WHI TE PAPER

SECURITY In ThE CloUd

by Matt Stamper, MPIA, MS, CISA
Collectively, IT security is the set of
processes that ensures data and information
meet the confdentiality, integrity, and
availability objectives of the business.
InTRodUCTIon
Concerns over security in the cloud are frequently cited as an
impediment to cloud service adoption. These concerns are legitimate
when Cloud Service Providers (CSPs) avoid transparency and make
necessary security due-diligence as complex as the Large Hadron
particle collider. Indeed, the concerns and confusion related to cloud
security mirror the overall apprehension that organizations face as
they consider migrating enterprise IT workloads to the cloud. CSPs
have historically been responsible for this confusion by failing to
disclose the location of their data centers and being unclear on
the underlying infrastructure of servers, storage, and networks.
Theyve also been criticized for not providing guarantees as to the
location of client data, nor SLAs around availabilitynecessary
requirements for many regulations. The ideal CSP would work
collaboratively with their clients to build custom, tailored, and highly
secure cloud architectures that ft each clients unique needs. Clouds
should be built on recognized infrastructure platforms and leverage
internationally recognized standards such as ITIL for IT service
management and ISO27001 for security.
SECURITY BASICS
The easiest way to think about security is to focus on the outcome of
what ideal security provides: confdentiality, integrity, and availability
of information (CIA).
Confdentiality is the end-state of ensuring that information
is only viewed and acted upon by those individuals (internal or
external), organizations, or systems that are authorized to see
such information.
Integrity is the end-state of information and its processing such
that the information is believed to be complete, accurate, valid,
and subject to restricted access (CAVR)essentially un-tampered
or otherwise modifed by unauthorized activity.
Availability is simply thatthe information is available for its
required use without delay or loss.
Collectively, IT security is the set of processes that ensures data
and information meet the confdentiality, integrity, and availability
objectives of the business. Todays security environment is
more complex given stronger industry standards and the suite of
regulations that are enforced at the international, national,
and state levels to ensure privacy. So, how is security impacted
by the cloud?
SECURITY In ThE CloUd
Cloud computing represents the logical extension of important
IT advances, most notably in the areas of virtualization, network
connectivity, and data storage. Collectively, these underlying
components provide dynamically scalable IT resources such as
compute cycles, storage, and network bandwidth. Knowing how the
cloud has evolved from these underlying IT infrastructures will help
organizations understand that securing workloads in the cloud is
similar to securing traditional IT, with some important adjustments to
strategy, approach, and execution. Good security practices tend to
apply whether they are handled in the cloud or in the traditional data
center.
Before addressing how to evaluate and mitigate risks from various
threat vectors, its important to understand why information security
is so important. Information is the lifeblood of todays organization,
and ensuring its confdentiality, integrity, and availability is the
primary responsibility of IT security. Not all information, however, is
created equal. Security approaches should be customized based on
the type of data that is being protected. Certain types of information
such as credit card, healthcare, and personally-identifable information
are subject to prescriptive security controls. These controls range
from data encryption to the use of advanced security appliances such
as web application frewalls. The implications are clearsecurity
controls should be tailored to the information they are designed to
protect. Just how customized the approach will be depends upon the
information at hand.
ABSTRACT
This paper discusses cloud security and suggests how Cloud Service Providers (CSPs) can signifcantly improve an
organizations security by leveraging the economies of infrastructure, process, and technologies.

Security in the Cloud 3 2
The ideal CSP would work collaboratively with their clients to build custom, tailored,
and highly secure cloud architectures that ft each clients unique needs.
dATA ClASSIFICATIon
Information provides the basis for organizational decision-making, so
its important that it be treated as a valuable corporate asset. The frst
step to any good security effort is to defne and map corporate data.
Failing to understand the type of data and associated data workfows
within an organization is one of the key reasons why we fnd so many
security breaches today. Simply put, if organizations dont know the
structure of their data, its type, its location, and its lifecycle, mapping
appropriate security tools to mitigate breaches becomes impractical.
Because so few organizations have adequately developed this intimate
knowledge of their information, security fxes tend to be reactive and
misaligned to the actual threats at hand.
Here are a few basic items to keep in mind with respect to data
management and how this will impact security practices, whether in
the cloud or in traditional IT settings.
data Structure: Structured data is dependent upon a
higher-level application, such as a database, to make the data
meaningful. Structured data, such as information in SQL tables,
can often be secured using native tools in database applications
or with other complementary tools. Unstructured data consists
of those items that typically live in fle servers or the desktop,
such as documents, diagrams, Word & Excel fles, etc. Its not
uncommon to have a signifcant amount of intellectual property
in unstructured data. As the name implies, unstructured data
presents challenges from a security standpoint. Most attempts to
secure unstructured data stop at domain authentication and fle
and folder level permissions. Information subject to standards and
regulatory control is often hard to identify in unstructured fles.
For example, personnel fles may be a Microsoft Word document
containing the employees social security number, phone number,
and address.
data Type: Corporate data should be classifed to determine
if it is subject to standards such as PCI-DSS, state privacy
laws, HIPAA/HITECH, etc. Managing this type of information
is obviously easier when youre dealing with structured data
with database tools that can control and limit access to tables.
Unstructured data is more challenging, but data loss prevention
(DLP) tools can often be used to help determine when data is
being accessed and whether it has been moved or leaked out of
the organization.
data location: Its important for companies to understand
where their data resides, be it in motion, in process, or at rest.
This means talking to CSPs about where their facilities are located,
to ensure appropriate security measures are taken at every step
of the data transmission process, as well as any underlying third-
party vendors they may use to deliver service. Its also important
to monitor distribution of data within the company, as copies of
fles can quickly multiply and propagate to be found both inside
and outside the organization.
data lifecycle: Data tends to have a life of its own. Knowing
the lifecycle of company data is a key element to developing
a security strategy that ensures data is secure throughout
its lifecycle. This understanding should capture when data is
archived, sent off-site for vaulting, or destroyed.
Good data management practices are a requisite for addressing
security, whether that security takes place in the cloud or within the
four walls of your organization. Time invested in mapping company
data and knowing its dependencies on applications, infrastructure, and
locations will have tremendous benefts to an organizations overall
security management.
ThREAT VECToRS
Organizations face security challenges on a variety of fronts (threat
vectors). Knowing what type of data your organization has, how
this data is controlled through its lifecycle, and who has access to
such data is a critical frst step to good security practices. Beyond
data-specifc threats, here are some additional threat vectors that
need to be evaluated and adequately secured. Its important to note
that threats are dynamic and change on a frequent basis. Frequent
vulnerability scans can help organizations keep current on the changing
threat landscape. With careful implementation, cloud services can
actually improve an organizations level of security.
Applications Poor application coding, coupled with security
appliances that are not application aware or mis-confgured, are a
hackers dream come true. CSPs typically leverage more advanced
security capabilities including web-application frewalls, which
are designed to prevent application specifc attacks such as SQL
injection and cross-site scripting. They also utilize next generation
frewalls that combine application awareness and network frewall
functionally to deliver robust IPS. CSPs can further enhance
application security by engraining multiple layers of protection
into the service. As part of this effort, CSPs will often perform
procedures to harden operating systems and provide frequent
vulnerability scans to evaluate exposure to new threats. They
can also employ tools to provide event correlation and log
management across multiple infrastructure components, including
the application.
SeCurITy In The Cloud hereS why
ultimately, security in the cloud is based on a better, more intelligent use of
resources. CSPs can dramatically improve security for most organizations,
provided they offer fexible approaches to addressing security challenges
across multiple threat vectors. Superior CSPs leverage mature service
practices, beneft from the latest technology, and utilize deep economies of
skills and infrastructure to build custom security solutions for clients. while
reducing an organizations exposure to so many challenging threat vectors
can seem like a daunting task, leveraging cloud services is an exceptionally
viable and frequently overlooked strategy for improving security.
Ultimately, security in
the cloud is based on a
better, more intelligent
use of resources.
networks One of the key exploits of networks is the
Distributed Denial of Service (DDoS) attack where compromised
hosts (commonly referred to as zombies) are instructed to
send frequent requests to targeted systems. If there is a large
enough number of compromised hostsmany botnets number
in the thousandsthese requests can quickly saturate system
resources and network lines, effectively denying legitimate
service. Organizations that do not have suffcient network
capacity can easily see their systems grind to a halt as a result of
even a relatively small DDoS attack. CSPs are far better equipped
to address these threats. They often utilize multiple Internet
Service Providers (ISPs) connected from disparate fber routes to
protect against such attacks. CSPs also beneft from continuous
network management by sophisticated network operations
centers (NOCs) and security operations centers (SOCs), which
allows them to quickly detect and take appropriate action against
DDoS attacks to minimize exposure. Equally important, CSPs
have developed best practices for hardening network access,
closing all but essential ports, segmenting network traffc, and
employing rigorous change-management controls to core network
infrastructure.
Malicious Insider Many statistics point to malicious insiders
and disgruntled employees as the source of the majority of
attacks. CSPs can help minimize this exposure by limiting
the threat vectors that malicious insiders have access to,
and providing tools to log and analyze this access. In typical
infrastructure as a service (IaaS) deployments, the CSP will
be responsible for many of the core elements that support
an application. This includes server and operating system
administration, network administration (including frewalls,
intrusion prevention appliances, etc.), and backup & storage
administration. CSPs also bring mature processes for on-boarding
new technical staff that include extensive background checks,
training, and on-going skills enhancements documented in
SSAE 16 audit reports. CSPs that follow ITIL best practices
employ procedures that maximize segregation of duties covering
confguration and implementation responsibilities. They
also closely monitor release management to ensure that the
underlying application infrastructure is as stable as possible.
Depending upon the nature and extent of the services provided,
CSPs can signifcantly reduce the threat of malicious insider
activity by limiting the exposure to core systems.
Physical Security Limiting physical access to IT systems
can be a challenge for organizations that dont have secured
computer rooms or data centers. A lack of physical access
controls coupled with a high turnover rate among employees
can frequently lead to social engineering attacks. Many attacks
occur by simply putting viruses and other malware on USB drives
and leaving them in a companys offce or internal computer
room. Cloud computing signifcantly reduces this threat vector by
deploying IT services in highly secured data centers that control
and limit physical access. Equally important, such facilities
also help establish a chain of custody over IT assets by logging
access and recording data center activities on closed-caption TV
cameras. Dual factor authentication, 24x7 network operations,
and physical rounds of the facility all help to ensure that physical
access is limited to only authorized individuals. CSPs who control
their own data center facilities clearly have optimal control over
physical security.
with careful implementation, cloud
services can actually improve an
organizations level of security.
About redIT
redIT supports the global IT community with private, customizable cloud services and data centers in the southwestern U.S. and Latin America.
redIT enables its clients to focus resources on what drives their competitive advantage not the distractions of owning and managing IT. For
clients such as Oracle, McDonalds, Bloomberg, and Carl Zeiss, among others, redIT customizes an IT strategy thats scalable for the long term,
delivering lower total cost of ownership.
About the Author
Matt Stamper serves as Vice President of Managed and Professional Services at redIT, where he oversees the design and development of the
companys cloud-based managed services and security solutions. As a Certifed Information Systems Auditor (CISA) with extensive public-company
experience, Matt brings a depth of understanding of IT best practices, managed-services technologies, and compliance requirements to redITs
clients. He can be reached at matt.stamper@redit.com or 858-836-0200.
Security in the Cloud 3 2
The ideal CSP would work collaboratively with their clients to build custom, tailored,
and highly secure cloud architectures that ft each clients unique needs.
dATA ClASSIFICATIon
Information provides the basis for organizational decision-making, so
its important that it be treated as a valuable corporate asset. The frst
step to any good security effort is to defne and map corporate data.
Failing to understand the type of data and associated data workfows
within an organization is one of the key reasons why we fnd so many
security breaches today. Simply put, if organizations dont know the
structure of their data, its type, its location, and its lifecycle, mapping
appropriate security tools to mitigate breaches becomes impractical.
Because so few organizations have adequately developed this intimate
knowledge of their information, security fxes tend to be reactive and
misaligned to the actual threats at hand.
Here are a few basic items to keep in mind with respect to data
management and how this will impact security practices, whether in
the cloud or in traditional IT settings.
data Structure: Structured data is dependent upon a
higher-level application, such as a database, to make the data
meaningful. Structured data, such as information in SQL tables,
can often be secured using native tools in database applications
or with other complementary tools. Unstructured data consists
of those items that typically live in fle servers or the desktop,
such as documents, diagrams, Word & Excel fles, etc. Its not
uncommon to have a signifcant amount of intellectual property
in unstructured data. As the name implies, unstructured data
presents challenges from a security standpoint. Most attempts to
secure unstructured data stop at domain authentication and fle
and folder level permissions. Information subject to standards and
regulatory control is often hard to identify in unstructured fles.
For example, personnel fles may be a Microsoft Word document
containing the employees social security number, phone number,
and address.
data Type: Corporate data should be classifed to determine
if it is subject to standards such as PCI-DSS, state privacy
laws, HIPAA/HITECH, etc. Managing this type of information
is obviously easier when youre dealing with structured data
with database tools that can control and limit access to tables.
Unstructured data is more challenging, but data loss prevention
(DLP) tools can often be used to help determine when data is
being accessed and whether it has been moved or leaked out of
the organization.
data location: Its important for companies to understand
where their data resides, be it in motion, in process, or at rest.
This means talking to CSPs about where their facilities are located,
to ensure appropriate security measures are taken at every step
of the data transmission process, as well as any underlying third-
party vendors they may use to deliver service. Its also important
to monitor distribution of data within the company, as copies of
fles can quickly multiply and propagate to be found both inside
and outside the organization.
data lifecycle: Data tends to have a life of its own. Knowing
the lifecycle of company data is a key element to developing
a security strategy that ensures data is secure throughout
its lifecycle. This understanding should capture when data is
archived, sent off-site for vaulting, or destroyed.
Good data management practices are a requisite for addressing
security, whether that security takes place in the cloud or within the
four walls of your organization. Time invested in mapping company
data and knowing its dependencies on applications, infrastructure, and
locations will have tremendous benefts to an organizations overall
security management.
ThREAT VECToRS
Organizations face security challenges on a variety of fronts (threat
vectors). Knowing what type of data your organization has, how
this data is controlled through its lifecycle, and who has access to
such data is a critical frst step to good security practices. Beyond
data-specifc threats, here are some additional threat vectors that
need to be evaluated and adequately secured. Its important to note
that threats are dynamic and change on a frequent basis. Frequent
vulnerability scans can help organizations keep current on the changing
threat landscape. With careful implementation, cloud services can
actually improve an organizations level of security.
Applications Poor application coding, coupled with security
appliances that are not application aware or mis-confgured, are a
hackers dream come true. CSPs typically leverage more advanced
security capabilities including web-application frewalls, which
are designed to prevent application specifc attacks such as SQL
injection and cross-site scripting. They also utilize next generation
frewalls that combine application awareness and network frewall
functionally to deliver robust IPS. CSPs can further enhance
application security by engraining multiple layers of protection
into the service. As part of this effort, CSPs will often perform
procedures to harden operating systems and provide frequent
vulnerability scans to evaluate exposure to new threats. They
can also employ tools to provide event correlation and log
management across multiple infrastructure components, including
the application.
SeCurITy In The Cloud hereS why
ultimately, security in the cloud is based on a better, more intelligent use of
resources. CSPs can dramatically improve security for most organizations,
provided they offer fexible approaches to addressing security challenges
across multiple threat vectors. Superior CSPs leverage mature service
practices, beneft from the latest technology, and utilize deep economies of
skills and infrastructure to build custom security solutions for clients. while
reducing an organizations exposure to so many challenging threat vectors
can seem like a daunting task, leveraging cloud services is an exceptionally
viable and frequently overlooked strategy for improving security.
Ultimately, security in
the cloud is based on a
better, more intelligent
use of resources.
networks One of the key exploits of networks is the
Distributed Denial of Service (DDoS) attack where compromised
hosts (commonly referred to as zombies) are instructed to
send frequent requests to targeted systems. If there is a large
enough number of compromised hostsmany botnets number
in the thousandsthese requests can quickly saturate system
resources and network lines, effectively denying legitimate
service. Organizations that do not have suffcient network
capacity can easily see their systems grind to a halt as a result of
even a relatively small DDoS attack. CSPs are far better equipped
to address these threats. They often utilize multiple Internet
Service Providers (ISPs) connected from disparate fber routes to
protect against such attacks. CSPs also beneft from continuous
network management by sophisticated network operations
centers (NOCs) and security operations centers (SOCs), which
allows them to quickly detect and take appropriate action against
DDoS attacks to minimize exposure. Equally important, CSPs
have developed best practices for hardening network access,
closing all but essential ports, segmenting network traffc, and
employing rigorous change-management controls to core network
infrastructure.
Malicious Insider Many statistics point to malicious insiders
and disgruntled employees as the source of the majority of
attacks. CSPs can help minimize this exposure by limiting
the threat vectors that malicious insiders have access to,
and providing tools to log and analyze this access. In typical
infrastructure as a service (IaaS) deployments, the CSP will
be responsible for many of the core elements that support
an application. This includes server and operating system
administration, network administration (including frewalls,
intrusion prevention appliances, etc.), and backup & storage
administration. CSPs also bring mature processes for on-boarding
new technical staff that include extensive background checks,
training, and on-going skills enhancements documented in
SSAE 16 audit reports. CSPs that follow ITIL best practices
employ procedures that maximize segregation of duties covering
confguration and implementation responsibilities. They
also closely monitor release management to ensure that the
underlying application infrastructure is as stable as possible.
Depending upon the nature and extent of the services provided,
CSPs can signifcantly reduce the threat of malicious insider
activity by limiting the exposure to core systems.
Physical Security Limiting physical access to IT systems
can be a challenge for organizations that dont have secured
computer rooms or data centers. A lack of physical access
controls coupled with a high turnover rate among employees
can frequently lead to social engineering attacks. Many attacks
occur by simply putting viruses and other malware on USB drives
and leaving them in a companys offce or internal computer
room. Cloud computing signifcantly reduces this threat vector by
deploying IT services in highly secured data centers that control
and limit physical access. Equally important, such facilities
also help establish a chain of custody over IT assets by logging
access and recording data center activities on closed-caption TV
cameras. Dual factor authentication, 24x7 network operations,
and physical rounds of the facility all help to ensure that physical
access is limited to only authorized individuals. CSPs who control
their own data center facilities clearly have optimal control over
physical security.
with careful implementation, cloud
services can actually improve an
organizations level of security.
About redIT
redIT supports the global IT community with private, customizable cloud services and data centers in the southwestern U.S. and Latin America.
redIT enables its clients to focus resources on what drives their competitive advantage not the distractions of owning and managing IT. For
clients such as Oracle, McDonalds, Bloomberg, and Carl Zeiss, among others, redIT customizes an IT strategy thats scalable for the long term,
delivering lower total cost of ownership.
About the Author
Matt Stamper serves as Vice President of Managed and Professional Services at redIT, where he oversees the design and development of the
companys cloud-based managed services and security solutions. As a Certifed Information Systems Auditor (CISA) with extensive public-company
experience, Matt brings a depth of understanding of IT best practices, managed-services technologies, and compliance requirements to redITs
clients. He can be reached at matt.stamper@redit.com or 858-836-0200.