ControlNow™ Ebook: Security Experts' Guide to the Cloud

    Table of Contents

    FOLLOW US & SHARE Security experts guide to the cloud | 2

    DDoS attacks still run rampant across the web, by Frank J. Ohlhorst (page 4)

    Why the cloud is more trustworthy than you think, by Nick Cavalancia (page 7)

    Making cloud storage secure, by Deni Connor (page 10)

    Considerations for running security software in the cloud, by Brien M. Posey (page 12)

    Keeping cloud-based data safe from prying eyes, by Ed Bott (page 15)

    Identity crisis in the cloud, by Debra Littlejohn Shinder (page 17)

    Cloud security: You can never stand still, by Dana Gardner (page 20)

    Compliance and the cloud, by David W. Tschanz (page 23)

    Securing a hybrid cloud, by Ricky Magalhaes (page 27)


    Introduction

    Cloud and security are two terms that were rarely uttered in the same sentence: for many sceptics, the two did not go together. That viewpoint has changed considerably over the past couple of years, with cloud-based solution providers building security programmes that most small to mid-sized businesses could not match on their own.

    In this ebook, tech influencers share their views on security and the cloud and give advice on how to marry both into your business.


    DDoS attacks still run rampant across the web

    DDoS (distributed denial of service) attacks are still a major threat to enterprises seeking to keep their websites and web applications up and running, leaving IT managers to fight an uphill battle against what has become an all too common threat.

    By Frank J. Ohlhorst

    Frank is an award-winning technology analyst and author with more than 25 years of experience in the technology arena.

    Frank has held senior editorial positions with several leading technology publications, including CRN, VarBusiness, eWeek and Channel Insider. As a freelance editor and analyst, Frank authors reports, reviews, white papers and news articles for several publications, including GigaOM, eWeek, EnterpriseNetworking Planet, Tom's Hardware, Network Computing and TechRepublic. Frank has also contributed to multiple technology books and has written several white papers, case studies, reviewer's guides and channel guides for leading technology vendors.


    In a perfect world, network managers would never have to experience application performance problems or deal with security issues. However, today's networking environments are anything but perfect: they are open to attack, traffic surges and a plethora of other problems. Yet end users (and customers) demand perfect availability, perfect security and perfect performance.

    Those demands have led to the rise of technologies that are tasked with optimizing application delivery using load balancing techniques, as well as compression, caching and so forth. Many vendors have quickly come to market with robust appliances and services that not only speed applications, but do much more as well.

    While those so-called application delivery controllers (ADCs) offer performance enhancements, there is still a dark side to ADCs and what they may introduce into enterprise networks, namely attacks and compromises.

    Take, for example, the all-too-common DDoS attack, where hundreds if not thousands of compromised ("zombie") systems flood a website (or application server) with illegitimate traffic, causing operations to crawl to a stop.

    If an ADC (or application performance management (APM) platform) is not configured to tell attack traffic from legitimate demand, and many are not, it makes a DDoS attack worse rather than better. Simply put, if the ADC cannot detect and block a flood, it becomes an unwitting accomplice: it scales up application capacity and balances the attack traffic across every backend, steadily consuming the very resources it was deployed to protect.

    DDoS is not the only security problem that can be magnified by APM solutions; other concerns include SQL injection, brute force and blended attacks. Network managers need to come to the conclusion that when deploying APM solutions, security should be the first consideration, and the deployed ADCs should become part of the security infrastructure rather than just a means to an end of accelerating application traffic. What's more, connectivity, security and packet traffic should be monitored, normalized and reported, making it easier to identify when something goes wrong. Knowing how the network is expected to operate, what a normal request rate and mix looks like for each application, is the primary path to preventing DDoS from seizing control of resources.

    So, what exactly does this mean when delving into APM solutions? It simply means that those evaluating the technology should follow some common best practices:

    Choose a software-only solution, which enables administrators to deploy an ADC however they may wish.

    Choose an APM platform that enables externalized control over the ADCs. That way, administrators can manage during runtime and deploy multiple ADCs to handle a single application without experiencing downtime. If an ADC fails, the management platform keeps running.

    Make sure the APM solution has self-healing capabilities. If a component or application becomes unreachable, the control system should detect and mitigate the problem.

    See if the solution has integrated clustering support (which it should). That provides multiple options for building resilient systems that can scale with load.

    Integrate caching and web content optimization. Those features further speed content delivery, without requiring additional scale-up.

    Using the cloud to help manage infrastructure


    Integrate security in the form of a web application firewall (WAF), where the firewall is aware of normalized traffic and can take steps to block extraneous traffic and application calls.

    Use application layer DDoS protection, enabling the ADC to better understand traffic flow and detect traffic floods or storms at the application level, and use that information to block illegitimate traffic.
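    As an added illustration, not part of Frank's article or any vendor's product, the following Go program shows the kind of application-layer flood detection the last two items describe: it parses a constructed access log, counts each client's requests to each path inside a sliding window, and reports the pairs that exceed a threshold. The log format, the addresses, the 5-second window and the limit of 10 requests are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log entry. The constructed log format is:
// "<RFC3339 time> <client IP> <method> <path> <status>".
type Request struct {
	At     time.Time
	Client string
	Path   string // query string stripped, so /search?q=1 and /search?q=2 collapse
}

// SampleLog is constructed traffic: 10.0.0.9 fires eleven /search requests
// in four seconds while 10.0.0.5 and 10.0.0.7 browse normally.
const SampleLog = `
2014-05-01T10:00:00Z 10.0.0.5 GET /index.html 200
2014-05-01T10:00:01Z 10.0.0.9 GET /search?q=1 200
2014-05-01T10:00:01Z 10.0.0.9 GET /search?q=2 200
2014-05-01T10:00:01Z 10.0.0.9 GET /search?q=3 200
2014-05-01T10:00:02Z 10.0.0.9 GET /search?q=4 200
2014-05-01T10:00:02Z 10.0.0.9 GET /search?q=5 200
2014-05-01T10:00:02Z 10.0.0.9 GET /search?q=6 200
2014-05-01T10:00:02Z 10.0.0.5 GET /about.html 200
2014-05-01T10:00:03Z 10.0.0.9 GET /search?q=7 200
2014-05-01T10:00:03Z 10.0.0.9 GET /search?q=8 200
2014-05-01T10:00:03Z 10.0.0.9 GET /search?q=9 200
2014-05-01T10:00:04Z 10.0.0.9 GET /search?q=10 200
2014-05-01T10:00:04Z 10.0.0.9 GET /search?q=11 200
2014-05-01T10:00:05Z 10.0.0.5 GET /index.html 200
2014-05-01T10:00:30Z 10.0.0.7 GET /search?q=cloud 200
`

// ParseLog parses SampleLog's format; malformed lines are skipped rather
// than trusted, since attacker-controlled input reaches this parser.
func ParseLog(raw string) []Request {
	var out []Request
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Request{At: at, Client: f[1], Path: strings.SplitN(f[3], "?", 2)[0]})
	}
	return out
}

// Offender is a (client, path) pair whose peak request rate exceeded the limit.
type Offender struct {
	Client string
	Path   string
	Peak   int // most requests seen inside any one window
}

// DetectFloods reports every (client, path) pair that exceeds maxPerWindow
// requests within any sliding window of the given length. Keying on the
// path as well as the client is what makes the check application-layer:
// a few clients hammering one expensive endpoint stand out even when the
// total request volume looks ordinary to a network-layer counter.
func DetectFloods(reqs []Request, window time.Duration, maxPerWindow int) []Offender {
	byKey := map[[2]string][]time.Time{}
	for _, r := range reqs {
		k := [2]string{r.Client, r.Path}
		byKey[k] = append(byKey[k], r.At)
	}
	var out []Offender
	for k, ts := range byKey {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		peak, start := 0, 0
		for end := range ts {
			// advance the window's left edge until it spans less than `window`
			for ts[end].Sub(ts[start]) >= window {
				start++
			}
			if n := end - start + 1; n > peak {
				peak = n
			}
		}
		if peak > maxPerWindow {
			out = append(out, Offender{Client: k[0], Path: k[1], Peak: peak})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Peak > out[j].Peak })
	return out
}

func main() {
	for _, o := range DetectFloods(ParseLog(SampleLog), 5*time.Second, 10) {
		fmt.Printf("block %s: %d requests to %s inside one 5s window\n", o.Client, o.Peak, o.Path)
	}
}
```

    The point of the per-path key is the one the article makes about ADCs: a controller that only counts bytes or connections sees 10.0.0.9 as a modest load to spread across the pool, whereas this check sees one client driving a single expensive endpoint and can block it instead of scaling for it. Note that 10.0.0.7's normal /search request is not flagged, because the count is per client, not per path.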

    That checklist raises another question: Should APM security be based in an enterprises internal data center, or is the cloud a better way of addressing those issues?

    To address those concerns, as well as many others, network managers need to implement comprehensive network management platforms, as well as regularly audit packet flow. Correlations between demand, capacity provided and seasonal traffic deviations will prove to be a powerful ally for those looking to harden networks, while also improving performance. Network managers can no longer expect to just plant some magic beans into their infrastructure, and expect security to bloom and performance to grow.



    Why the cloud is more trustworthy than you think

    Don't bunch the entire cloud industry into one giant bucket of negativity; you'll find reputable and dependable companies to partner with.

    By Nick Cavalancia

    Nick is an accomplished executive, consultant, trainer, speaker, and columnist with more than 20 years of enterprise IT experience.

    Nick has authored, co-authored and contributed to more than a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies. Nick has held executive positions at ScriptLogic, SpectorSoft and Netwrix and now focuses on the evangelism of technology solutions as Chief Techvangelist at Techvangelism. Twitter @nickcavalancia | @techvangelism


    Everyone brings up the cloud when there's some salacious piece of news: this cloud provider has a security breach, that one had an outage, etc. But no one talks about the cloud when it is secure, available and providing value to the customer. It's just not interesting enough. So is the cloud as bad as the news makes it out to be, or is it far more trustworthy than it appears? Let's take a look at some reasons why it's time to put some trust in the cloud and how that trust can pay off.

    1. Plenty of well-established providers. Like anything you purchase, it's important to keep in mind that the vendor you choose is as important as the cloud service you use. You can always find a cheaper alternative, but one of the highest risks of using the cloud is the provider going out of business along with your data. Yet nobody gives a second thought to putting all their customer data into Salesforce. Why? Because they have a proven track record as a company. So, don't bunch the entire cloud industry into one giant bucket of negativity. Do your research on the company as well as the service before making a choice, and you'll find reputable and dependable companies to partner with.

    2. More redundancy and availability. First and foremost, cloud providers are experts at building highly available, scalable, world-class data centers that make your most advanced SAN look like your first software-based mirror in NT 3.5. If you're not building your own desktop computers, why are you building your own redundant storage?

    3. Better products than on-premise. It's worth considering that since you're probably looking at the cloud for more than just storage, the product that runs in the cloud may just be better than something on-site. I've already mentioned Salesforce; it's not the leading provider of customer relationship management (CRM) just because it stores everything in the cloud. It's a solid product that provides value to sales teams around the globe.

    4. Durability like you've never seen before. Think of durability like Federal Express never losing your package. Cloud providers simply don't lose your data. In fact, it's a bit surprising how little goes wrong when you read about providers like Amazon, whose S3 service is designed for 99.999999999% (eleven nines) annual durability. That is a loss rate of about one object in 100 billion per year, or, in Amazon's own framing, one object lost every 10,000 years if you store ten million of them. Yeah, I think your data will be there when you need it.

    5. Tons of security. The cloud industry provides a mature security stance, including encrypted access (TLS), encrypted data at rest, firewalls, identity and access management, private subnets, intrusion detection, even 24-hour physical security with foot patrols! They are serious about keeping your data secure from anyone other than you. Bear in mind that this covers the provider's side of the line; how you configure access to your own accounts and data is still your job. So, ask yourself, how much security do you place on your data? I'd suspect for most of you, it's far less than what cloud providers are doing.

    6. It's (sometimes) your fault. The glaring problem with cloud-based services lies in the question "What if my Internet connection goes down?" But look at that question again: it's your connection that goes down. And that is the cloud's fault how? Having a redundant connection at your office is the answer.


    7. The cloud may be your best option. Take backups as an example. You'd have specific criteria around durability, availability, redundancy, and an ability to have data off-site in case of a disaster. If this was you, you'd have some kind of duplicate tape with an off-site storage company thing going, or you'd be looking at a hybrid-cloud backup and recovery solution. And the hybrid cloud solution would cost less, provide greater availability and redundancy, and recover faster than tape backups.

    Granted, the last reason doesn't make the cloud trustworthy, but it certainly makes the case that, given the other six reasons, it's worth a serious look. It's time to elevate your expectations, elevate your security, elevate your service level, and elevate where you look for solutions to include the trustworthy cloud.


    Making cloud storage secure

    "Google blames software update for lost Gmail data." "Backup data lost in transit."

    By Deni Connor

    Deni is a founding analyst of SSG-NOW, an Austin, Texas-based storage analyst and consultancy firm.


    These are not the type of headlines that inspire confidence in cloud storage. They cause hesitation in adopting the cloud as a means of storing your organization's data for disaster recovery, data protection or simply archiving purposes, and could, in fact, delay deployments of cloud storage.

    The issue of security of cloud-stored data is huge. According to a study from SSG-NOW of 235 respondents, 70 percent cited security of data and compliance as their top concern in adopting cloud storage.

    Many security concerns can be allayed by careful planning when selecting a cloud storage or cloud-based data protection provider. In the case of the Amazon Web Services (AWS) outage, spreading data across availability zones would have kept it reachable for the organizations that lost access to it. For customers who lost Gmail emails, a local on-premise backup of that data would have gone far in lessening their concerns. And, in the case of backup tapes lost in transit, that the tapes were not encrypted is certainly a cause for concern: an encrypted tape that goes missing is a lost asset, while an unencrypted one is a data breach.

    There are many ways to secure your cloud storage. They include:

    Encryption of data in flight and at rest

    The use of availability zones, or duplicated cloud storage sites among different cloud storage providers

    Tenant isolation within the provider's multi-tenant storage

    Storage in secure, audited data centers

    On-premise backup of data

    Let's discuss each of these methods before deciding that cloud storage or cloud-based data protection isn't the best of choices for your organization.

    Encryption of data is essential in cloud storage, whether it is in flight or at rest at the cloud storage provider. In flight, the minimum is TLS (still widely called SSL) on every connection to the provider, so that data cannot be read in transit; a password on an upload portal is access control, not encryption, and protects nothing once the bytes are on the wire. At rest, providers typically use 256-bit AES (some older products use 128- or 448-bit Blowfish), and users may also have the option of holding their own encryption keys, so that neither the provider nor anyone who obtains the stored copy can decrypt the data. The trade-off is that a key you hold is a key only you can lose: keep it backed up separately from the data, because no encryption scheme protects against deletion.

    Some cloud storage providers offer the placement of data in several locations. Within one region, these are called availability zones: separate facilities with independent power and networking, so that a failure in one zone does not take down another. Protection against the loss of a whole region requires replicating data to a second region (or a second provider), which is a separate feature from zones. In either case, the copies can be made by mirroring data to both locations at once or by replicating data from one location to the next.

    In the cloud, the storage provider protects data by isolating tenants within its multi-tenant environment. Multi-tenancy itself is the economic model, not the control: it lets the using organization share applications (such as data protection) with other clients, customers or tenants, while the provider's isolation gives each tenant a secure and exclusive virtual computing environment for its data. For instance, in Salesforce, more than 100,000 customers share a common database schema, while each customer's data is kept separate within the multi-tenant instance.

    Further, data should be stored in audited data centers. The SSAE 16 standard (Statement on Standards for Attestation Engagements No. 16, since superseded by SSAE 18) replaced SAS 70 and governs the SOC 1 audit report, which covers a provider's controls relevant to its customers' financial reporting. It is an attestation report, not a certification, and the report that actually assesses physical, environmental, logical and network security is the SOC 2, so ask a prospective provider for its SOC 2 Type II report rather than for a "certified" badge.

    Finally, in protecting against loss or interception of cloud-based data, it is best to adopt a strategy of on-premise data protection as well. Often called hybrid data protection, keeping a copy on-site as well as in the cloud is one of the best and least expensive methods of protecting against loss of cloud-based data: you protect it up front, before it ever reaches the cloud.


    Considerations for running security software in the cloud

    Security can behave differently in a cloud environment than in a traditional data center environment. Always take into consideration how the cloud might impact your security initiatives.

    By Brien Posey

    Brien is a freelance technical writer who has received the Microsoft MVP award six times for his work with Exchange Server, Windows Server, IIS, and File Systems/Storage.

    Brien has written or contributed to about three dozen books and has written more than 4,000 technical articles and white papers for a variety of printed publications and web sites. In addition to his writing, Brien routinely speaks at IT conferences and is involved in a wide variety of other technology-related projects. Prior to freelancing, Brien served as CIO for a national chain of hospitals and healthcare companies. He has also served as a Network Administrator for the Department of Defense at Fort Knox, and for some of the nation's largest insurance companies.


    One aspect of the transition to the cloud that is sometimes overlooked is that security software that you may take for granted could behave very differently in a cloud environment. As such, administrators must consider what impact the cloud will have on their security infrastructure. The way in which your cloud initiatives will impact the organization's security ultimately depends on the types of security software that you are trying to run and on the type of cloud service that you are using. After all, cloud services offer varying capabilities and restrictions.

    Take software-as-a-service (SaaS) clouds, for example. These types of clouds enable a vendor to provide customers with access to a remotely running application. The problem with SaaS clouds is that SaaS customers have little direct control over security. This isn't to say that there is no security. There is. The SaaS provider typically puts a great deal of effort into making sure that the cloud remains secure. However, the provider's security usually resides on the back end and is transparent to customers.

    There are two reasons why this type of security may prove to be problematic for SaaS customers. The first reason is loss of control. SaaS customers cannot use their preferred security software to protect their cloud-based applications. Take Office 365, for example. It is common for administrators who operate on-premise Exchange server deployments to run antivirus (AV) and anti-spam software on their Exchange servers. However, if an organization chooses to move its Exchange server mailboxes to Office 365, it loses the ability to run third-party AV and anti-spam software on the mail server. At best, the organization might be able to run security software on the client computers, but even that is not always an option.

    The other reason why the inability to run third-party security in a SaaS environment may prove to be problematic has to do with manageability. Often, organizations use security software that offers centralized reporting capabilities. Such a feature may give the organization a way to monitor security and health through a single pane of glass. The introduction of SaaS means that there will likely be cloud-based applications that cannot be monitored using the organization's preferred software.

    Although SaaS clouds certainly present security challenges, the opposite can also be true. There are security software vendors that offer cloud-based versions of their wares. Running security software in the cloud was once ill-advised because cloud-based security software simply could not deliver the same level of protection as security software that was installed locally. Today, things have changed. Some cloud-based security products are every bit as good as locally-installed security software maybe better. Cloud-based security software has one very distinct advantage over security software that runs locally: isolation.

    When an attacker attempts to compromise a system, one of the first goals is to disable any security or auditing software. If this software is running remotely (e.g., in the cloud), then it can make bypassing security a lot tougher: an attacker with local administrator rights can still stop an agent on the compromised host, but cannot reach back and alter the policy or erase the events already shipped to the cloud service, and the agent's sudden silence is itself a signal the service can raise.

    Of course, not every cloud-based application runs in a SaaS cloud. Infrastructure-as-a-service (IaaS) clouds, both public and private, are another popular option. IaaS clouds typically act as a platform for hosting virtual machines.

    Although IaaS clouds are known for their flexibility, there are still potential issues when it comes to running security software. One such issue is that of compatibility. Some clouds are incapable of running standard Windows applications. The cloud might be Linux based and may require applications to be compiled in a way that enables them to run on the cloud.


    Another challenge of IaaS clouds is that of security blind spots. Whether public or private, IaaS clouds are specifically designed to provide tenant isolation. This isolation helps to ensure each tenant's privacy and it helps to keep one tenant's workloads from interfering with another's. The problem with this isolation is that security software can only monitor what it can see. An environment that is specifically designed to obscure specific resources can present a major challenge for security software.

    This isolation does not typically pose a huge problem in a public cloud environment because subscribers only need to monitor their own cloud resources, not those belonging to other tenants. However, things are different in a private cloud. All of the resources belong to the organization and need to be monitored. The solution to the problem is to use security software that is virtualization-aware. For instance, there are security applications that plug into the Hyper-V extensible virtual switch as a way of gaining insight into traffic between virtual machines that never touches a physical network port.

    Since security can behave differently in a cloud environment than in a traditional datacenter environment, it is important to consider how the cloud might impact your security initiatives.


    Keeping cloud-based data safe from prying eyes

    Implementing the proper mix of security features can go a long way toward giving you the convenience of the cloud without exposing you to undue risk.

    By Ed Bott

    Ed is an award-winning technology writer with more than two decades experience writing for mainstream media outlets and online publications.

    Ed has served as editor of the US edition of PC Computing and managing editor of PC World; both publications had a monthly paid circulation in excess of one million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including Windows 7 Inside Out (2009) and Office 2013 Inside Out (2013).


    Cloud storage is probably the purest example of the tension between convenience and security in modern computing. When you move your data to the cloud, you make it possible to access those files from virtually anywhere. But that flexibility comes at a steep cost: Anyone who can sneak into that cloud server can access all your secrets, and you might never know.

    The stakes are especially high for files that contain financial information, trade secrets, and legal briefs.

    So how do you protect yourself from the risks of unauthorized access? The basic tools aren't that different from those you might use to protect data on a local area network (LAN). But the nature of the cloud means asking a few tough questions:

    Who has access? In the aftermath of disclosures that global intelligence agencies are able to tap into Internet traffic with impunity, you might think that spies are lurking around every corner and tapping every wire. In reality, the lesson of Edward Snowden's NSA disclosures is more mundane. The biggest threat is from a rogue employee misusing his trusted position. The best cloud providers have excellent physical security and strict auditing that significantly reduces the likelihood of an insider getting away with data theft.

    Are you protected from password theft? The first line of defense for most cloud services is a password. Even if you insist on complex, random, hard-to-guess passwords, that's still a weak barrier for a determined thief, who can use social engineering, phishing emails or Wi-Fi sniffing to steal passwords. You can blunt those attacks by using multi-factor authentication, which requires a second form of identification, typically tied to a physical device, such as a code sent via text message or generated by an app on a mobile phone. Not all second factors are equal: a code sent by SMS can be intercepted or redirected by a SIM swap, and any one-time code can be phished along with the password by a site that relays it in real time; a hardware key that checks the site's origin (FIDO U2F) closes that gap.
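    To make the app-generated code concrete, here is an added example, not from Ed's article, of the TOTP algorithm such apps implement, in Go using only the standard library: an HMAC-SHA1 over a 30-second counter, truncated to a six-digit code, plus the server-side verifier that tolerates one step of clock skew and compares in constant time. The secret is the RFC 6238 test-vector key, and the expected codes are the RFC's published vectors; everything else is an assumption for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	step   = 30 * time.Second // RFC 6238 default time step
	digits = 6                // what most authenticator apps display
)

// TOTP computes the RFC 6238 code for the given instant: HMAC-SHA1 over the
// big-endian count of 30-second steps since the Unix epoch, then the RFC 4226
// dynamic truncation to a decimal code of the requested length.
func TOTP(secret []byte, at time.Time, n int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix())/uint64(step/time.Second))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < n; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", n, code%mod)
}

// Verify is the server side: it accepts the code for the current step and
// for one step either side to absorb clock drift, comparing in constant time
// so that timing does not leak how many digits matched. A production verifier
// must also remember codes already accepted within a step, or a captured code
// can be replayed inside the same 30 seconds.
func Verify(secret []byte, now time.Time, code string) bool {
	if len(code) != digits {
		return false
	}
	ok := 0
	for _, skew := range []time.Duration{-step, 0, step} {
		want := TOTP(secret, now.Add(skew), digits)
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

func main() {
	// RFC 6238 Appendix B test-vector secret; a real enrolment generates a
	// random secret per user and shares it once, typically as a QR code.
	secret := []byte("12345678901234567890")
	fmt.Println("code at T=59s:", TOTP(secret, time.Unix(59, 0), 8)) // 94287082
	fmt.Println("current code: ", TOTP(secret, time.Now(), digits))
}
```

    The shared secret is the whole security of the scheme: it lives on the phone and on the server, so the server's copy must be stored as carefully as a password database, and a phishing site that relays the six digits within the 30-second step still gets in, which is why the text above prefers an origin-bound hardware key where the stakes justify it.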

    Is your data fully encrypted? Any cloud service worth its salt should protect your data using strong encryption. But not all encryption is created equal. Ideally, you want encryption at rest and in transit. Encryption at rest protects the data from unauthorized access if an attacker is able to get at the stored contents of the cloud server. Encryption in transit prevents an attacker from eavesdropping as you transfer files between a local device and a cloud server. The latter scenario is especially likely if you routinely access files over unsecured networks in coffee shops, airports, hotels and other public places.

    Who holds the keys? The science behind encryption is simple: your data files are scrambled by a mathematical algorithm under a secret key. Anyone who tries to access the contents of the file without the key sees the ciphertext, which is, for all intents and purposes, gibberish. If your files contain especially valuable information, you need to think long and hard about how to manage those keys. In most cloud services, the service provider manages the encryption keys.

    That's convenient, but it also means your secrets can be unlocked without you, whether by a law enforcement agency that shows up with a warrant or subpoena, or by a provider insider or intruder who gets at the keys. For maximum security, narrow the list of potential cloud providers to those who let you manage the keys, encrypting data locally so that it never reaches the server in an unencrypted form.

    That architecture prevents anyone but you from unlocking your secrets.

    A word of warning, though: If you lose the key, theres no way to recover your files!

    Implementing the proper mix of security features can go a long way toward giving you the convenience of the cloud without exposing you to undue risk. And be prepared to review that list of questions again, at least annually. Cloud storage is an incredibly competitive marketplace, and a provider that falls short today could be a perfect fit in the future.


    Identity crisis in the cloud

    The basis of all computer security is controlling access: limiting the ability to view or change data or settings to only those persons and/or devices that are authorized to do so. That control begins with properly identifying everyone who attempts access.

    By Debra Littlejohn Shinder

    Debra is a former police officer and criminal justice instructor who now makes her living as an IT analyst, author, trainer and speaker.

    She has written or contributed to 26 books, published more than 800 articles and has been living online, along with her husband Tom (whom she met via the Internet), since the mid-1990s.


    Identity management is a concept that has plagued organizations since the beginning of the computer age and especially as computers became connected through networks and those networks were connected to other networks through the grand mesh of the Internet. As the computing paradigm morphs again, to a cloud-based model, identity takes on even greater importance.

    A corporate network may have thousands of users. A cloud service may have millions. Microsoft's Office 365 Home Premium service passed the one million user milestone only 100 days after its release. Google claims five million businesses use Google Apps. Gartner predicts that by 2022, there will be 695 million users of cloud-based office productivity services such as these. And office productivity is just the tip of the iceberg.

    Software as a service (SaaS) of all kinds is steadily gaining traction, although recent reports show cloud adoption isn't quite living up to all of the predictions. Interestingly, those same reports indicate the number one reason that companies of all sizes are holding back has to do with concerns over security. Despite the proclamations of some industry experts that the fears related to cloud security have been overblown, many organizations are still uncomfortable with the idea of putting sensitive data in the cloud. With stories about cloud-related security breaches and NSA spying constantly making headlines, it's no wonder they're wary.

    Companies in regulated industries have additional worries; for them, security is not just smart business, it's legally mandated by the government or their industry oversight bodies. Going to the cloud requires the assurance that they can still meet compliance requirements.

    The basis of all computer security is controlling access: limiting the ability to view or change data or settings to only those persons and/or devices that are authorized to do so. That control begins with properly identifying everyone who attempts access. Centralized identity management systems based on directory services have been in place for a long time within organizations, and have grown to span multiple organizations in the form of identity federation. Now identity management has expanded its scope again, to encompass cloud services with a global user base.

    The basic problems of managing user identities can grow in complexity when enterprises combine cloud services with their own on-premise network services. Examples include:

    Assigning the proper rights and access permissions to users (following the principle of least privilege for best security)

    Updating those rights and permissions when needed

    Revoking permissions when users leave the organization or change jobs

    Yet many sources indicate that the majority of enterprises see the hybrid cloud model, mixing private and public clouds, as the future toward which they are moving.

    Users don't like complexity (IT pros aren't crazy about it either, but they're paid to deal with it). And ultimately, simplifying the process for users to access the resources they need will reduce headaches for admins and support personnel, too. It's tough enough for many users to keep up with one password; handling multiple passwords for cloud and in-house applications can be a nightmare. Single sign-on (SSO) is the Holy Grail, and there are a number of ways to achieve this. The key is standardization, and cloud providers need to support standard protocols, SAML and OpenID Connect for authentication and OAuth 2.0 for delegated authorization (OAuth on its own does not authenticate a user, which is why OpenID Connect was layered on top of it), so that users can access multiple cloud accounts through a single set of credentials.


    One way that this can be accomplished is by leveraging group membership in Active Directory/LDAP, for example. Users in specific AD groups are allowed to access specific cloud-based applications, as well as internal applications. This makes it easier for admins to provision and de-provision users, and it is more transparent to the users themselves.
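    An added example, not from Debra's article or from any identity product, of the group-to-application mapping just described: a Go reconciliation routine that derives each user's desired roles from directory group membership, treats unmapped groups and disabled accounts as conferring nothing, and emits the grants and revocations needed to bring the cloud application into line. The group names, users, roles and current assignments are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Directory is the on-premise identity store: each user's group memberships
// and whether the account is still enabled. A user missing from Enabled is
// treated as disabled, so an unknown account confers nothing.
type Directory struct {
	Groups  map[string][]string
	Enabled map[string]bool
}

// AppRoles maps a directory group to the role it entitles in one cloud app.
// Groups not listed grant nothing: that is the least-privilege default.
type AppRoles map[string]string

// Change is one action the provisioning connector must push to the app.
type Change struct {
	User, Role, Action string // Action is "grant" or "revoke"
}

// Constructed sample data: carol has left (account disabled) but still holds
// admin; bob was just added to CRM-Admins; dave's sales role has no backing
// group, a stale manual assignment.
var (
	SampleRoles = AppRoles{"CRM-Sales": "sales", "CRM-Admins": "admin"}
	SampleDir   = Directory{
		Groups: map[string][]string{
			"alice": {"CRM-Sales"},
			"bob":   {"CRM-Sales", "CRM-Admins"},
			"carol": {"CRM-Admins"},
			"dave":  {"Finance"},
		},
		Enabled: map[string]bool{"alice": true, "bob": true, "carol": false, "dave": true},
	}
	SampleCurrent = map[string][]string{
		"alice": {"sales"}, "bob": {"sales"}, "carol": {"admin"}, "dave": {"sales"},
	}
)

// Reconcile derives each enabled user's desired roles from group membership,
// compares them with the roles the app currently holds, and returns the grants
// and revocations that bring the app into line. Revocations cover leavers
// (disabled accounts), movers (group removed) and stale manual assignments.
func Reconcile(dir Directory, roles AppRoles, current map[string][]string) []Change {
	desired := map[string]map[string]bool{}
	for user, groups := range dir.Groups {
		if !dir.Enabled[user] {
			continue
		}
		for _, g := range groups {
			if role, mapped := roles[g]; mapped {
				if desired[user] == nil {
					desired[user] = map[string]bool{}
				}
				desired[user][role] = true
			}
		}
	}
	var out []Change
	for user, held := range current {
		for _, r := range held {
			if !desired[user][r] { // reading a nil inner map is safe: false
				out = append(out, Change{user, r, "revoke"})
			}
		}
	}
	for user, want := range desired {
		held := map[string]bool{}
		for _, r := range current[user] {
			held[r] = true
		}
		for r := range want {
			if !held[r] {
				out = append(out, Change{user, r, "grant"})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // deterministic order for review and audit
		a, b := out[i], out[j]
		return a.User < b.User || a.User == b.User && (a.Action < b.Action || a.Action == b.Action && a.Role < b.Role)
	})
	return out
}

func main() {
	for _, c := range Reconcile(SampleDir, SampleRoles, SampleCurrent) {
		fmt.Printf("%-6s %-6s %s\n", c.Action, c.Role, c.User)
	}
}
```

    Two design points matter here. The app's current state is read and diffed rather than blindly overwritten, so every revocation is visible before it is pushed; and the directory is the only source of truth, so a role someone handed out in the SaaS console with no group behind it (dave's) is reverted on the next run, which is what keeps the least-privilege picture honest.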

Numerous companies offer cloud SSO and federated identity solutions that can use organizations' existing identity stores for authentication and authorization. Selecting the right one is an important part of your cloud strategy.


    Cloud security: You can never stand still

    Never let your guard down when it comes to security and cloud security. Remaining vigilant will help lower the risks.

    By Dana Gardner

Dana is Principal Analyst at Interarbor Solutions and host of the BriefingsDirect blog and podcast, and has been an IT industry analyst for 15 years. Twitter: @Dana_Gardner. LinkedIn: www.linkedin.com/in/danagardner


Cloud security is not a new topic, but it's one that remains both under the microscope and in the headlines. There's good reason for that, given the damage today's cyberattacks are known to cause.

Now, a new report from Skyhigh Networks is offering a sobering look at rising security risks, including massive malware exposure and government spying. According to the Skyhigh Cloud Adoption and Risk Report, there's been a 33 percent increase in the number of cloud services in use and a 21 percent increase in cloud service usage overall.

At the same time, the percentage of cloud services that are enterprise-ready has dipped from 11 percent, which wasn't strong to begin with, to a mere 7 percent. The bottom line, says the report, is that a majority of new cloud services used by employees are exposing organizations to risk.

    It means users themselves must remain vigilant and never let their guard down, even as they may assume they are outsourcing security along with IT services to the cloud providers.

Against this backdrop, we're seeing companies like HP work to ease enterprise IT cloud fears and risks with such new solutions as Helion, a new indemnified cloud infrastructure distribution built on OpenStack. HP is betting that many enterprises will want to retain control and assurance of security (among other key performance indicators) by first adopting private cloud, and then moving to hybrid cloud services as they gain trust and verification before jumping too deeply into the public clouds. To help prove its point, HP is investing at least $1 billion in its new portfolio of cloud services. And cloud security startups are raising millions in cash even while the fallout from Heartbleed continues, with news that nearly 400 enterprise cloud apps are vulnerable to the OpenSSL bug.

The high cost of unwanted intrusion and malware across corporate networks is well known. Less talked about are the successful ways that organizations are thwarting ongoing, adaptive and often insider-driven security breaches. These also hold true for private cloud deployments. Intrusion prevention technologies are one way to tackle the problem, regardless of the types of infrastructure and networks.

"TippingPoint technology, for example, is an appliance-based technology. It's an inline device. We deploy it inline and on-premises," says Jim O'Shea, Network Security Architect for HP Cyber Security Strategy and Infrastructure Engagement. "It sits in the network, and the traffic is flowing through it. It's looking for characteristics or reputation on the type of traffic, and reputation is a more real-time change in the system. This network, IP address, or URL is known for malware, etc. That's a dynamic update, but the static updates are signature-type, and the detection of vulnerability or a specific exploit aimed at an operating system."

That's one tactic, which combines the best of cloud to access updates while being deployed locally. Here's another: Businesses need to gain a better sense of the state of their operations and the risks posed to them.

    That was the gist of a recent panel discussion from The Open Group. To gain a fuller grip on such risk and complexity, The Open Group is shepherding a series of standards and initiatives, including the Trusted Technology Forum, to provide better tools for understanding and managing true operational dependability.

"In an organization, risk is a board-level issue, security has become a board-level issue, and so has organization design and architecture," says Allen Brown, President and CEO of The Open Group. "They're all up at that level. It's a matter of the fiscal responsibility of the board to make sure that the organization is sustainable, and to make sure that they've taken the right actions to protect their organization in the future, in the event of an attack or a failure in their activities."

So where do we go from here? Paul Muller, Chief Software Evangelist at HP, says the burgeoning strengths of big data analysis can be used to improve security and provide insights into what's going on within systems and across the cloud divide.

"I increasingly find that one of the greatest sources of potential intelligence about an imminent threat is through the operational data, or operational logs. By sharing that situational awareness between the operations team and the security organizations, you can not only get better hygiene, but an improved security outcome through a heightened sense of what's actually going on, within the infrastructure regardless of where it resides," said Muller.

HP's Brett Wahlin sees a need to overcome the lack of security resources. "If we look back on how we used to do security, trying to determine where our enemies were coming from, what their capacities were, what their targets were, and how we're gathering intelligence to be able to determine how best to protect the company, our resources were quite limited," says Brett Wahlin, Global Vice President and Chief Information Security Officer at HP. "We've found that through the use of big data, we're now able to start gathering reams of information that were never available to us in the past. We tend to look at this almost in a modern-warfare type of perspective," says Wahlin.


    Compliance and the cloud: Making a structurally dysfunctional marriage work

    Compliance and the cloud may never make a perfect match, but they can work together if a business follows a few basic rules and tips.

    By David W. Tschanz

    David has been writing about IT technologies and their role in business for the past 20 years, starting as a regular contributor to MCP Magazine (now Redmond).

He is also the co-author of Mastering SQL Server 2005 and authored Exchange Server 2007 Infrastructure Design: A Service Oriented Approach, which integrated business models and server design for IT professionals. He has also written several webinars and white papers on compliance, monitoring and other legal aspects of IT. After 23 years in Saudi Arabia working for an oil company, he returned to the US and currently resides in Venice, Florida.


    In the real world, clouds are fluffy wisps of air that look pretty and allow anything to penetrate them, their most important byproducts being rain, sleet and snow.

In the IT world, the cloud has been touted as a game-changer, and it is. Cloud computing is simple in concept, and simplicity of operation, deployment and licensing are its most appealing assets. Businesses can work more efficiently, becoming more agile and competitive.

But when it comes to questions of compliance, once you scratch the surface you'll find more questions than you asked in the first place, and more to think about than ever before. Compliance professionals develop migraine headaches when awake and nightmares while asleep trying to get a handle on the issues and answers and, in some cases, trying to ask the right questions.

In a nutshell, the cloud and compliance don't naturally work well together, and compliance in the unfettered cloud may be impossible. Both cultures have entirely different agendas, and the chances they will become friends for life are pretty slim. The cloud is designed to propel a business forward, while compliance restrains it, and this restriction is not what the cloud is about.

Companies in highly regulated industries, such as financial services and healthcare, must comply with numerous regulations, including PCI DSS, SOX, GLBA, HIPAA, HITECH and many others. These data compliance regulations offer specific guidance on handling personal information and cloud compliance for sensitive data, and companies are bound to ensure that their information security policies and IT systems comply with the guidelines.

    Examples of US industry regulations that encompass information related to cloud compliance standards include:

PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance, in the cloud as anywhere else. The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.

The federal Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic protected health information, or ePHI). Penalties and criminal enforcement of the HIPAA Security Rule were strengthened by several provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. The HIPAA Security Rule requires healthcare organizations to adopt appropriate safeguards to protect the confidentiality, integrity and availability of patients' protected health information.

The FBI's Criminal Justice Information Services (CJIS) Division is responsible for providing many critical pieces of data that criminal justice organizations and contractors need to conduct business every day, including fingerprint records, sex offender registries and criminal histories. There are understandably strict regulations and standards for anyone accessing CJIS data, and these apply to any cloud application provider or vendor providing products or services related to this data.

    The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to establish standards for protecting the security and confidentiality of their customers non-public personal information.

In the US, requirements for personal information protection extend to the education field and student personal information. The Family Educational Rights & Privacy Act of 1974 (FERPA) is a federal law that gives students access to their education records, the ability to seek to have the records amended and control over the release of the information to third parties. With some exceptions, schools must have a student's consent prior to disclosure of personal data including grades, enrollment status and billing information. The law applies to educational agencies and institutions that receive funding from the US Department of Education.

A 2013 research report commissioned by NTT Com Security found that, perhaps unsurprisingly, when it came to being compliant, businesses around the globe were wary of using the cloud. A worrying 86 percent said issues around data protection, legislation and regulation are responsible for cloud computing being adopted more slowly than they would like.

That's a position many businesses and their IT staffs find themselves in today. They want to adopt cloud computing in a way that preserves their good standing in regulatory compliance while, of necessity, moving to a public cloud infrastructure platform, a cloud-based application suite or something in between. For the compliance team that also means surrendering some controls to the cloud service provider (CSP).

    As they do, the main questions that should be asked are:

Where is the data going to reside?

Who is going to look after it?

Who is going to be able to see it? Is it going to be the people that manage the infrastructure for the business? Is it going to be internal and external people?

How secure is the cloud platform for us?

There is no one answer, or even set of answers, but these are a few things businesses should keep in mind to keep tabs on compliance in the cloud.

The first and most important is to classify data into what is suitable for the cloud and what needs to be kept internally. It's important to understand that for security and compliance reasons, a business may decide that some highly confidential data will always remain on an internal network and will not move to the cloud. Or, if it is moved to a cloud infrastructure, it will be a private cloud hosted on the premises, where the business has access to both the physical and logical infrastructure even though it is still based on cloud computing, and will still gain the benefits from an operational cost and management perspective.


    When choosing a CSP, assess the presence or absence of the following capabilities:

1. A proven record of delivering secure, reliable cloud services built to enable privacy and data protection

2. Sound practices and strategies for user identity and access management, data protection and incident response, including data location, multi-tenancy, de-provisioning and encryption, which the HIPAA Security Rule lists as an addressable safeguard for ePHI

3. Transparency about cloud compliance capabilities, and about which responsibilities are owned by the customer

4. Demonstrated leadership through participation in the development and continuous improvement of industry standards relevant to cloud services

5. Ability to assist your business in achieving and maintaining its own compliance requirements

Carefully examine the service level agreement (SLA). Never assume your CSP vendor's standard terms and conditions will fit your requirements; examine the vendor's contract as the first step of due diligence. Follow this up with an internal risk-benefit analysis to see if the vendor's standard contract is sufficient for your compliance needs. If not, determine what you need to negotiate to increase your comfort level. It doesn't end there, of course: even with a perfect SLA you need to watch the CSP closely. If the CSP's cloud goes down, what happens to business continuity? There may come a day when it is necessary to use multiple clouds for backup assurance.

Making security a priority is self-evident. Engaging the business security team early helps assure that security and compliance issues are considered together. Moving to the cloud may offer an opportunity to align security with corporate goals in a more permanent way by formalizing the risk-assessment function.

Compliance and the cloud may never have a marriage made in heaven, or even a close friendship, but they can work together if a business remembers to do the following as it transitions. First, classify data as to whether it may be held in the cloud or must stay internal. Secondly, select a trustworthy, reliable CSP and negotiate the right SLAs and contracts for the business's needs.


    Securing a hybrid cloud

    Following best practices closely, organizations can take advantage of hybrid cloud strategies while maintaining data compliance, privacy and security.

    By Ricky Magalhaes

    Ricky is an international information security architect, working with a number of high-profile organizations.

    Ricky has more than 16 years of experience in the security arena covering all 10 domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, and serves on advisory boards to many organizations worldwide.


    Organizations migrating to the hybrid cloud model sometimes struggle due to concerns surrounding compliance, privacy and security. Hybrid clouds can be better secured through best practices applied on-premise and in other clouds. The fundamentals of securing data in the cloud are no different from those of securing data on-premise. Physical security, data integrity, confidentiality, availability, access control, compliance, auditability, strong service level agreements (SLAs), risk assessment and security policies should all be addressed in the cloud. The difference is in hybrid clouds data is mobile, transient and spans multiple networks.

Start by considering three critical elements up front: risk analysis, your provider's security stature, and standards and compliance.

Risk analysis: A risk analysis of each critical asset, its value and its vulnerability will distinguish areas of higher risk from those of lower risk. The outcome enables a conclusive comparison of the risk to data in its current state with the risk of migrating that data to a hybrid cloud. Remember to keep legal, compliance and regulatory obligations in mind when undertaking the risk analysis.

An informed decision can then be taken whether to accept the risk, mitigate the risk or avoid the risk completely by opting not to move certain data to the cloud. Proactively managing the risk will help to rule out negligence. Data type and sensitivity will determine its secure position in the cloud. For this, it's useful to categorize data.

Provider choice and security stature: The provider should be transparent with regard to the security controls embedded in its offerings; a mature provider with an enduring track record is a better choice.

    An organization and its provider share responsibility for data in hybrid clouds. It should be ensured that the following criteria are met when securing hybrid clouds:

    Regulations, compliance and audits: Ensure that providers are compliant and ensure coordination between environments. Compliance must be achievable and maintainable.

    Cloud management: The management system should be compatible with all environments. A consolidated view of environments and resources should be available.

    Security management: Security controls must be compatible within all cloud environments. One approach is to replicate security controls (authentication, authorization and identity management) in all clouds and keep security data synchronized.

Data encryption and key management are essential. They protect data from intrusion and from forced access to data, especially where data location or jurisdiction is a concern.

    Encrypt data in transit and at rest. Using virtual private networks (VPNs) to the cloud can enable your systems to communicate over secure encrypted channels between the cloud environments, alleviating security issues in transit.

    Portability and Interoperability: Technologies must be flexible and interoperable within a hybrid cloud to alleviate issues associated with integration and migration between environments.

Clearly defined SLAs: Detailed procedures for business continuity and disaster recovery should be in place. Incident response and remediation procedures should be agreed upon. Service provision and security standards should be covered.

    Identity and access management: By setting up a single set of access controls and policies to extend across all the cloud environments, the risk of inconsistencies can be alleviated.

    Multi-tenancy: The risks associated with multi-tenancy in a hybrid system should be addressed. You require complete visibility of storage, and sensitive data should be isolated within a multi-tenanted cloud.

    Data center: This should meet security standards for data storage and include multiple layers of physical security (biometrics, cameras, access control, and people on-site).
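The data encryption and key management point above, as an added example not taken from the original page: envelope encryption in Go using the standard library's AES-256-GCM. It assumes the common pattern in which each stored object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays in the customer's own key store, and the provider receives only ciphertext plus the wrapped DEK. The object and key identifiers and the sample record are constructed for illustration, and newKey stands in for a key manager or HSM. Binding the object ID into the authenticated data stops an envelope being served for a different object, and Rotate shows why wrapped DEKs matter in practice: a KEK rotation re-wraps the small DEK and never touches the stored ciphertext.

```go
// Envelope encryption for data at rest (added example, not from the page):
// each object has its own DEK, wrapped under a customer-held KEK.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what is safe to hand to the provider: no plaintext, no raw key.
// ObjectID is bound into both ciphertexts so envelopes cannot be swapped; KEKID names the wrapping key.
type Envelope struct {
	ObjectID, KEKID        string
	WrappedDEK, Ciphertext []byte // each: nonce || AES-256-GCM ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM, authenticating aad, and prefixes the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key or any change to data or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// newKey returns a random AES-256 key; as a KEK it stands in for the customer's key manager or HSM.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// Encrypt draws a fresh DEK, encrypts the object under it and wraps the DEK under the KEK.
func Encrypt(objectID, kekID string, kek, plaintext []byte) (Envelope, error) {
	dek := newKey()
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID+"/"+kekID))
	return Envelope{ObjectID: objectID, KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the customer's KEK, then opens the object.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.ObjectID+"/"+env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.ObjectID))
}

// Rotate re-wraps the DEK under a new KEK; the stored ciphertext is never touched.
func Rotate(oldKEK []byte, env Envelope, newKEKID string, newKEK []byte) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.ObjectID+"/"+env.KEKID))
	if err != nil {
		return Envelope{}, err
	}
	env.KEKID = newKEKID
	env.WrappedDEK, err = seal(newKEK, dek, []byte(env.ObjectID+"/"+newKEKID))
	return env, err
}

func main() {
	kek := newKey()
	env, err := Encrypt("customer-db/backup-0001", "kek-2014-q1", kek, []byte("constructed sample record"))
	pt, _ := Decrypt(kek, env)
	rotated, _ := Rotate(kek, env, "kek-2014-q2", newKey())
	fmt.Printf("err=%v plaintext=%q ciphertext unchanged by rotation=%v\n", err, pt, string(rotated.Ciphertext) == string(env.Ciphertext))
}
```

The jurisdiction point in the text follows directly: a provider, or a court in another country, that obtains the stored envelope holds only ciphertext and a DEK it cannot unwrap, as long as the KEK never left the customer's key store. That makes KEK storage, access logging and backup the part of the design that deserves the most scrutiny, and it is also why the wrapped DEK is authenticated against the object ID and the KEK ID: an envelope cannot be quietly moved under another key or another object without the unwrap failing.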

Standards and compliance: Standards are necessary to enhance security in hybrid clouds and to do so in accordance with regulatory bodies.

Unfortunately, cloud-specific standards, although under development, are sometimes a challenge. Mature, dependable cloud standards are somewhat lacking in certain areas (cloud governance and assurance in particular). Traditional pre-cloud computing standards like the ISO 27000 series, used globally, are not cloud-specific, but are currently being adapted by providers where necessary to make them fit for purpose. Legalities and jurisdiction surrounding cloud computing escalate the complexity of creating standards that accommodate global legal requirements. Emphasis is being placed on the necessity of understanding how the provider anticipates achieving and maintaining compliance levels in the cloud, rather than only accepting a list of certifications.

The anticipated migration to hybrid clouds should not be to the detriment of business, security and privacy. Following best practices closely, organizations can take advantage of hybrid cloud strategies while maintaining data compliance, privacy and security.

Disclaimer

    2014. LogicNow. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. LogicNow is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, LogicNow makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. LogicNow makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.

    If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

USA, Canada, Central and South America: 4309 Emperor Blvd, Suite 400, Durham, NC 27703, USA

Europe and United Kingdom: Vision Building, Greenmarket, Dundee, DD1 4QB, UK

Australia and New Zealand: 2/148 Greenhill Road, Parkside, SA 5063

    www.controlnow.com/contact