Securing the Cloud
Published: October 15, 2010
Author: Mary Landesman - Microsoft MVP, Consumer Security
Security challenges faced by modern corporations have never been greater. The enterprise was once viewed as hard on the outside and soft and chewy on the inside; today, widespread adoption of social media, smartphones, and mobile devices has made its borders far more porous and malleable than in years past. And as network perimeters erode, the lines between insider threat and outsider threat have become increasingly blurred.
Contributing to the challenge is increased interest in and adoption of cloud-based technologies and services. According to the National Institute of Standards and Technology, cloud computing is defined as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Cloud computing, at its most basic, is merely offloading the software or hardware tasks to someone else’s resources. This “shared pool” can result in fewer up-front costs for the enterprise, and can minimize or eliminate long-term commitments and risk to capital expenses. Additionally, the very nature of the service model gives enterprise IT access to greater innovation, infrastructure, processing speed, and capability than it might be able to procure in-house.
Indeed, the majority of enterprises might already be in the cloud, whether they bargained for it or not. Webmail, Facebook, Twitter and LinkedIn are all examples of cloud-based services that make today’s enterprises “partly cloudy.” Today’s consumers have come to expect always-on ease-of-access, and these expectations find their way into the workplace.
Adapting to these changes might require IT to give up some control over the how, where, and when of applications and services; however, IT still needs to help ensure that security and compliance requirements are met.
As Rob Juncker, Vice President of Technology at Shavlik explains, “Without question, IT managers will be held to the same standards for security and compliance whether or not the solutions they choose—or are handed down to them—are on premises or in the cloud. As a result of this, it is imperative IT managers develop a cloud strategy that takes into account their security requirements as they evaluate vendors.”
Juncker also cautions, “Organizations that are required to deliver to regulatory requirements such as HIPAA [Health Insurance Portability and Accountability Act], or government standards should be especially aware of these requirements.”
Having a basic understanding of cloud structure can help you determine where various responsibilities will lie—including which security and compliance concerns you can offload and which ones you cannot.
Top Down, Bottom Up
Various service and deployment models exist within cloud computing, and the combination in use must be considered when assessing security needs and controls. The three basic service models are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS); each is discussed below.
Regardless of the type of service, IT must also consider the deployment model. These models include private deployments available only to members of a particular organization (whether hosted on site or by a third party), public deployments available to anyone, community deployments shared among consumers with similar requirements, and a hybrid model that combines two or more of these.
The deployment model will greatly affect the degree of hands-on security work required of IT; for example, a private in-house cloud service will require far more internal resources to maintain than will an externally managed service. On the plus side, an internally managed service provides greater opportunity for custom security controls and for forensics, since you control the logs, disk images, and hardware that an investigation depends on.
One Size Does Not Fit All
Within the SaaS model, the service provider is not only concerned with securing the infrastructure, but also the applications (and access to those applications). Patching for security vulnerabilities, as an example, would fall under the jurisdiction of the service provider (assuming, of course the vulnerabilities resided in their applications or service).
SaaS providers generally have a strong vested interest in maintaining the security and integrity of their software and service infrastructure. Your role will be in evaluating and balancing the SaaS provider’s ability to secure its service, as well as its ability to satisfy your own enterprise’s security needs.
If your organization is subject to governmental or regulatory requirements, you will want to ensure the SaaS solution provider under consideration contractually addresses these requirements—and if not, that these requirements can be adequately addressed on your end. Additionally, you will want to examine whether the security controls offered by the provider are chiefly to protect the service itself or whether they also address the security of the data and of the users of that service.
With the Platform as a Service model, you will need to consider the same regulatory compliance, forensics, and ownership issues as with the SaaS model. However, the PaaS model carries an additional set of security evaluations, because the provider's security responsibility generally covers the platform (the runtime, middleware, and underlying infrastructure) and does not extend to the applications you develop or deploy on it.
On the plus side, with PaaS you can integrate additional security controls within the applications themselves. However, that also means greater onus will be put on IT resources not only to ensure security controls are provided within the applications, but also to assess and address any vulnerabilities that might be discovered in those applications. Additionally, regulatory and compliance requirements for those applications will fall under your domain.
With IaaS, the provider's security controls are typically focused on the infrastructure itself: the physical facilities, the network, and the virtualization layer. Security for what runs on that infrastructure, including the guest operating systems, their patching, and the hosted applications, is typically considered the province of the organization contracting for IaaS solutions. The exact split depends on the type of IaaS offering. As an example, cloud-based data storage solutions typically include redundancy and encryption of stored data (and often sharding of data across systems, which is a scaling and availability technique rather than a security control); access controls, key management, and protection of data in transit to the service may still be your responsibility, and should be confirmed with the provider.
Once again, regulatory compliance, forensics, and ownership should all be evaluated when considering an IaaS offering. Pay particular attention to disclosure requirements and agreements surrounding any data leaks that might occur on the service providers’ infrastructure but which might, in turn, impact your customers or employees.
In summary, while moving to the cloud can offer important cost, resiliency, and support benefits, moving to the cloud does not change your core security requirements. It simply might, depending on the model, shift some of the responsibility for meeting those requirements. It is up to you to evaluate the security benefits and challenges unique to each requirement as pertains to your own organization. The Cloud Security Alliance, a nonprofit conceptualized in 2008 and formed in 2009, offers an abundance of resources dedicated to promoting awareness of the security benefits and challenges unique to cloud computing.
About the Author
Mary Landesman is an antivirus professional and senior security researcher for Cisco. In 2009 and 2010, she was recognized as a Microsoft MVP for her work in consumer security. Mary is also the guide to Antivirus Software at antivirus.about.com.