Archive

Four security foundations for cloud infrastructure (Part One)

Share this post:

I was excited when cloud computing kicked off. Suddenly, the IT world and industries started talking about the future and moving their IT systems and business data into these highly automated, highly standardized, flexible and optimized IT environments. In fact, cloud computing provides an efficient, scalable and cost-effective way for today’s organizations to deliver business or consumer IT services over the Internet.

Although the benefits of cloud computing are clear, moving and sharing massive amounts of IT resources among many users and security processes are often hidden behind layers of abstraction. In fact, the flexibility and openness of cloud computing models have created a number of security concerns in terms of privacy, integrity and availability of our data, thus the need to develop proper security and compliance capabilities for cloud implementations.

More to the point, cloud computing is often provided as a service, so control over data and operations is shifted to third party service providers, requiring their clients to establish trust relationships with their providers and develop security solutions that take this relationship into account.

Below I will try to outline key areas where security controls are vital and considered industry best practices. A detailed analysis of the controls will be reviewed in future posts.

1. Strong cloud governance. Regardless of where cloud resources are deployed, a specific organization of information security and cloud governance is required in order to guarantee proper IT security visibility and oversight. The governance model should encompass a set of processes defining the movement of tenant workloads between data centers, countries or geographical regions or track which cloud service providers (private and public) are used and under which conditions (based on the classification of data and ownership in the workload). A set of multi-security domain policies and procedures are also needed in order to govern and define ownership, access and management to tenant workloads by third parties such as cloud service support vendors. A specific example could be that well-structured security plans or policies must include technical specifications above the hypervisor.

2. Risk management and compliance. It is vital for every IT organization to implement a holistic approach to manage risk and leverage information for business benefits. It should encompass information quality, information protection and information life cycle management that could be achieved through strong directives that document and implement strong security policy governance to represent the company’s commitment to security and risk, as well as their ability to secure critical cyber assets. The approach should identify and encompass the necessary policy controls, risk evaluation, testing principals and mechanisms for internal and external oversight.

3. Problem and information security incident management. This directive calls for the process control operations to develop and maintain a security incident response plan, documenting procedures to classify and escalate events and report security incidents to authorities. A well developed and documented workflow with strictly defined roles and responsibilities to respond to expected and unexpected events. The workflow should include a problem/incident identification and severity assessment, followed by respective response paths, log retention and reporting.

4. People and identity. Cloud environments usually support a large and diverse community of users, so these controls are even more critical. A standards-based, single sign-on capability organization needs to make sure only those users with proper authorization have access to systems and tools on the cloud. However, due to their size and physical dispersal, cloud environments are even more difficult when it comes to adopting effective identity and access controls. Measures like “least privilege” in regards to access need user creation and management of identities to be considered. User roles and access entitlement rules for system access need to be enforced in every system by keeping segregation among various tenants’ systems. Every access must be logged, separation of duties should be maintained and provided access monitored. In addition, cloud introduces a new tier of privileged users: administrators working for the cloud provider. Privileged user monitoring includes logging activities and becoming an important requirement. This monitoring should include physical monitoring and background checking.

Organizations need to make sure that authorized users across their enterprise and supply chain have access to the data and tools that they need when they need it, while blocking unauthorized access. Identity federation and rapid on-boarding capabilities must be available to coordinate authentication and authorization with the enterprise back-end or third party systems.

You were introduced to four concrete areas and guidelines for the implementation of cloud security controls that are based on recognized security frameworks and industry best practices. In part two, I will discuss four additional considerations for security. What are your experiences with cloud infrastructure security? Let’s continue the conversation in the comments below.

More stories

Why we added new map tools to Netcool

I had the opportunity to visit a number of telecommunications clients using IBM Netcool over the last year. We frequently discussed the benefits of have a geographically mapped view of topology. Not just because it was nice “eye candy” in the Network Operations Center (NOC), but because it gives an important geographically-based view of network […]

Continue reading

How to streamline continuous delivery through better auditing

IT managers, does this sound familiar? Just when everything is running smoothly, you encounter the release management process in place for upgrading business applications in the production environment. You get an error notification in one of the workflows running the release management process. It can be especially frustrating when the error is coming from the […]

Continue reading

Want to see the latest from WebSphere Liberty? Join our webcast

We just released the latest release of WebSphere Liberty, 16.0.0.4. It includes many new enhancements to its security, database management and overall performance. Interested in what’s new? Join our webcast on January 11, 2017. Why? Read on. I used to take time to reflect on the year behind me as the calendar year closed out, […]

Continue reading