The world is looking towards the Cloud. For some of us, the outside is a bright, shiny blue sky with clear clouds, where we want to be the early adopters of the new economics: pay for what you use; reduced management, with no hassle of patching; fault-tolerant architecture; and increased productivity, with instant self-provisioning and anywhere access to the latest software.
And for others there is still a dark and rainy side to this, as security has been the top concern while we decide whether to go out into this rainy cloud. Accordingly, we need an umbrella for protection, and we must also decide how colourful that umbrella should be so that it looks attractive and pleasant to use, with the rest falling under acceptable risk.
Let's figure out the top 7 security considerations and assurances organizations should look for while stepping outward from on-premises to cloud services.
1. Start from your own home: prepare your on-premises network perimeter first for the cloud.
As soon as the words "cloud security" come up, organizations jump to check what lies at the Cloud Service Provider's end. But we forget that many critical assets and components are still on premises, such as user identities, encryption keys and client machines. These may be the weakest link in the overall security framework; if broken, they may compromise the security of the entire solution. Attackers know this and are actively targeting end users, client machines and on-premises servers.
We should look for a risk-based, multi-dimensional approach to safeguarding services and data, securing and controlling all the way to the cloud, including on-premises resources, internal server security, edge security and remote client security. So there is a need to go back to the basics of security: Defense in Depth.
Design an identity federation that lets users authenticate with their on-premises credentials, creating a trust relationship between the identity provider and the resource provider. Also use two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security. Regardless of how users sign in, connections established over the Internet to the service should be encrypted.
Leverage secure web access proxies to do URL filtering that blocks phishing and malicious sites, HTTPS certificate validation, malware inspection, access control rules and network inspection.
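The two points above about encrypted connections and HTTPS certificate validation are easy to state and easy to get wrong on the client side. The following is an added example, not code from the original post: it builds the hardened client TLS configuration those points call for next to the common "just make it work" misconfiguration of switching verification off, and audits both with a short checklist. Only the Python standard library is used and no network connection is made; the finding texts and the TLS 1.2 floor are assumptions for the example.

```python
"""Weak versus hardened TLS client settings for access to a cloud service.

Added example, not code from the original post. It compares the client-side
TLS configuration that "connections should be encrypted" and "HTTPS
certificate validation" require with the common misconfiguration of
disabling verification, and audits both. No network connection is made.
"""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """A context as often seen in scripts that 'just need to work':
    the traffic is encrypted, but the server could be anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE    # certificate chain is not validated
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """System CA store, full chain validation, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a perimeter policy check would flag (assumed
    checklist: chain validation, hostname check, protocol floor)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The order of the two assignments in `weak_client_context` matters: Python refuses `CERT_NONE` while `check_hostname` is still true, which is exactly the kind of guard rail that gets bypassed one line at a time. The audit function is the piece worth keeping: run it against every context your tooling creates before it is allowed to talk to the service.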
It will also be critical to ensure appropriate response times for end users while they access productivity tools in the cloud through the secure web access gateway at the perimeter network. This may require proper capacity planning for these solutions.
You should do an equal risk assessment for internal threats and incorporate an endpoint protection solution, application control, server hardening and patch management.
Look for a seamless, secure Direct Access experience for client machines that are outside the organization's internal boundaries but access the same productivity tools in the cloud. Incorporate malware protection, drive encryption and an endpoint policy enforcement solution for these remote machines.
2. Choose the Cloud Service Provider who can help you fly to meet your compliance needs.
Organizations are ultimately responsible for ensuring they meet their compliance obligations. Look at the service provider's certifications and audit reports to help you design your compliance program.
Third-party audits and certifications provide trust that services are designed and operated with stringent safeguards.
If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply, but customers in many industries and geographies have found they can use a service provider's services in a manner that remains in compliance with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
Trusted third-party certification provides a well-established mechanism for demonstrating protection of customer data without giving excessive access to teams of independent auditors, which may threaten the integrity of the overall platform. Over time this may also reduce the need for a right-to-audit clause.
3. Your identity is your most valuable possession. Protect it; if anything goes wrong, the consequences can be more dangerous in the cloud.
An organization's current identity management gaps extend to the cloud and become more complex, e.g. failure to disable accounts in a timely manner when people's employment is terminated, or failure to adjust rights and permissions when people transfer to new roles.
The same single sign-on experience as on premises requires identity synchronization, e.g. while migrating from on-premises mailboxes to a hosted environment.
Workflows and approvals should be in place for provisioning and de-provisioning of users and groups, which reduces the high costs and risks associated with manual provisioning.
e.g. ensure accounts are disabled automatically based on several triggers: a change of status in the HR database, paternity leave, short- or long-term disability, sabbatical, promotion, conversion to FTE, change of job title or cost center, resignation or termination of employment, account inactivity, or failure to change the password within n days after expiration.
Enhance security by granting role-based access to physical and virtual systems in the private cloud, e.g. when virtual machines are treated as files on the file system. Across physical and virtual environments, access to those files can then be granted through user groups created in the directory. This also enables management of end-user rights for hardware, application and presentation virtualization, and can be used to manage which end users or groups have rights to access applications.
e.g. if an employee joins the organization in a developer role, he/she gains automatic access to the private cloud and can order new test VMs, and those test VMs are configured via Group Policy to be separated from the rest of the network.
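The triggers listed above, together with the role-based access of the developer example, are the joiner / mover / leaver rules that provisioning workflows automate. The block below is an added example, not code from the original post, showing those rules applied to a few constructed accounts: job roles map to directory groups so that access follows the role, a transfer removes the old role's groups as well as adding the new ones, and any leaver, absence, inactivity or expired-password trigger disables the account. The role names, group names, HR status values, thresholds and record fields are all assumptions made for the example.

```python
"""Joiner / mover / leaver automation for cloud-synchronised identities.

Added example, not code from the original post. It evaluates the
de-provisioning triggers the post lists (HR status change, leave, job
transfer, inactivity, password not changed after expiry) against a few
constructed sample accounts, and maps job roles to directory groups so
that access follows the role rather than the person. The role names,
group names, thresholds and record fields are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed role -> directory group mapping (constructed for this example).
ROLE_GROUPS: Dict[str, Set[str]] = {
    "developer": {"PrivateCloud-Users", "TestVM-Requesters"},
    "analyst": {"Reporting-Readers"},
}

# Assumed thresholds for "account inactivity" and "n days after expiration".
INACTIVITY_LIMIT_DAYS = 90
PASSWORD_GRACE_DAYS = 14

# HR statuses that end employment versus those that suspend access.
LEAVER_STATUSES = {"terminated", "resigned"}
ABSENCE_STATUSES = {"paternity_leave", "disability", "sabbatical"}


@dataclass
class Account:
    user: str
    role: str                  # current role from the HR record
    hr_status: str             # e.g. "active", "terminated", "sabbatical"
    last_login: date
    password_expired_on: Optional[date] = None
    groups: Set[str] = field(default_factory=set)
    enabled: bool = True


def disable_reasons(acct: Account, today: date) -> List[str]:
    """Return every trigger that says this account must be disabled."""
    reasons = []
    if acct.hr_status in LEAVER_STATUSES:
        reasons.append("employment ended")
    elif acct.hr_status in ABSENCE_STATUSES:
        reasons.append("on " + acct.hr_status)
    if (today - acct.last_login).days > INACTIVITY_LIMIT_DAYS:
        reasons.append("inactive")
    if (acct.password_expired_on is not None
            and (today - acct.password_expired_on).days > PASSWORD_GRACE_DAYS):
        reasons.append("password not changed after expiry")
    return reasons


def reconcile(acct: Account, today: date) -> Dict[str, object]:
    """Bring one account in line with HR and return what was changed."""
    reasons = disable_reasons(acct, today)
    if reasons:
        # Leaver or absence: disable and strip every group membership so a
        # later re-enable does not silently restore old rights.
        removed = set(acct.groups)
        acct.enabled = False
        acct.groups = set()
        return {"user": acct.user, "action": "disable",
                "reasons": reasons, "added": set(), "removed": removed}

    # Joiner or mover: groups are derived from the role, so a transfer
    # removes the previous role's groups as well as adding the new ones.
    wanted = ROLE_GROUPS.get(acct.role, set())
    added = wanted - acct.groups
    removed = acct.groups - wanted
    acct.groups = set(wanted)
    acct.enabled = True
    action = "update" if (added or removed) else "none"
    return {"user": acct.user, "action": action,
            "reasons": [], "added": added, "removed": removed}


def run_sample() -> Dict[str, Dict[str, object]]:
    """Reconcile a constructed set of accounts as of a fixed date."""
    today = date(2024, 6, 1)
    accounts = [
        # new developer: should be provisioned into both developer groups
        Account("alice", "developer", "active", today - timedelta(days=1)),
        # developer transferred to analyst: old groups must go away
        Account("bob", "analyst", "active", today - timedelta(days=2),
                groups={"PrivateCloud-Users", "TestVM-Requesters"}),
        # left the company: disable
        Account("carol", "analyst", "terminated", today - timedelta(days=5),
                groups={"Reporting-Readers"}),
        # still employed but no sign-in for four months: disable
        Account("dave", "analyst", "active", today - timedelta(days=120),
                groups={"Reporting-Readers"}),
        # password expired a month ago and was never changed: disable
        Account("erin", "developer", "active", today - timedelta(days=3),
                password_expired_on=today - timedelta(days=30),
                groups={"PrivateCloud-Users", "TestVM-Requesters"}),
    ]
    return {a.user: reconcile(a, today) for a in accounts}


if __name__ == "__main__":
    for user, change in run_sample().items():
        print(user, change["action"], change["reasons"],
              "+", sorted(change["added"]), "-", sorted(change["removed"]))
```

The design point is that group membership is never edited by hand: it is recomputed from the role on every run, so the "mover" case (bob) cannot accumulate rights from previous roles, and a disabled account (carol, dave, erin) ends with no memberships at all. In a real deployment `run_sample` would be replaced by a feed from the HR system and the directory, with the change records written to an audit log.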
4. Data security life cycle: should that not become more sensitive in the cloud?
As we know, the second asset bucket in the cloud is "Data", apart from "Applications/Functions/Processes".
Cloud attributes like multi-tenancy, elasticity and a logical, global architecture require that the Cloud Service Provider ensure a coherent, robust and transparent privacy policy emphasizing that you maintain ownership of your data. They should tell you exactly how they handle and use the data gathered. If you decide to stop using the service, do they provide, by default, a reduced-functionality service that allows you to export your data, and do they send multiple notices prior to deletion of customer data?
To mitigate data inference and aggregation, and also to ensure data discovery, data storage and processing should be logically segregated between customers through specialized directory technology engineered specifically for the purpose. For organizations that want additional data isolation, an option should be available that stores your data on dedicated hardware.
Protect anywhere: a Rights Management System can help in the battle to prevent data leakage and corporate disclosure. Many incidents in the recent past have highlighted the growing need for control over data that is persistent regardless of the organization's boundaries. E.g. a hosted email service should support additional security measures to protect sensitive information, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key encryption and digital signatures, as well as Information Rights Management protection for restricting who can access and perform specific actions on documents, email, and even voicemail messages.
5. All OK... but what is the assurance during bad times? Double-check business continuity and disaster recovery.
Hope for the best but be prepared for the worst. Organizations should check the Cloud Service Provider's highly available data centers, strategically located around the world. These facilities should be built from the ground up to protect services and data from harm, whether natural disaster or unauthorized access.
Physical security best practices should be maintained, including state-of-the-art hardware, 24-hour secured access, redundant power supplies, multiple fiber trunks, and other features.
Because of system redundancy, updates can generally be deployed without any downtime for your users. The system is protected at the logical layer by robust data isolation, continuous monitoring, and a wide array of other recognized practices and technologies.
All of the physical and logical security tasks should be taken care of in the data center, which can drastically reduce the amount of time you spend keeping your data and systems safe.
6. Find out from the Cloud Service Provider how they follow a clear, defined and provable process to integrate security and privacy into the service from the beginning and for the whole lifecycle.
While a cloud operator can bring the benefit of consolidated security expertise, it is also important to ensure that the provider’s development and maintenance processes integrate security and privacy into each phase of development.
The Security Development Lifecycle (SDL) addresses security threats throughout the development process by means that include threat modeling during design; following development best practices and code security standards during coding; and requiring various tools for testing and verification before deployment.
These proactive checks during development make software less vulnerable to potential threats after release, and the SDL provides a structured and consistent methodology with which to apply them.
7. Wherever you go, your users are the most vulnerable... Security education and awareness will ensure governance.
Though you are still deciding whether or not to go to the cloud, your users may have been using some cloud services for many years now, and enrolling in them does not require approval from IT. You can try restricting use of these applications by blocking access from your network, but sometimes that looks impractical, or it is likely that users will find ways to bypass your security measures.
Start by establishing a security policy that covers the use of external services, acceptable use, the implications of failing to follow the policy, what to do and what not to do, and whom to talk to if they have questions.
Summary:
After incorporating the 7 colours of my umbrella mentioned above into our go-to-cloud strategy, it can make the sky bright, shiny and with clear clouds.
Are you ready to go?
...I was at a NASSCOM event the last couple of days and everyone there was talking about cloud... But no one could get a clear picture of what and how security is going to make an impact and the way ahead... your blog made it enlightening... clearly... blue... without cloudy pics 🙂
Thanks Chirag... it's great feedback... You may like to share this further with the relevant community and end users.
I think this is a great article. Though I agree with all the 7 points, the 5th one is definitely the most important in my opinion.
Nobody wants disaster, and everyone does their best to make sure disaster stays away. However, when disaster happens the recovery is often less rehearsed or not properly planned. One needs the most attention when disaster happens. I think the following statement sums it up:
“All of the physical and logical security tasks should be taken care of in the data center, which can drastically reduce the amount of time you spend keeping your data and systems safe.”
Looking forward to the next article in the series.
Very true Pinal... BCP & DR are critical pillars of Information Security. Some of the solution providers were very early to realize that information is more secure if it is available all the time to the users.
Hey Manish, first of all congrats on starting the blog. The content and narration are excellent. This blog will help the people who are planning to shift to the cloud mitigate the security risks. Great job once again, Manish.
Thanks for the feedback, I really appreciate your input. That will be my priority in future posts too: to simplify the security concepts so that everyone can understand them easily and implement and execute them in the field. I will be incorporating more data points related to the hybrid environment, as we discussed. I also feel the hybrid model is the practical way for early cloud adoption.
nice one MG, keep it up... Raj
Thanks Raj.
Quite a comprehensive and logical approach to cloud security. Very interesting to note areas such as identity federation, granular data security controls, encryption & key management!! So important for consultants and system integrators to gear up and offer such services to customers!!
Great article Manish. Very precise and comprehensive. Interesting to see areas such as identity federation, granular data security, encryption & key management, which are vital areas for a good cloud security program. But I wonder if security implementation & consulting organisations are geared up to deliver this!
Thanks Stephan for the feedback. It is always a nice feeling to get the comment from the experts. 🙂
Identity federation, granular data security, encryption & key management are vital areas for a good cloud security program because in the field, "practically", we will always land in hybrid scenarios of on-cloud & on-premises. This may not be true just for the migration phase; the hybrid model will keep on existing in the long run too, due to 2 reasons:
1. Organizations may always prefer some key critical workloads like Identity Management to run on-premises only. Another simple example can be that an organization may prefer to keep specific group mailboxes on-premises, and for the rest of the normal users they may simply adopt the cloud.
2. Some may prefer to run the existing environment on-premises as it is, and for new application needs they may go for the cloud.
I see lots of momentum already with various solution providers on Identity Management, including federation like ADFS, Single Sign-On and Same Sign-On. Similarly, on data security solutions, DRM & RMS kinds of solutions can play a critical role in ensuring confidential information protection is persistent irrespective of location (on-premises or on-cloud).
Good article. It provides details of new security concepts. Interesting to look around areas such as data security, encryption & key management, which are crucial areas for secure cloud security structures.