Cloud Security: An Oxymoron?
Blog Article Published: 11/29/2011
Written by Torsten George, Vice President of Worldwide Marketing at Agiliance Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows organizations to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at organizations of all sizes. However, the 2012 Global State of Information Security Survey, which was conducted by PwC US in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that uncertainty about the ability of cloud service providers' security policies is still a major inhibitor to cloud computing. More than 30 percent of respondents identified their company’s uncertain ability to enforce their cloud providers’ security policies as the greatest security threat from cloud computing. With this in mind, is cloud security even achievable or just an oxymoron? In their eagerness to adopt cloud platforms and applications, organizations are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud – a credit card and a few keystrokes is all that is required – combined with service level agreements provides a false sense of security. However, shortcomings in the cloud providers’ security strategy can trickle down to the organizations that leverage their services. Damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss. Cloud Computing Vs. Cloud Security A naturally risk-adverse group, IT professionals are facing a strong executive push to harness the obvious advantages of the cloud (greater mobility, flexibility, and savings), while continuing to protect their organization against new threats that appear as a result. For organizations planning to transition their IT environment to the cloud, it is imperative to be cognizant of often overlooked issues such as loss of control and lack of transparency. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well-defined. This leaves organizations in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws. Whether organizations plan usage of public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own – especially if it potentially impacts your performance and valuation? Most recent cyber attacks and associated data breaches of Google and Epsilon (a leading marketing services firm) are prime examples of why organizations need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment. Enabling Cloud Security With most organizations beyond debating whether or not to embrace the cloud model, IT professionals should now re-focus their resources on managing the move to the cloud so that the risks are mitigated appropriately. When transitioning your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors. As part of a Cloud Readiness Assessment, organizations should evaluate potential cloud service models and providers. Organizations should insist that the cloud service providers grant visibility into security processes and controls to ensure confidentiality, integrity, and availability of data. It is important not only to rely on certifications (e.g., SAS 70), but more importantly document security practices (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan), compliance posture, and ability to generate dynamic and detailed compliance reports that can be used by the provider, auditors, and an organization’s internal resources. Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option. Following the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, organizations should not stop with the initial Cloud Risk Assessment, but continuously monitor the cloud operations to evaluate the associated risks. A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization’s cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance. If at all possible and accepted by the cloud service provider, organizations should consider leveraging monitoring services or security risk management software that achieves
- Continuous compliance monitoring.
- Segregation and virtualization provisioning management.
- Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM.
- Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus.