Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former Editor of InternetWeek, and currently performs technical reviews of networking, wireless, and data center products. He is the former Director of Network Integration for American Management Systems and is one of the founders of the Advanced Network Computing Laboratory at the University of Hawaii. He is based in Washington, DC, and can be reached at email@example.com.
Using cloud-based applications and data storage can improve your organization’s efficiency and reduce costs, but for it to work, you must be certain that your security measures are well chosen, and that they are effective for your business. While cloud security is not a mystery, there are dimensions that go beyond what constitutes appropriate security within your data center.
However, the cloud brings a new era of uncertainty. The uncertainty centers on the fact that your data is stored, and perhaps some of your computing takes place, somewhere besides your own data center, which means that you now have to worry about the remote data center and the communications link between the two.
This uncertainty is good, because it helps you remember to make sure your data really is safe, both when it’s in the remote location, and when it’s in motion between your data center and where the cloud servers are located. So while your worry might be a good thing, that’s not the same as actually risking your organization’s data. In fact, your data may be safer in the cloud than it is in your own data center.
Your organization has three broad areas of security concerns that need to be dealt with when working with cloud computing and storage:
1. Your own data center, which has the same issues and vulnerabilities whether you’re using the cloud or not.
2. The data center that’s providing cloud resources, along with any internal communications, including mirroring and backup.
3. The communications between your data center and the cloud, which may be using the Internet as a transport medium or a private network.
Your cloud provider’s data center is almost certainly as secure as the one in your organization, and likely is much more secure. This is because your cloud provider must meet the security requirements of the most sensitive customer, including physical security, access security and communications security. Because it’s a commercial operation, your cloud site will include redundant power, redundant storage and multiple pathways for communications. Your cloud provider will need to be able to demonstrate a significant level of security in order to stay in business.
But using cloud-based computing doesn’t eliminate any vulnerabilities you already have. There’s nothing magical about the cloud, and vulnerabilities that affect your own data center don’t change. Likewise, vulnerabilities related to user training, your own best practices, and your corporate culture will affect your security regardless of whether you’re using the cloud.
In addition, there are two areas of vulnerability that cloud computing and storage present. The first is the remote data center which is being run by another company, meaning that you don’t have direct control over your data. The other is the communications pathway that connects you to your data in the cloud, which may be provided by a third party, therefore limiting the control you have over your data while it’s in transit.
Fortunately, you can eliminate or at least control the risks to your data in two ways. First, you have control over the selection of your cloud provider which means that you can audit their operations, you can inspect how they protect your data, and you can confirm the safeguards the provider uses to ensure that their staff can be trusted and that their facility meets the level of protection you think is necessary. In addition, you also have control over the means of data transfer, allowing you to choose anything from communications over the public internet, to a direct, dedicated fiber connection between your data center and your cloud provider.
Key Security Characteristics for a Secure Cloud Experience
Security, as with many things, starts at home. Your own data center must be secure enough to resist a variety of attacks. This includes the obvious, such as malware attacks, but it also includes physical security to protect your data center, even if it’s just a couple of servers in a closet, against theft, tampering and physical damage. In addition, you must continue to protect against intrusion, insider threats and data loss.
The data centers belonging to your cloud provider have the same risks as your organization’s data center, plus some additional risks. For example, if your cloud operations are based on shared hardware, there’s always the potential for risks from other customers, including personnel at a co-location site, who may take actions or misconfigure hardware in such a way as to affect you. Your cloud provider should isolate your jobs to keep this from happening, but you will need to confirm that this is actually being done.
The communications link between your data center and your cloud provider is a primary vulnerability. In many cases the concern about communications seems to be related to data theft during the transmission of data, and while this can happen, modern encryption practices should protect the information even if it’s intercepted. However, a denial of service attack can prevent access to your cloud-based data, impacting your operations even if no data is stolen. Likewise, a network outage can block your cloud access.
The CSA Treacherous 12
The Cloud Security Alliance has worked to produce industry standards that include best practices and analysis of the threats facing cloud computing. As part of its effort, the CSA created a list of the twelve most important threats based on a survey of industry experts.
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Each of those twelve threats can affect your organization’s use of cloud-based resources, but it’s worth knowing that they are not unique to the cloud. Those threats must also be taken into account for your own data center. Instead, think of them as the beginning of a checklist for assessing your organization’s exposure to vulnerabilities.
One factor stands out in the results of the survey above - a lack of trust in the people making security decisions, or a lack of trust by managers in the people implementing and operating a cloud environment. These concerns range from beliefs that the cloud provider wasn’t properly vetted, to worries that the staff having access to cloud data isn’t properly trained to protect security.
The way to reduce these levels of concern is to start by setting some basic requirements for each organization’s cloud implementation and operations. Those standards should include a detailed description of the vetting process for cloud providers, levels of training required for managers and other employees having access to data in the cloud and even specific security standards applying to your organization.
Finding Your Own Cloud Vulnerabilities
Before you can have a secure cloud presence, you must have a secure data center because your cloud data is directly accessible from your own network. If that network and its related data center aren’t secure, then everything in your cloud is open to being breached.
This level of security may already be present in your network and data center, but you can’t just assume that. Instead you need to implement policies, procedures and safeguards designed to ensure that your operation is secure, and that it will stay that way.
- Getting past “we’ve always done it this way.”
No doubt your IT staff will have procedures that they’ve implemented in the past, and that they assume work fine. But just because there have been practices in place doesn’t ensure that they’re acceptable. Existing practices need to be reviewed in detail and evaluated for their appropriate place in a new data systems environment. The fact that some procedures were always done in a particular way is not sufficient reason to continue them. It’s probably better to have those procedures evaluated by someone with fresh eyes to avoid a reliance on past practices.
- Your data center audit
Once you’ve evaluated your existing practices, your data center needs a detailed security audit. This includes a search for vulnerabilities in your existing environment, as well as reviews of potential past breaches. You may need to review your security logs using specialized software, and you may need to engage the help of consultants and networking partners. The security audit needs to be painstaking in detail, and it will likely ruffle some feathers in your IT department, so be prepared for that.
- New cloud, same old vulnerabilities
The cloud, by its very nature, has some security issues that remain fairly constant, regardless of whose cloud you’re using. They are related to the remote nature of cloud data centers, and they boil down to making sure your data, and the servers on which your data resides, remain secure and available.
Those vulnerabilities include attacks from third parties against your provider. Such an attack may be intended to damage your organization, but it could just as easily be aimed at some other organization that happens to share the same cloud provider. For example, a DDoS attack that overwhelms the cloud provider’s network access can make the cloud services unavailable simply because the network falls under the weight of the attack. Likewise, an insider attack by the staff of the cloud provider may not play favorites in terms of whose data gets stolen.
- Why staff training is critical
Your staff members are the gatekeepers to your data, whether it’s in the cloud or not. Any staff that has privileged access to some data also has the ability to corrupt or allow theft of that data. This could mean being hit with a phishing attack that allows ransomware to make your data unavailable, or it could allow an advanced threat to exfiltrate critical data to competitors or a cyber-criminal.
While no amount of training can make your data or your network invulnerable, it can go a long way in preventing the most common attacks. This means, for example, teaching your staff not to click on any link, not to allow any files to be downloaded, and not to allow any attachments to be opened, regardless of the temptation. Likewise, your staff can be trained in the use of secure logons, and in how to recognize that the network may be compromised and alert the security team.
How to protect the cloud
Making sure your cloud security is up to snuff isn’t necessarily more difficult than making sure your enterprise data center is secure, but there are differences. Those differences are due to the variety of methods by which your cloud can be accessed, and the variety of devices that are being used. While the specific details of any cloud implementation are different for every organization, there are some basic steps that should be taken, starting with best practices.
Adopt sensible best practices from reliable sources. For example, Forrester Research has published a list of three practices based on what the researchers call a Zero Trust security model. The three steps Forrester recommends are:
- Verify and secure all resources
- Limit and strictly enforce access control
- Log and inspect all traffic
Approaches that Help
- Use encryption where it makes sense, which means all access for what Forrester calls “toxic” data before it enters the cloud.
- Control your own encryption, and use an encrypted protocol such as SSH (Secure Shell) that isn’t easily compromised.
- Don’t depend on your cloud provider to provide your encryption keys; instead, generate and provide your own.
Toxic data in this context is information that can cause your organization, its partners or customers great harm. This may include personally identifiable information, medical data, financial records or intellectual property, for example, but it can include any data which, if released, would cause harm.
Why end point security is critical
Your network endpoints, including anything from workstations to mobile devices, are the entry point to your cloud. For your cloud to be secure, you need to control access based on the type and location of the endpoint, the time of day, and the trust level of the person attempting access. For some critical information, you may want to restrict access only to workstations on a wired network during normal work hours, for example.
In addition to controlling the access by endpoints, you must also control the security of the endpoints, which will include anti-malware provisions as well as access control through something more substantial than a password. For example, you may want to add biometrics or two-factor authentication.
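The endpoint access rules described above, as an added example that is not part of the original article: a deny-by-default policy check that combines endpoint type, network location, time of day, user trust level and a second factor. The sensitivity tiers, attribute names and thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    endpoint_types: frozenset  # device classes allowed to connect
    networks: frozenset        # network locations allowed
    start: time                # start of permitted hours (local time)
    end: time                  # end of permitted hours; may wrap past midnight
    min_trust: int             # minimum trust level of the user
    require_mfa: bool          # something more substantial than a password

# Constructed policy: the tier names and limits are illustrative assumptions.
POLICY = {
    "public": Rule(frozenset({"workstation", "laptop", "mobile"}),
                   frozenset({"wired", "wifi", "vpn", "internet"}),
                   time.min, time.max, 0, False),
    "internal": Rule(frozenset({"workstation", "laptop"}),
                     frozenset({"wired", "wifi", "vpn"}),
                     time(6, 0), time(22, 0), 1, True),
    # Most sensitive tier: wired workstations during normal work hours only.
    "toxic": Rule(frozenset({"workstation"}), frozenset({"wired"}),
                  time(8, 0), time(18, 0), 3, True),
}

def in_window(now, start, end):
    """True if now falls inside [start, end], including overnight windows."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def decide(request, policy=POLICY):
    """Return (allowed, reasons). Missing or unknown attributes deny access."""
    rule = policy.get(request.get("sensitivity"))
    if rule is None:
        return False, ["unknown data sensitivity"]
    reasons = []
    if request.get("endpoint_type") not in rule.endpoint_types:
        reasons.append("endpoint type not permitted")
    if request.get("network") not in rule.networks:
        reasons.append("network location not permitted")
    now = request.get("local_time")
    if not isinstance(now, time) or not in_window(now, rule.start, rule.end):
        reasons.append("outside permitted hours")
    trust = request.get("trust_level")
    if not isinstance(trust, int) or trust < rule.min_trust:
        reasons.append("user trust level too low")
    if rule.require_mfa and request.get("mfa_passed") is not True:
        reasons.append("second factor missing")
    return (not reasons), reasons  # the reasons list is what gets logged

# Constructed sample request: a lost laptop's owner trying from a phone at night.
SAMPLE = {"sensitivity": "toxic", "endpoint_type": "mobile", "network": "internet",
          "local_time": time(23, 0), "trust_level": 3, "mfa_passed": True}
```

Every denial carries its reasons, so the same function feeds the access log as well as the access decision.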
The role of physical security
If an intruder (or an unauthorized insider) can gain physical access to a protected device, then the device can be compromised. If a device can be stolen, then compromise is nearly certain. This is why it’s vital to protect your endpoints and infrastructure from physical intrusion.
Protection from intrusion means keeping these critical devices, such as your servers, behind locked or guarded doors, requiring access controls on points of entry, and intrusion monitoring. All access should be logged.
The issues of physical access are also reflected in mobile devices, which is why you may want to restrict access to your most sensitive data to non-mobile devices. If an employee loses a laptop computer in an airport security line, for example, the person retrieving that laptop may not have your best interests at heart. This is also why it’s important to inspect and audit mobile devices with access to your cloud for security holes, such as labels on the bottom of laptops giving the exact login information for sensitive sites, including the name and password of the user. (Yes, those things really do happen.)
In addition, endpoint physical security should include protection from other forms of loss, including fires and natural disasters. While your data may be safe in the cloud, retrieving it can still be expensive and time-consuming.
Ensuring a secure cloud provider
Before you entrust your critical business operations to the cloud, you need to do your due diligence. This means that you ensure that your soon-to-be cloud provider meets all of your requirements for protection, security and customer service. You will certainly need to meet with your proposed provider’s staff, and a site visit is a very good idea. Finally, you need to nail down how the provider’s staff can be reached, the level of support you can expect, and how differences will be resolved.
The cloud provider’s physical security is critical. A primary reason for using cloud-based facilities is that they can provide a more secure environment than you may be able to provide in your own data center. Their data center must be run by a professional staff and you must be assured of a state-of-the-art facility with redundant power and cooling. You should be able to find out whether the servers that you’ll be using will be shared with others, and how they will be protected from tampering.
Look for redundancy in facilities and communications. Redundancy is key to protecting your data. Your cloud provider must have a means of duplicating your data and applications to another facility with a means of immediate fail-over. This means that if the primary data center for your cloud provider is unavailable, you will still have access to your data.
In addition, you need to confirm that the data center has redundant access to the internet or to the private network you’re using, and it must be serviced by redundant power grids. While there are various levels of redundancy, you will need to be satisfied that your operations won’t be impacted by foreseeable outages. However, be aware that additional redundancy will cost more.
Demand geographic diversity. Data center redundancy is nice, but it does you little good if the same natural disaster takes out both the primary and redundant data centers. This means that for real physical security, your cloud provider must provide geographically dispersed data centers. While there’s no set distance for this dispersion, you should satisfy yourself that the same flood, earthquake or terrorist attack can’t take out your entire operation.
It's critical that you confirm your potential cloud provider is equipped to handle commonly found threats so that you won't be prevented from accessing the data or applications you need. You also need to make sure that your data won't be corrupted, and that your cloud servers won't be compromised. Some capabilities to investigate with your cloud provider include:
- DDoS protection – Cloud based denial of service protection is available, and it should be available to you to use with your cloud service. Otherwise a DDoS attack can effectively shut your business down.
- Anti-malware capability – Even though the data and applications in your cloud all come from you, it's possible for malware to end up in your cloud. You need to make sure you have a way to detect and remove malware that ends up in the cloud.
- Customer support – Good customer support is vital to keeping your cloud access open, regardless of whether it's a late night DDoS attack or a network outage. You need to be able to overcome issues preventing access, and customer service is frequently the best way to do that.
- Disaster recovery support – Depending on how you use your cloud service, disaster recovery may be an important feature, but you'll need help to restore systems following a disaster. You will need to make sure this capability exists before the disaster happens.
Securing your data and applications in the cloud is effectively an extension of the security in your own data center. This means that you must follow appropriate security practices in your own data center because a lapse there can also open up a lapse in cloud security.
Fortunately, a well-chosen cloud provider will frequently have better physical security than you can manage on your own, and will have a higher level of data protection. In addition, your cloud provider can also help with your organization’s disaster recovery, and you can use the data stored in the cloud to rebuild and restore your data center.
But everything depends on following best practices for cloud security, as well as following appropriate practices for your own data center. Otherwise, you can easily turn your cloud presence into an easy source for a security breach.