Short Description: "Less hardware, scalable infrastructure, falling prices and maturing
services all make cloud computing very difficult to ignore. Organisations must
ensure they don't also ignore the security challenges of cloud models."
In the rush to take advantage of cloud's benefits,
businesses must properly manage the risks of handing over data, systems, and
infrastructure to a third party. As with any risk management process, this
is a challenge for the board as much as for the technical security team.
Security keeps cropping up as a (if not the)
major obstacle to cloud adoption — whether it’s applications or infrastructure
that is hosted in a private, hybrid or public cloud environment.
But are concerns about security in the cloud
misplaced? Evidence in the 2013 Data Breach Incident Report from Verizon (which
also owns cloud provider Terremark) suggests they are. Based on 47,000 breach
investigations in 2012, Verizon notes that "attacks against virtualisation
were not present, but attacks against weakly configured devices that happened
to be hosted in an external location were common — but not more common than
among internally hosted ones."
Do CIOs agree with these facts? Yes and no. For
every CIO who believes cloud security concerns are overrated, there's another
who believes cloud security issues are very real.
However, whether security concerns about the cloud
are exaggerated or not isn't the question under discussion here. The key issue
for businesses considering moving a workload to the cloud is to quantify and
address risks, from assessing which applications or infrastructure can be moved
to the cloud with an acceptable level of risk, to how they will be protected
once moved.
Cloud security: Same concept, different implementation
While the same concepts behind on-premise security
management apply in the cloud, there are nuances in their implementation that
may escape the board-level view, but could nonetheless be vital.
For example, customers may find security tools
they're familiar with on-premise are stripped back in the cloud. Network access
controls are just one example.
"Network access controls are typically far
more basic in the cloud compared to physical architectures, and the tools used
to manage the access controls are also more basic. This can lead to poorly
implemented network access controls that lead to unnecessary access to systems
and services," said Ty Miller, founder of security firm Threat
Intelligence.
"Physical security appliances ensure high
performance and can be made highly scalable with low level networking to load
balance packets across multiple security devices. Cloud environments are
designed to be scalable, but some virtual security devices don't have the same
performance as their hardware equivalent."
So how should businesses go about security risk
management when considering cloud service providers? Those considering
the cloud can be confronted by providers that only offer opaque visibility into
how they manage security and data. But isn't that scenario also true when
assessing a provider of closed-source software or an outsourcer that offers
assurances based on service level agreements?
The customer needs to build a framework to assess a
provider and compare them with rivals but not overburden the provider with
assurance requirements. In the end, the rigour of the risk assessment
process comes down to the depth of research a buyer is willing to go into ahead
of making a commitment.
"The first thing we're talking to clients
about is that not all clouds are equal," said Intelligent Business
Research Services security analyst James Turner.
"A prospective buyer should research what the
cloud vendor is prepared to commit to. Most cloud vendors have realised that
committing to SLAs has to be a token gesture that immature buyers will pay
attention to."
Different maturity levels on the buyer-side explain
why, in a recent survey (pdf) by cloud-management vendor RightScale, a third of
'cloud beginners' saw security as the major obstacle to moving to the cloud,
but only 13 percent of 'cloud focused' organisations (those that make
'heavy use' of cloud) shared that view.
"Mature buyers will know that no amount of
service credits can ever replace the business impact of a cloud failure. Cloud
vendors are in the unenviable position of offering to provide outstanding
business service and at the same time, putting themselves on the hook for
protecting their customer's information assets," said Turner.
The mega-bug outlier and the perennial question of data sovereignty
Last week's discovery of a security hole, dubbed Heartbleed,
in OpenSSL should give pause for thought to anyone weighing up risks in the
cloud. Implementing OpenSSL on a web server should have provided encrypted
communications over the internet, but instead, could be abused to leak user
passwords, private keys and session tokens.
The flaw affected components of on-premise systems,
private clouds and public cloud providers. But it has different ramifications
for the buyer: what looked like a sign that a service provider supports good
security practices turned out to be a major vulnerability. How does a buyer assess that?
Before Amazon Web Services applied the Heartbleed
patch, its elastic load balancers were vulnerable to the bug.
Microsoft's popular web server IIS is immune to the
bug, but it's not uncommon today to rely on a cloud provider for backup
services, such as Amazon Web Services' (AWS) Elastic Load Balancer.
"There are definitely lessons that have been
learnt via the Heartbleed vulnerability in relation to risks introduced by
cloud providers," Ty Miller, CEO of Threat Intelligence, told ZDNet.
"The AWS load balancer could still be
exploited to capture your private SSL certificates, and potentially usernames,
passwords and session cookies."
Fortunately, bugs like Heartbleed don't come along
every day. A more persistent issue has been data sovereignty and the fuzzy
legal risks that come with shifting data to a different jurisdiction. It's a
deal-breaker for many government agencies and some regulated industries,
particularly for those outside the US.
Sweden's Data Inspection Board last year undertook legal
action against one municipality and several schools that migrated from on-premise
systems to Google Apps. In addition to data sovereignty concerns, Google's
standard contract, in the Board's view, gave too much leeway for it to do as it
saw fit, which conflicted with the organisations' duties as a "data
controller".
The Swedish cloud cases occurred against the
backdrop of a much bigger shift within the European Union, which updated its
Data Protection Directive amidst calls by some Members of European Parliament
to cancel the US-Europe Safe Harbour Act that had allowed some US firms to
process data about EU citizens outside the continent.
"As part of any migration to the cloud,
enterprises need to ensure they are aware of and comfortable with the locations
where the data will be stored and the legal implications associated with those
locations," said Craig Searle, head of cyber for BAE Systems' Applied
Intelligence in the Asia Pacific region.
These are weighty issues that go past the technical
and into the legal and management sphere, and demonstrate why it's so important
that board-level executives are on top of cloud security challenges and exposures.