The world is looking towards the cloud. For some of us, the sky outside is bright, shiny and blue with clear clouds, and we want to be early adopters of the new economics: pay for what you use, reduced management with no hassle of patching, fault-tolerant architecture, and increased productivity through instant self-provisioning and anywhere access to the latest software.
For others there is a dark and rainy side: security has been the top concern while deciding whether to step out into this rainy cloud. We need an umbrella to stay protected, and we need to decide how colourful that umbrella should be so that it is attractive and pleasant to use, with whatever remains falling under acceptable risk.
Let's figure out the top seven security considerations and assurances organizations should look for while they step out from on-premise to cloud services.
1. Start from your own home: prepare your on-premise network perimeter for the cloud first.
As soon as the words "cloud security" come up, organizations jump to checking what lies at the cloud service provider's end. But we forget that many critical assets and components are still on premises: user identities, encryption keys and client machines. These may be the weakest link in the overall security framework; if broken, they can compromise the security of the entire solution. Attackers know this and actively target end users, client machines and on-premise servers.
We should look for a risk-based, multi-dimensional approach to safeguarding services and data that secures and controls the whole path to the cloud, including on-premise resources, internal server security, edge security and remote client security. So there is a need to go back to the basics of security: defense in depth.
Design an identity federation so that users authenticate with their on-premise credentials, and create a trust relationship between the identity provider and the resource provider. Also use two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security. Regardless of how users sign in, connections established over the Internet to the service should be encrypted.
Leverage secure web access proxies for URL filtering that blocks phishing and malicious sites, HTTPS certificate validation, malware inspection, access control rules and network inspection.
It is also critical to ensure an appropriate response time for end users while they access productivity tools in the cloud through the secure web access gateway at the perimeter network. This may require proper capacity planning for these solutions.
Do an equal risk assessment for internal threats, and incorporate an endpoint protection solution, application control, server hardening and patch management.
Look for a seamless and secure direct-access experience for client machines that are outside the organization's internal boundary but access the same productivity tools in the cloud. Incorporate malware protection, drive encryption and an endpoint policy enforcement solution for these remote machines.
2. Choose a cloud service provider who can help you fly to meet your compliance needs.
Third-party audits and certifications provide trust that the services are designed and operated with stringent safeguards.
If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply. Customers in many industries and geographies have found they can use a service provider's services in a manner that remains in compliance with applicable regulations, provided they use the services in a manner appropriate to their particular circumstances.
Trusted third-party certification provides a well-established mechanism for demonstrating protection of customer data without giving excessive access to teams of independent auditors, which could itself threaten the integrity of the overall platform. Over time this may also reduce the need for a right-to-audit clause.
3. Your identity is your most valuable possession. Protect it: if anything goes wrong, the consequences can be more dangerous in the cloud.
An organization's current identity management gaps extend to the cloud and become more complex, e.g. failure to disable accounts in a timely manner when people's employment is terminated, or failure to adjust rights and permissions when people transfer to new roles.
Providing the same single sign-on experience as on premise requires identity synchronization, e.g. while migrating from on-premise mailboxes to a hosted environment.
Workflows and approvals should be in place for provisioning and de-provisioning users and groups, which reduces the high costs and risks associated with manual provisioning.
For example, ensure that accounts are automatically disabled, or their rights re-evaluated, based on several triggers: a change of status in the HR database, paternity leave, short- or long-term disability, sabbatical, promotion, conversion to FTE, change of job title or cost center, resignation or termination of employment, account inactivity, or failure to change the password within n days after expiration.
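As an added illustration of the trigger list above (example code written for this article, not any vendor's provisioning product), the following joins a constructed HR feed against a constructed directory export and decides, per enabled account, whether it should be disabled (leaver, dormant, orphaned, expired password) or its rights re-certified (mover). The field names, the HR status values and the two thresholds are assumptions; the article only says "n days".

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions for this example; the article only says "n days".
PASSWORD_GRACE_DAYS = 14    # disable if password not changed within n days of expiry
INACTIVITY_DAYS = 90        # disable accounts with no logon for this long

# Assumed mapping of the article's HR triggers to statuses that disable an account.
DISABLING_STATUSES = {
    "terminated", "resigned", "paternity_leave",
    "short_term_disability", "long_term_disability", "sabbatical",
}


@dataclass
class HrRecord:
    user: str
    status: str        # "active" or one of DISABLING_STATUSES
    job_title: str
    cost_center: str


@dataclass
class DirectoryAccount:
    user: str
    enabled: bool
    job_title: str
    cost_center: str
    last_logon: Optional[date]
    password_expired_on: Optional[date]   # None if the password is current


@dataclass
class Action:
    user: str
    disable: bool = False
    review_rights: bool = False
    reasons: List[str] = field(default_factory=list)


def evaluate(hr: Optional[HrRecord], acct: DirectoryAccount, today: date) -> Action:
    """Apply the de-provisioning triggers to one enabled directory account."""
    action = Action(acct.user)
    if hr is None:
        # No HR owner: an orphaned account, the classic leaver nobody cleaned up.
        action.disable = True
        action.reasons.append("no matching HR record")
        return action
    if hr.status in DISABLING_STATUSES:
        action.disable = True
        action.reasons.append(f"HR status is {hr.status}")
    if acct.last_logon is None or (today - acct.last_logon).days > INACTIVITY_DAYS:
        action.disable = True
        action.reasons.append(f"no logon in {INACTIVITY_DAYS} days")
    if (acct.password_expired_on is not None
            and (today - acct.password_expired_on).days > PASSWORD_GRACE_DAYS):
        action.disable = True
        action.reasons.append(f"password not changed within {PASSWORD_GRACE_DAYS} days of expiry")
    if hr.status == "active" and (hr.job_title != acct.job_title
                                  or hr.cost_center != acct.cost_center):
        # Mover: keep the account but re-certify group memberships and rights.
        action.review_rights = True
        action.reasons.append("job title or cost center changed in HR")
    return action


def plan(hr_feed: List[HrRecord], directory: List[DirectoryAccount],
         today: date) -> Dict[str, Action]:
    """Return only the accounts that need an action, keyed by user name."""
    hr_by_user = {h.user: h for h in hr_feed}
    result: Dict[str, Action] = {}
    for acct in directory:
        if not acct.enabled:
            continue   # already disabled; nothing to do
        action = evaluate(hr_by_user.get(acct.user), acct, today)
        if action.disable or action.review_rights:
            result[acct.user] = action
    return result


# Constructed sample data for the example (not real users or systems).
TODAY = date(2012, 6, 1)
SAMPLE_HR = [
    HrRecord("alice", "active", "developer", "CC100"),
    HrRecord("bob", "terminated", "developer", "CC100"),
    HrRecord("carol", "active", "senior engineer", "CC200"),   # promoted and moved
    HrRecord("dave", "active", "analyst", "CC300"),
    HrRecord("frank", "active", "developer", "CC100"),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", True, "developer", "CC100", date(2012, 5, 30), None),
    DirectoryAccount("bob", True, "developer", "CC100", date(2012, 5, 31), None),
    DirectoryAccount("carol", True, "engineer", "CC100", date(2012, 5, 29), None),
    DirectoryAccount("dave", True, "analyst", "CC300", date(2012, 5, 28), date(2012, 5, 1)),
    DirectoryAccount("eve", True, "contractor", "CC900", date(2012, 5, 30), None),   # no HR record
    DirectoryAccount("frank", True, "developer", "CC100", date(2011, 11, 1), None),  # dormant
    DirectoryAccount("grace", False, "developer", "CC100", None, None),              # already disabled
]


def sample_plan() -> Dict[str, Action]:
    return plan(SAMPLE_HR, SAMPLE_DIRECTORY, TODAY)


if __name__ == "__main__":
    for user, action in sample_plan().items():
        verb = "DISABLE" if action.disable else "REVIEW"
        print(f"{verb:8} {user}: {'; '.join(action.reasons)}")
```

In a real deployment the plan would be fed to a workflow that disables the account in the directory and, for movers, opens an access re-certification ticket rather than silently changing rights; the point of the example is that every trigger in the list above is a join between two systems of record that can be evaluated automatically.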
Enhance security by granting role-based access to physical and virtual systems in the private cloud, e.g. when virtual machines are treated as files on the file system. Across physical and virtual environments, access to those files can then be granted through user groups created in the directory. This also enables management of end-user rights for hardware, application and presentation virtualization, and can be used to manage which end users or groups have rights to access applications.
E.g. if an employee joins the organization in a developer role, he or she automatically gains access to the private cloud and can order new test VMs, and those test VMs are configured via group policy to be separated from the rest of the network.
4. Data security life cycle: shouldn't that become more sensitive in the cloud?
As we know, the second asset bucket in the cloud is "data", apart from "applications/functions/processes".
Cloud attributes like multi-tenancy, elasticity and a logical, global architecture require that, to mitigate data inference and aggregation and to ensure data discovery, data storage and processing be logically segregated between customers through specialized directory technology engineered specifically for the purpose. For organizations that want additional data isolation, an option should be available that stores their data on dedicated hardware.
Protect anywhere: a rights management system can help in the battle to prevent data leakage and corporate disclosure. Many incidents in the recent past have highlighted the growing need for control over data that persists regardless of the organization's boundaries. E.g. a hosted email service should support additional security measures to protect sensitive information, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key encryption and digital signatures, as well as Information Rights Management protection for restricting who can access and perform specific actions on documents, email and even voicemail messages.
5. All OK... but what is the assurance during bad times? Double-check business continuity and disaster recovery.
Hope for the best but be prepared for the worst. Organizations should check the availability of the cloud service provider's highly available data centers and their strategic locations around the world. These facilities should be built from the ground up to protect services and data from harm, whether natural disaster or unauthorized access.
Because of system redundancy, updates can generally be deployed without any downtime for your users. The system should be protected at the logical layer by robust data isolation, continuous monitoring and a wide array of other recognized practices and technologies.
All of the physical and logical security tasks should be taken care of in the data center, which can drastically reduce the amount of time you spend keeping your data and systems safe.
6. Find out from the cloud service provider how they follow a clear, defined and provable process to integrate security and privacy into the service from the beginning and for the whole lifecycle.
While a cloud operator can bring the benefit of consolidated security expertise, it is also important to ensure that the provider's development and maintenance processes integrate security and privacy into each phase of development.
A Security Development Lifecycle (SDL) addresses security threats throughout the development process by means that include threat modeling during design, following development best practices and code security standards during coding, and requiring various tools for testing and verification before deployment.
These proactive checks during development make software less vulnerable to potential threats after release, and the SDL provides a structured and consistent methodology with which to apply them.
7. Wherever you go, your users are the most vulnerable... Security education and awareness will ensure governance.
Though you are still deciding whether or not to go to the cloud, your users may have been using some cloud services for many years now, and to enroll there they do not need approval from IT. You can try restricting the use of these applications by blocking access from your network, but sometimes that is impractical, or it is likely that users will find ways to bypass your security measures.
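Before deciding what to block, it helps to know which cloud services are already in use. The following is an added example (not code from the article) that reads web-proxy log lines, skips requests the proxy already refused, and reports every host outside a sanctioned list together with the users who reached it. The log format, the sanctioned domains and the log lines themselves are constructed for the example and are not any particular proxy's format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed log format (one request per line):
#   <date> <time> <user> <client_ip> <method> <host[:port]> <status>
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<status>\d{3})$"
)

# Assumed list of services IT has approved; subdomains of these count as sanctioned.
SANCTIONED_DOMAINS = {"mail.corp.example", "crm.approved-vendor.example"}

# Constructed sample log lines for the example.
SAMPLE_LOG = """\
2012-06-01 09:01:12 alice 10.0.0.5 CONNECT mail.corp.example:443 200
2012-06-01 09:03:40 alice 10.0.0.5 CONNECT files.sharebox.example:443 200
2012-06-01 09:05:02 bob 10.0.0.7 CONNECT files.sharebox.example:443 200
2012-06-01 09:06:15 bob 10.0.0.7 GET www.notes-online.example 200
2012-06-01 09:10:33 carol 10.0.0.9 CONNECT app.crm.approved-vendor.example:443 200
2012-06-01 09:12:01 carol 10.0.0.9 CONNECT files.sharebox.example:443 403
malformed line that should be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hostname(host_field: str) -> str:
    """Lower-case the host and drop the ':port' that CONNECT requests carry."""
    return host_field.lower().split(":")[0]


def is_sanctioned(host: str) -> bool:
    # Exact match or a subdomain of an approved domain. The leading dot matters:
    # "evil-approved-vendor.example" must not match "approved-vendor.example".
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def shadow_report(log_text: str) -> Dict[str, List[str]]:
    """Map each unsanctioned host that was successfully reached to its users."""
    users_by_host: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # tolerate junk lines instead of aborting the whole run
        if not rec["status"].startswith(("2", "3")):
            continue   # 4xx/5xx: the proxy already blocked it or the request failed
        host = hostname(rec["host"])
        if is_sanctioned(host):
            continue
        users_by_host[host].add(rec["user"])
    return {h: sorted(u) for h, u in users_by_host.items()}


def top_services(report: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Rank unsanctioned services by how many distinct users touched them."""
    return sorted(((h, len(u)) for h, u in report.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, count in top_services(shadow_report(SAMPLE_LOG)):
        print(f"{count:3} users  {host}")
```

Ranking by distinct users rather than by request count is deliberate: one user polling a service every minute is a single conversation to have, while a service that many users have quietly adopted is a candidate for bringing under policy, or for a sanctioned alternative, rather than for a block that will simply be bypassed.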
Start by establishing a security policy that covers the use of external services, an acceptable use policy, the implications of failing to follow the policy, what to do and what not to do, and whom to talk to if they have questions.
After adding the seven colours above to the umbrella of our go-to-cloud strategy, it can make the sky bright, shiny and with clear clouds.
Are you ready to go?