Monday, February 14, 2011

10 Technologies for 2011 : 8. Security in the Cloud

Security in the Cloud


As we get into 2011's spend/invest/harvest IT cycle in earnest, CIOs and CTOs of most medium to large corporations are certain to be grappling with the challenge of increasing use of Cloud based infrastructure to accomplish Enterprise goals. It is not unusual in these Cloud obsessed times for senior IT management to be presented with a Hobson's choice: they can implement large systems any way they like, as long as they choose Cloud. Since this trend is only accelerating, we can choose to embrace it and be prepared, or ignore it at great personal and corporate cost.

One of the most pressing challenges IT faces in dealing with Cloud based infrastructures is Security.

When looking at Cloud providers, it is helpful to break down the Security domain into groupings:


Cloud Data Center

Ultimately, Cloud providers either maintain their own data centers (Salesforce.com, Microsoft) or lease capacity from ISPs or very large infrastructure providers such as Google, Microsoft or Amazon. Since not all data centers are created equal, it is helpful to turn to third party standards to benchmark how they compare against each other and against generally accepted best practices.

The key tool in this area is the SAS 70 audit, an AICPA auditing standard under which an independent audit firm reports on the controls a service organization has in place: physical controls (access cards, biometrics at the data center), network security (perimeter and host based), logical access control and so on. Two caveats matter when reading one. First, SAS 70 does not prescribe any particular set of controls; the provider defines the controls and the auditor reports on them, so the report is only as good as the control objectives it covers. Second, a Type I report only describes the controls at a point in time, while a Type II report tests that they operated effectively over a period (typically six months or more), so ask for Type II. (SAS 70 is being superseded by SSAE 16 for reporting periods ending on or after June 15, 2011; the same caveats apply.) Just having a SAS 70 audit done signals some respectability among providers, and these are generally done by well known audit firms. One step further is getting access to the findings generated by the audit. These are rarely shared given their sensitive nature and may come into play only when large contracts are involved.

An additional way to verify the integrity of the data center and its basic architecture is to commission, or obtain access to, third party vulnerability assessment and penetration testing reports. These involve controlled probing of the network and host infrastructure for weaknesses by a firm that specializes in this work and may employ "White Hat" hackers to execute its tests. When reading one, note the difference between an automated vulnerability scan and a hands-on penetration test, check the date and scope (did it cover the shared infrastructure or only one tenant's environment?), and ask whether the findings were remediated and retested. Much like the SAS 70 situation, having these done signals confidence, while access to the specific reports makes them far more useful; but they are hard to get hold of for obvious reasons, and a summary letter under NDA is often the most you will see.


Data in Transit

As data traverses corporate networks and the Internet, it needs to be kept secure. Most often this is accomplished through point to point HTTPS (SSL/TLS) connections. It is worth checking that every protocol used between your corporate network and the Cloud provider runs over TLS: not only the web front end but the APIs, bulk import/export and file transfer paths, and the administrative consoles. Occasionally a provider is on the cusp of widespread adoption, has little experience carrying sensitive data, and still uses plain HTTP, which means it intends to send your data in clear text. Equally, TLS only helps if your client validates the provider's certificate; an integration script that disables certificate checking to "make it work" has a connection that is encrypted but not authenticated. Hopefully as the decade advances these instances will be few and far between, but it doesn't hurt to be careful and ask before contracts are signed.
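As a concrete check on the certificate point, here is an added example written for this post, not code from any provider: it stands up a local TLS endpoint with a self-signed certificate, standing in for an interposed host or a misconfigured provider, and tries three client settings against it: verification switched off, the operating system trust store, and a pinned CA pool. The endpoint and the helper names (fetchWith, pinnedConfig, checkProvider) are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchWith performs one GET against url with the supplied TLS settings and
// returns the connection or request error, if any. The transport is built
// here and nowhere else, so the trust decision is visible in one place.
func fetchWith(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// insecureConfig is the setting found in too many integration scripts: the
// session is encrypted but any certificate is accepted, so an interposed
// host between your network and the provider goes undetected.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// pinnedConfig trusts only the CAs in pool and refuses anything below TLS 1.2.
// Against a real provider, pool holds the public or private CA that issued
// the provider's certificate (or the certificate itself, for pinning).
func pinnedConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// startFakeProvider stands in for the cloud endpoint. httptest issues a
// self-signed certificate: valid TLS, untrusted issuer, which is exactly what
// a man-in-the-middle would present.
func startFakeProvider() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"status":"ok"}`)
	}))
}

// checkProvider runs the three client settings against the fake endpoint and
// reports which of them accepted the connection.
func checkProvider() (insecureOK, systemRootsOK, pinnedOK bool) {
	srv := startFakeProvider()
	defer srv.Close()

	insecureOK = fetchWith(srv.URL, insecureConfig()) == nil
	systemRootsOK = fetchWith(srv.URL, &tls.Config{}) == nil // RootCAs nil: OS trust store

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedOK = fetchWith(srv.URL, pinnedConfig(pool)) == nil
	return insecureOK, systemRootsOK, pinnedOK
}

func main() {
	i, s, p := checkProvider()
	fmt.Printf("skip-verify accepted: %v, system roots accepted: %v, pinned CA accepted: %v\n", i, s, p)
}
```

Only the middle result, the rejection by the system trust store, is the behaviour you want from a client talking to an endpoint whose certificate you have not explicitly trusted; a script that reports "works" with the first setting has an encrypted but unauthenticated connection. Against a real provider, replace the self-signed certificate in the pool with the CA that issued the provider's certificate.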

A new generation of Cloud providers now allows VPN connections directly into their Cloud infrastructure, creating secure tunnels over the Internet. This reduces, but does not remove, the need for secure protocols in the application itself: the tunnel protects traffic only between your edge and the provider's VPN endpoint, and inside the provider's network the traffic is in the clear unless the application also uses TLS. The tunnel also says nothing about which application or user is on the other end, so application level authentication still matters.



Data at Rest

While HTTPS covers data in transit and most providers will find it easy to comply with, some of the thornier issues involve what happens to your data as it sits in the provider's Cloud databases or file systems.

Your company may deal with sensitive data that must not leave your premises, or you may simply not be willing to take the risk with data in the Cloud. In such cases you can attempt to screen sensitive data before it leaves, using automated search and replace mechanisms that look for known patterns (Social Security Numbers, dates of birth, telephone numbers and so on) and replace them with filler characters to signify that the data was obfuscated. Two caveats: pattern matching only finds data in the formats you anticipated (an SSN written without hyphens slips through, while an appointment date looks exactly like a date of birth), so it needs testing against real records; and if you need to re-join results coming back from the provider, you want reversible tokenization with the lookup table kept on your premises rather than irreversible masking.
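The following is an added example of such a screening step, written for this post rather than taken from any product. It shows both irreversible masking and reversible tokenization over one constructed patient record; the patterns, the token format and the in-memory vault are assumptions of the example, and the visit date at the end of the record is there to show the false positive problem described above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// sensitivePatterns cover the identifier types named in the text, in their
// common US formats. Anything written differently (an SSN without hyphens,
// a phone number with a country code) passes through untouched: that is the
// false negative side of pattern-based screening.
var sensitivePatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"dob", regexp.MustCompile(`\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`)},
	{"phone", regexp.MustCompile(`\b\d{3}[-. ]\d{3}[-. ]\d{4}\b`)},
}

// sampleRecord is a constructed input. The visit date at the end is not a
// date of birth, but the dob pattern cannot tell the difference.
const sampleRecord = "Patient John Doe, SSN 123-45-6789, DOB 04/12/1975, phone 555-867-5309, visit 03/02/2011"

// Redactor screens outbound records. Mask is irreversible; Tokenize swaps
// each value for a keyed token and records the original in a vault that
// stays on the premises, so returning results can be re-joined.
type Redactor struct {
	key   []byte
	vault map[string]string // token -> original value; never sent to the provider
}

func NewRedactor(key []byte) *Redactor {
	return &Redactor{key: key, vault: make(map[string]string)}
}

// Mask replaces each match with filler characters of the same length,
// tagged with the pattern name so downstream logs show what was removed.
func (r *Redactor) Mask(s string) string {
	for _, p := range sensitivePatterns {
		s = p.re.ReplaceAllStringFunc(s, func(m string) string {
			return fmt.Sprintf("[%s:%s]", p.name, strings.Repeat("X", len(m)))
		})
	}
	return s
}

// Tokenize replaces each match with an HMAC-SHA256 derived token. The same
// value always maps to the same token, so the provider can still group or
// join on it, but recovering the value needs the key and vault kept here.
// SSNs and phone numbers have little entropy, so a leaked key would let an
// attacker enumerate them: the key must never reach the provider.
func (r *Redactor) Tokenize(s string) string {
	for _, p := range sensitivePatterns {
		s = p.re.ReplaceAllStringFunc(s, func(m string) string {
			mac := hmac.New(sha256.New, r.key)
			mac.Write([]byte(p.name + ":" + m))
			tok := p.name + "_" + hex.EncodeToString(mac.Sum(nil))[:16]
			r.vault[tok] = m
			return tok
		})
	}
	return s
}

// Detokenize restores the original values in data coming back from the
// provider, using the on-premises vault.
func (r *Redactor) Detokenize(s string) string {
	for tok, orig := range r.vault {
		s = strings.ReplaceAll(s, tok, orig)
	}
	return s
}

func main() {
	r := NewRedactor([]byte("constructed key, held on premises")) // not a real secret
	fmt.Println(r.Mask(sampleRecord))
	t := r.Tokenize(sampleRecord)
	fmt.Println(t)
	fmt.Println(r.Detokenize(t) == sampleRecord)
}
```

Run it and both dates come out masked, which is the point: before trusting a screen like this, run it over a sample of real records and read what it removed and what it missed.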

For large enterprises one of the most difficult issues with Cloud providers is multi-tenancy. For reasons of economies of scale, it is very likely that your provider hosts your data alongside several of your potential or real competitors on the same infrastructure. It is then critical that this risk is mitigated through well thought out approaches. Some of the more common strategies include: (i) Encrypting sensitive data fields with strong encryption, with the keys held by your application (or an on-premises key management system), so that only your application can decrypt them for consumption. As the data sits in the database it is unreadable to a systems administrator of the Cloud provider. This is a good solution, with two costs: encryption and decryption consume resources and will slow your application down if overused, and the provider's database can no longer search, sort or index on an encrypted field. (ii) Very granular access control, locking down access to individual fields based on roles, so that a compromised or over-privileged account sees only the fields its role needs.
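To make strategies (i) and (ii) concrete, here is an added example written for this post (not any provider's or product's code) that encrypts the sensitive columns of a row with AES-256-GCM before it is stored, and decrypts on read only the columns a role is entitled to. The column names, the role policy and the choice of AES-GCM with the column name as associated data are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Record is a row as the application sees it; StoredRecord is what sits in
// the provider's database, and so what the provider's administrators can read.
type Record map[string]string
type StoredRecord map[string]string

// sensitiveFields are the columns encrypted before they leave the premises.
var sensitiveFields = map[string]bool{"ssn": true, "salary": true, "diagnosis": true}

// rolePolicy is approach (ii): the sensitive fields each role may decrypt.
var rolePolicy = map[string][]string{
	"hr":        {"ssn", "salary"},
	"physician": {"diagnosis"},
}

// FieldCipher wraps AES-256-GCM. The key belongs in the application tier or
// an on-premises KMS/HSM, never in the provider's database beside the data.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// seal encrypts one value under a fresh random nonce and binds it to its
// column name, so a ciphertext copied into another column will not open.
func (f *FieldCipher) seal(field, value string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

func (f *FieldCipher) open(field, enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(ct) < n {
		return "", fmt.Errorf("field %q: ciphertext too short", field)
	}
	pt, err := f.aead.Open(nil, ct[:n], ct[n:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// Store encrypts the sensitive fields; the rest stay in clear so the provider
// can still index and query on them (encrypted fields cannot be searched).
func (f *FieldCipher) Store(rec Record) (StoredRecord, error) {
	out := StoredRecord{}
	for k, v := range rec {
		if !sensitiveFields[k] {
			out[k] = v
			continue
		}
		enc, err := f.seal(k, v)
		if err != nil {
			return nil, err
		}
		out[k] = enc
	}
	return out, nil
}

// View returns the record as a role may see it: permitted sensitive fields
// decrypted, the rest returned as the opaque ciphertext the DBA sees.
func (f *FieldCipher) View(role string, stored StoredRecord) (Record, error) {
	allowed := map[string]bool{}
	for _, k := range rolePolicy[role] {
		allowed[k] = true
	}
	out := Record{}
	for k, v := range stored {
		if !sensitiveFields[k] || !allowed[k] {
			out[k] = v
			continue
		}
		pt, err := f.open(k, v)
		if err != nil {
			return nil, err
		}
		out[k] = pt
	}
	return out, nil
}
```

Binding the column name as associated data is the detail worth copying: without it, an administrator who copies the ciphertext of one column into another (a salary into a field some role may read) would get it decrypted for free. A role not listed in the policy sees only ciphertext, which is the failure mode you want.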

Once you have worked through the data encryption and access control policies, you still have to resolve the questions of (i) who owns the data (usually the client corporation, very rarely the Cloud provider), (ii) how the data will be backed up and made available outside the Cloud, in case your Cloud provider ceases operation or suffers a catastrophic crash, and (iii) what happens to the data after your contract with the provider terminates (usually the data and its backups are verifiably erased, and the contract should say how and within what period).


Monitoring

The best Cloud providers already have well regarded logging and monitoring suites, but your corporation may choose a centralized logging or SIEM strategy, with security events such as logins (successful and failed), privilege changes, bulk exports and record deletions forwarded to a central platform on your premises or in the Cloud, so that there is one place to turn for forensics when things go wrong. Agree up front which events the provider will export, in what format, with what retention, and with timestamps in a known time zone, since you cannot correlate what you never collected.

It is also vitally important to have contractual access to the incident logs and incident reports generated by the Cloud provider that are specific to your corporation, together with an agreed timeline for notifying you of a breach.
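What the central platform does with those events is the part worth planning before the first log arrives. The following is an added example for this post, not any SIEM vendor's or provider's code: it normalizes a constructed newline-delimited JSON export into one event shape and runs two simple sliding-window rules over it, bulk record deletion by one user and a login that succeeds right after a run of failures from the same address. The event schema, the field names and the thresholds are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the normalized shape the on-premises SIEM stores, whichever provider
// produced the record. The field names are an assumption of this example.
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Action string    `json:"action"` // login, login_failed, record_delete, ...
	Object string    `json:"object"`
	SrcIP  string    `json:"src_ip"`
}

// Alert names the rule that fired and the account it fired for.
type Alert struct{ Rule, User string }

// sampleLog is a constructed provider export, one JSON object per line: one user
// deleting five records in fifteen seconds, a login that succeeds right after
// four failures from the same address, and an unremarkable single delete.
const sampleLog = `
{"time":"2011-02-14T09:01:10Z","user":"bob","action":"record_delete","object":"invoice/4411","src_ip":"203.0.113.7"}
{"time":"2011-02-14T09:01:12Z","user":"bob","action":"record_delete","object":"invoice/4412","src_ip":"203.0.113.7"}
{"time":"2011-02-14T09:01:15Z","user":"bob","action":"record_delete","object":"invoice/4413","src_ip":"203.0.113.7"}
{"time":"2011-02-14T09:01:20Z","user":"bob","action":"record_delete","object":"invoice/4414","src_ip":"203.0.113.7"}
{"time":"2011-02-14T09:01:25Z","user":"bob","action":"record_delete","object":"invoice/4415","src_ip":"203.0.113.7"}
{"time":"2011-02-14T09:30:00Z","user":"alice","action":"login_failed","object":"","src_ip":"198.51.100.23"}
{"time":"2011-02-14T09:30:03Z","user":"alice","action":"login_failed","object":"","src_ip":"198.51.100.23"}
{"time":"2011-02-14T09:30:06Z","user":"alice","action":"login_failed","object":"","src_ip":"198.51.100.23"}
{"time":"2011-02-14T09:30:09Z","user":"alice","action":"login_failed","object":"","src_ip":"198.51.100.23"}
{"time":"2011-02-14T09:30:12Z","user":"alice","action":"login","object":"","src_ip":"198.51.100.23"}
{"time":"2011-02-14T10:15:00Z","user":"carol","action":"record_delete","object":"invoice/9001","src_ip":"192.0.2.50"}
`

// ParseEvents decodes newline-delimited JSON into normalized events.
func ParseEvents(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// prune drops timestamps older than window relative to now; ts is in time order.
func prune(ts []time.Time, now time.Time, window time.Duration) []time.Time {
	i := 0
	for i < len(ts) && now.Sub(ts[i]) > window {
		i++
	}
	return ts[i:]
}

// Detect applies two sliding-window rules: deleteThreshold record deletions by
// one user within window, and a successful login from an address that produced
// failThreshold failed logins within window. State is cleared once a rule fires.
func Detect(events []Event, window time.Duration, deleteThreshold, failThreshold int) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	deletes := map[string][]time.Time{}  // user -> recent delete times
	failures := map[string][]time.Time{} // src_ip -> recent failed login times
	var alerts []Alert
	for _, e := range events {
		switch e.Action {
		case "record_delete":
			deletes[e.User] = append(prune(deletes[e.User], e.Time, window), e.Time)
			if len(deletes[e.User]) >= deleteThreshold {
				alerts = append(alerts, Alert{"bulk_delete", e.User})
				deletes[e.User] = nil
			}
		case "login_failed":
			failures[e.SrcIP] = append(prune(failures[e.SrcIP], e.Time, window), e.Time)
		case "login":
			if len(prune(failures[e.SrcIP], e.Time, window)) >= failThreshold {
				alerts = append(alerts, Alert{"login_after_failures", e.User})
			}
			failures[e.SrcIP] = nil
		}
	}
	return alerts
}

// Run parses the sample export with the thresholds used in this example.
func Run() ([]Alert, error) {
	events, err := ParseEvents(sampleLog)
	if err != nil {
		return nil, err
	}
	return Detect(events, 5*time.Minute, 5, 4), nil
}
```

Both rules depend on the provider exporting failed logins and deletions with usable timestamps and source addresses, which is why the export format and retention need to be agreed in the contract rather than discovered during an incident.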


Regulations

Outside of the security controls you will put into place as part of your strategy of securing data for your Enterprise, you may have to comply with a variety of Regulatory regimes depending on where you do business and what kind of data you process. 

When doing business with European countries, Safe Harbor certification signals general compliance with the principles of EU data privacy law. Safe Harbor is the framework agreed between the EU and the US Department of Commerce to bridge the differing data privacy regimes in their respective geographies; US companies self-certify to the Department of Commerce annually, and the FTC enforces the commitments they make. Check that your provider's certification is current and covers the type of data you will transfer.

PCI DSS is a standard set by the payment card brands through the PCI Security Standards Council. It applies to any organization that stores, processes or transmits cardholder data, not only financial services companies, and a provider's own PCI compliance does not make you compliant: ask for a responsibility matrix that states which requirements the provider covers and which remain yours.

Finally, HIPAA is a US data privacy law covering medical records (protected health information) that is broad in its scope and reach. Companies that deal with healthcare companies may be forced to comply with its requirements, and since the 2009 HITECH Act its Security Rule applies directly to business associates; a Cloud provider that holds protected health information for you will need to sign a business associate agreement.


Conclusion

As you can see, Security in the Cloud is less a specific technology than a family of technologies, policies and strategic choices. However, there is no doubt whatsoever that it is one of the critical areas for IT investment in 2011.


