How to manage security in the cloud

Share on facebook
Share on twitter
Share on linkedin
Share on email

By Jun Pecho Cloud is a computing model and a proven delivery platform for providing IT services over the Internet, and the good part of it, from a capital expenditure to acquire the solution, it turns into operational expense as subscription costs to implement cloud solutions. Companies build cloud infrastructures to increase their business service agility and streamline their IT group to efficiently support the business requirement as it becomes dynamic in rolling out their new services. The benefits that companies get from cloud computing are concrete and so is the potential danger of exposing their customer?s data if the cloud infrastructure is not properly secured. Cloud computing offers many advantages including economies of scale, greater business agility, and improved cost controls. But the recent spate of high-profile security breaches raises serious concerns about how vulnerable clouds can lead to compromises if companies don?t cover all their bases. According to the Identity Theft Resource Centre (ITRC), in the period between January 2010 and May 2011, there were 130 cloud breaches leading to the exposure of 9.5 million records. Some of the recent harrowing accounts include hackers breaking into RSA in March 2011 and stealing SecurID tokens for accessing sensitive corporate systems in companies such as Lockheed Martin, Bank of America, and various others. Sony also encountered major hacks in May 2011, which affected several of its gaming systems, and possibly compromising tens of millions of credit card numbers; while Citigroup had 360,000 credit card numbers accessed by hackers. These incidents serve to highlight that worrying trend of businesses rushing into the cloud at the expense of security ? one of the biggest mistakes in an era of collaboration and connectivity. Aside from the rush to create cloud infrastructures, the move to ?outsource? and entrust IT operations and its data to a third party cloud provider, makes it harder for companies to maintain data privacy. Mistakes of cloud adoption As a relatively new technology, cloud computing holds many challenges that were initially overlooked by early adopters. They include ensuring proper protection of sensitive data, managing access control and identity, meeting regulatory compliance, and overcoming the complexities associated with running a multi-tenancy platform. Without a holistic cloud security strategy, typical mistakes include: Mistake #1: Going for a one-size-fits-all solution The tendency, particularly in an economic downturn, is for companies to seek the lowest cost option. This often means a one-size-fits-all solution that caters to the lowest demands. To boost security in their cloud implementations, businesses must choose the right cloud for their workloads. For example, while the public, multi-tenanted cloud is the most prevalent type of cloud, it is not always the most appropriate for all business needs . Workloads running sensitive information such as identity or credit card details require private access and customized private or hybrid clouds to reduce chances of leaks in a public platform. Mistake #2: Relying on add-on security features Most clouds are built in a way such that additional security measures are added later ? on top of a basic cloud infrastructure. This results in a patchwork that is not holistically secure. Instead, security should be the foundation of a cloud?s reference architecture ? built as part of the cloud deployment?s design rather than as an add-on. To ensure a water-tight security plan, companies must look at their business needs, regulatory requirements, and the type of workload ? to design a data-centric cloud model for utmost security. Mistake #3: Not closely managing responsibilities as a data owner Whether using public or private clouds, businesses need to apply the same precautions that they would for a traditional data centre. Too often businesses forget ? while it is a vendor?s responsibility to protect its servers, the data owner is still ultimately responsible for its own data. As cloud shifts control from client organizations to vendor, it is vital that organizations conduct thorough assessments to understand how providers implement, deploy, and manage security on their behalf. Responsibilities including recovery procedures must be clearly documented and managed through contracts and service level agreements, and made traceable for compliance. Keys to better cloud security There is no one-size-fits-all model for security in the cloud. But by ensuring cloud providers implement end-to-end security measures, organizations can significantly improve their security posture. Strong cloud security should encompass the following aspects: ? Rules and Compliance — Companies need to have strict rules and must have the capability to implement and monitor adherence such rules. They must have extensive audit trails or logs and must have capability to send alarms if breaches are committed. Taking into account a company?s goals, a comprehensive security program will prioritize security attributes, enable accountability, and provide recommended responses in the event of a breach. To ensure better regulatory or internal compliance, organizations need to have the capability to define when, how, and where to log and audit information, to capture and document how data is stored and used. ? Employees and their corresponding access levels — Companies need to make sure that only authorized users across the enterprise have access to confidential data. They must have the tools to access it, when they need it and to which device the data will be accessed. Access and Identity management is must in a cloud infrastructure. They limit access to data and applications to authorized users and can prevent internal data leaks. ? Application and Process ? Typically securing at the operating system level is very common. What is commonly overlooked is, securing the application as well. A centrally managed cloud can be easily automated when it comes to provisioning and managing applications. It also facilitates better intrusion detection and prevention to protect servers, networks, infrastructure, and endpoints. ? Data and Information ? Encrypting and managing encryption keys while data is in transit or is stored in a cloud system is critical to protect data privacy and comply with company regulations. Robust data confidentiality rules and policies must be developed for the origination, capture, handling, transmission, and disposal of confidential data including personally identifiable information (PII), encryption keys, and intellectual property. ? Network, workstations or Endpoints and Infrastructure — Based on an understanding of the legal, regulatory, industry, and customer-specific requirements; a secure cloud infrastructure needs to include firewalls, controlled administrative access, patch and change-management systems, and multiple encryptions for different systems. As data is transferred from the client?s workstations to the cloud infrastructure, there should be intrusion prevention and detection systems in place. Not only on each domain but in-between domains as well. ? Physical Infrastructure Security — The Cloud infrastructure from servers to storage, network devices and power supplies have to be physically secured. Adequate control eg. Biometrics for door access, and monitoring to CCTVs should be in place ? Testing ? For a more robust cloud environment, companies should implement a secure application development and testing program to ensure proper change management procedures, and comprehensive scanning of stored data. Promise of clouds Without performing due diligence, cloud can potentially introduce new security risks ? but if implemented correctly ? cloud computing can, in fact, offer many opportunities to create more secure operations than an onsite deployment by isolating key processes. By enabling features such as standardization, automation, and infrastructure management in their cloud, businesses can dramatically boost security. In addition, certain cloud features can provide security advantages such as: ? Resource Availability: Clouds help businesses expand their capabilities by harnessing converged resources. When the number of users increases, secure computing resources can be easily provisioned to boost capacity. ? Skills Availability: Public clouds and security services allow organizations to leverage on the skills and expertise of a vendor and get the support to handle and resolve issues whenever they occur. ? By engaging the right third-party consultant or vendor with specialist expertise and experience, organizations can leverage the advantages of cloud and build a more secure environment. The advantages of cloud computing are undeniable. However, the massive amounts of IT resources shared among many users present serious security challenges. At the same time, cloud computing is often provided as a service, moving control over the data and operations from businesses to their cloud service vendors ? thereby making the choice of service providers a vital one. Instead of relying on common cloud solutions, organizations must adopt a data-centric cloud security strategy to protect their data end-to-end?from creation, processing, storage, to purging. As a global leader in software-as-a-service, IBM offers comprehensive cloud solutions to help organizations build or tap into secure clouds designed specifically around their business needs. Furthermore, IBM developed a security framework that defines resources that needs to be protected and how it will be secured, and it looks at cloud security from a business point of view. The author is the cloud computing leader of IBM Philippines ]]>

Facebook Comments

Join Our Newsletter! Zero spam, unsubscribe anytime!






Latest Posts

Archives