There are steps security pros can take to achieve greater peace of mind with cloud implementations, reports Alan Earls.
If one went strictly by the numbers, it would seem that there's no looking back for the cloud. According to Gartner, the public cloud services market is forecast to grow 18.5 percent this year, compared to the 4.2 percent rise for worldwide IT spending. But talk to a security professional, and they'll tell that the cloud model presents real vulnerabilities that require effort and focus to bake in defenses.
According to many cloud and security practitioners, those worries are not inappropriate. While the cloud can be safe and secure, it also opens many vulnerabilities. The key is understanding those weaknesses – the issues one's operations bring and those inherent to the provider – and then assessing how cloud might help or hurt.
David Maman, founder and CTO of GreenSQL, a Tel-Aviv, Israel-based database security solutions provider with North American headquarters in Houston, can be categorized as a naysayer. He says those who imagine that cloud services can inherently provide an extra layer of security are mistaken. “There is almost no way whatsoever to even know [that] your sensitive information leaked when you are using any type of shared cloud services,” he says. In fact, Maman says, cloud services are becoming a new target for cyber criminals because targeting cloud management systems lets them attack multiple customers at the same time.
Although going after cloud services requires more knowledge of networking architecture and operations support systems than might be required for attacking a single company, there is a payoff. “The big threat is that once a specific system is breached, the same security mechanism and configuration is being used by thousands of customers hosted on the same cloud, so each and every customer is now in immediate danger,” says Maman. By the same token, he adds, the cloud provides significant opportunities for fraudsters because it offers a much easier way to hide their activity. Nowadays, most attacks are being initiated from the cloud, he says. Criminals can take control of or buy a virtual private server (VPS) in just a matter of minutes, run a one-time attack and then dispose of it. “This is something that happens on an hourly basis,” Maman says.
Rules to live by
But the outlook isn't completely bleak. As worrisome as the cloud may be, practitioners say it can be made less risky with some relatively simple safeguards. For instance, says Trey Keifer, president and CEO of WireHarbor Security, a Chicago-based provider of IT risk management solutions, two things are critically important in verifying the security of a cloud provider. First, he says, designate a person or team with the responsibility. “Too many companies just integrate it into a part of their IS/IT organization, and it falls by the wayside,” he says. So, having a dedicated supplier risk governance group that is both responsible for the initial verification and then any annual follow-up is key. Second, Keifer says, users should ensure that the provider has undergone an independent third-party technical assessment. “You should not trust their internal security teams or a checklist audit of controls. “Make the provider show you a client-facing copy of their reviews,” says Keifer.
He says the “good ones” almost always will have one available, because they get asked for them all the time. And, he recommends avoiding companies that refuse to provide a review because they claim it is confidential information. “This is a smoke screen for poor operational security, or a network that has grown beyond their ability to control,” he says.
Michael Bremmer, CEO of TelecomQuotes.com, an internet and telephone consulting company, offers his own cheat sheet for vetting cloud providers that picks up on Keifer's themes. Specifically, Bremmer recommends inquiring about which certifications one's cloud data center has – SOC I, II or III? SOC III is the best, most comprehensive and most expensive certification, says Bremmer, adding that SAAS 70 TYPE II is acceptable, but is not a true data center certification. “It is a 20-year-old auditing standard that was never designed to be used for data centers,” he says.
In a pinch, this might suffice, but enterprises should not consider placing business data into a co-location facility that doesn't have the latest certifications, Bremmer adds.
It's also necessary to ask whether one's data is duplicated in another data center, Bremmer says. Although this might seem too obvious, he says many companies found out the hard way, in the wake of Hurricane Sandy, that their data wasn't housed in multiple locations. Although Bremmer admits off-site storage “isn't usually free,” compared to the potential cost of data loss it may be a bargain.
Asking how physically secure the facility is another step shoppers must take, as this type of protection also matters. “If possible, ask for a tour and use your own eyes,” Bremmer says. “If you cannot have a tour of the facility you're considering putting your data into, that should be a red flag.”