December 17, 2013 | Written by: Ivan T. Ivanov
Share this post:
In the first part of this series, I discussed the implications of four factors involving foundations for cloud security. Though cloud is great at providing an efficient, scalable and cost-effective way for organizations to deliver business and consumer IT services through the Internet, there are certain concerns about security that should be focused on, as well. Below, you’ll find four more considerations.
1. Infrastructure protection. Although highly virtualized and logically segregated, the cloud environment needs certain controls and technical measures in order to guarantee the availability and integrity of the hosting infrastructure. In a shared cloud environment, providers must ensure that all tenant domains are properly isolated on network and logical levels and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones.
The main purpose of infrastructure security is to ensure perimeter security measurements and preventive controls are in place against threats and vulnerabilities (either internal or external). In that sense, preemptive vulnerability scanning, antivirus and intrusion detection and prevention controls must be deployed to protect the environment. In addition state-full inspection (Dynamic Packet Filtering ) as well as policy based state-full firewall devices should ensure no suspicious events are left unattended or untrаcked. All technical controls should be installed on the host and hypervisor level. At the same time, a well-defined policy, management and mitigations systems should be in place. Because the cloud infrastructure has to be accessed remotely, a secure access with a proper virtual private network (VPN) termination point at the border of the infrastructure is strongly recommended.
2. Data classification and protection. Client data is the most important asset managed on a cloud environment. Therefore, a strong focus on the protection of data at rest or in transit is fundamental for the cloud, and in particular, Personally Identifiable Information (PII). Protecting PII is a core principle of information security. All of the prevalent information security regulations and standards, as well as the majority of industry best practices, require that sensitive information be adequately protected in order to preserve confidentiality. Confidentiality of such data is required no matter where that data is residing in the chain of custody, including the cloud environment. As part of the cloud service it is crucial to develop and implement a policy of data classification and instruction on how confidential and business critical data must be handled. Other controls require the following:
• Implementation of a policy to protect intellectual property
• Developing and applying strong data classification procedures with strict roles and responsibilities
• Protecting encryption keys from misuse or disclosure
• Implementing data loss prevention solutions
3. Systems acquisition and maintenance. Similar to the standard IT environments hosting company systems, the systems installed in the cloud must also comply with certain deployment processes and security specific controls. In order to maintain an intact cloud IT environment, you have to employ different mechanisms ensuring compliance testing and validation. It is mandatory for cloud systems to undergo regular system configuration and vulnerability checks, as well as periodically use and regularly update anti-virus software and images to ensure they include recent security patches and fixes. Strict change control procedures must rule the process of system updates and acquisitions, enforcing well defined security parameters on every production system. In other words, a cloud security policy must be in place to provide a managed process for ensuring the security and compliance of instances after they are provisioned and before they are handed over to the cloud consumer.
4. Physical. Security is also an important aspect of the overall security approach to a cloud. Although the word physical seems to be more and more unlike the cloud concept, cloud is running on a physical infrastructure. The cloud’s infrastructure should be physically secure, including servers, routers, storage devices, power supplies and other components that support operations. Protection for physical access and safeguards includes adequate control and measures using biometric access control measures and closed circuit television (CCTV) monitoring. Access to devices must be prevented by general users and access control devices used to limit access to only those with administrator privilege
From the very beginning, cloud business models brought certain IT security concerns in regards to data confidentiality and integrity. Most of those concerns have been solidly driven with business and reputation risk arguments that make companies anxious about moving to the cloud. In effect, the externalized aspect of cloud computing shifts much of the control and responsibilities over data and operations from the client organization to their cloud providers. Therefore, having a strong security framework and structured approach towards cloud security using industry best practices and foundation controls is a key differentiator that could make migration to cloud a success story.
Have you faced any of security concerns in your own experiences with cloud? Please leave your comment below.