Before moving assets to the cloud, CISOs must determine how much security they're willing to contract out, reports Stephen Lawton.
As cloud computing becomes ubiquitous, small and midsize businesses (SMBs) are looking to it as a way of securing their data more efficiently at a potentially lower cost. While service providers tout the cloud as more secure than a corporate data center, experts are not as certain.
At issue is how the company negotiates its security agreement with the cloud provider. Some vendors offering services to consumers or small businesses, such as Amazon Simple Storage Service, write into their user agreement that the provider is not responsible for any data security at all. At the other end are companies such as Carpathia Hosting of Dulles, Va., which provides cloud services to the CIA and the Departments of Defense and Homeland Security. Between these poles are many options.
The question a CISO must address before contracting with a cloud provider is: For how much security is the company willing to contract and how much will remain its own responsibility, says Simon Crosby, CTO and co-founder of security start-up Bromium.
There are no standard service-level agreements (SLA) for corporate-level cloud providers, he says. Rather, CISOs need to perform detailed risk analysis plans to determine how much security they need to buy and how much they must do themselves. Then they need to determine if their provider of choice is willing and able to offer the required security precautions as part of the SLA.
Generally speaking, Crosby says, commercial providers that cater to companies that have regulatory requirements – such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA) or the Sarbanes–Oxley Act of 2002 (SOX) – will have some security built into their offerings. While selecting such a provider will not guarantee a company will have more secure offerings, these sources generally offer a higher level and better quality of surety than an SMB might be able to, Crosby says.
Too, for a small company, a designated security person can be a significant expense, he says. For a provider, it is already factored in.
“If you don't follow best practices, [your data] will be just as vulnerable locally as in the cloud.”
– Anders Westby, senior manager, Logic20/20
Often, providers will contract with hardware security vendors to have specific products protecting their cloud infrastructure, Crosby adds. CISOs need to ask about which products are being used in order to determine if they meet the company's risk profile. Providers generally do not allow clients to put their own security devices in front of the cloud infrastructure unless the client has dedicated servers at the hosting location.
Cloud security inherently is no better or worse than what is in place at corporate data centers, says Anders Westby, a senior manager for Logic20/20, an IT consultancy in Seattle. The bottom line is the same regardless of the physical location of where information is housed. That is, assets must be defended, hardware and software protection needs to be in place, best practices for data assurance needs to be employed and risk must be mitigated. How that is done, be it by a corporate IT department or a service provider, will depend on the level of expertise of the staff and the amount of money a company is willing to spend on protection based on their risk assessment.
“If you use best practices to secure applications, it doesn't matter where the applications are based,” Westby says. “If you don't follow best practices, [your data] will be just as vulnerable locally as in the cloud.”
It is easy enough to look up a company's corporate address and make educated guesses as to whether or not servers will be onsite, Westby says. Often, and particularly for SMBs, the corporate office is where the data center will be housed. For large companies in general, and cloud providers in particular, a corporate office address is no guarantee that it is the location of the data center. Physical access to the data center could be a major vulnerability, he says, so depositories are generally housed in facilities where greater layers of protection are applied.
If a company employs a cloud or hosting provider, it is nearly impossible to determine on which physical servers a particular company's data resides, even if it is possible to breach the physical barriers. For that reason alone, he says, an offsite data center provides a modicum of defense for an SMB. It's a better bet, he says, than having the center in an office building with poor physical security.Customers need to understand what practices their vendor has in place and what they expect their users to provide, he says. However, providers are often hesitant to disclose their security profile as it might identify a vulnerability. If the provider fails to disclose this, Westby advises, the customer should look elsewhere.
Often, he says, a service provider will offer patch management as part of their offerings for smaller companies because it already offers that service to its larger clients. In those cases, it is not uncommon for a company to roll out fresh, fully patched servers to its corporate clients, then migrate their applications and data from the older server to the new, fully protected system. The provider will then take the server that was not patched, replace it with a fully patched version of VMware, Microsoft Virtual Server or whatever server platform it is using, and use that machine as the migration target for the next server in line. Older systems are then upgraded and with minimal to no downtime become the targets for the next machine inline.
Anton Chuvakin, research director in Gartner's IT security and risk management group, says it is inappropriate for an IT executive to ask, “Is the cloud secure”? Rather, he says, the executive should ask if use of the cloud is secure.
And, that is because cloud providers look at security differently than do their customers. Companies should take nothing for granted when selecting a cloud provider, he says. “You can't assume [the provider] has an intrusion protection system (IPS) in front of its servers,”Chuvakin says. Nor that any IPS that a provider does have will be sufficient for the client's required level of security.
If a cloud provider is unable to guarantee a company that it can meet its needs, or that the level of protection required could be prohibitively expensive, the customer always has the option to choose a different approach, such as a private or hybrid cloud.
For a company that does not have regulatory requirements that dictate their level of assurance, the security manager should select an existing standard, such as PCI DSS, as a baseline since it provides a minimum level of security, Chuvakin says.
There are several questions Chuvakin recommends the security manager ask before choosing a cloud provider: Do I trust the cloud provider with physical security? “You can't put your own armed guard outside the gate,” he says. “They usually won't tell you where the gate is.” If the cloud provider cannot demonstrate that it has the capabilities to secure its physical premises, the customer should not choose that provider.
He also asks, Do I have confidence that the provider has the technical wherewithal to secure the hypervisor? If the client's data will be on the same physical server as other clients' virtual servers, then the security officer requires absolute assurances that the provider can secure the virtualization hypervisor. If a hypervisor is breached, an attacker can compromise and gain access to all of the other tenants on the same server.Finally, he asks, Will the cloud provider guarantee that it will update the operating system and provide other patches as soon as they are released by the provider's software vendors? If not, the client has to determine if they can make their own patches or hire a third party to do patch management, or if they need a cloud provider that will provide that service.
In a recent post to his official Gartner blog, Chuvakin defines two perspectives, the enterprise and the cloud provider. Enterprises tend to focus on two areas, he says: Keep their cloud resources secure and comply with regulations relevant to the customer.
Providers look at cloud services differently. Their focus is: keep cloud infrastructure secure, keep customer resources secure (to the degree sufficient to keep a customer), offer security services to customers (as an additional revenue stream), and comply with regulations relevant to the provider.
As a result, he says, what is important to the enterprise is not necessarily the top priority for the provider.
“Some providers just want to close the deal. They are not necessarily concerned for your best interest.”
– Omar Caban, CEO of Best Growth Stock
Despite the best intentions of a cloud service provider or an internal IT staff, vulnerabilities will not be found if the security team is not looking for them, Chuvakin says. “The cloud customer cannot monitor his/her actions directly (not with our level of cloud platform development today), while cloud provider monitoring “lens” might not focus on some of his actions that a cloud customer would really care about. You can get the best control attestation framework, you can even do continuous control assessment, but unless somebody monitors for such activities and their consequences, the security gap is still there.”
The bottom line is that regardless of whether the data is stored locally or in the cloud, it will be vulnerable if the team designated to protect it is not looking for the attack approach the crooks are using.
Bromium's Crosby takes a more optimistic look at providers, noting that they are incentivized to provide good service. If a provider is hit by a major attack, it could damage the company's brand, perhaps irrevocably. Some large providers automatically roll out updates to all customers simply because of the scale of the cloud infrastructure they support, even if the updates are not part of their contract, he says. By comparison, some companies are much slower to roll out patches because they either do not have the time or are not aware of all of the patches that are available.If done well patches can be applied to cloud-based systems with no downtime, Crosby says. If a company is running its own data center and not using a private cloud-based infrastructure, it might be necessary for the IT department to schedule downtime for some servers to install the patches.
As illustration, Omar Caban, CEO of Best Growth Stock, a Lake Tahoe, Nev.-based company that provides stock market trading analysis, made the decision a year ago to back up his servers to the cloud. He says the choice was made to reduce his company's overall IT costs and enhance the protection of assets. He chose to mirror its Houston-based corporate servers to dedicated servers in the cloud and have customers access their accounts through web applications. Caban says his company also is benefitting from security capabilities in the cloud that it could not afford on its own. In particular, since moving to a cloud provider, he says, the company has eliminated Asia-based denial-of-service attacks that were pounding his corporate servers on a daily basis.
But, dedicated servers, Caban says, have benefits and drawbacks. On the plus side, the company can work closely with the cloud provider to ensure the servers have enhanced security required to meet regulatory or corporate requirements or best practices. And, although the servers are dedicated, the company still can fail over to systems throughout the world should there be issues with the primary systems.
Caban says the company also is benefiting from security capabilities in the cloud that his company could not afford on its own. Since moving to his cloud provider, he says, the company has eliminated Asia-based denial-of-service attacks that were pounding his corporate servers on a daily basis.
However, dedicated servers are more expensive to maintain than hosted servers, he says. In addition, compliance mandates for financial services companies effectively prohibit him from using a multitenant environment.
But, Caban agrees that when it comes to cloud-based security, it is essential for the customer to understand what services the provider will offer and those that are expected of the customer. Many providers fail to talk about their shortcomings, vulnerabilities in their infrastructure, or past successful attacks, he says.
“Some providers just want to close the deal,” he says. “They are not necessarily concerned for your best interest.”If the provider fails to discuss past breaches and how it plans to deal with a successful attack, he says, the customer should look elsewhere. Those providers that are honest about weaknesses and how they plan to mitigate risk, he says, are more likely to be prepared should an attack occur.