Four more security foundations for cloud

In the first part of this series, I discussed the implications of four factors involving foundations for cloud security. Though cloud is great at providing an efficient, scalable and cost-effective way for organizations to deliver business and consumer IT services over the Internet, certain security concerns deserve attention as well. Below, you’ll find four more considerations.

1. Infrastructure protection. Although highly virtualized and logically segregated, the cloud environment needs certain controls and technical measures in order to guarantee the availability and integrity of the hosting infrastructure. In a shared cloud environment, providers must ensure that all tenant domains are properly isolated on network and logical levels and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones.

The main purpose of infrastructure security is to ensure that perimeter security measures and preventive controls are in place against threats and vulnerabilities, whether internal or external. In that sense, preemptive vulnerability scanning, antivirus, and intrusion detection and prevention controls must be deployed to protect the environment. In addition, stateful inspection (dynamic packet filtering) and policy-based stateful firewall devices should ensure that no suspicious events are left unattended or untracked. All technical controls should be installed at the host and hypervisor level. At the same time, well-defined policy, management and mitigation systems should be in place. Because the cloud infrastructure has to be accessed remotely, secure access with a proper virtual private network (VPN) termination point at the border of the infrastructure is strongly recommended.
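The tenant isolation requirement above can be checked mechanically. The following is an added example (not code from the original post) that models policy-based security zones, each owned by one tenant domain or by the provider for shared services, and flags two isolation failures: an allow rule whose source and destination zones belong to different tenants, and zones whose address ranges overlap. All zone names, tenant names, address ranges and rules are constructed for illustration.

```python
"""Cross-tenant leakage check over policy-based security zones.

Added example, not code from the original post. Each security zone is owned
by exactly one tenant domain (or by the provider, for shared services such
as DNS). The check flags any allow rule whose source and destination belong
to different tenants, and any pair of zones whose address ranges overlap.
Zone names, tenant names and address ranges are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    tenant: str  # tenant domain that owns the zone; "provider" for shared zones
    cidr: str    # address range assigned to the zone


@dataclass(frozen=True)
class Rule:
    src: str     # source zone name
    dst: str     # destination zone name
    action: str  # "allow" or "deny"
    port: Optional[int] = None


# Constructed sample: two tenants plus a provider-owned shared DNS zone.
ZONES: Dict[str, Zone] = {
    "tenantA-web": Zone("tenantA-web", "tenantA", "10.1.0.0/24"),
    "tenantA-db": Zone("tenantA-db", "tenantA", "10.1.1.0/24"),
    "tenantB-web": Zone("tenantB-web", "tenantB", "10.2.0.0/24"),
    "shared-dns": Zone("shared-dns", "provider", "10.0.0.0/24"),
}

# Constructed sample rule set; the third rule is the cross-tenant leak.
RULES: List[Rule] = [
    Rule("tenantA-web", "tenantA-db", "allow", 5432),
    Rule("tenantA-web", "shared-dns", "allow", 53),
    Rule("tenantB-web", "tenantA-db", "allow", 5432),
    Rule("tenantB-web", "tenantA-db", "deny"),
]


def overlapping_zones(zones: Dict[str, Zone]) -> List[Tuple[str, str]]:
    """Return pairs of zone names whose address ranges overlap.

    Overlapping ranges between tenants break network-level isolation even
    when every firewall rule looks correct, so this is checked first.
    """
    items = list(zones.values())
    found = []
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
                found.append((a.name, b.name))
    return found


def cross_tenant_allows(rules: List[Rule], zones: Dict[str, Zone],
                        shared_tenant: str = "provider") -> List[Rule]:
    """Return allow rules that cross a tenant boundary.

    Traffic to or from provider-owned shared zones is permitted; an allow
    rule between two different tenants' zones is a leak and is reported.
    """
    leaks = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = zones[rule.src], zones[rule.dst]
        if src.tenant != dst.tenant and shared_tenant not in (src.tenant, dst.tenant):
            leaks.append(rule)
    return leaks


if __name__ == "__main__":
    for a, b in overlapping_zones(ZONES):
        print(f"overlap: {a} / {b}")
    for rule in cross_tenant_allows(RULES, ZONES):
        print(f"cross-tenant allow: {rule.src} -> {rule.dst} port {rule.port}")
```

Run against the constructed rule set, the deny rule is ignored and only the tenantB-to-tenantA allow rule is reported; the same functions can be run against an exported rule set from a real environment, with the zone-to-tenant mapping supplied by the client.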

2. Data classification and protection. Client data is the most important asset managed in a cloud environment. Therefore, a strong focus on the protection of data at rest or in transit is fundamental for the cloud, particularly for Personally Identifiable Information (PII). Protecting PII is a core principle of information security. All of the prevalent information security regulations and standards, as well as the majority of industry best practices, require that sensitive information be adequately protected in order to preserve confidentiality. Confidentiality of such data is required no matter where that data resides in the chain of custody, including the cloud environment. As part of the cloud service, it is crucial to develop and implement a data classification policy and instructions on how confidential and business-critical data must be handled. Other required controls include the following:

• Implementation of a policy to protect intellectual property
• Developing and applying strong data classification procedures with strict roles and responsibilities
• Protecting encryption keys from misuse or disclosure
• Implementing data loss prevention solutions
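As an added example (not code from the original post) of how a data classification procedure and a data loss prevention check fit together: the following assigns a classification level to a record according to whether it carries PII, looks up the handling rule for that level, reports records stored in violation of it, and makes an egress decision for outbound data. The PII patterns, the two-level scheme and the sample records are constructed for illustration; a real deployment would use the organization's own classification scheme.

```python
"""Data classification with enforced handling rules and a DLP egress check.

Added example, not code from the original post. It assigns a classification
level to a record based on whether it carries PII, looks up the handling
rule for that level (encryption at rest, egress allowed or blocked), and
reports violations. Patterns, levels and sample records are constructed
for illustration; a production classifier would use the organization's
own data classification scheme.
"""
import re
from typing import Dict, List, Tuple

# Constructed detectors for a few common PII shapes.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13 to 16 digits
}

# Handling rule per classification level (constructed two-level scheme).
HANDLING: Dict[str, Dict[str, object]] = {
    "internal": {"encrypt_at_rest": False, "egress": "allow"},
    "confidential": {"encrypt_at_rest": True, "egress": "block"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so that arbitrary digit runs are not called card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (level, detected PII kinds). Any PII makes the record confidential."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", match.group())):
                continue
            hits.append(kind)
            break
    return ("confidential" if hits else "internal"), sorted(hits)


def check_record(record: Dict[str, object]) -> List[str]:
    """Report handling violations for a stored record.

    record is {'body': str, 'encrypted_at_rest': bool}, as a storage audit
    would report it.
    """
    level, hits = classify(str(record["body"]))
    rule = HANDLING[level]
    violations = []
    if rule["encrypt_at_rest"] and not record.get("encrypted_at_rest", False):
        violations.append(f"{level} record ({', '.join(hits)}) is stored unencrypted")
    return violations


def egress_decision(payload: str) -> str:
    """DLP decision for data leaving the environment: 'allow' or 'block'."""
    level, _ = classify(payload)
    return str(HANDLING[level]["egress"])


if __name__ == "__main__":
    sample = {"body": "Customer SSN 123-45-6789", "encrypted_at_rest": False}
    print(classify(sample["body"]), check_record(sample))
    print(egress_decision("Quarterly roadmap review notes"))
```

The Luhn check is what keeps a 16-digit order number from being classified as a payment card; the rest of the logic is a straightforward lookup from classification level to the handling rule the policy prescribes.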

3. Systems acquisition and maintenance. Just like the standard IT environments hosting company systems, the systems installed in the cloud must comply with defined deployment processes and security-specific controls. In order to maintain an intact cloud IT environment, you have to employ mechanisms that ensure compliance testing and validation. Cloud systems must undergo regular system configuration and vulnerability checks, and anti-virus software and system images must be updated regularly so that they include recent security patches and fixes. Strict change control procedures must govern system updates and acquisitions, enforcing well-defined security parameters on every production system. In other words, a cloud security policy must be in place to provide a managed process for ensuring the security and compliance of instances after they are provisioned and before they are handed over to the cloud consumer.
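The "after provisioned, before handed over" step can be implemented as a gate that compares an instance's collected facts against a baseline policy and refuses handover while any finding remains. The following is an added example (not code from the original post); the policy values, the image identifier, the check date and the two sets of instance facts are all constructed for illustration, and in practice the facts would come from an inventory or configuration agent.

```python
"""Post-provisioning compliance gate for cloud instances.

Added example, not code from the original post. Before an instance is handed
over to the cloud consumer, its collected facts (image id, patch date,
anti-virus signature date, listening ports, SSH daemon settings) are checked
against a baseline policy; any finding blocks handover. The policy values,
image id and instance facts are constructed for illustration.
"""
from datetime import date
from typing import List, Optional

# Constructed baseline policy.
POLICY = {
    "approved_images": {"img-baseline-2016q4"},   # placeholder image id
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    "allowed_listen_ports": {22, 443},
    "required_sshd_settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


def evaluate_instance(facts: dict, policy: dict = POLICY,
                      today: Optional[date] = None) -> List[str]:
    """Return a list of findings; an empty list means the instance is compliant."""
    today = today or date.today()
    findings = []

    # Only images from the approved, patched baseline may be handed over.
    if facts["image_id"] not in policy["approved_images"]:
        findings.append(f"image {facts['image_id']} is not an approved baseline image")

    # Patch and anti-virus signature freshness.
    patch_age = (today - facts["last_patch_date"]).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"security patches are {patch_age} days old "
                        f"(limit {policy['max_patch_age_days']})")
    av_age = (today - facts["av_signature_date"]).days
    if av_age > policy["max_av_signature_age_days"]:
        findings.append(f"anti-virus signatures are {av_age} days old "
                        f"(limit {policy['max_av_signature_age_days']})")

    # Configuration drift: unexpected services and weakened SSH settings.
    extra_ports = sorted(set(facts["listen_ports"]) - policy["allowed_listen_ports"])
    if extra_ports:
        findings.append(f"unexpected listening ports: {extra_ports}")
    for key, wanted in policy["required_sshd_settings"].items():
        actual = facts["sshd_config"].get(key)
        if actual != wanted:
            findings.append(f"sshd {key} is {actual!r}, expected {wanted!r}")

    return findings


def handover_allowed(facts: dict, policy: dict = POLICY,
                     today: Optional[date] = None) -> bool:
    """Gate decision: hand the instance over only when no findings remain."""
    return not evaluate_instance(facts, policy, today)


# Constructed instance facts, as an inventory or configuration agent might report them.
COMPLIANT = {
    "image_id": "img-baseline-2016q4",
    "last_patch_date": date(2017, 1, 3),
    "av_signature_date": date(2017, 1, 9),
    "listen_ports": [22, 443],
    "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}
DRIFTED = {
    "image_id": "img-baseline-2016q4",
    "last_patch_date": date(2016, 11, 1),
    "av_signature_date": date(2017, 1, 9),
    "listen_ports": [22, 443, 3389],
    "sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
}
CHECK_DATE = date(2017, 1, 10)  # constructed evaluation date, fixed for repeatability

if __name__ == "__main__":
    for name, facts in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, "handover:", handover_allowed(facts, today=CHECK_DATE))
        for finding in evaluate_instance(facts, today=CHECK_DATE):
            print("  -", finding)
```

The same evaluation can be re-run on a schedule against production instances, which turns the one-time handover gate into the regular configuration check the section calls for.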

4. Physical security. Physical security is also an important aspect of the overall security approach to a cloud. Although the word “physical” seems increasingly at odds with the cloud concept, the cloud runs on physical infrastructure. The cloud’s infrastructure should be physically secure, including servers, routers, storage devices, power supplies and other components that support operations. Physical access protection and safeguards include adequate controls and measures such as biometric access control and closed-circuit television (CCTV) monitoring. General users must be prevented from accessing devices, and access control devices must limit access to only those with administrator privilege.

From the very beginning, cloud business models brought certain IT security concerns regarding data confidentiality and integrity. Most of those concerns have been driven by business and reputation risk arguments that make companies anxious about moving to the cloud. In effect, the externalized nature of cloud computing shifts much of the control and responsibility over data and operations from the client organization to its cloud providers. Therefore, having a strong security framework and a structured approach to cloud security, using industry best practices and foundation controls, is a key differentiator that can make migration to the cloud a success story.

Have you faced any security concerns in your own experiences with cloud? Please leave your comment below.
