Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

Cloud Security: Confident, Fearful, or Surprised

Home
Industry Insights
Cloud Security: Confident, Fearful, or Surprised

Blog Article Published: 11/04/2011

By Ken Biery

This two-part guest blog series explores the topic of cloud security. Part one of the series focuses on the questions enterprise IT decision makers should ask when considering moving business applications to a cloud-based computing environment.

There is no shortage of information about cloud security. There are those that say cloud security is inherently more secure because of its ability to create and maintain a more hardened centralized environment. Others claim, because of multi-tenancy, virtual systems and data will never be even modestly secure.

The big surprise about cloud security may be that there are not really any big surprises. The good security practices that work in a traditional network also work for cloud-based IT. The key is understanding how to apply security practices to a cloud environment and to develop a security strategy that uses known and sound security foundations to address various cloud environments.

A more secure cloud is the product of careful planning, design, and operations. This begins with understanding the type of cloud (public, private, hybrid) that is being used and then its model, whether it be software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS.) These two factors will determine the type and amount of security controls needed and who is responsible for them.

Public and Private Clouds

Public clouds typically tend to have a limited number of security measures, providing a more open and flexible computing environment. These clouds usually have a lower cost since their security features are basic. While this may be perfectly acceptable for some circumstances, such as non-critical or non-sensitive environments, it will not usually meet the requirements of most enterprise users.

Public clouds also generate the most concern about using a shared virtualized environment. These are mainly centered on how to properly segment systems and isolate processing resources. Segmentation and isolation can be challenging to accomplish and measure, especially for an auditor or assessor looking at these primary security control areas. Another factor is that many public cloud providers do not, or cannot, sufficiently support the types of controls required by enterprises to meet security and compliance requirements.

When considering a public cloud, it is important to ask the provider about their security measures, such as segmentation, firewalls/intrusion protection systems, monitoring, logging, access controls, and encryption. Their responses and transparency about the details of their environment’s security measures speak volumes of what to expect. Also, you may want to do some searches on the provider as they may have a reputation for harboring “bad neighborhoods”, which tend to host botnets or malware sites.

Private clouds can be internally hosted or located at a service providers’ facility. For internally hosted clouds, just like traditional environments, the security design and controls can be highly customized and controlled by the organization. If hosted at a service provider, the number of controls can vary considerably depending on the model selected. This is not to say that a service provider cannot provide a good set of default and optional security controls. Obviously, this is why having a good understanding of the provider’s cloud design and its features, as well as your own requirements, is crucial.

Multi-tenancy, Segmentation, and Isolation

Multi-tenancy is one of the major issues when it comes to security and compliance in the cloud. In some cases, multi-tenancy may require that an environment’s controls be set to the lowest level to support the broadest set of requirements for the largest number of potential users. One of the main concerns around multi-tenancy is that, due to the use of a shared resource pool of computing resources, one entity’s virtual machine (VM) could compromise another entity’s VM. A lack of proper segmentation between the two entities’ environments could make this possible.

This lack of separation can also create compliance challenges for multi-tenancy environments. Assessors and auditors are looking for sufficient controls to help prevent information leakage between virtual environment components. Improperly configured hypervisors, management interfaces, and VMs have the potential to become a leading cause for non compliance and risk exposure. In a traditional network, if a system is misconfigured, it can be compromised. If a virtual environment is misconfigured, it can compromise all of the systems within it.

It is important to note that there has not been any major publically disclosed compromise of hypervisors. However, it is only a matter of time. The virtualization layer is too tantalizing of a target for hackers not to pursue aggressively.

One of the cleanest ways to show separation within a virtualized environment is to have VMs with compliance or higher security requirements run on dedicated physical hardware. Yes, this is contrary to one of the benefits of cloud computing until the effort and cost of compliance and robust security is considered. This approach can be easier to establish and maintain since only a smaller number of systems may need to have advanced protection.

Isolation needs to be performed at the operating system (O/S) layer and no two VM operating systems should be shared. Specifically, the rapid-access memory (RAM), processor and storage area network (SAN) resources should be logically separated, with no visibility to other client instances. From a network perspective, each entity is separated from the next by use of a private virtual local area network (VLAN.)

The second part of this blog series will explore the cloud security best practices that can be employed to create a multi-layered defense for cloud-based computing environments.

About the Author

Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.

Share this content on your favorite social network today!

Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.