Before moving assets to the cloud, CISOs must determine how much security they are willing to contract out, reports Stephen Lawton.
As cloud computing becomes ubiquitous, small and medium-sized businesses (SMBs) are looking to it as a way of securing their data more efficiently and, potentially, cheaply. However, while service providers tout the cloud as more secure than a corporate data centre, some experts are not so certain.
At issue is how a company negotiates its security agreement with the cloud provider. Some services for consumers and small businesses, such as Amazon's Simple Storage Service, state in their user agreements that the provider is not responsible for data security. At the other end of the scale are companies such as Carpathia Hosting in the US, which provides cloud services to the CIA and the American government's defence and Homeland Security departments. Between these poles are many options.
Simon Crosby, CTO and co-founder of security start-up Bromium, says CISOs must ask themselves how much security they are willing to contract out. There is no standard service-level agreement (SLA) for corporate-level cloud providers, he says. Rather, CISOs need to perform detailed risk analysis to determine how much security they need to buy in and how much they must do themselves – then they need to determine if their provider of choice is willing and able to offer the required security precautions as part of the SLA.
Generally speaking, Crosby says, commercial providers that cater to companies with regulatory requirements – such as PCI DSS and, in the US, Sarbanes-Oxley – will have some security built into their offerings. While selecting such a provider will not guarantee greater security, they generally offer a higher level and better quality of assurance than an SMB might be able to achieve by itself, Crosby says.
What's more, for a small company a designated security person can be a significant – and perhaps prohibitive – expense, Crosby points out, while this cost will already be factored into the outsourced provider's offering.
Often, providers will use the products of hardware security vendors to protect their cloud infrastructure, Crosby says – and CISOs need to find out which are being used to determine whether they meet their company's risk profile. Providers generally do not allow clients to put their own security devices in front of the cloud infrastructure unless they have dedicated servers at the hosting location.
Where and how
Cloud security is inherently no better or worse than what is in place at corporate data centres, argues Anders Westby, senior manager at US consultancy Logic20/20. The outcome is the same regardless of where information is housed. That is, assets must be defended, hardware and software protection needs to be in place, best practices for data assurance must be followed and risk mitigated. How that is done, be it by a corporate IT department or a service provider, will depend on the expertise of the staff and the amount of money a company is willing to spend on protection based on its risk assessment.
“If you use best practices to secure applications, it doesn't matter where the applications are based,” Westby says. “If you don't follow best practices, [your data] will be just as vulnerable locally as it is in the cloud.”
It is easy enough to look up a company's corporate address and make educated guesses as to whether or not servers will be onsite, Westby says. Often, and particularly for SMBs, the corporate office is where the data centre will be housed. However, for large companies in general, and cloud providers in particular, a corporate office address is no guarantee that this is the location of the data centre. Physical access to the centre could be a major vulnerability, Westby says, so data repositories are generally housed in facilities where greater layers of protection are applied.
If a company employs a cloud or hosting provider, it is nearly impossible to determine on which physical servers a particular company's data resides, even if it is possible to breach the physical barriers. For that reason alone, Westby says, an offsite data centre provides a modicum of defence for an SMB. It's a better bet, he says, than having the centre in a building with poor security.
Companies also need to understand what practices their vendor has in place and what the vendor expects its users to provide, Westby says. However, providers are often hesitant to disclose their security profile as doing so might identify a vulnerability. Nevertheless, if the provider does fail to disclose this information, Westby advises, a CISO should look elsewhere.
Often, he says, a cloud service provider will offer patch management to smaller companies because it already does so to its larger clients. In those cases, it is not uncommon for a provider to roll out fresh, fully patched servers to its corporate clients, then migrate their applications and data from the older server to the new, fully protected system. The provider will then take the server that was not patched, replace it with a fully patched version of VMware, Microsoft Virtual Server – or whatever server platform it is using – and use that machine as the migration target for the next server in line. Older systems are then upgraded and, with minimal to no downtime, become the targets for the next machine in line.
Ask the right questions
Anton Chuvakin, research director in Gartner's IT security and risk management group, says it is inappropriate for an IT executive to ask whether the cloud is secure. Rather, he says, the question should be: “Is use of the cloud secure?” Why? Because cloud providers look at security differently from their customers. Companies should take nothing for granted when selecting a cloud provider, Chuvakin says. “You can't assume [the provider] has an intrusion protection system (IPS) in front of its servers,” he explains – nor that any IPS that a provider does have will be sufficient for the client's required level of security.
If a cloud provider is unable to guarantee a company that it can meet its needs and that the level of protection required will not be prohibitively expensive, the customer always has the option to choose a different approach, such as a private or hybrid cloud.
For a company that does not have regulatory requirements that dictate its level of assurance, the security manager should select an existing standard, such as PCI DSS, as a baseline – the indication of a minimum level of security – Chuvakin says.
There are three questions Chuvakin recommends the security manager ask before choosing a cloud provider.
First: Do I trust the cloud provider with physical security? “You can't put your own armed guard outside the gate,” he says. “They usually won't tell you where the gate is.” If the cloud provider cannot demonstrate that it has the capabilities to secure its physical premises, the customer should not choose that provider.
Second: Am I confident that the provider has the technical wherewithal to secure the hypervisor? If the client's data will be on the same physical server as other clients' virtual servers, then the security officer requires absolute assurances that the provider can secure the virtualisation hypervisor. If a hypervisor is breached, an attacker can compromise and gain access to all the other tenants on the server.
Third: Can the cloud provider guarantee that it will update the operating system and provide other patches as soon as they are released by its software vendors? If not, the client has to determine whether it can apply its own patches, hire another third party to carry out patch management, or whether it needs a cloud provider that will provide this service.
On his official Gartner blog, Chuvakin defines two perspectives: that of the enterprise and that of the cloud provider. Enterprises tend to focus on two areas, he says – keeping their cloud resources secure and complying with regulations relevant to them – while providers are more concerned with keeping cloud infrastructure secure, keeping customer resources secure (to the degree sufficient to keep a customer), offering security services (as an additional revenue stream) and complying with regulations relevant to them. As a result, Chuvakin says, what is important to the enterprise is not necessarily the priority of the provider.
Despite the best intentions of a cloud service provider or internal IT staff, vulnerabilities will not be found if the security team is not looking for them, Chuvakin says. “The cloud customer cannot monitor his actions directly, while the provider's monitoring might not focus on what the customer really cares about. You can get the best control attestation framework, you can even do continuous control assessment, but unless somebody monitors for such activities and their consequences, the security gap is still there,” he explains.
The bottom line is that regardless of whether the data is stored locally or in the cloud, it will be vulnerable if the team designated to protect it is not looking for the attack approach the crooks are using.
Bromium's Crosby takes a more optimistic look at providers, noting that they are motivated to provide good service. If a provider is hit by a major attack, it could damage the company's brand, perhaps irrevocably. Some large providers automatically roll out updates to all customers simply because of the scale of the cloud infrastructure they support, even if the updates are not part of their contract, Crosby says. By comparison, some companies are much slower to roll out patches because they either do not have the time or are not aware of all the patches that are available.
In competent hands, patches can be applied to cloud-based systems with no downtime, Crosby says. However, if a company is running its own data centre and not using private cloud-based infrastructure, it might be necessary for the IT department to schedule downtime for some servers to install the patches.
For example, Omar Caban, chief executive of Best Growth Stock – a US provider of stock market trading analysis – decided last year to back up the company's servers to the cloud. He says the aim was to reduce overall IT costs and enhance the protection of assets. Best Growth Stock mirrored its Houston-based corporate servers to dedicated servers in the cloud, with customers accessing their accounts through web applications.
Caban says his company is also benefiting from security capabilities in the cloud that it could not afford on its own. In particular, since moving to a cloud provider, he explains, the company has eliminated Asia-based denial-of-service attacks that were pounding its corporate servers daily.
Caban, however, stresses that there are drawbacks, as well as benefits, to the use of dedicated servers.
On the plus side, the company can work closely with the cloud provider to ensure the servers have the enhanced security required to meet regulatory or corporate requirements and best-practice guidelines. And, although the servers are dedicated, the company still can ‘fail over’ to systems throughout the world should there be issues with the primary systems.
However, dedicated servers are more expensive to maintain than hosted servers, Caban reveals. In addition, compliance mandates for financial services companies effectively prohibit Best Growth Stock from using a multi-tenant environment.
Caban agrees that it is essential for the customer to understand what services their provider will offer and what is expected of them. Many providers fail to talk about their shortcomings, vulnerabilities in their infrastructure, or past successful attacks, he warns.
“Some providers just want to close the deal,” he says. “They are not necessarily concerned for your best interest.”
If the provider fails to discuss past breaches and how it plans to deal with a successful attack, Caban argues, the customer should look elsewhere. Those providers that are honest about weaknesses and how they plan to mitigate risk, he says, are more likely to be prepared should an attack occur.
This article originally appeared in the US edition of SC Magazine.