December 2, 2011 | Written by: Turgut Aslan
IT security concerns are one major reason why IBM's commercial customers hesitate to embrace emerging cloud technologies. A good method to address those concerns is to evaluate each IBM global IT security process one by one and to compare how the process is executed in the traditional IT environment with how it is executed in the cloud environment: if the processes are executed in a similar fashion, or as documented deviations with correct acceptance of the related risks, there is no objection from the IT security process perspective to using cloud solutions. This blog entry gives an overview of the scope of the applicable IT security processes at the level of the process framework only, which is relevant to all IT environments managed by IBM. The details of some IT security processes will be discussed in separate blog entries.
IT security continues to form the nucleus of concerns for some potential users of cloud offerings. Basically, the introduction of cloud does not change the fundamental IT security policies and processes. There are generally accepted best-practice frameworks in the industry, such as ITIL V3, and companies may have created their own versions of an ITIL implementation. Those frameworks, policies, and processes are applicable to cloud as well. But because cloud is about automation and standardization in addition to virtualization, the question is what to do with the parts of IT security processes that cannot be automated and where standardization is hard to reach, for example because of contractual obligations. Effective risk management is one response to that challenge; the other is keeping those parts outside of the cloud.
Which important IT security processes are out there that apply to all cloud vendors?
Physical security: IT security starts with physical security. Access areas must be defined, and the resources located there and the access granted to them need to be protected and controlled. The physical security of the area itself is also a topic, such as fire prevention, cooling, and means to avoid damage from a physical attack. Uninterruptible power supplies and server cooling also have to be ensured in this area.
Logical security: This is one of the most extensive, but also most important, areas in IT security. Who has access to which OS, middleware, and applications? Is there regular validation of a company's employees and of their business need to access those items? Do we have privileged accesses that need further focus? Do we have shared user IDs; are any passwords shared?
Storage media, backup, and recovery: These processes deal with restoring data in case it is destroyed, lost, modified, or corrupted, either intentionally or by accident. Appropriate means have to be in place to recover data from any disaster.
Security patch management: Each OS, middleware, and application will receive security patches from its vendor to fix known vulnerabilities. How are they to be applied in an automated fashion if the process requires customer notifications and agreed change records? A predefined automated customer notification methodology and pre-agreed maintenance windows, with appropriate customer risk acceptances, will help a lot with automation, so that establishing cloud solutions while still satisfying the process becomes possible.
Health checking: Customer policies define agreed security settings that have to be in place all the time and need regular checking. Many of the settings can be verified in an automated manner. The parts that cannot be checked automatically have to be covered by risk acceptances; otherwise the automation has an issue that must be addressed before adopting cloud solutions.
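To make the health-checking logic above concrete, here is an added example (not code from the original post or from IBM) that evaluates one server's collected settings against an agreed policy and reports three outcomes: compliant, deviation covered by a still-valid risk acceptance, and findings that nobody has accepted. The policy keys, the acceptance register, and the sample settings are all constructed for this illustration; a setting the collector could not read is treated as "unverifiable" and must likewise be covered by an acceptance or raised as a finding.

```python
"""Health check with risk-acceptance coverage (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Agreed security settings from the (hypothetical) customer policy.
POLICY = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "password.max_age_days": 90,
    "audit.enabled": True,
}


@dataclass
class RiskAcceptance:
    """A documented deviation, signed off by an owner until an expiry date."""
    setting: str
    owner: str
    expires: date


def evaluate(actual, acceptances, today):
    """Return (compliant, accepted, findings) for one server's settings.

    actual: setting -> observed value; a missing key means the collector
    could not verify it automatically (the case the process must still cover).
    """
    compliant, accepted, findings = [], [], []
    # Only acceptances that have not expired count as coverage.
    valid = {a.setting: a for a in acceptances if a.expires >= today}
    for key, required in POLICY.items():
        if key in actual and actual[key] == required:
            compliant.append(key)
            continue
        state = "deviation" if key in actual else "unverifiable"
        if key in valid:
            accepted.append(key)          # covered by a documented risk acceptance
        else:
            findings.append((key, state))  # nobody has accepted this gap
    return compliant, accepted, findings


# Constructed sample input: one server's collected settings.
SAMPLE_ACTUAL = {"ssh.PermitRootLogin": "no",
                 "ssh.PasswordAuthentication": "yes",   # deviation, accepted below
                 "audit.enabled": True}                 # max_age_days not collected
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("ssh.PasswordAuthentication", "app-owner", date(2012, 6, 30)),
    RiskAcceptance("password.max_age_days", "app-owner", date(2011, 6, 30)),  # expired
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACTUAL, SAMPLE_ACCEPTANCES, date(2011, 12, 2)))
```

Anything returned in `findings` is what the risk and issue management process has to pick up before the check can be called passed.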
Risk and issue management: A robust risk and issue management process is essential once automation is in place. The process covers any deviation situations that arise while the cloud solution is running. An effective customer communication channel has to be established.
Vulnerability scanning: This is no different from what is in place in traditional environments. A "hacker's eye" view of the cloud is established through this process, and potential security holes and vulnerabilities become visible and must be fixed.
Other processes: Other processes exist, such as service activation and deactivation, security incident handling, server build, intrusion detection, threat and risk management, key controls over operations (KCO) defect identification, root cause analysis, and others, which are applicable to cloud solutions too.
Any global vendor of cloud offerings should be able to provide a solid set of IT security processes that are implemented, controlled, and audited regularly to address customers' security and privacy concerns.