December 2, 2013 | Written by: Ivan T. Ivanov
Share this post:
I was excited when cloud computing kicked off. Suddenly, the IT world and industries started talking about the future and moving their IT systems and business data into these highly automated, highly standardized, flexible and optimized IT environments. In fact, cloud computing provides an efficient, scalable and cost-effective way for today’s organizations to deliver business or consumer IT services over the Internet.
Although the benefits of cloud computing are clear, moving and sharing massive amounts of IT resources among many users and security processes are often hidden behind layers of abstraction. In fact, the flexibility and openness of cloud computing models have created a number of security concerns in terms of privacy, integrity and availability of our data, thus the need to develop proper security and compliance capabilities for cloud implementations.
More to the point, cloud computing is often provided as a service, so control over data and operations is shifted to third party service providers, requiring their clients to establish trust relationships with their providers and develop security solutions that take this relationship into account.
Below I will try to outline key areas where security controls are vital and considered industry best practices. A detailed analysis of the controls will be reviewed in future posts.
1. Strong cloud governance. Regardless of where cloud resources are deployed, a specific organization of information security and cloud governance is required in order to guarantee proper IT security visibility and oversight. The governance model should encompass a set of processes defining the movement of tenant workloads between data centers, countries or geographical regions or track which cloud service providers (private and public) are used and under which conditions (based on the classification of data and ownership in the workload). A set of multi-security domain policies and procedures are also needed in order to govern and define ownership, access and management to tenant workloads by third parties such as cloud service support vendors. A specific example could be that well-structured security plans or policies must include technical specifications above the hypervisor.
2. Risk management and compliance. It is vital for every IT organization to implement a holistic approach to manage risk and leverage information for business benefits. It should encompass information quality, information protection and information life cycle management that could be achieved through strong directives that document and implement strong security policy governance to represent the company’s commitment to security and risk, as well as their ability to secure critical cyber assets. The approach should identify and encompass the necessary policy controls, risk evaluation, testing principals and mechanisms for internal and external oversight.
3. Problem and information security incident management. This directive calls for the process control operations to develop and maintain a security incident response plan, documenting procedures to classify and escalate events and report security incidents to authorities. A well developed and documented workflow with strictly defined roles and responsibilities to respond to expected and unexpected events. The workflow should include a problem/incident identification and severity assessment, followed by respective response paths, log retention and reporting.
4. People and identity. Cloud environments usually support a large and diverse community of users, so these controls are even more critical. A standards-based, single sign-on capability organization needs to make sure only those users with proper authorization have access to systems and tools on the cloud. However, due to their size and physical dispersal, cloud environments are even more difficult when it comes to adopting effective identity and access controls. Measures like “least privilege” in regards to access need user creation and management of identities to be considered. User roles and access entitlement rules for system access need to be enforced in every system by keeping segregation among various tenants’ systems. Every access must be logged, separation of duties should be maintained and provided access monitored. In addition, cloud introduces a new tier of privileged users: administrators working for the cloud provider. Privileged user monitoring includes logging activities and becoming an important requirement. This monitoring should include physical monitoring and background checking.
Organizations need to make sure that authorized users across their enterprise and supply chain have access to the data and tools that they need when they need it, while blocking unauthorized access. Identity federation and rapid on-boarding capabilities must be available to coordinate authentication and authorization with the enterprise back-end or third party systems.
You were introduced to four concrete areas and guidelines for the implementation of cloud security controls that are based on recognized security frameworks and industry best practices. In part two, I will discuss four additional considerations for security. What are your experiences with cloud infrastructure security? Let’s continue the conversation in the comments below.