Security in the Cloud: A Risk-Based Approach Towards Providers
Sr. Regional Director - India & SAARC
Vishak Raman, Sr. Regional Director for India & SAARC at Fortinet, comes to the company with over 10 years' experience in sales, marketing and business development at security and channel companies such as WatchGuard and Satyam Infoway. Before joining Fortinet, Raman served as Country Manager for India at WatchGuard. He was responsible for growing the WatchGuard channel strategy in India, and grew sales to more than half a million USD in two years.
Prior to WatchGuard, Raman served as the product manager for the Internet and Network Security business of Satyam InfoWay Ltd., where he struck alliances with security vendors and supported the field with solution design and product information.
Raman holds a Bachelor of Engineering in Computer Science from the PSG College of Technology and a PGDBM (Post Graduate Diploma in Business Management) from IIM Ahmedabad (96-98 batch).
Internet and technology have revolutionized communications, opening the door to a new business environment, in which companies can focus on their core competency by transferring IT to ‘the Cloud’. Does this bring new challenges in securing business critical data? Not really. But, it does require extra vigilance and thorough planning.
Recent stories on network interruptions and system break-ins have made many organizations hesitant about transferring data, applications and/or processes to the Cloud. In 2011, the Amazon EC2 network failed, causing a large number of websites to be unavailable for three days. Around the same time, Sony Corporation was forced to shut down its cloud services after it had become publicly known that a hacker had gained access to the private information of more than 77 million users of the online PlayStation Network.
These incidents prompt both experts and customers to wonder whether security becomes a greater issue with cloud computing than it is with other forms of hosting. Not really, even though the different service models and technologies used to deliver cloud services do introduce new risks. For an organization, opting for cloud computing means losing control over its IT environment while retaining the liability for it, even when the responsibility for operations is handed over to a third party.
As far as risks are concerned, cloud services are no more challenging than the average applications in the private datacenter of an organization. In both cases, the level of protection is equal to the security measures taken based on the risk analysis. This includes measures taken for physical, network, system, and information security. It may also involve additional measures, such as access policies and rules of conduct for employees and processes.
The most important question any organization should ask itself prior to stepping into the Cloud is: ‘Is my cloud provider able to match or surpass my own level of protection?’ The profitability resulting from scalability, uniformity and standardization, is one of the most attractive benefits of cloud computing. However, cloud providers must also offer services that are flexible enough to satisfy the largest customer base possible, and consequently, security measures are seen as constraints in reaching such flexibility. This is the main reason why cloud providers are often unable to offer the same level of security as the one found in traditional IT environments.
If cloud providers cannot offer trusted security measures, then sound agreements must be made regarding responsibility. In Software as a Service (SaaS) environments, security measures and their scope are formulated in contracts. In the Infrastructure as a Service (IaaS) model, the security of the underlying infrastructure, and of the layers based on it, falls under the responsibility of the IaaS provider. The remainder of the chain, such as the operating systems, applications and data leveraging the infrastructure, is the responsibility of the customer. The Platform as a Service (PaaS) model is positioned somewhere in between SaaS and IaaS. The security of the platform is part of the responsibilities of the PaaS provider; however, the customer is responsible for securing the applications developed on that platform.
It is important to assign responsibilities in the event incidents or disasters occur, as proved by the disruption of the Amazon EC2 network. In that case, there were no redundant back-up servers at a remote location to maintain operations. There was also no fail-over system to temporarily transfer services to another cloud provider. Amazon learned an old lesson the hard way: a good start is half of the battle. Of course, this not only applies to cloud providers but also to enterprises, which should plan for such risks.
If information security in the private datacenter requires strict rules and measures, the same goes for the Cloud. The cost savings of a SaaS application are worthless if data and reputation are compromised. The cloud provider must warrant the security of the Cloud, but also that of the network and the physical environment. It is therefore important to select a cloud provider with a solid track record, expertise and best solutions in the area of network and operating system security. That provider should also be able to demonstrate that all security risks have been reviewed and are considered acceptable, that the system protection has been tested, and that threats can be controlled or averted. In addition, it is important to assess how the cloud provider responds to incidents. For instance, is a security operations center (SOC) in place?
Finally, network security should protect all virtual access points to the cloud. Cloud providers must employ well-managed security rules and procedures to block attacks. They should also be able to search for and stop emerging threats before these can pose a real danger.
In virtual computing, physical security measures easily drop out of sight. However, whether a service provider offers external support through datacenter services, managed services or a cloud service, it remains imperative to assess what physical security measures have been taken at the location where the data is housed. Have access gates been installed? Is there surveillance in place? It is also recommended to select a cloud provider that warrants physical security measures according to the SAS 70 or ISO 9000 certification.
Social engineering is on the rise as a means to break through the physical or network security perimeters. People attempt to obtain the trust of employees by telephone or in person in order to gain access to the datacenter or to lure employees into sharing information they can in turn use to hack data systems. Consequently, in addition to technical measures, the cloud provider must define and enforce rules of conduct and social guidelines for employees. A great way to test compliance with these rules is by hiring the services of an ‘ethical hacker’, who will try to gain access to the physical and digital environments on behalf of the customer.
When thinking about physical security, it is also advisable to look at the specific solutions the cloud provider has in place for disaster recovery. Where is data stored when it is not in use? Is the data encrypted and available in a redundant remote location?
One feature of cloud computing is that multiple users leverage the same application or hardware. This so-called ‘multi-tenant’ environment implies that multiple organizations’ information is present on one physical system. It is therefore critical to ensure that the systems are segmented correctly and that their data and applications are fully separated from each other. However, virtual environments operate differently from traditional servers. With the latter, all traffic can be monitored on the spot as it passes through a physical Ethernet switch or router. In a virtual environment, data is streamed through a virtual adapter without ever passing through any physical device. This creates a blind spot in the communication between the datacenter and the end user, and consequently a potential security issue. Setting up a physical or virtual security appliance between the cloud provider and the private organization may prove to be a smart solution, as it will help provide the right mix of performance and control across the traffic streams.
In conclusion, there are many different ways to approach the Cloud: via the SPI service models (Software-as-a-Service, Platform-as-a-Service, or Infrastructure-as-a-Service), the public versus private cloud, internal versus external hosting, and a large number of hybrid solutions in between. Given the number of options, there is no standard list of security measures that covers all possible events exhaustively. So, before moving forward, organizations should apply a risk-based approach towards the Cloud and make sure that the necessary security measures do not impede the expected efficiency and cost benefits of their cloud solutions.
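The segmentation problem described above (tenants sharing one physical host, with traffic that never crosses a physical switch) can be checked from flow records exported by the virtual switch itself. The script below is an added illustration, not code from the article or from any product it mentions: it assumes a constructed tenant-to-VLAN/subnet map, a constructed record format (`vlan=… src=… dst=… dport=…`), and an assumed shared-services range that every tenant may reach, and it flags cross-tenant flows and tenant traffic appearing on the wrong VLAN.

```python
"""Cross-tenant flow audit for a multi-tenant virtual switch (illustrative example).

Constructed example: the tenant segmentation map, the shared-services range and the
flow record format are all invented for this illustration; real hypervisors export
flow data in their own formats.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed segmentation map: each tenant owns one VLAN and one address range.
TENANT_SEGMENTS = {
    "tenant-a": {"vlan": 101, "cidr": ipaddress.ip_network("10.1.0.0/24")},
    "tenant-b": {"vlan": 102, "cidr": ipaddress.ip_network("10.2.0.0/24")},
    "tenant-c": {"vlan": 103, "cidr": ipaddress.ip_network("10.3.0.0/24")},
}

# Assumed provider-run shared services (DNS, NTP, ...) that every tenant may reach.
SHARED_SERVICES = ipaddress.ip_network("10.255.0.0/24")


@dataclass
class Flow:
    vlan: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record such as 'vlan=101 src=10.1.0.5 dst=10.1.0.9 dport=443'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(int(fields["vlan"]), ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))


def tenant_of(addr) -> Optional[str]:
    """Map an address (string or ip_address) to the tenant whose segment contains it."""
    addr = ipaddress.ip_address(addr)
    for name, seg in TENANT_SEGMENTS.items():
        if addr in seg["cidr"]:
            return name
    return None


def audit_flow(flow: Flow) -> List[str]:
    """Return the policy violations for one flow; an empty list means the flow is allowed."""
    findings: List[str] = []
    src_t, dst_t = tenant_of(flow.src), tenant_of(flow.dst)
    if src_t is None:
        findings.append(f"source {flow.src} is not in any tenant segment")
        return findings
    expected_vlan = TENANT_SEGMENTS[src_t]["vlan"]
    if flow.vlan != expected_vlan:
        # Tenant addresses seen on another tenant's VLAN: segmentation is not holding.
        findings.append(f"{src_t} traffic seen on VLAN {flow.vlan}, expected {expected_vlan}")
    if flow.dst in SHARED_SERVICES:
        return findings  # shared services are reachable from every tenant
    if dst_t is None:
        findings.append(f"destination {flow.dst} is outside any tenant segment")
    elif dst_t != src_t:
        findings.append(f"cross-tenant flow {src_t} -> {dst_t} "
                        f"({flow.src} -> {flow.dst}:{flow.dport})")
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Audit many records; returns only the records that produced findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        findings = audit_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records: two allowed flows and two violations.
SAMPLE_FLOWS = [
    "vlan=101 src=10.1.0.5 dst=10.1.0.9 dport=443",     # intra-tenant: allowed
    "vlan=101 src=10.1.0.5 dst=10.255.0.10 dport=53",   # tenant to shared DNS: allowed
    "vlan=101 src=10.1.0.7 dst=10.2.0.4 dport=3306",    # tenant-a reaching tenant-b: violation
    "vlan=102 src=10.3.0.2 dst=10.3.0.3 dport=22",      # tenant-c addresses on VLAN 102: violation
]

if __name__ == "__main__":
    for record, findings in audit(SAMPLE_FLOWS).items():
        print(record)
        for finding in findings:
            print("  -", finding)
```

The point of running this against the virtual switch's own records rather than a physical tap is exactly the blind spot the article names: inter-VM traffic on one host never reaches the physical switch, so the segmentation evidence has to come from the hypervisor layer (or from a virtual security appliance placed in that path).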