Evolving Security in the Cloud: 7 colors in my umbrella for this rainy Cloud..Should I still stay in House ?

The world is looking towards Cloud. For some of us , outside it is  bright, shiny and blue Sky with clear Clouds where we want to be the early  adopters of these new economics – of pay for what you use, reduced management –  with no hassles of patching, fault  tolerant architecture and increased productivity – with instant  self-provisioning, anywhere access of latest software.

And for others still there is a dark and rainy side of this as Security  has been the top concern while we decide going out in this Rainy Cloud and  accordingly need an umbrella to get protected and moreover how colorful that  umbrella should be so that its looks attractive and pleasant to use it and rest  can fall under Acceptable Risk.

Let’s figure out what are Top 7 Security Consideration &  Assurance, organizations should look for while they are stepping outward from  on-premise to Cloud Services?

1.  Start from your own Home: Prepare  your on-premise network  perimeter first for cloud.

As soon as the word cloud security  comes, organizations jump on to check what is lying with Cloud Service  Providers end. But we do forget that many critical assets and components are  still on premises like User Identities, Encryption Keys, and Client machines.  This may be the weakest link in this over all security framework, if broken may
compromise the security for the entire solution. Attackers know this and actively targeting end-users, client machines and on-premise Servers.

We should look for a risk-based,  multi-dimensional approach to safeguarding services and data to secure and  control all the way to cloud including  on- premise resources, internal server security, Edge Security and Remote  Client Security. So there is a need to go back for the basic of security –  Defense in Depth.

Design an Identity Federation to  authenticate user to authenticate using their on premise credential and create  a trust relationship between Identity and Resource Provider. Also use  two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security. Regardless of how users sign in, connections established over the Internet to the service should be encrypted

Leverage Secure Web access proxies  to do URL filtering blocking phishing and malicious sites, HTTPS certificate validation,  malware inspection, Access Control rules and Network inspection.

It will be also critical to ensure  appropriate response time for end users while they access productivity tools on  cloud passing through secure web access gateway solutions at the perimeter  network. This may require proper capacity planning for these solutions.

You should do Equal Risk  Assessment for internal Threats and incorporate endpoint protection solution,  application control, Server Hardening and Patch Management.

Look for the seem less secure Direct  Access experience for the client machines which are outside the internal  boundaries for the organization but accessing the same productivity tools on  the cloud. Incorporate Malware protection, Drive encryption and endpoint policy
enforcement solution for these remote machines.

2.  Choose  the Cloud Service Provider who can help you in flying to meet your compliance  need.

Organizations  are ultimately responsible for ensuring you meet your compliance obligations.  Look for the Service provider certifications and audit reports to help you
design your compliance program.

Third party audits and certifications provide a trust on services that those are designed and operated with stringent safeguards.

If you are subject to industry or jurisdictional requirements, you will need to make  your own assessment of your ability to comply, but Customers in many industries
and geographies have found they can use Service Provider Services in a manner  that remains in compliance with applicable regulations, provided they utilize  the services in a manner appropriate to their particular circumstances.

Trusted  third-party certification provides a well-established mechanism for  demonstrating protection of customer data without giving excessive access to  teams of independent auditors that may threaten the integrity of the overall platform.  This also may reduce the need of Right to Audit clause over the time.

3.  Your  identity is your most valuable possession. Protect it, if anything goes wrong,  consequences can be me more dangerous in the cloud.

An organization’s current identity  management gaps extend to the cloud and become more complex: e.g Failure to  disable accounts in a timely manner when people’s employment is terminated or  Failure to adjust rights and permissions when people transfer to new roles.

Same Single Sign on experience as on premise requires Identity Synchronization e.g while migrating from on-premise email boxes to hosted environment.

Workflows and approvals should be  in place to do Provisioning / De- Provisioning to manage users and groups which  reduces high costs and risks associated with manual provisioning.

e.g ensures accounts are disabled  automatically based on several triggers – Change in status in HR database , Paternity  Leave, Short or Long Term Disability,  sabbatical , Promotion, conversion to FTE, or change of job title or  Cost Center , Resignation or termination of employment , Account inactivity , Failure  to change password in n days after expiration

Enhance  security by granting role based access for physical and virtual systems in Private cloud. E.g when Virtual machines are treated as a file on the file  system.  Across physical and virtual  environments, access to files can then be granted through user groups created
in Directory.  It also enables the  management of end-user rights for hardware, application, and presentation  virtualization and can also be used to manage which end-users or groups have  rights to access applications.

e.g if an employee joined in the  organization as a developer role then he/she gains automatic access to private  cloud , can order for new Test VM’s and Test VM’s are configured via  group policy to be separated from rest of  network.

4.  Data Security Life Cycle – should not that become more sensitive in cloud ?

As we know the 2nd   asset bucket in the cloud is “Data” apart from the “Application/Functions/Processes”.

Cloud attributes like  Multi-tenancy, Elasticity, Logical & Global Architecture requires that
Cloud Service provider should ensure a coherent, robust, and transparent  privacy policy emphasizing that you maintain ownership of your data. They  should tell you exactly how they handle and use data gathered. If you decide to  stop using service, do they provide, by default reduced functionality service  kind of thing, allowing you to export your data and should send multiple  notices prior to deletion of customer data.

To  mitigate Data inference & aggregation and to also ensure data discovery,  Data storage and processing should be logically segregated between customers  through specialized Directory technology engineered specifically for the  purpose. For organizations that want additional data isolation, an option  should be available that stores your data on dedicated hardware Protect Anywhere – Right  Management System can help in the battle to prevent data leakage and corporate  disclosure. Many incidents in the recent path have highlighted the growing need  for control of the data which is persistent regardless of the boundaries of  organization. E.g Hosted email service should support additional security  measures to protect sensitive information such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key  encryption and digital signatures as well as Information Rights Management  protection for restricting who can access and perform specific actions on  documents, email, and even voicemail messages

5. All Ok…But what is the surety  during bad time – Double Check on Business Continuity and Disaster Recovery.

Hope for the best but be prepared for the worst. Organization  should check Cloud Service Provider’s highly available data centers  availability, strategically locations around the world. These facilities should  be built from the ground up to protect services and data from harm, whether  natural disaster or unauthorized access.

Physical security best practices should be maintained, including
state-of-the-art hardware, 24-hour secured access, redundant power supplies,  multiple fiber trunks, and other features.

Because of system redundancy, updates can generally be deployed to  the system without any downtime for your users. The system is protected at the  logical layer by robust data isolation, continuous monitoring, and a wide array  of other recognized practices and technologies.

All of the physical and logical security tasks should be taken  care of in the data center, which can drastically reduce the amount of time you  spend keeping your data and systems safe.

 6.   Find out more  information with the Cloud Service provider how they follow a clear, defined, and provable process to  integrate security and privacy in the service from the beginning and for the  whole lifecycle.

While a cloud operator can bring the benefit of consolidated  security expertise, it is also important to ensure that the provider’s  development and maintenance processes integrate security and privacy into each  phase of development.

The SDL addresses security threats throughout the development  process by means that include threat modeling during the design process;  following development best practices and code security standards during coding;  and requiring various tools for testing and verification before deployment.

These proactive checks during development make software less  vulnerable to potential threats after release, and the SDL provides a  structured and consistent methodology with which to apply them.

7.  Where ever you will go, your users  are most Vulnerable…….Security    Education and Awareness will ensure Governance.

Though you are still deciding to  go or not to go for cloud your users may be using some of the cloud services  since many years now and there to enroll they don’t require approval from IT.  You can try restricting use of these applications by blocking access from your
network, but sometimes it looks impractical or it’s likely that users will find  ways to bypass your security measures.

Start by establishing a security  policy that covers the use of external services , acceptable use policy,  implications of failing the follow the policy, what to don’t and what not and
who talk with if they have questions.

Summary:

After incorporating 7 colors to my  umbrella mentioned above to our go to cloud strategy, it can make the sky Bright,  Shiny and with Clear Cloud.

Are you ready to go ????

Advertisements

About Keep Security Evolving

Secure state of today , may not be true tomorrow… so keep security evolving !!!
This entry was posted in Cloud Security. Bookmark the permalink.

12 Responses to Evolving Security in the Cloud: 7 colors in my umbrella for this rainy Cloud..Should I still stay in House ?

  1. Chirag Shah says:

    …I was in a NASSCOM event last couple of days and there everyone was talking about cloud…But no one could get a clear picture on what and how security is going to make impact and the way ahead…your blog made it Enlighting….clearly…blue..without cloudy pics 🙂

  2. pinaldave says:

    I think this is great article. Though, I agree with all the 7 points the 5th one is definitely most important as per my opinion.

    Nobody wants disaster – and every one does their best to make sure the disaster stay away. However, when disaster happens the recovery is often less rehearsed or not properly planned. One needs the most attention when disaster happens. I think following statements sums it up –

    “All of the physical and logical security tasks should be taken care of in the data center, which can drastically reduce the amount of time you spend keeping your data and systems safe.”

    Looking forward to next article in series.

  3. Krishna Sai says:

    Hey Manish, first of all congrats for starting the blog. The content and narration is excellent. This blog will help the people who are planning to shift to cloud to mitigate the security risks. great job once again manish.

    • Thanks for the feedback, really appreciate your input.That will be my priority in future posts also , to simplify the security concepts so that every one from all of us can understand easily to implement and execute in the field. Will be incorporating more data points related to Hybrid environment as we discussed. I also feel Hybrid Model is the practical way for early cloud adoption.

  4. rakesh raj says:

    nice one MG, keep it up…………..Raj

  5. Stephen Jesukanth says:

    Quite a comprehensive and logical approach to cloud security. Very interesting to note areas such as Identity federation, granular data security controls, encryption & key management !! So important for consultants and system integrators to gear up and offer such services to customers !!

  6. Great article Manish. Very precise and comprehensive. Interesting to see areas such as identity federation, granular data security, encryption & key management, which are vital areas for a good cloud security program. But, I wonder if security implementation & consulting organisations are geared up to deliver this !

  7. Thanks Stephan for the feedback. It is always a nice feeling to get the comment from the experts. 🙂

    Identity federation, granular data security, encryption & key management are vital areas for a good cloud security program because in the field ‘Practically’ we will always land in Hybrid scenarios of on-cloud & on-premise. This may not be just true only for migration phase but also Hybrid Model will keep on existing in the long run too due to 2 reasons –

    1. Organizations may prefer always some of the key critical workloads like Identity Management running on-premise only. Another simple example can be that organization may prefer to have specific group emails on – premise and for rest of the normal users they may simply adopt the cloud.

    2. Some may prefer to run the existing environment on -premise as it is and for the new Applications need they may go for Cloud.

    I see lots of momentum already with various solution providers on Identity Management including Federation like ADFS, Single Sign On and Same Sign On. Similarly on Data Security Solutions DRM & RMS kind of solutions can play a critical role ensuring confidential Information protection is persistent irrespective of location (on-premise or on-cloud).

  8. Pranjal Gupta says:

    Good article It Provides detail of new security concepts Interesting to look around areas such as, data security, encryption & key management, which are crucial areas for a secure cloud security structures

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s