The cloud offers reliability, cost savings and convenience, but protecting it requires modern-day defenses, reports Jim Romeo.
Some 75 million people use the online cloud-based service Evernote to store everything from notes, photos, clips and personal data. But, the convenience clients had become accustomed to when using this site was disturbed in early 2013. That's when the company required all 50 million of its users to reset their passwords after an intrusion – described as the beginning of a sophisticated attack – was discovered. Fortunately, a major breach was averted.
This is just one illustration of how cloud computing – after a few years of evolution and widespread acceptance – remains a vulnerable terrain for security risk. In fact, Alert Logic's “State of Cloud Security Report” found that web application attacks remain the most significant threat for cloud-hosting provider environments, with 52 percent of customers impacted. The study examined 45,000 security events at more than 1,800 organizations over a six-month period.
“Overall, cloud security is essentially in its adolescence,” says Kevin O'Brien, enterprise solution architect at CloudLock, a Waltham, Mass.-based cloud data security company. The field is beginning to show signs of maturity, but not universally, he says. “There are awkward moments to be worked through as CSOs and CIOs increasingly implement solutions that transition away from legacy on-premise data management strategies,” he says.
Over the past decade, he points out, layered security, often referred to as defense-in-depth, has evolved as a central theme of risk mitigation. By ensuring that no single point of failure can result in the loss of sensitive data or inappropriate access, security professionals can account for the eventual breakdown of individual components in their strategic defense plans. If the firewall fails, for example, there are redundant backups and the information stored behind those firewalls is tightly controlled to prevent even inadvertent open access allowing a complete data loss.
O'Brien says the concept of defense-in-depth remains sound, but its implementation is significantly complicated by a shift toward externalized servers and resources. Defense-in-depth, of course, has always called for a focus on various facets of security. One key is data protection and access controls for customers, as well as other end-users who employ the services of companies which operate in the cloud. This trend has intensified the security focus of many of those who use and provide cloud computing.
“Reliability and security continue to be significant concerns for cloud customers, particularly in light of any major outage or data loss that makes its way into media headlines,” says Dave Frymier, CISO at Unisys, a global information technology company based in Blue Bell, Penn. But, while the risks remain the same, the good news, he says, is that technologies that address these risks have evolved over the past year or two. “In the best implementations, authorization is performed within the customer's enterprise data centers, so the customer retains control of encryption keys,” says Frymier.
Customer computing habits are changing as well. Today's end-users are virtual, continually on the go and expecting anytime-access. Hormazd Romer, senior director of product marketing at Accellion, a Palo Alto, Calif.-based company that provides mobile file-sharing solutions, says there are two areas that have changed over the past year or two. The first, he says, is that with the explosion of tablets and smartphones, the risk of data leakage from mobile content sharing has increased. The second trend he sees is the increasing sophistication of hackers. “With each passing year, hackers get more advanced, and thus have more opportunities to disrupt online activities,” Romer says. “Security departments need to be vigilant against these kinds of attacks and risks.”
Most observers expect a set of standards to be forthcoming as cloud computing matures. This will help align the supply chain of cloud computing with the growing volume of end-users. “Both cloud technology and security within the cloud are still maturing and will take some time to become steady state,” says Len Whitten, director of cloud services product management at SunGard Availability Services, a Wayne, Penn.-based provider of IT availability and business continuity. Most industry experts agree it will take a few years to see official standards and controls as they relate to cloud, he says. Meanwhile, executives need to look at the generally accepted controls for security and risk management, as well as the processes involved, and determine what best fits their security needs. Many companies look today to the standards established – and continually modified – by the Cloud Security Alliance (CSA). Although the group is not designated as a standards body, it is the authority that most look to for cloud security guidance, Whitten says. In particular, he says the CSA's governance, risk and control questionnaire addresses a number of primary cloud concerns.
Other experts point to additional steps an organization should take before migrating operations to the cloud to ensure data can remain secure.
Cost savings and efficiencies are resulting in the proliferation of cloud services, says Jeff Erramouspe, chief revenue officer at Spanning, an Austin, Texas-based backup provider serving the Google Apps Marketplace. And, he says that this growth will only accelerate. “But, just because there will be significant growth doesn't necessarily mean that it will become more rife with security risks,” he says. “Users of cloud services first need to understand the security capabilities of their cloud provider. Do they have the appropriate security audits, such as SSAE 16 Type II, which verifies the company's internal processes that reduce security risks?”
Once that's in place, users of cloud services must ensure that they employ the same type of user security that they would for their own apps, he says. “They need to take advantage of things that cloud providers make available, like two-step verification,” Erramouspe says. “The cloud isn't inherently more risky than internal applications, but you can't become lazy with your own internal security processes.”
A principal risk is the underlying data that passes through the cloud and its many applications. But, strategies are available to mitigate the challenge. “Data security is moving to the forefront, as security teams refocus their efforts in securing the data itself instead of simply the servers it resides on,” says Kyle Wickert, solutions architect at AlgoSec, a Boston-based provider of software for firewall policy management. A greater focus is being put on such efforts as securing data at rest, he says, thus mitigating a reliance on system admins to maintain OS-level controls, often outside the scope of management for information security teams.
Concurrent with the risk of data compromise is a risk of privacy invasion. “Privacy matters most in business-to-consumer (B2C) contexts,” says Andrew Jaquith, CTO at SilverSky, a Milford, Conn.-based provider of cloud security solutions. He sees a trend toward giving customers more control over how their personal data is handled. For example, he says Apple's iOS 6 mobile platform requires customers to authorize each app that needs access to sensitive items, such as device location, calendars, contacts, etc. With respect to the cloud servers themselves, some countries have specific privacy requirements about where information can be stored, sometimes called data sovereignty. “What it means, in essence, is that you need to respect the privacy laws enforced where you do business,” Jaquith says. If one has a German operation, it will probably be required that the cloud vendor have a data center in Germany so that data about German nationals remains local.
Other industry observers say the best defense against security risk may be a good offense. And this requires taking proactive steps to adequately mitigate cloud security risk through precautionary actions. So what specific actions should CIOs be implementing now to strengthen their cloud security?
“Conduct a gap analysis on the current state of security internally,” says JD Sherry, global director of technology and solutions at Trend Micro. “Be sure to include key stakeholders who will have a vested interest in the cloud services in the future.” In addition, he advises companies to leverage the findings to create a go-forward baseline for cloud security migration that includes all the great things one is doing currently, and also areas in which improvements are called for. “Don't go into a cloud ecosystem with less control and security protocols than you have now,” he adds. “It will only make it that much more challenging and increase the overall risk profile of the organization.”
Also, it's important to approach cloud security by looking at the basics of encryption and authentication to control access to a specific cloud application. On top of that, Accellion's Romer says, savvy CIOs should layer more advanced controls, such as data leakage prevention, built-in anti-virus, retention policies, management of encryption keys and more. “What's really important in picking a solution is that each organization has all the security levers and dials to manage data risk according to their specific requirements.”
Solution choices and decisions spotlight the importance of the CIO, their leadership and their commitment to always be vigilant of the best solution for their specific situation and environment. “The role of the CIO in cloud security can't be overstated,” says Gary Loveland, a principal consultant at PwC, a New York-based consulting firm. “The cloud is shifting the role and value of the CIO from one of infrastructure steward to advising the business on how to take advantage of rapidly evolving technology solution alternatives. Organizations need perspective and guidance as they evolve their business models and operations to take advantage of cloud services.”
Perspective and guidance, however, often require a solid collaboration and partnership with other companies and providers that play an important role in the operation of cloud computing. Developing and building such collaboration is key. “The breadth of services now being outsourced has increased, which means more data, both in terms of volumes and type, is now being exposed,” says James Lyne, director of technology strategy at Sophos, a global security solutions company with U.S. headquarters in Burlington, Mass.
The security of such data is paramount. It must be at the forefront of any partnering agreement, along with all the other solid advantages a cloud provider offers. “Too often, content providers push security to the background for functionality,” says Steve Pace, executive VP of worldwide sales and channel for SingleHop, a Chicago-based web hosting provider. “They care about access and ease of use, and figure that security is going to get in the way when, in reality, security must be everyone's responsibility.”
In addition, CIOs and organizations should know exactly where the responsibility lies in case of a breach or a situation from a legal standpoint, Pace says. “Who is responsible for the data: the end-user customer, the hosting provider? Companies must have a comprehensive plan in place with procedures and processes to handle these occurrences should they arise.”
Parsing responsibility should begin early by concentrating on clarifying responsibilities when companies and cloud vendors enter into agreement. “Vendors need to be better about advertising what their practices are,” says Andy Ellis, CSO at Akamai, a Cambridge, Mass.-based cloud platform content delivery network. “Rather than avoiding security conversations, vendors need to tackle them head on, aggressively advertising their security practices so that we, as customers, can make informed decisions about the maturity of the risk management practices and technical implementations.”
Cementing the process
By focusing on security, choosing solutions to mitigate security risk and building responsible and fair partnerships with providers and partners, CIOs and CSOs bolster the security of their cloud apps and build a bulwark that allows its end-users to use the cloud safely. This is the goal, and is of increasing concern to all IT pros who embrace cloud platforms.
“We're seeing a renewed interest in encryption techniques to layer security on top of cloud services,” says Hugh Thompson, program committee chair of the RSA Conference. “Driven primarily by regulatory compliance, we've seen new companies focus on tokenization, format-preserving encryption and cloud proxies to help secure data on both public and private clouds.”
Securing data and preserving encryption need to be a centerpiece. “The security of a cloud environment varies greatly for each implementation, and that is a pervasive problem in this industry,” says Andrew Hodes, director of technology at INetU, a provider of managed cloud and application hosting based in Allentown, Pa.
And, building a more secure perimeter encompasses the basics, says Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer. This includes everything from complex passwords and multiform-factor authentication to access rights management, endpoint anti-virus management, and patch and mobile device management.
When cloud security is hardened, companies are well on their way to ensuring that intrusions are intercepted. But, to achieve this, IT leadership must be continuously improving. This new age of cloud computing must be met with a new age of security.