Security in the cloud

New buzzword, but the same old challenges and best practices apply, writes Brian Chappell, Director of Engineering, EMEA, BeyondTrust.


Cloud continues to be one of the hottest topics in the IT world and this is not surprising given the promised benefits: savings, scalability and business continuity. However, like any area of information technology, it is important to understand the security implications of moving any aspect of the business into the cloud and that applies to data centres as much as any other part of the organization.
It is easy to be seduced by the hype around the cloud, but while many non-IT executives may be attracted by the scalability and cost benefits, CIOs are treading more cautiously. The impact of a security breach can be far-reaching, which is why senior managers need to familiarize themselves with what is at stake.

According to a recent research report by IDC, 74 percent of IT executives and CIOs have cited security as the top challenge preventing their adoption of the cloud services model. After all, we are talking about trusting sensitive corporate data – including customer data, intellectual property and other content, such as information on new products – to a third party.

The reality is that wherever data is hosted, vulnerabilities and exploits do not discriminate. The same holes exist for cyber thieves within cloud providers as exist for data storage on-premise; they may just have easier access to them.

Who is responsible for security in the cloud?


It is important to understand that there are several ‘flavours’ of the cloud: the public cloud, the private cloud and the virtual private cloud. With a pure private cloud, the demarcation lines of who is responsible for security are clear and are the same as they have always been: nothing has changed in that respect. The infrastructure and the way in which software is provisioned have morphed into a virtual world, but it is still the company’s infrastructure. Whichever department generated the data is generally considered the owner and responsible for where it is and where it is going.
The issue is that when companies move to an external cloud – public, or more frequently for enterprises, virtual private clouds – they assume that the cloud provider is responsible for security. To some degree this is true: cloud providers are responsible for securing the cloud management infrastructure, but buyers beware: in practice, this means they might not even know when a breach of a particular cloud server has occurred.

In a 2011 Ponemon study, 42 percent of respondents of cloud service providers indicated they would not know if their organization’s cloud apps or data were compromised by a security breach or data exploit.

Of course, any reputable cloud provider is going to have security measures, but enterprises do not abdicate responsibility for the data just because it is in someone else’s cloud environment, which is in effect just an extension of the corporate network. For instance, if someone within the enterprise has not changed default passwords, or has installed software with vulnerabilities, or does not keep up with patch levels, then it is the organization that is ultimately responsible.

Enterprises must extend their security practices to the cloud environment and ensure that the tools and processes they use are able to address the particular challenges of a virtual environment. For example, that might mean systems that can scan not only the local environment, but also the virtual server level. Ideally, both the cloud provider and the enterprise need to be securing the data.

So are there special conditions that apply to data centres? Not really: the same basic good practices still apply, because the security challenges are the same as they have always been. Let’s not forget that the cloud is not really new: not much has changed since we had dedicated hosting; cloud is just a better way to expand or contract that capacity. Most public and virtual private clouds are going to be hosted in a data centre somewhere, so yes, data centre owners do need to be aware that they need to provide as secure an environment for their customers as possible.

For internal data centres – in other words, those owned and managed by an enterprise – the same security best practices apply as they do for any other server in the organization. For example, data centre managers should ensure operating systems are appropriately patched, configuration best practice has been used and that privilege management or least privilege practices are applied.

Responsibility for security travels with the data

This brings us to the point that cloud security best practice should focus on protecting the data, not just securing physical machines, because responsibility for those assets travels, regardless of the environment. Wherever a company’s IP goes, it needs to be protected, whether that is in the cloud, on-premise, printed-out, on a mobile device or any number of storage types.

Whatever the type of cloud, the same operating systems – Windows, Linux, etc – are still used, with their associated security challenges. The only real difference is the additional concern of securing the system that is provisioning the cloud environment and that is the responsibility of the service provider. So is having a pure private cloud safer than the public cloud or a virtual private cloud? The reality is that private cloud does not mean attackers will not try to enter. The more sensitive and potentially valuable a company’s assets, the more likely an organisation will encounter a cyber security storm irrespective of where the assets are hosted.

Best practice for security in the cloud

To cover any risk of disconnected security, both the cloud provider and the enterprise need to overlap to provide as much security as possible. For the enterprise, this means making sure that all individual machines are secured, as well as the entire system. That way, if someone manages to knock a hole in the system’s protective wall, all the ‘pieces’ within the corporate network are just as robustly protected.

As mentioned earlier, the cloud provider also needs to control security of its infrastructure as much as possible.
So what else can be done to ensure that the business’s cloud environment is secure? Here are five top tips:
- Include assets held in the cloud in your normal security and privilege access management strategy.
- Regularly assess the state of vulnerability by leveraging zero-day vulnerability management solutions.
- Implement regular detection scans for critical risk access points, or potential breaches. Don’t wait for the cloud provider to inform you – it may not do so.
- When employing a cloud service, review terms and conditions clearly, understanding the end user license agreements.
- Ensure that the tools you use – vulnerability management, intrusion protection, data loss protection and so on – have virtual connectors that can extend your security strategy into the cloud environment.

The bottom line is that cloud has its pros and cons, but if the right steps are taken, then any data centre provider, or enterprise user of data centres, can leverage the advantages of cloud computing, safely and securely.