established through multilevel security (MLS), including mandatory access control (MAC).
  • 13.
    5 DENIAL-OF-SERVICE ATTACKS
    The black cloud market
    It’s not uncommon for cloud service providers to be compromised by distributed denial-of-service (DDoS) attacks that eat up customers’ time, resources and processing power. In the cloud, virtual machines are hijacked as zombies and used to launch the attacks. Hackers also run a “black cloud market” that offers DDoS as a service. One key to preventing these attacks is comprehensive workload monitoring.
    TIPS: Your best defense: intercept and circumvent
    As soon as an attack happens, the outgoing DDoS and the incoming DDoS need to be intercepted and circumvented. This means providing continuous monitoring of the cloud environment and issuing early warnings for those bare metal systems and virtual machines that have been hijacked as zombies. A cloud service provider should also block the outgoing DDoS attack that might be launched by these hijacked machines (and suspend them after they have been detected).
  • 14.
    CHAPTER 3: Next-generation cloud security
    NEXT-GENERATION SECURITY FROM THE CLOUD
    Even though hackers are using traditional methods to attack the cloud, traditional security methods aren’t likely to stop the attacks. In the past, some cloud providers have applied static, perimeter-based controls, such as firewalls and intrusion protection systems (IPSs), with additional layers of defense, assuming that multiple integrated layers provide greater defense.
  • 15.
    But this is the traditional security model, which may no longer provide the highest security possible because it is marred by three key vulnerabilities:
      • Numerous security controls can lead to a fragmented security posture, overhead in security management and a never-ending stream of alerts.
      • Security attacks are sophisticated and can more easily leapfrog the current generation of static security controls.
      • Attackers are able to quickly exploit platform shifts, such as software-defined environments, to their advantage.
  • 16.
    CHAPTER 4: A new security paradigm
    A NEW SECURITY PARADIGM
    To truly combat today’s threats, you need security measures that eliminate these shortcomings. As you move high-value, industry-specific workloads to the cloud, you need to build in the right security from the start. Keeping track of who is accessing data governed by regulations will not only be critical for regulatory compliance but also for providing the security assurances you and your clients expect.
  • 17.
    New exposures
    Public clouds also have certain exposures that new security approaches need to take into account. These can raise security concerns:
      • “Black box” sharing in clouds can reduce visibility and control and increase the risk of unauthorized access and disclosures.
      • Limited compatibility with existing enterprise security infrastructure may limit adoption for mission-critical applications.
      • Limited experience and low assurance can raise doubts over cloud reliability (operational availability, long-term perspective).
      • Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.
  • 18.
    CHAPTER 5: Innovative security approaches
    INNOVATIVE SECURITY APPROACHES
    Three new and advanced security approaches can help you fortify your cloud environments against traditional and new security threats. Together, fine-grained contextual security, provenance and the honey pot can provide greater visibility; track data, location and access; and support regulatory compliance.
  • 19.
    FINE-GRAINED CONTEXTUAL SECURITY
    Get a 360-degree view of your cloud threat landscape
    Because many cloud security breaches may be the result of poorly monitored workloads, fine-grained contextual security, which is designed to provide a 360-degree view of the cloud workload and threat landscape, is critical to protecting your data in the cloud. Think of it as perimeter defense for the virtual environment.
  • 20.
    FINE-GRAINED CONTEXTUAL SECURITY: How it works
    PHASE 1: Monitor and distill. Here, virtually all aspects of workloads are instrumented, including data, applications and business processes, to monitor and collect security-related data. These observations build a 360-degree view of the cloud workload.
    PHASE 2: Correlate and predict. The security posture is predicted based on this 360-degree view, the current threat environment, the service level agreements (SLAs) governing the cloud workload and assessment of response alternatives. Here, you use techniques such as data mining, machine learning and cognitive computing to aid security administrators with automated methods to build models, track normal behavior and flag anomalous activity.
    PHASE 3: Adapt and preempt. In this phase, security controls are inserted by leveraging the agility of software-defined compute, storage and networks to increase the workload of the attacker. This approach can raise the defender’s stakes in the security arms race.
  • 21.
    FINE-GRAINED CONTEXTUAL SECURITY: How can you benefit
      • Gives you the security of communication across domains, knowing it can be trusted and fully logged and audited
      • Facilitates fast workload migration with minimal disruption
      • Enables you to react to SLA violations; identify long-term activities caused by low-and-slow threats; and isolate infrequent, unanticipated device activity
  • 22.
    EXPLORE PROVENANCE
    Close the loop on compliance threats
    Provenance, a term borrowed from fine art, describes how an object came to be in its present state. For example, the provenance of the Mona Lisa establishes who painted it at what time, when it was scratched and restored, and which museums have held it. In technology, provenance is metadata that represents the ancestry of an application and shows where it was developed, when it was patched or updated, and who has used it for what purpose. It can also be the metadata for a piece of data in terms of when it was created as well as when, how, where and by whom it was altered.
  • 23.
    PROVENANCE: How it works
    Provenance links log and audit data from all over the map to provide the complete history of an event. It tracks the data and processes that travel through your cloud so you can know the how, what, where, when, who and why of virtually any threat event.
  • 24.
    PROVENANCE: How can you benefit
      • Empowers you to isolate the correct contextual information and tune out potential interference from adjacent workloads that have nothing to do with your workload
      • Helps you manage and facilitate compliance because it gives you a clear, complete and fully authenticated audit trail
      • In an environment where security regulations and standards change across states and countries, it can help you determine where your security is breaking down and where it’s holding up on the data journey
  • 25.
    MEET THE HONEY POT
    A decoy that tricks hackers
    The honey pot is a decoy, a fake computing environment expressly set up for trapping hackers and new or unconventional hacking methods. It gives hackers a playground (that they believe is real) where they can unleash their threats, and reveal their methods and identities, before they reach your real computing environment. The result is effectively quarantined malware along with the less tangible satisfaction (and amusement) that comes from outwitting smug hackers.
  • 26.
    HONEY POT: How it works
    The honey pot reroutes traffic to a decoy within a well-controlled and quarantined environment. It then generates a detailed report designed to reveal the identity of the target, files, hackers and threat. Attacks delivered by email or in unexpected and unconventional ways (such as through a heating, ventilation and air-conditioning [HVAC] system) should never reach the network with a honey pot defense.
  • 27.
    HONEY POT: How can you benefit
      • Gives you the peace of mind of knowing that malware should be quarantined before it reaches your infrastructure
      • Makes you less vulnerable to unconventional hacking methods because this approach spots attacks that other approaches might not
      • Helps you speed up threat analysis with precise information in an easy format
  • 28.
    CHAPTER 6: Put these approaches to work
    HOW TO PUT THESE APPROACHES TO WORK FOR YOUR ENTERPRISE
    When you’re trying to determine which security approach is right for your enterprise, you’ll likely be better off by taking a value-at-risk approach, considering the value of the information and the value of the infrastructure. Assessment also needs to be conducted in terms of threat level. To take advantage of these new approaches, you may also need to add new tools and skills, including:
      • Risk and value assessment methodology and skills
      • Provenance generation and capturing, integration, and fusion
      • Proactive probing and monitoring; deep introspection; and behavior modeling of system, user and workload
      • Leveraging your software-defined environment to dynamically configure, quarantine and define a fine-grained perimeter
      • Closed-loop, continuous auditing; continuous assurance; and continuous remediation
  • 29.
    For more information
    Go to Steps to Cloud Expertise for more information on other cloud topics and to start your journey. ibm.com/cloud/expertise
  • 30.
    © Copyright IBM Corporation 2014
    IBM Corporation, Software Group, Route 100, Somers, NY 10589
    Produced in the United States of America, November 2014
    IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
    This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
    THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
    The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.