Cloud: What Information Security has been waiting for?
The advantages of cloud computing are clear: low running costs, little capital expenditure, no capacity issues, fewer depreciating assets and much more. The question, then, is why aren’t we all leaping in? The answer is simple: pure FUD.
Doubt, because there have been so many computing panaceas over the years that have delivered little and cost much.
Uncertainty over what the cloud really is: is it cluster computing, grid computing, virtualisation, SaaS, PaaS, IaaS, public, private, community, hybrid, all or none of the above?
And fear of the unknown, and especially fear over security issues.
According to IDC research published in August 2008 (IDC Enterprise Panel, n=244) security is ranked as the major challenge for cloud computing. Little has changed since then. In a more recent Osterman Research survey commissioned by Proofpoint to examine professional attitudes towards the cloud (August 2009), fifty percent of the IT professionals surveyed believe that sensitive data held in the cloud is inevitably at a higher risk of compromise, or likely to be in violation of government data protection laws, than that same data held on their own servers. “Because the public cloud is outside the firewall, there are concerns over security, data access, and privacy for enterprise customers. Public clouds also find it difficult to meet auditing, regulatory, and compliance requirements.” (Platform Computing, Enterprise Cloud Computing: Transforming IT, July 2009)
Security is clearly a genuine concern. But is it a valid concern, or more the result of that FUD that sticks to any new technology, never mind the huge paradigm shift that is a move from the local computer room to the remote and nebulous cloud? And yet most of us are already users of cloud computing. We happily use Googlemail or Hotmail to handle our email. We use Facebook to maintain links with our friends, and we use LinkedIn to manage our business contacts. In each of these cases we have moved a personal computing requirement onto the internet (that is, into the cloud) in order to leverage the power of the internet, to reduce our costs, and to improve the performance of the function. Security is, as it should always be, an issue. We know, for example, that Facebook is visible to the world, so we take care over what information we put on it. We know that email providers scan our emails; we know that our emails are stored on their servers – and yet we choose to trust them. If the email is particularly sensitive, we have the option of encrypting it. In both cases we weigh the risk against the threat and take the appropriate action.
The question is, if we move more and more of our business computing requirements onto the internet, can we weigh the risk with the threat and come up with a suitable response? To answer this, we need first to examine the threats. This is simple. They are the same threats we already face: data loss, insider threats, compliance requirements around data protection and privacy, hackers and so on.
Let’s consider the hacker threat first. In July 2009 there was a widely reported password hack into Twitter – or more specifically, the Googlemail account of one of its senior executives. This allowed the hacker access to sensitive messages and all of the executive’s Google Apps. Both Google and Twitter can be considered cloud applications, so the question is ‘does this prove the insecurity of the cloud?’
It does not. It was a simple password breach that could have happened anywhere. If you have weak password security, you’ll get hacked, whether it’s on your desktop, in the computer room, or in the cloud. The solution is not to abandon the cloud, but to improve your password security. And the same basic principle applies to all security threats in the cloud.
As it happens, Gary Wood (research consultant at the Information Security Forum and co-author of a new ISF report called Security Implications of Cloud Computing) believes that direct password cracking is more rare than most people think. “If the hacker doesn’t have access to the back-end store or personal knowledge of the target, and provided it’s been set up to block access after three failed attempts, it’s near impossible to break into an account.” ‘Password hack’, he believes, is a term commonly used for a wide variety of password breaches; not the least being password-stealing malware dropped onto the desktop after visiting a poisoned website. This, however, is a problem that cloud computing can help mitigate, and one we’ll come back to later.
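The lockout control Wood describes, as an added example (this is not code from the ISF report or from any product the article mentions): a small Go authenticator that blocks an account after three failed attempts, and the same dictionary attack run against it with and without that control. The user name, password and word list are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Lockout threshold from the text: block after three failed attempts.
const maxFailures = 3

// Account is a hypothetical login record. The password is kept in clear only to
// keep the example short; a real service stores a salted hash and compares hashes.
type Account struct {
	Password    string
	Failures    int
	LockedUntil time.Time
}

// Authenticator checks credentials and, when lockout is non-zero, refuses every
// attempt against an account for that long after maxFailures bad guesses.
type Authenticator struct {
	accounts map[string]*Account
	lockout  time.Duration
	now      func() time.Time // injectable clock
}

func NewAuthenticator(lockout time.Duration) *Authenticator {
	return &Authenticator{accounts: map[string]*Account{}, lockout: lockout, now: time.Now}
}

func (a *Authenticator) AddUser(name, password string) {
	a.accounts[name] = &Account{Password: password}
}

// Login returns true only if the password matches and the account is not locked.
// A locked account rejects the attempt before the password is compared, so the
// attacker learns nothing from guesses made during the lockout window.
func (a *Authenticator) Login(name, password string) bool {
	acct, ok := a.accounts[name]
	if !ok {
		return false
	}
	if a.lockout > 0 && a.now().Before(acct.LockedUntil) {
		return false
	}
	if password != acct.Password {
		acct.Failures++
		if a.lockout > 0 && acct.Failures >= maxFailures {
			acct.LockedUntil = a.now().Add(a.lockout)
			acct.Failures = 0
		}
		return false
	}
	acct.Failures = 0
	return true
}

// Dictionary is a constructed word list; the target's password is the last entry,
// so an unthrottled attacker needs exactly len(Dictionary) guesses.
var Dictionary = []string{"password", "123456", "letmein", "qwerty", "summer09", "welcome1"}

// DictionaryAttack tries each word in turn and reports how many guesses were made
// and whether any of them logged in.
func DictionaryAttack(a *Authenticator, user string) (guesses int, success bool) {
	for _, guess := range Dictionary {
		guesses++
		if a.Login(user, guess) {
			return guesses, true
		}
	}
	return guesses, false
}

func main() {
	open := NewAuthenticator(0) // no lockout at all
	open.AddUser("exec", "welcome1")
	g, ok := DictionaryAttack(open, "exec")
	fmt.Printf("no lockout:       cracked=%v after %d guesses\n", ok, g)

	locked := NewAuthenticator(15 * time.Minute)
	locked.AddUser("exec", "welcome1")
	g, ok = DictionaryAttack(locked, "exec")
	fmt.Printf("3-strike lockout: cracked=%v after %d guesses\n", ok, g)
}
```

Without the lockout the attack succeeds on the sixth guess; with it, the third failure locks the account and the correct password is refused along with everything else for the next fifteen minutes. Two caveats a practitioner should keep in mind: a per-account lockout does nothing against an attacker who tries one common password across many accounts, and it lets anyone who knows a user name lock that user out on purpose. Neither caveat touches Wood's point, which is that it is far easier to steal a password from the desktop than to guess it.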
What about the insider threat? Clearly, if you don’t control who is employed, you have no direct control over this threat. But while that is a valid concern, it doesn’t describe the true situation. Do you, for example, have full control over your existing employees? The answer can only relate to the care and concern with which you vet your staff and the quality of your security policy. If you move to the cloud, you effectively outsource that care and concern to the cloud provider.
It is almost invariably true that this cloud provider will have greater security expertise than your own organization. If you are a large corporation, this is still probably true. If you are an SME or start-up, this is most definitely true. The secret to security in the cloud therefore starts with your relationship with the cloud provider. You need to leverage their expertise to your advantage. The starting point is due diligence. You need to make sure that your preferred provider has the ability and expertise to provide you with the trust you need for a secure operation. In practice that means asking for evidence rather than assurances: independent audit reports, where your data will be held and who at the provider can reach it, how and how quickly you will be told about a breach, and how you get your data back (and erased) when you leave. And then you need to cement that into a clear service level agreement. “The cloud is not a one-menu shop,” says Gary Wood. “If the menu isn’t what you want, you can go to a different restaurant. If you’re big enough, you could even persuade them to change the menu. And if you’re a small company and can’t change the menu it will still be better than the one you can get at home.”
Having chosen a provider that will suit, you should next examine the potential for data loss, and any difficulties in legal compliance. Are these problems or opportunities? Eric Baize (Senior Director, Secure Infrastructure Group, EMC Corporation) has no doubts. He is excited by the cloud. “It is an opportunity to build security into the framework, rather than bolt it on from the outside as we have had to do in the past.” He uses content-aware storage as supplied by EMC’s Atmos, as an example. Many people fear that local data protection laws will be difficult to obey in the cloud. Baize believes that it is an opportunity to build security consciousness into systems at the data rather than hardware level. With Atmos, different rules can be applied to different categories of data. Specific rules could be applied, for example, to personally identifiable information. EU data could be forced to reside on virtual servers that are physically located within the EU to conform with EU regulations. Indeed, the whole concept of data loss prevention and compliance can be designed into the structure of the system at the data level.
Peter Shillito, Lead Security Architect for cloud services provider Fujitsu, takes a similar view. “For years we have talked about ‘de-perimeterizing’ security. The cloud gives us the opportunity. Consider security and event management (SIEM). Traditionally, it is all about gathering and interpreting data triggered by security devices such as firewalls.”
Traditionally, firewalls have been situated between our own servers in our own data centres and the internet on the outside. Really, they have been protecting routes into the room rather than the data, leaving the data itself exposed to anyone who finds a different way into the room. But the physical location of the data held within the cloud is not so easy to specify. While firewalls remain important, the development of cloud computing offers the opportunity for us to consider protecting the data rather than just its location.
“SIEM principles,” says Shillito, “can be expanded to manage data behaviour as well as security incidents. For example, if we look at content-aware storage we can specify where certain data should reside. But with cloud-based SIEM, we can also monitor who is looking at that data, and from where. The SIEM could traditionally warn us of an external hack attempt; but we can now develop a system that tells us if somebody inappropriate is accessing the data even if they are not triggering a traditional security event. By moving our storage into the cloud, we are forced to look at the data itself rather than its physical location, and this in turn gives us the opportunity to design security from the base up.” In other words, cloud development gives us the opportunity to monitor events at the data level rather than the perimeter level, and this will provide greater flexibility in our security options.
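Both ideas, placement rules that follow the data’s classification (Baize’s Atmos example) and monitoring of who reads the data from where regardless of perimeter events (Shillito’s data-level SIEM), can be seen together in a small Go program. This is an added example, not code from EMC, Fujitsu or any SIEM product; the classifications, regions, groups, object catalogue and access-log lines are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type Classification string

const (
	Public Classification = "public"
	PII    Classification = "pii"    // personal data, any approved region
	EUPII  Classification = "eu-pii" // personal data that must stay inside the EU
)

// Policy is a hypothetical rule set attached to a classification, not to a server.
type Policy struct {
	AllowedRegions map[string]bool // where the data may be stored and read from
	AllowedGroups  map[string]bool // who may read it; "*" means anyone
}

func set(items ...string) map[string]bool {
	m := map[string]bool{}
	for _, it := range items {
		m[it] = true
	}
	return m
}

var Policies = map[Classification]Policy{
	Public: {set("eu-west", "us-east", "ap-south"), set("*")},
	PII:    {set("eu-west", "us-east"), set("hr", "finance")},
	EUPII:  {set("eu-west"), set("hr")},
}

// Objects is a constructed catalogue: object name -> classification.
var Objects = map[string]Classification{
	"payroll-eu.csv": EUPII,
	"staff-us.csv":   PII,
	"brochure.pdf":   Public,
}

// PlacementAllowed is the content-aware placement rule: may this object live in region?
func PlacementAllowed(object, region string) bool {
	return Policies[Objects[object]].AllowedRegions[region]
}

// Access is one parsed line of the storage service's access log.
type Access struct{ User, Group, Region, Object string }

// SampleLog is constructed. Every line is a successful, authenticated read;
// none of them would trip a firewall or intrusion-detection rule.
var SampleLog = []string{
	"user=alice group=hr region=eu-west object=payroll-eu.csv",
	"user=bob group=finance region=us-east object=payroll-eu.csv",
	"user=carol group=marketing region=ap-south object=brochure.pdf",
	"user=dave group=hr region=ap-south object=staff-us.csv",
}

// ParseAccessLog reads the key=value fields of each line.
func ParseAccessLog(lines []string) []Access {
	var out []Access
	for _, line := range lines {
		f := map[string]string{}
		for _, field := range strings.Fields(line) {
			if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
				f[kv[0]] = kv[1]
			}
		}
		out = append(out, Access{f["user"], f["group"], f["region"], f["object"]})
	}
	return out
}

// Audit checks each access against the policy of the data it touched and returns one
// alert per violation: unknown object, reader outside the permitted groups, or wrong region.
func Audit(log []Access) []string {
	var alerts []string
	for _, a := range log {
		class, known := Objects[a.Object]
		if !known {
			alerts = append(alerts, fmt.Sprintf("%s read unknown object %s", a.User, a.Object))
			continue
		}
		p := Policies[class]
		if !p.AllowedGroups["*"] && !p.AllowedGroups[a.Group] {
			alerts = append(alerts, fmt.Sprintf("%s (%s) read %s [%s]: group not permitted", a.User, a.Group, a.Object, class))
		}
		if !p.AllowedRegions[a.Region] {
			alerts = append(alerts, fmt.Sprintf("%s read %s [%s] from %s: region not permitted", a.User, a.Object, class, a.Region))
		}
	}
	return alerts
}

func main() {
	fmt.Println("place payroll-eu.csv in us-east?", PlacementAllowed("payroll-eu.csv", "us-east"))
	for _, alert := range Audit(ParseAccessLog(SampleLog)) {
		fmt.Println("ALERT:", alert)
	}
}
```

Run against the sample log it raises three alerts: bob, in finance, reads EU payroll data from us-east (wrong group and wrong region), and dave, who is entitled to read US staff data, does so from a region where that data may not be. Alice and carol are clean. The point is the one Shillito makes: every one of those reads was an authenticated, successful request that no perimeter device would have flagged; the alert comes from comparing the access against the policy that belongs to the data.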
But there is an even easier way to ensure compliance within the cloud: encryption. Encryption is, of course, already available; but it is so rarely used. Time and again we hear new cases where even government loses unencrypted data. Perhaps the problem is that encryption is too obvious; it has become familiar and we treat it with contempt. But in the cloud, encryption is not merely obvious, it is essential. “In [the de-perimeterized cloud] world, there is only one way to secure the computing resources: strong encryption and scalable key management… Safe harbor provisions in laws and regulations consider lost encrypted data as not lost at all.” (Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance, 2009) Compliance becomes so much easier if you cannot lose the data!
In our earlier example of the threat to data via password hacks, we said we’d come back to the threat from the desktop. The desktop is a bigger nightmare for the majority of system administrators than is the hacker, because it is usually the desktop (or more specifically, the behaviour of the desktop user – that is, you and me) that lets the hacker in. We break the rules. We don’t patch our PCs. We go where we shouldn’t go, and we do what we shouldn’t do. In short, we catch infections and then pass them on to the body corporate.
Once again, a move to cloud computing can help. “A hosted virtual desktop environment enabled by platforms such as VMware View,” explains Eric Baize, “separates the corporate desktop from the underlying hardware giving almost real-time control to the desktop administrators on desktop images. Furthermore, end-user data does not leave the data center even when it is used by the end-user, and virtualisation isolation characteristics ensure that the non-corporate use of the desktop does not interfere with its corporate use, thus greatly reducing the risk posed to corporate assets by infected desktops. Hosted virtual desktops do not change the end-user behavior but they put full control and visibility of the corporate desktop back in the hands of the IT administrator.”
It seems that everywhere we look at the challenges for security in cloud computing we find relatively easy solutions that don’t merely meet the challenge, they provide a level of security greater than we currently have. Security is not a problem in cloud computing, it is an opportunity. And here’s one, courtesy of Gary Wood, that is the icing on the cake. “Patching is one of the big headaches for administrators.” Doing it interferes with the users; not doing it leaves us insecure. The solution? Use the cloud. “Hire a few extra servers for a couple of days, mirror your system, install the patches without interfering with the users, test, and then flip.”
This article was written in the cloud using Google Docs. It meant that the author could continue research and writing whether at home with the iMac, in the office with the Dell, or on the road with the Netbook. Telephone interviews were conducted through the cloud with Skype. It required no additional hardware, nor any costly word processing or telephone software. Just access to the cloud.