IT security is the set of processes that ensures data and information meet the confidentiality, integrity, and availability objectives of the business. Today's security environment is more complex given stronger industry standards and the suite of regulations. The ideal CSP would work collaboratively with their clients to build custom, tailored, and highly secure cloud architectures.
by Matt Stamper, MPIA, MS, CISA

ABSTRACT

This paper discusses cloud security and suggests how Cloud Service Providers (CSPs) can significantly improve an organization's security by leveraging the economies of infrastructure, process, and technologies.

INTRODUCTION

Concerns over security in the cloud are frequently cited as an impediment to cloud service adoption. These concerns are legitimate when Cloud Service Providers (CSPs) avoid transparency and make necessary security due-diligence as complex as the Large Hadron particle collider. Indeed, the concerns and confusion related to cloud security mirror the overall apprehension that organizations face as they consider migrating enterprise IT workloads to the cloud. CSPs have historically been responsible for this confusion by failing to disclose the location of their data centers and being unclear on the underlying infrastructure of servers, storage, and networks. They've also been criticized for not providing guarantees as to the location of client data, nor SLAs around availability, both necessary requirements for many regulations.

The ideal CSP would work collaboratively with their clients to build custom, tailored, and highly secure cloud architectures that fit each client's unique needs. Clouds should be built on recognized infrastructure platforms and leverage internationally recognized standards such as ITIL for IT service management and ISO 27001 for security.

SECURITY BASICS

The easiest way to think about security is to focus on the outcome of what ideal security provides: confidentiality, integrity, and availability of information (CIA).

Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals (internal or external), organizations, or systems that are authorized to see such information.

Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid, and subject to restricted access (CAVR): essentially un-tampered or otherwise modified by unauthorized activity.

Availability is simply that: the information is available for its required use without delay or loss.

Collectively, IT security is the set of processes that ensures data and information meet the confidentiality, integrity, and availability objectives of the business. Today's security environment is more complex given stronger industry standards and the suite of regulations that are enforced at the international, national, and state levels to ensure privacy. So, how is security impacted by the cloud?

SECURITY IN THE CLOUD

Cloud computing represents the logical extension of important IT advances, most notably in the areas of virtualization, network connectivity, and data storage. Collectively, these underlying components provide dynamically scalable IT resources such as compute cycles, storage, and network bandwidth. Knowing how the cloud has evolved from these underlying IT infrastructures will help organizations understand that securing workloads in the cloud is similar to securing traditional IT, with some important adjustments to strategy, approach, and execution. Good security practices tend to apply whether they are handled in the cloud or in the traditional data center.

Before addressing how to evaluate and mitigate risks from various threat vectors, it's important to understand why information security is so important. Information is the lifeblood of today's organization, and ensuring its confidentiality, integrity, and availability is the primary responsibility of IT security. Not all information, however, is created equal. Security approaches should be customized based on the type of data that is being protected. Certain types of information such as credit card, healthcare, and personally-identifiable information are subject to prescriptive security controls. These controls range from data encryption to the use of advanced security appliances such as web application firewalls. The implications are clear: security controls should be tailored to the information they are designed to protect. Just how customized the approach will be depends upon the information at hand.

DATA CLASSIFICATION

Information provides the basis for organizational decision-making, so it's important that it be treated as a valuable corporate asset. The first step to any good security effort is to define and map corporate data. Failing to understand the type of data and associated data workflows within an organization is one of the key reasons why we find so many security breaches today. Simply put, if organizations don't know the structure of their data, its type, its location, and its lifecycle, mapping appropriate security tools to mitigate breaches becomes impractical. Because so few organizations have adequately developed this intimate knowledge of their information, security fixes tend to be reactive and misaligned to the actual threats at hand.

Here are a few basic items to keep in mind with respect to data management and how this will impact security practices, whether in the cloud or in traditional IT settings.

Data Structure: Structured data is dependent upon a higher-level application, such as a database, to make the data meaningful. Structured data, such as information in SQL tables, can often be secured using native tools in database applications or with other complementary tools. Unstructured data consists of those items that typically live in file servers or the desktop, such as documents, diagrams, Word & Excel files, etc. It's not uncommon to have a significant amount of intellectual property in unstructured data. As the name implies, unstructured data presents challenges from a security standpoint. Most attempts to secure unstructured data stop at domain authentication and file and folder level permissions. Information subject to standards and regulatory control is often hard to identify in unstructured files. For example, personnel files may be a Microsoft Word document containing the employee's social security number, phone number, and address.

Data Type: Corporate data should be classified to determine if it is subject to standards such as PCI-DSS, state privacy laws, HIPAA/HITECH, etc. Managing this type of information is obviously easier when you're dealing with structured data with database tools that can control and limit access to tables. Unstructured data is more challenging, but data loss prevention (DLP) tools can often be used to help determine when data is being accessed and whether it has been moved or leaked out of the organization.

Data Location: It's important for companies to understand where their data resides, be it in motion, in process, or at rest. This means talking to CSPs about where their facilities are located, to ensure appropriate security measures are taken at every step of the data transmission process, as well as any underlying third-party vendors they may use to deliver service. It's also important to monitor distribution of data within the company, as copies of files can quickly multiply and propagate to be found both inside and outside the organization.

Data Lifecycle: Data tends to have a life of its own. Knowing the lifecycle of company data is a key element to developing a security strategy that ensures data is secure throughout its lifecycle. This understanding should capture when data is archived, sent off-site for vaulting, or destroyed.

Good data management practices are a requisite for addressing security, whether that security takes place in the cloud or within the four walls of your organization. Time invested in mapping company data and knowing its dependencies on applications, infrastructure, and locations will have tremendous benefits to an organization's overall security management.

THREAT VECTORS

Organizations face security challenges on a variety of fronts (threat vectors). Knowing what type of data your organization has, how this data is controlled through its lifecycle, and who has access to such data is a critical first step to good security practices. Beyond data-specific threats, here are some additional threat vectors that need to be evaluated and adequately secured. It's important to note that threats are dynamic and change on a frequent basis. Frequent vulnerability scans can help organizations keep current on the changing threat landscape. With careful implementation, cloud services can actually improve an organization's level of security.

Applications

Poor application coding, coupled with security appliances that are not application aware or are misconfigured, is a hacker's dream come true. CSPs typically leverage more advanced security capabilities including web-application firewalls, which are designed to prevent application-specific attacks such as SQL injection and cross-site scripting. They also utilize next generation firewalls that combine application awareness and network firewall functionality to deliver robust IPS. CSPs can further enhance application security by engraining multiple layers of protection into the service. As part of this effort, CSPs will often perform procedures to harden operating systems and provide frequent vulnerability scans to evaluate exposure to new threats. They can also employ tools to provide event correlation and log management across multiple infrastructure components, including the application.

Networks

One of the key exploits of networks is the Distributed Denial of Service (DDoS) attack, where compromised hosts (commonly referred to as zombies) are instructed to send frequent requests to targeted systems. If there is a large enough number of compromised hosts (many botnets number in the thousands), these requests can quickly saturate system resources and network lines, effectively denying legitimate service. Organizations that do not have sufficient network capacity can easily see their systems grind to a halt as a result of even a relatively small DDoS attack.

CSPs are far better equipped to address these threats. They often utilize multiple Internet Service Providers (ISPs) connected from disparate fiber routes to protect against such attacks. CSPs also benefit from continuous network management by sophisticated network operations centers (NOCs) and security operations centers (SOCs), which allows them to quickly detect and take appropriate action against DDoS attacks to minimize exposure. Equally important, CSPs have developed best practices for hardening network access, closing all but essential ports, segmenting network traffic, and employing rigorous change-management controls to core network infrastructure.

Malicious Insider

Many statistics point to malicious insiders and disgruntled employees as the source of the majority of attacks. CSPs can help minimize this exposure by limiting the threat vectors that malicious insiders have access to, and providing tools to log and analyze this access. In typical infrastructure as a service (IaaS) deployments, the CSP will be responsible for many of the core elements that support an application. This includes server and operating system administration, network administration (including firewalls, intrusion prevention appliances, etc.), and backup & storage administration.

CSPs also bring mature processes for on-boarding new technical staff that include extensive background checks, training, and on-going skills enhancements documented in SSAE 16 audit reports. CSPs that follow ITIL best practices employ procedures that maximize segregation of duties covering configuration and implementation responsibilities. They also closely monitor release management to ensure that the underlying application infrastructure is as stable as possible. Depending upon the nature and extent of the services provided, CSPs can significantly reduce the threat of malicious insider activity by limiting the exposure to core systems.

Physical Security

Limiting physical access to IT systems can be a challenge for organizations that don't have secured computer rooms or data centers. A lack of physical access controls coupled with a high turnover rate among employees can frequently lead to social engineering attacks. Many attacks occur by simply putting viruses and other malware on USB drives and leaving them in a company's office or internal computer room.

Cloud computing significantly reduces this threat vector by deploying IT services in highly secured data centers that control and limit physical access. Equally important, such facilities also help establish a chain of custody over IT assets by logging access and recording data center activities on closed-circuit TV cameras. Dual factor authentication, 24x7 network operations, and physical rounds of the facility all help to ensure that physical access is limited to only authorized individuals. CSPs who control their own data center facilities clearly have optimal control over physical security.

SECURITY IN THE CLOUD: HERE'S WHY

CSPs can dramatically improve security for most organizations, provided they offer flexible approaches to addressing security challenges across multiple threat vectors. Superior CSPs leverage mature service practices, benefit from the latest technology, and utilize deep economies of skills and infrastructure to build custom security solutions for clients. While reducing an organization's exposure to so many challenging threat vectors can seem like a daunting task, leveraging cloud services is an exceptionally viable and frequently overlooked strategy for improving security. Ultimately, security in the cloud is based on a better, more intelligent use of resources.
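
Added example, not part of the original paper: a minimal content scan in the spirit of the Data Type step under Data Classification, flagging text that appears to contain payment card numbers or Social Security numbers and naming the standard it would fall under. The regime mapping, function names, and sample documents are assumptions constructed for illustration, and the input is assumed to be text already extracted from the file.

```python
import re
from dataclasses import dataclass

# Assumed mapping from detector to the standards the paper names.
REGIME = {"payment_card": "PCI-DSS", "ssn": "state privacy laws"}

# 13-19 digits, optionally grouped with single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str
    regime: str
    redacted: str  # last four digits only; the raw value is never stored
    offset: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number blocks that are not issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str) -> list:
    """Return redacted findings for one document, in document order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("payment_card", REGIME["payment_card"],
                                    masked, m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", REGIME["ssn"],
                                    "***-**-" + m.group(3), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def classify(text: str) -> list:
    """Sorted list of regimes the document appears to fall under."""
    return sorted({f.regime for f in scan(text)})


# Constructed sample documents (no real data).
SAMPLES = {
    "personnel.txt": "Name: Jane Example\nSSN: 123-45-6789\nPhone: 858-555-0100\n",
    "billing.txt": "Card on file: 4111 1111 1111 1111\n"
                   "Invoice ref: 4111 1111 1111 1112\n",   # fails Luhn
    "memo.txt": "Part no. 000-12-3456 ships Friday.\n",    # not a valid SSN block
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = [(f.kind, f.redacted) for f in scan(body)]
        print(f"{name}: {classify(body) or ['none found']} {hits}")
```

The checksum and issuance checks are what keep invoice references and part numbers from being reported as regulated data; a production DLP tool adds file-format extraction and many more detectors.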

About redIT

redIT supports the global IT community with private, customizable cloud services and data centers in the southwestern U.S. and Latin America. redIT enables its clients to focus resources on what drives their competitive advantage, not the distractions of owning and managing IT. For clients such as Oracle, McDonald's, Bloomberg, and Carl Zeiss, among others, redIT customizes an IT strategy that's scalable for the long term, delivering lower total cost of ownership.

About the Author

Matt Stamper serves as Vice President of Managed and Professional Services at redIT, where he oversees the design and development of the company's cloud-based managed services and security solutions. As a Certified Information Systems Auditor (CISA) with extensive public-company experience, Matt brings a depth of understanding of IT best practices, managed-services technologies, and compliance requirements to redIT's clients. He can be reached at matt.stamper@redit.com or 858-836-0200.