Given how expensive it is to maintain in-house hardware and software, the idea of putting one's IT infrastructure in the cloud sounds downright heavenly.
Consider the advantages: You needn't have expertise or control over the infrastructure when it's being offered as a service over the Internet. You just put everything in the so-called cloud and forget about it. There's no expense to pay people to sit in a room full of servers or other equipment and play babysitter.
Of course, like any young technology, the rate of implementation is far outpacing most adopters' abilities to secure it. This series is meant to put the requirements of cloud security into sharper perspective.
CSOonline began the task by reaching out to people via several security forums on LinkedIn. What follows are the views of six IT security practitioners on what they believe cloud computing is truly about, and how best to secure it.
Matt Schneider, security consultant and senior Web design architect at Ford Motor Company:
I am very interested in security in the cloud as we are developing a Web application that will give the masses a secure alternative to e-mail, chat, message boards and collaboration whereby all content is protected on our Web and database servers using strong encryption and optionally passkeys. I am just now starting to network in the security space in hopes of getting some unbiased opinions on just how secure this solution is perceived by the experts.
As a Web developer, I know how easy it would be to claim you're doing all you can to protect the data users entrust to your care while just storing it as plain text on a shared hosting site. Most people don't even read the fine print, but if they did, they would probably err on the side of blind trust. In the majority of instances, your personal information is not of value to anyone else and the sites you visit are not being hacked. I am just as guilty of trusting Web apps with my data. But I am well aware of the risks. I have used my credit card hundreds of times for Internet purchases over the years and have never had it stolen from a website by a hacker (at least that I know of).
Most of the data we deal with on the Internet is not sensitive and doesn't warrant being protected from theft or destruction. Take this conversation for example. I highly doubt this data is encrypted while at rest on LinkedIn's servers. If we were discussing something top secret, this would not be the safest way to do it, although we would probably "get lucky" and no one would ever see our conversation.
It makes me wonder just how concerned the average user is about cloud computing. I think most don't even give it a thought. Look at Facebook and Twitter. There's a couple of apps that have been hacked, yet that's all you hear people talking about lately. If they really cared about security, I think they would just stop using those apps.
What makes a website (in particular, one you are trusting your sensitive data to) secure in the eyes of the savvy user? Some of the pieces include:
- SSL connection
- Reputable badge displayed (e.g. Verisign, GeoTrust)
- Multiple badges displayed (Verisign, McAfee, BBB, etc.)
- Trusted company name
- Widely advertised
- Promoted by the media
- Large user base (if there are lots of users, it must be safe)
Are the above enough to convince users that a site is going to protect their sensitive data? I think so. I think there is evidence that users are willing to trust a site that claims to protect their data without ever seeing how it is protected or where it is stored. Take Mint.com for example. Even though you are asked to enter all of your financial account names AND passwords, nowhere on their site do they say how this information is guarded other than "We provide bank-level security for your data." What is that anyway? Are banks really immune to hacking? I personally know people that trust this site with all of their financial account information. They saw it on CNBC, it must be safe.
So, I wonder, is it enough to claim "bank-level security" when creating a Web application that stores data on your behalf or on behalf of your organization? Is the mere illusion of safety enough to foster trust?
I am going somewhere with this. I'll get there eventually.
Terry Woloszyn, CEO/CTO at PerspecSys Inc. in Ontario:
When someone wants to adopt a cloud-based application, we've come up with categories of cloud data governance that they need to address -- privacy, residency, and security (PRS). The security aspect can be split into two main groups -- the security surrounding the data as provided by the cloud vendor, and the security of the data between the user's fingertips and the cloud vendor's firewall. So, in trying to answer the question of what is and isn't cloud security, you are trying to establish a taxonomy.
Michael Versace, partner, principal research contributor at The Wikibon Project, a worldwide community of practitioners, consultants, and researchers dedicated to improving the adoption of technology and business:
Some are making cloud security more difficult to understand than it needs to be. Since security is a risk-based discipline, users need to understand the inherent risks in cloud services and implement the best set of organizational/management/business processes and technology controls to manage risks down to a profitable/acceptable level.
George Moraetes, volunteer cybersecurity consultant at CYBER WARFARE Forum Initiative:
Cloud computing is a business concept commonly defined as SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service). In reality it is outsourcing the data center to third-party providers, all of them proclaiming they are the best in breed and their services are secure. The problem with those profound statements is that every system was thought of as infallible, and the truth is nothing is 100 percent secure.
The first thing is to decouple the term "cloud" and consider it an outsourced data center providing computing services to an organization. If the services provided are software, platform or infrastructure, then securing these particular services should be no different from what one would implement in their own non-outsourced services following industry best practices, but are they? Can one truly control security once outsourced? Can the security itself be outsourced that governs the protection of data and transactions? Can an organization dictate terms to a provider on how to secure their data? I see this as problematic, with many legal ramifications should a breach occur. Also of concern is who owns the data once it is outsourced to the custody of the third party. Where is it located? Who controls the data? In a global environment what is secure in one country is not secure in another, so if a serious breach occurs in another nation, what if any legal recourse do I have if the data is breached?
Consider the effects of Cyberwar if the data is compromised in a country not friendly to another. Truly the security risks are elevated far beyond the cost benefits of cloud computing currently. From the legal sense it becomes nirvana to assure and audit the facilities of the outsourced third party, dictating the terms of how they should run their centers to protect the data.
To Bill Brenner's question, I view what is cloud security as the enabling technologies and practices we all employ in our own traditional data centers (computing services), as the third-party providers also have. What is not cloud security are the legalities, best practices and industry standards that govern the security framework, which becomes the overwhelming issue. It surrounds the benefits of this business concept that everybody is gravitating to because it appears cheap on paper.
Venkatesh Ravindran, information security manager at KVH (a Fidelity Investments company):
As we all know, fundamental security is centered on availability, integrity and confidentiality. Cloud security needs to address these basic components of security. The various domains that should be addressed are:
- Network perimeter security (Perimeter security implemented by the Cloud security provider)
- Network communication security (Transactions happening between the client and the Cloud security provider)
- Application/platform security (This is the challenging part, as most of the applications/platforms will have multi-tenancy)
- Data protection
- Regulation and compliance
Wing Ko, principal architect/CSO at Maricom Systems:
Hopefully people are already aware of the emerging cloud computing definitions from NIST and the Cloud Security Alliance. Our guidance document has provided quite a few cloud security recommendations already, and we plan to release a much richer version 2 in the fall.
I agree with George Moraetes that in its most basic form, cloud computing is just data center outsourcing. Although, depending on the delivery model (XaaS), how you use it, and how your provider implements the services, specific security concerns and safeguards could be quite different from typical data center outsourcing. Devils are in the details and that's why we're devoting quite a bit of time and pages to provide specific guidance.
Having said that, I also agree with Mike Versace that we should offer some basic approaches that ease the learning curve and ask some basic questions. The approach that I've been using is what I coined RAIN, which is just a plain old tried-and-true planning and analysis approach with emphasis on interfacing.
- (R)equirement: understand your business requirements, and derive technical, non-technical, regulatory and security requirements.
- (A)nalysis: from your requirements, analyze what tasks or services you want to or can outsource, and clearly define which party is responsible for which tasks, to reduce confusion and conflict later; perform risk analysis, especially with respect to cloud connectivity, multi-tenancy, local data privacy regulations (of your providers), and business continuity.
- (I)nterface: clearly define system and human interfaces. Who and how to contact providers for services or problems? What API or webpages to use and how, what the returned result should look like? The more interfaces/touch points, the higher the risk for breakages or problems.
- e(N)sure: verify and ensure services are performed according to agreements. (Validate and boundary) Test the results sent from providers to ensure that they are in the correct formats and are what you expected; audit or pen test services; perform practice runs with your providers.
This is nothing new or fancy, but I've witnessed light-bulb moments without glassy eyes when I explained cloud computing challenges with this approach.
About this series: Enterprises are increasingly dependent on cloud-based infrastructure -- virtualized resources provided as a service over the Internet. But security experts worry that many businesses are embracing the cloud without regard for the risks. This series will define how the cloud has changed business processes, where the security risks are and how to mitigate those risks.