Virtual machines make it possible to separate hardware acquisition and deployment from software deployment, and can improve delivery within an enterprise to 10, 20, or even 30 times faster. Thomas J. Bittman, VP, Distinguished Analyst, Gartner
In today's economic environment, organizations are focused on reducing costs and doing more with less while still trying to remain competitive. This means that IT departments are facing greater scrutiny to ensure that they match key business needs and deliver intended results in the most efficient and cost-effective manner. To meet these challenges, IT organizations are increasingly moving away from device-centric views of IT, to one that is focused more on the defining characteristics of cloud computing on applications, information, and people.
As an emerging trend that provides rapid access to dynamically scalable and virtualized IT resources, cloud computing promises new and exciting opportunities for organizations to create lean, robust, cost-effective IT infrastructures that better align with business goals. However, certain tradeoffs concerning control, compliance, and security must be addressed before fully realizing those benefits.
This article describes the elements driving data centers migration to the cloud, including the role of virtualization in public cloud infrastructures, and outlines the security and compliance implications of cloud computing to provide insight into the protection of sensitive data in the cloud through two key methods: Administrative access and privileged delegation.
Why would organizations want to move their data center to the cloud? It's simple: The flexibility provided by virtualized servers and the economies of scale of larger private or public clouds create a better economic model for today's computing needs.
Virtualization provides the starting point for the better model: Higher utilization of server and storage hardware when workload varies:
- Add the economies of scale and even higher utilization when resources are shared across business units in a public cloud or across companies in a public cloud and you have a lower cost model.
- Add the flexibility to pay for resources only as used rather than incurring large fixed costs and large chunks of capital expenditures and IT can better match the business requirements in many industries.
However, beyond the simple economics, the cloud model provides significant operational benefits. Virtualization again provides the starting point for a better operation model by reducing the time to provision needed applications and workloads. The cloud model builds on these capabilities by abstracting the end user from the complexity of both the physical infrastructure and the details of the provisioning and management processes making computing as easy to buy and manage as any other business service, as well as providing metering for measured service and service level agreements. Add to that, increased reliability and greater accessibility for mobile or remote users and the cloud becomes a very compelling value proposition.
While the cloud is not in and of itself virtualization, virtualization is a critical component and major enabler of cloud computing. Virtualized servers and storage allow higher utilization of physical hardware when workload varies.
The ability to automatically move workloads whenever required increases reliability without the need to provide redundant (and often underutilized) hardware for every application. Cloud providers build on the economic advantages of virtualization; combining that with economies of scale and advanced automation of routine systems administration is what creates the cost savings that allow cloud-based data centers to be an economically viable alternative or supplement. Still, organizations moving data onto the cloud must consider the risks they face if the virtual environment is not administered properly.
Additionally, virtualization is enabling the IT department itself to be, in effect, a service provider for the business. Virtualization again provides the starting point for a better operation model by reducing the time to provision needed applications and workloads. By abstracting the end user from the complexity of both the physical infrastructure and the details of the provisioning and management processes, server virtualization "helps IT behave more like a cloud provider, and prepares the business to be a better consumer of cloud computing." (From GartnerGroup, "Server Virtualization: One Path That Leads to Cloud Computing", RAS Core Research Note G00171730, Thomas J. Bittman, 29 October 2009.)
So what does this mean for the data center and IT operations? The first characteristic of a heavily virtualized data center is a dramatic increase in the number of servers to be managed. This increasing scale — from hundreds to thousands and thousands to tens of thousands of servers — adds high degree of complexity to data center operations. Change and configuration management become for more important and challenging and automation moves from a nice way to save money to a fundamental requirement.
Because of this additional complexity in virtual and cloud environments, client data is now exposed to security vectors not found in purely physical environments. The addition of a virtualization layer to the IT stack introduces a new point of failure in the established security model and a new attack surface for intruders of malicious insiders. Any breach of security at the hypervisor level undermines all of the security on the stack above it, from the operating system through the data and application layers.
According to an IDC Enterprise Panel survey, the number one concern of companies moving into cloud computing environments is security (Figure 1).
Figure 1. Security is number one concern when moving into the cloud
Silos of dedicated IT infrastructure built around specific applications, customers, business units, operations, and regulatory compliance are often the result of the dramatic growth in scale and complexity of enterprise IT environments.
While cloud computing removes the traditional application silos within the data center and introduces a new level of flexibility and scalability to the IT organization, the support for multi-tenancy compute environments also introduces additional security risks, the most insidious of which is data theft.
While security is a top priority for customers in moving to the cloud, it is not always as important for the cloud provider. A recent study on the "Security of Cloud Computing Providers" by the Ponemon Institute indicated, "The majority of cloud computing providers do not consider security as one of their most important responsibilities." Furthermore, "the respondents overwhelmingly believe it is the responsibility of the users of cloud computing to ensure the security of the resources they provider. "
Many cloud vendors have large-scale operations that offer the potential for more resources and expertise to address the security challenges inherent in the virtualization and cloud model.
Although the cloud helps free organizations from operating their own servers, storage, networks, and software, it also eliminates many of the traditional physical boundaries that help define and protect an organization's data assets and introduces new risks as virtual servers and mobile virtual machines replace physical servers and firewalls. Virtualization eliminates the air gaps that exist between physical servers and the ability to cleanly separate devices into physically isolated networks.
Without that physical and network isolation, it is harder to limit the access routes of system and network administrators. The increased scale and flexibility of cloud environments add a level of complexity to change-and-configuration management that makes it harder to enforce the principals of least privilege and segregation of duties.
For instance, malicious users with admin credentials to the virtual infrastructure could clone virtual machines to gain access to all data contained in the guest machines. They could even clone that virtual machine, delete the clone, and mount the deleted image outside of your normal security's scrutiny.
Since the cloud introduces ever-changing chains of custody for sensitive data and applications, protecting those assets becomes all the more difficult. Sensitive information should not be stored or processed in the cloud without visibility into the supplier's technology and processes to ensure the appropriate level of information protection.
According to the Cloud Security Alliance's "Top Threats to Cloud Computing v1.0" (March 2010), the following are identified as the top security threats to cloud computing (in no particular order):
- Abuse and nefarious use of cloud computing: IaaS providers offer the illusion of unlimited compute, network, and storage capacity with a simple, easy, quite open registration process. Spammers can use this registration process for their purposes. Although PaaS providers traditionally suffered most from this kind of attack, recent evidence shows that hackers are also targeting IaaS vendors. Areas of concern include password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow
tables, and CAPTCHA solving farms.
- Insecure interfaces and APIs: Cloud providers expose a set of software interfaces or APIs that customers use to manage and interact (provision, manage, orchestrate, and monitor) with cloud services. The security and availability of general cloud services is dependent upon the security of these basic APIs. Organizations often build upon these APIs to offer value-added services, thus increasing the complexity by layering the API. Areas of concern include authentication, access control, encryption, and activity monitoring.
- Malicious insiders: This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain combined with a lack of transparency into a provider's processes and procedures. Areas of concern include how a provider grants employees access to physical and virtual assets, how it monitors these employees, how it analyzes and reports on policy compliance. Hiring standards and practices for cloud providers could also be a concern.
- Shared technology vulnerabilities: IaaS vendors deliver services in a scalable way by sharing infrastructure; the components that make up this infrastructure may not be designed to offer strong isolation properties for a multi-tenant architecture. Virtualization hypervisors are used to mediate access between a guest OS and the physical compute resources, but even hypervisors can have flaws that enable guest OS the ability to gain inappropriate levels of control or influence on the underlying platform. Areas of concern include compute, storage, and network security enforcement and monitoring.
- Data loss/leakage: The threat of data compromise increases in the cloud because of the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. Areas of concern include deletion or alteration of records without backup, unlinking a record from a larger context, loss of encoding keys, and unauthorized parties gaining access to sensitive data.
- Account or service hijacking: Cloud adds a new threat to the landscape; your account or service instances may become a new base for an attacker. Areas of concern include phishing, fraud, exploitation of software vulnerabilities, and often reused credentials and passwords.
The administrative tools used to access the hypervisor/VMM layer a cloud vendor manages must be tightly controlled to maintain a strong security posture. Organizations need to carefully analyze business and security requirements and must evaluate the depth and reliability of security features and cloud service levels.
The impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation. As organizations adopt cloud services, the human element takes on an even more profound importance. It is critical therefore that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat. Cloud Security Alliance, "Top Threats to Cloud Computing v1.0," March 2010
So, why the seeming disconnect between customer requirements and vendor priorities? Part of the reason may be that cloud security is inherently a shared responsibility. Much of the way we define and implement security is driven by compliance. However, despite a wide number of frameworks from COBIT to PCI, those compliance standards are not very clear, leaving ample room for every auditor to interpret them differently.
According to the Ponemon study, cloud providers are "least confident in their ability to restrict privileged user access to sensitive data." At least part of that lack of confidence can surely be attributed to the lack of a clear definition of privileged access and what the appropriate controls are. This general lack of transparency into provider processes and procedures, such as how its employees are granted access to physical and virtual assets, makes preventing data theft more difficult. The concentration of valuable data from a multitude of customers represents an appealing target for attack from unethical system administrators as well as malicious Internet-based attackers, and should raise concerns regarding privileged user access.
Enterprises who want to use the cloud and need to do it in a secure and compliant way are going to need to think about who is responsible for what:
- Cloud vendors need to do their part by providing a good foundation of security technologies like firewalls, anti-virus and anti-malware, encryption of data in motion, patch management, and log management.
- Cloud customers also need to do their part by using this foundation to secure their operations and ensure the proper policies and procedures are in place.
Therefore, that leaves the complicated stuff — shared responsibilities and the special case of the privileged users in the cloud.
Vendor priorities will be aligned with those of their customers. Today for most cloud users those priorities are reducing cost, workload, and deployment time while providing new levels of scalability. Some of these priorities are at odds with the time and resources required to do proper security.
However, if customers demand it and show they will pay for it vendors, will step up and provide the security that is needed. As a recent report by the Ponemon Institute on the "Security of Cloud Computing Providers" showed "while security as a true service from the cloud is rarely offered to customers today, about one-third of cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years." That potential will only be fully realized if customers provide the oversight, funds, and service level requirements to make sound, security processes a good business decision for the vendors. This entails security teams getting more involved, companies allowing security to influence buying decisions and insisting on regular reporting on security processes and service-level agreements.
Enterprises who want cloud vendors to be secure enough to protect their corporation's most sensitive data need to insist on it, communicate their requirements, oversee the controls, ask for reports, and ultimately take shared responsibility for the security of the cloud
As an alternative to public clouds, organizations are adopting private cloud infrastructures as a means of gaining more control over their data; however, they still need to take steps to detect and defend against the malicious insider threat.
The majority of organizations today are highly motivated to transition further into a cloud model, but hesitant to put their most mission-critical data in untested waters. There is an entire ecosystem of technologies to facilitate the cloud that is still growing, but needs to be adapted to the unique requirements of cloud environments.
One of greatest challenges for organizations leveraging cloud environments is demonstrating policy compliance. For many business functions commonly run in the cloud, such as hosting websites and wikis, it is often sufficient to have a cloud provider vouch for the security of the underlying infrastructure. However, for business-critical processes and sensitive data, it is absolutely essential for organizations to be able to verify for themselves that the underlying cloud infrastructure is secure.
The use of virtual machines adds further complexity into the mix since creating an identity for an individual virtual machine and tracking that virtual machine from creation to deletion can be challenging for even the most mature virtualized environments. Today's approach to compliance that is based on deploying controls to physical servers needs to be modified to fit a virtual environment. Proving that the physical and virtual infrastructure of the cloud can be trusted becomes even more difficult when those infrastructure components are wholly owned and managed by external service providers.
As a result, enterprises that want to use a cloud need to rethink their existing controls because fortunately, some elements remain the same. Many technical controls are the same and processes like outsourced vendor management are similar. However, the unique aspects of the cloud necessitate some shifts in security strategy including new controls for hypervisor integrity monitoring and additional process-related controls for application and data governance.
Cloud providers must be able to demonstrate that they have tested and can ensure that privileged user access is controlled and monitored. For instance, ISO/IEC 27001 requires an organization to create an Information Security Management System (ISMS). This enables an organization to use a risk-based approach to identifying and satisfying all compliance requirements, justify the selection and implementation of controls, and provide measurable evidence that the controls are operating effectively.
Organizations that claim to have adopted the ISO 27001 standard can therefore be formally audited and certified compliant with the standard. It is already fairly well known and accepted outside of the United States and is slowly gaining awareness and acceptance within the U.S. ISO 27001 requires that management:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
Another key regulation is the Payment Card Industry (PCI) Data Security Standard (DSS), a set of comprehensive requirements for enhancing payment account data security in an effort to thwart the theft of sensitive cardholder information. The core group of requirements is as follows:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
When appropriate, organizations should also ask for a commitment from providers to meet regulatory standards such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) in the U.S., and the EU Data Protection Directive.
You cannot secure "The Cloud" ... there is no "The Cloud." If you don't have a robust security program, cloud computing will make it worse. Christopher Hoff, founding member and technical advisor to the Cloud Security Alliance
Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several cloud-computing services without a good identity and access management strategy, in the end extending an organization's identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services.
The BeyondTrust PowerBroker products comprise a comprehensive enterprise-wide solution for servers, desktops, databases, applications, and devices in heterogeneous IT environments; the products allow companies to extend their existing security infrastructure, policies, and compliance reporting to private, public, and hybrid clouds and implement best practices with fine-grained access controls to rigorously enforce the principal of least privilege and segregation of duties
BeyondTrust PowerBroker products allow companies to completely manage and audit privileged user access to their cloud infrastructure. With PowerBroker, you can:
- Account for all privileged users.
- Manage provisioning/de-provisioning of privileged credentials.
- Implement a "least privilege"-based control system.
- Monitor and reconcile privileged activity.
- Maintain a high quality audit repository.
- Automate compliance reporting.
By extending existing insider security infrastructure to the cloud, companies reduce many of the barriers to cloud adoption. Using PowerBroker to manage cloud security allows systems engineering and admin teams to continue to use tools they know how operate and maintain. More importantly, PowerBroker is a proven solution known to auditors and compliance officers, eliminating the need for additional controls and audit processes for the cloud.
I'll detail the various products I'm discussing.
PowerBroker for Unix/Linux servers enables the delegation of privileges without disclosing the root password and provides a highly flexible policy language to provide fine-grained access control. PowerBroker Servers logs, monitors, and, reports all administrative actions down to the keystroke level to meet the most rigorous security and compliance requirements.
The flexible deployment capabilities of PowerBroker Servers including support for 30 encryption methods for policies, logs, and network traffic, allows companies to deploy their privileged access cloud security to best meet their needs. PowerBroker Servers can be deployed three ways:
- Deploying PowerBroker for Cloud Servers allows you to extend existing data-center-based PowerBroker infrastructure to cloud-based Unix/Linux servers. Sensitive policy information and event logs remains in your data center.
- Fully cloud-based PowerBroker implementations maximize your flexibility to scale up and down to meet changing needs for compute capacity with minimum fixed costs.
- Cloud-hosted PowerBroker implementations can be designed to secure distributed infrastructure in branch offices and retail environments. Keeping key PowerBroker components in the cloud minimizes the infrastructure deployed in remote locations with limited IT support resources.
Centralized identity is a foundation to cloud security and compliance. Enterprises need to find technologies that enable them to extend the enforcement of access rights from their on-premise systems out to their SaaS and cloud environments. This way, users who do not currently have access to protected customer information, or any other sensitive information with on-premise applications, won't inadvertently end up with access on your cloud systems. Not only is this important, but having identities properly managed across these systems means that when your organization is audited, it is straightforward to verify who has access to what data. Irida Xheneti, Security Week
PowerBroker offers two choices to meet the important needs for centralized identify management in cloud, the native LDAP support in PowerBroker Servers' policy language or PowerBroker Identity Services, a complete solution for centralizing user management, authentication, and authorization for Linux and Unix servers through Active Directory. With PowerBroker Identity Services, companies can securely extend an existing, on-premise Active Directory deployment to the cloud to authenticate users to cloud based Linux servers, monitor and report on sign on activity, and define and implement group policies to control your cloud server configurations.
PowerBroker Database Monitor and Audit can be deployed to monitor cloud-based databases, providing the database scanning and monitoring required meeting security best practices and compliance mandates. PowerBroker Database Monitor and Audit provides the detailed logging capability required to review database entitlements and access control on a regular basis.
Linking PowerBroker Database Monitor and Audit with PowerBroker Servers and Identity Services allows closed loop reconciliation of privileged activity with you change management and help desk ticketing systems providing the same controls on critical databases deployed in the cloud as in the data center.
Figure 2. Closed loop reconciliation of privileged activity
Easily configured into separate security zones, PowerBroker allows companies to apply the appropriate level of security to applications sharing the same physical or virtual infrastructure.
In conclusion, I've provided some details on a real-world deployment of the concepts discussed in this article. One of the world's largest financial services firms with a centralized IT organization that provides IT services to its business units with internal cross-charges faced increasing demands for computing capacity, so the firm decided that the most efficient way for the IT organization to meet business units' requirements in a cost-effective manner was to develop a Linux-based private cloud infrastructure capable of scaling to over 100,000 virtual servers to meet peak demand.
Before moving forward with the private cloud infrastructure, the business units had a key concern that needed to be addressed: They wanted to make sure that their confidential data would remain secure and that any requirements around compliance would be upheld in the private cloud infrastructure. Since virtualization would be employed and compliance was a concern, it would be difficult for IT to segregate the infrastructure by business unit while still ensuring authorization levels were in line with compliance mandates.
The IT team developed a comprehensive view of current and future requirements to secure their growing cloud environment:
- A comprehensive vendor-provided solution.
- A scalable, enterprise-grade fabric.
- Seamless integrations with on-premise and cloud directories.
- Allow admins to manage policies, not infrastructure.
- Dynamically react to changes in virtual environment.
- Provide quantifiable performance metrics of how the cloud server is performing.
In order to meet the security and compliance requirements of the business units, the firm deployed BeyondTrust PowerBroker UNIX and Linux Servers to provide unified protection from host to guest operating systems. As a result of using PowerBroker for the private cloud infrastructure, privilege delegation is now centrally governed for both guest OS, as well as the XEN hypervisor. The solution allows the IT organization to centrally monitor and control administrative access and privilege delegation throughout the company-wide infrastructure. The IT organization and discrete business units are also able to produce compliance reports that include the logging and auditing down to the keystroke, as well as event data for ad-hoc drill-down validation of their key SOX, PCI, and FFIEC compliance needs.
The implementation began with manual deployment of PowerBroker to all operating systems launched within the cloud. As scale increased, PowerBroker was added to the standard OS image so it would be automatically deployed.
Working with BeyondTrust, the IT team simplified and standardized their policies to simply administration, acting as an advanced development partner for the development and deployment of more advanced automation and health monitoring.
In this article, I've discussed the needs that drive migration of data centers into the cloud, detailed the role of virtualization in both public and private cloud infrastructures, and outlined the security and compliance implications of cloud computing in order to provide you some insight into how to protect sensitive data in the cloud using administrative access and privileged delegation control methods and have provided a real-world example of an existing, working system that can perform these tasks.
Learn more about the compliance standards mentioned in this article: PCI DSS and ISO/IEC 27001.
Read more details of top security threats to cloud computing in the Cloud Security Alliance's March 2010 paper "Top Threats to Cloud Computing v1.0."
Uncover more security trends of cloud providers in the Ponemon Institute's April 2011 study "Security of Cloud Computing Providers."
In the developerWorks cloud developer resources, discover and share knowledge and experience of application and services developers building their projects for cloud deployment.
See the product images available for IBM SmartCloud Enterprise.
BeyondTrust software provides privilege authorization management, access control, and security solutions for virtualization and cloud computing environments, empowering IT governance to strengthen security, improve productivity, drive compliance, and reduce expense. The company's product goal is to eliminate the risk of intentional, accidental, and indirect misuse of privileges on desktops and servers in heterogeneous IT systems.
Find out how to access IBM SmartCloud Enterprise.
Join a cloud computing group on developerWorks.
Read all the great cloud blogs on developerWorks.
Join the developerWorks community, a professional network and unified set of community tools for connecting, sharing, and collaborating.
Jim Zierick brings more than 25 years of enterprise experience building technology companies in operations and sales to BeyondTrust. He is responsible for directing the company's global initiatives to drive product growth and technical thought leadership in the Privilege Identity Management market, as well as adjacent markets. Jim drives the development methodology, process and management for the entire BeyondTrust product suite.