Addressing Cloud Security Concerns

Embed Size (px)

Citation preview

  • 7/27/2019 Addressing Cloud Security Concerns

    1/8

    SECURITYWEEK NETWORK:

    Information Security News

    Newsletters

    Infosec Island

    Security Experts:

    WRITE FOR US

    Subscribe (Free)

    Security White Papers

    Webcasts

    Contact Us

    Malware & Threats

    Vulnerabilities

    Email Security

    Virus & Malware

    White Papers

    Desktop Security

    Cybercrime

    Cyberwarfare

    Fraud & Identity Theft

    Phishing

    Malware

    Tracking & Law Enforcement

    Whitepapers

    Mobile & Wireless

    Mobile Security

    Wireless Security

    Risk & Compliance

    Risk Management

    Compliance

    Privacy

    WhitepapersSecurity Architecture

    Cloud Security

    Identity & Access

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    2/8

    1 Tweet Recommend 5

    Data Protection

    White Papers

    Network Security

    Application Security

    Management & Strategy

    Risk Management

    Security Architecture

    Disaster Recovery

    Incident Management

    Training & Certification

    Critical Infrastructure

    Home Cloud Security

    Addressing Cloud Security Concerns: Key Issues and

    Recommendations

    By Mandeep Khera on September 01, 2011

    Security is a Big Issue, But it Shouldn't

    Scare you Away from Utilizing Cloud Computing Services

    Cloud is great for business. The hype seems to be turning into reality. Is it a reincarnation of the old ASP

    (Application Service Provider) model? May be. But, its real and corporations are jumping on the

    bandwagon. With the total market size from various analyst firms ranging from $10B to $25B, the

    numbers are heady. These numbers are forecasted to grow at a double digit compounded growth rate over

    the next few years. Cost and flexibility are certainly key in driving this ferocious appetite for cloud

    computing. But, as we know very well from social networking, security can be a thorn in the rosy outlook.

    But, before we dive into security issues related to Cloud, lets start

    with the basics.

    The word Cloud most likely was derived from the image of Cloud

    that was commonly used for the Internet. So Cloud Computing

    basically means doing all or most of the computing in the Internet

    without relying on physical resources.

    So, lets now look at Cloud. There are many confusing definitions

    floating around but I think probably the clearest definitions have

    been established by NIST and Cloud Security Alliance.

    Software as a Service (SaaS): In case of SaaS, you use the providers applications on a cloud

    infrastructure with little to no control over the infrastructure, network, servers, operating systems,storage,etc. There are many examples of SaaS vendors Salesforce.com, Google Apps, Ning, Cenzic, etc.

    Platform as a Service (PaaS): Customer deploys applications using an application development

    ShareShare 15

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    3/8

    environment and middleware capabilities for specific languages like java, python, .net etc. and doesnt

    control infrastructure, servers, OS, or storage but has control over the apps. Some examples of PaaS

    vendors include Microsoft Azure, Amazon, Force.com

    Infrastructure as a Service (IaaS): Customer gets processing, APIs, storage, networks, and computing

    resources from the provider using his own OS, applications and may be some networking components.

    Some examples of IaaS vendors include Amazon, Rackspace, CloudFoundry.

    The lower down the stack you go, the more security capabilities customer is responsible for.

    Cloud Characteristics While a lot of people are claiming to be a cloud provider, the key characteristics

    that are important for Cloud are:

    Self-Service Customers must be able to self-service to get the service.

    Network Access Customers have be to be able to access the service over the network versus on an

    on-premise hardware.

    Multi-tenancy The provider must allow for an environment with multi-tenancy i.e. multiple customersare sharing a common environment. Thats what helps in optimizing the costs.

    Scalability Cloud solution has be to scalable with thousands or even millions of customers using the

    service over the network.

    Usage Metrics Usage metrics have to be visible and tracked

    Cloud Benefits

    With so many companies jumping on the bandwagon, there must be some benefit. In fact, Cloud can be

    very powerful and offers many benefits. Cloud leverages Massive Scale, Homogeneity, Virtualization,Low cost software, Service orientation, and Advanced security technologies resulting a lot of benefits for

    the customers some of which include:

    Reduced Cost This is perhaps the biggest benefit from customers point of view. Economies of scale

    allow vendors to reduce the cost dramatically. Currently, servers are used at only 15% of their capacity in

    many companies and 80% of enterprise software expenditure is on installation and maintenance of

    software. Use of cloud applications can reduce costs from 50% to 90%

    More Mobility By definition Cloud can be accessed from anywhere which allows mobility in using the

    information.

    Flexibility to Adjust Flexibility or elasticity to use the service based on your needs and scale up as

    needed is a huge advantage.

    Increased Storage Storage in Cloud is cheap and you are only using what you need to.

    Leverage vendor Expertise Assuming you pick the right vendor, you can leverage the vendor expertise

    and have your IT focus on other critical issues.

    Security Barrier

    In most surveys for Cloud services, top issues continue to be security,

    performance, and availability. These are all good concerns and need

    to be addressed. Performance and availability are big issues because

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    4/8

    as soon as you move your services from your environment where you

    can touch and feel things to out there literally in the Cloud, there

    could be some impact. Make sure that your Service Level

    Agreements (SLAs) from Cloud providers are very clear on these

    issues.

    Security continues to be the # 1 issue and thats what well address in detail here.

    The key security issues from customers point of view seem to be around security defects in the

    technology itself, unauthorized access to customer information, encryption, application security, identity

    management, virtualization security etc.

    Responsibility for security issues depends on which tier of cloud offering you are using. So, for IaaS,

    vendor responsibility is around physical, environmental, and virtualization security. Every other aspect of

    security in applications, operating system, etc. still needs to be handled by the customer. On the other

    hand if you are using a SaaS offering, the vendor is responsible for all elements of security. Here are the

    key issues to keep in mind with some recommendations:

    Physical Security You want to make sure that physical security around the infrastructure is very

    tight even tighter than in your environment because its not your employees anymore.

    What to do Ask your provider for the physical security policies. Every cloud vendor should

    have a clear architecture related to their physical security. What type of layout they have? Who

    can access what? Are you allowed to do periodic visits to see their physical structure? What

    happens in case of a disaster like Earthquake, hurricane, etc.?

    Insider Abuse When you cloudize your environment, you lose control over whos managing

    that infrastructure with your confidential information. Insider abuse is a common problem where

    information can be stolen and passed on to outsiders or they can collude with hackers.

    What to do Ask your cloud provider what their policy is for background checks of all their

    employees. Who has access to sensitive information? If a lot of employees have access to

    sensitive information, your risk of insider abuse is much higher. Do they have any hacking

    background or past felonies?

    Data Encryption Cloud environments are shared and your data is in the same environment

    alongside data from other customers. Breaches can easily happen from one database to another.

    What to do Find out how do Cloud Providers protect sensitive data in storage infrastructure?

    What kinds of logs are available? How is the data encrypted? Although encryption is not a

    panacea and other issues like access control are very important, its an extremely important

    element of data protection. Data needs to be encrypted at rest, in transition, and for disposition.

    Hows the key management handled?

    Third party Relationships You are as strong as your weakest link. And, in corporate

    environments, your weakest link could be your integration with your partners. In case of Cloud

    providers, this is even more important due to integrations of various third parties and applications

    into the Cloud environment.

    What to do Find out how do Cloud Providers enforce security processes for their integrationswith third parties? Is there a certification process to make sure that third party applications are

    secure and wont allow hackers to get into the Cloud Provider environment through one of these

    partners?

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    5/8

    1 Tweet Recommend 5

    Network Security In the recent months, aggressive marketing by various Cloud providers have

    made it easier for hackers to get accounts and plant botnets. Cloud is also susceptible to a lot more

    Denial of Service attacks. Cloud Providers need to ensure that their perimeter is secure and barrier to

    attacks is high.

    What to do Find out what devices are the Cloud Providers using to stop bad guys from getting

    in through the perimeter? Do they have strong network firewalls? How are they kept updated?

    Do they have good IDS/IPS systems in place? How do they monitor the events? Do they have aSIEM or Log Management software in place?

    Virtualization Security Almost all Cloud providers use virtualization to provide economies of

    scale and optimal distributed architecture. Virtualization has its own set of security issues.

    What to do Find out what security process do they have for their virtualization environment.

    How are they testing for vulnerabilities and fixing them?

    Access Controls Some of the big issues for Cloud services are around access control,

    authentication, user management, provisioning etc.

    What to do Find out how what types of standards is the Cloud provider following? Hows the

    provisioning of users done? Who manages the credential management process? How much

    control do you have? Is there a dedicated VPN? Is there a federated identity process and hows

    that managed? Can OpenIDs be used for registration and authentication?

    Application Security With over 75% of attacks happening through Web applications, this

    becomes a critical piece in the overall cloud decision making process. Although the exposure is

    similar to what you would have in your own environment, its on a massive scale and you may not

    have any control over it.

    What to do Questions to ask and consider: Does security ownership transfer to the

    infrastructure provider? Whats the impact on security in the SDLC? How do you ensure

    protection against key vulnerabilities like XSS, SQL Injection, CSRF, Session Management etc.?

    What happens in case of a breach? Whos responsible? What are the security issues around APIs

    (integration is very important when you move to Cloud) and what kind of encryption keys are

    used for these integrations? Does the Cloud provider use vulnerability scanning tools and

    services to find vulnerabilities in applications? What is the process of remediating or blocking

    those vulnerabilities? Would the Cloud provider allow you to run your own vulnerability

    assessment tools?

    Cloud Computing offers a lot of benefits. Although Security is a big issue, it should not scare you away

    from using Cloud that can save you a lot of money and resources. The key is to do proper due diligence

    with your Cloud Providers and really understand their Service Level Agreements (SLAs). Ask the right

    questions and take your time in selecting the right provider for you based on your requirements and risk

    appetite. You should definitely jump on this exciting car ride. Just make sure you are secure with your

    seatbelt on.

    Mandeep Khera is the Chief Marketing Officer at LogLogic. Prior to LogLogic, he was at Cenzic, a Web

    Application Security software and Cloud company, where he served as the CMO for 8 years. He has more

    ShareShare 15

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    6/8

    than 25 years of diversified experience in marketing, engineering, business development, sales, customer

    services, finance and general management for companies such as VeriSign, Hewlett-Packard, Unisys, and

    many start-ups. You can follow him on Twitter at @appsecurity

    Previous Columns by Mandeep Khera:

    PCI DSS 2.0 Compliance Deadlines are Looming - Are you Ready?

    Busting Myths: Why SSL Application Security

    Cyber Security Awareness Month - A Checklist

    Addressing Cloud Security Concerns: Key Issues and RecommendationsDo You Know Your ABCs of Web Application Security?

    Tags:

    INDUSTRY INSIGHTS Cloud Security

    0 comments

    What's this?

    Mac Malware Uses Right-to-Left Override

    Technique to Disguise

    19 Groups Sue NSA Over Data Collection

    iOS Apps Just as Intrusive as Android

    Apps: Research

    Back to the Future - A New Reality in IT

    Security

    Network Solutions' June "Snafu" - Why

    Heads Should Roll

    Cisco to Acquire Sourcefire for $2.7

    Billion

    Researchers Discover KINS a New

    Professional-grade Banking

    US Tech Firms Losing Business Over

    PRISM: Survey

    Best Community Share

    2

    Subscribe to SecurityWeek

    Most Recent Most Read

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    7/8

    Cisco to Slash 4,000 Jobs

    Unpatch Wednesday: Microsoft Pulls Flawed Exchange Server Patch

    Kaspersky Lab Launches 2014 Security Solutions

    Brazil Moves to Secure Telecom, Internet Systems After US Spying

    CSC Launches Solution to Manage Cybersecurity Compliance

    DHS Awards $6 Billion Cybersecurity Contract to 17 Firms

    IBM Gets $1 Billion to Help Department of Interior Move to the Cloud

    Russia Visit of Snowden's Father to be Kept Under Wraps: Report

    Windows 8.1 Set for October 18 Release: Microsoft

    Thai Villagers Mistake Google Worker for Government Snoop

    Popular Topics

    Information Security News

    IT Security NewsRisk Management

    Cybercrime

    Cloud Security

    Application Security

    Smart Device Security

    Security Community

    IT Security NewslettersIT Security White Papers

    Comments

    Most Read

    InfosecIsland.Com

    Stay Intouch

    Twitter

    Facebook

    LinkedIn Group

    Stuxnet Group on LinkedIn

    RSS Feed

    Submit Tip

    Security Intelligence Group

    About SecurityWeek

    Team

    Advertising

    Events

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...

    8 15/08/2013 11:37

  • 7/27/2019 Addressing Cloud Security Concerns

    8/8

    Writing Opportunities

    Feedback

    Contact Us

    Copyright 2013 Wired Business Media. All Rights Reserved. Privacy Policy | Terms of Use

    ressing Cloud Security Concerns: Key Issues and Recommendation... http://www.securityweek.com/addressing-cloud-security-concerns-key-...