Cloud computing security - what is the fuss?

There are probably a number of good reasons why you shouldn't jump on the Cloud computing band wagon, but security should not be one of them and here is why....

There seem to be a million articles on why cloud computing security is so different to normal in-house security - I have no idea why (well actually I do - it's so that us in the industry can maximise the money we make out of this) but there is no real reason why cloud security should be that much different. Just keep it simple, do the basics, i.e. the 20% that will cover 80% of your risk, transfer the rest and realise actually the cloud is actually more secure than your current IT.

Here are the basics you should do:
  • Authentication - Whether its infrastructure, platform or software as a service you are buying control the access. As a good friend once said everything else in security is window dressing. Ideally if you have an LDAP (e.g. Active Directory) stick a Active Directory Federation Services (ADFS) or OpenSSO (its free!) or Ping Identity server out in your DMZ and use the same access controls in the cloud as you do currently internally
  • Authorization - Goes with the above, give the minimum access to the people that have a good business reason for it
  • Logging and monitoring -  Log as much as you can pay for storage, if you have some spare cash pay some 24x7 Security Operations Center to monitor it for you but this typically not worth it unless you are going to know what to do when they call you or god forbid they can take some automated action
  • Protect sensitive data - If you actually have any real sensitive date e.g. personally identifiable info, trade secrets/IP, card holder data, health info, etc encrypt it in storage and transit. Transit is easy to do you have plenty of options HTTPS, sftp, VPN etc, storage is a bit harder but some Cloud vendors will support you encrypting database and files, you can also do it manually with something like PGP. Manage the keys properly, get a Certificate Authority in the cloud if you can
  • Secure configuration - Download a hardened build from the Internet just Google CIC or SANS and there are plenty, use things like the community hardened builds on Amazon EC2 - not hard to find a LAMP stack that is locked down only the services you need. If you just need a few Linux servers to do your grunt work just enable the services you need on them. If you want to get real fancy put something like Tripwire  on them so that you know the config stays how you defined it. Or just outsource this part and just use SAAS
  • Patching - patch your servers regularly or just use SAAS
  • Anti-virus - goes without saying
  • Test it - pay some security company a few thousand $/£ to test your config for anything obvious. Do this every 6 months or so and fix what they tell you to fix.
That's basically it. You will get some pretty good network security controls firewalls, IDS etc with most Cloud providers anyway.

Do some work on the contract as well if you can, have some clauses in there about:
  • Them vetting and doing background checks on their staff - pretty stock standard
  • A joiners, leavers, movers process
  • Get some SAS70 Type 2's which are not worth the paper they are written on but maybe you can sue the guys who signed them if something really goes wrong
  • Incident notification and response process
  • A right to audit - so you can security test them
    Get some Cyber security insurance - again if you have some really sensitive data. Buy some PR and good legal staff beers :)

    Really even if you do half of the above, you will probably get more security in the cloud than you have internally. I mean seriously do you have any of the following:
    • Network access control - No? too hard? That means any cleaner or photocopy repair man can plug into a free Ethernet port or into the back of your IP phone with their laptop or wireless hub and they are on your network
    • Encryption? In transit your probably do? In storage I doubt it, backups strongly doubt it, how about removable media including floppy disks (yes they still exist) and CD/DVD's?. Email and share drives where your most important info is definitely not
    • Hardened consistent builds for all your infrastructure and a way to to ensure they stay that way? I thought so
    • Any halfway decent identity management program that covers more than 10% of your systems?
    • Any central logging?
    • Data loss prevention - you probably do have this because it is a cool pet project for your security team. Does it work? How many actual incidents has it really stopped in the last 2 months vs how much it is costing?
    • Network segmentation? Beyond a basic Internet and maybe partner DMZ?
    • Consistent effective patching ? How about your non windows machines?
    So seriously what is the incremental risk of using Google for your email, or Amazon to run a few of your Linux servers or Salesforce for your CRMWarcraft, all that working capital tied up in IT that could be spent on better things.

    But no my IT is internal at the moment. The cloud is all external that is too scary and insecure. Seriously? So you don't have any of the following:
    • Any outsourcing? offshoring etc? What access do they have to your data? 
    • How many third parties do you send your HR and other sensitive data to? What do they do with it after you get it to them securely? You have great contracts with them right? And audit them regularly?
    • Any third parties with priviledged remote access to your systems? No none of those? How about the storage guys that dial into the modems on your EMC units? or the Iron Mountain team that have access to all your unencrypted backups? Any remote support for your COTS applications? Remote development? 
    • Actually forget remote access, all the people with physical access to your offices and in your data center (it is dedicated to only you right?) How many contractors, consultants, auditors have access to your systems right now? How about that guy in finance who has been there 13 years, knows all the systems and can approve his own vendor payments?
    What are you really scared of? Who has more incentives to keep your systems and data secure Google and Amazon or your 13 IT guys looking forward to the next Blizzard game?

    Oh no how about regulation? The data is just in the cloud I'm sure I'm going to break so many laws. Guess what you probably are already breaking a 100 laws you are not even aware of. E.g. :
    • How long do you keep personal data? How about on your backups on the grandfathering system? 7 years? Well guess what you are probably in breach of your local data privacy act
    • Do you ever collect more personal data than you need? Ever mine it for correlations without direct permission?
    • Do you keep any health and safety related info for 50 years?
    • How about using cloud email like Gmail or Postini? Wouldn't your business benefit from prioritized email?  I mean email already travels and is processed everywhere in the world, it is not encrypted most of the time, how can regulators object?
    You don't care and the regulators don't care unless you have an incident. If they ever do an audit, show them the controls including encryption you put in place above and the marketing pack from the Cloud vendor

    There are some good reasons for not significantly reducing your IT costs, increasing your agility, outsourcing painful things like patching. They are:
    • You think this is a fad - good move I like it
    • Its too new - no problems
    • You don't have anyone in your company who knows anything about this and you have not heard of Google
    • You have no idea where to start and you have not heard of Google or Quora
    • You have other priorities like making money or saving money and you don't care about IT - fair enough
    But please don't let security be the reason. Get on board, try out Gmail, Google apps, Postini for email filtering, Salesforce.com, Amazon S3 storage or Simple DB. Do it as pilot, you can do it securely, it will save you money and increase your speed to market. What have you really got to lose?

    2 comments:

    1. good one .....keep udating.... nice work

      ReplyDelete
    2. Enlightening! Summarised up what I need to know about cloud security nicely without me having to google around too much on this subject matter. Keep up the good work!

      ReplyDelete

    Author

    Written by