How will you secure The Cloud?

How will you secure The Cloud?

Summary: Cloud security raises a lot of hackles (no pun intended). Cloud security is no better or worse than any other but its strength is up to you.

SHARE:
5

With Cloud adoption on the rise, how will you secure your Cloud-bound data? And, whose responsibility is your data security--the provider's, yours or a combination? In my opinion, the provider has the ultimate responsibility for network, system and physical security but you have the responsibility for password maintenance, application integrity and data access security. It's common for customers to blame providers and for providers to blame customers in a compromise situation. No one wants to admit a missed patch or a programming flaw that allowed a hacker to break in and steal data. How will you handle security and your responsibility?

Security is a major pain point for providers and would be converts to the technology. The FUD associated with Cloud runs rampant--especially among the ill-informed. The question is, "Is The Cloud less secure by default than other technologies because of its scale?"

The answer is "No, it isn't."

The sheer scale of cloud computing does provide a larger attack surface but it doesn't necessarily mean that it's an easier target. There are five things that you can do to prevent compromises and a single caveat.

Selecting a Provider

Your first step in maintaining security is to carefully and thoughtfully select your provider. You should spend time interviewing a technical representative from your down-selected provider list. Ask about physical, network and system security. Ask about patch cycles. Ask about firmware updates. And, find out what measures your provider takes in maintaining security vigilance and mitigation. You should also ask what type of insurance they have in case of a compromise.

Listen to the answers and be sure that you understand exactly what the provider's responsibilities are. And, find out if the provider carries any regulatory compliance certifications or compliance levels (HIPAA, SOX, PCI).

Tip: The provider should be sympathetic with your requests and open with information and data concerning security. If they aren't, take your business elsewhere.

Secure Programming

"Your application isn't secure." If your provider finds no evidence of a network or system compromise, you'll probably hear this as the reason for your information theft or hack. Perhaps the compromise most often blamed for data loss is SQL Injection. Hackers count on lazy programming so that they can send a malformed string to your database for processing. If this happens, you could lose data or provide the hacker with a list of usernames, passwords, credit card account numbers or the entire contents of a table or database.

Application security is your responsibility. If a hacker steals data from your database via SQL injection, you have no one to blame but yourself (your programmers). Select your programmers carefully and remember that you often get what you pay for and programming is no exception. Choosing the cheap labor option is not what's best for your customers or the longevity of your company.

Tip: Have a third party perform a penetration (pen) test on your applications before you deploy them and then again after each update.

Secure Connectivity

This point shouldn't be taken lightly by you or your provider. Require that anyone who connects to your Cloud-based systems or data has to do so via a secure connection. A secure connection is an absolute necessity to prevent man-in-the-middle attacks or "wire sniffing" techniques employed by hackers to grab your info as it travels to and from those remote Cloud systems. Use a VPN connection and secure protocols (SSH, SFTP, HTTPS) to transmit any data between you and your systems. And, provide your customers with an authentic and updated certificate and HTTPS for web transactions.

You can't trust that every customer will have an updated, virus-free, spyware-free system, so you have to do as much as you can to prevent their data from leaking out through a non-secure connection.

Tip: Purchase certificates from a legitimate SSL Certificate Authority (Thawte, Network Solutions, Verisign, GoDaddy, etc.).

Physical Security

This point has shared responsibility between you and your provider. They have the responsibility for maintaining physical security at the data centers that they use and you have the responsibility for the physical security of your office, your home, your car, your backpack and your computer. You expect that the provider will ensure physical security. The provider makes no such request of you, although maybe he should, since many compromises originate from a lost or stolen device.

System locks, disk encryption, short idle-to-lock times and personal vigilance are key to preventing theft and data loss from mobile systems. Hard drives, flash drives and SIM cards should all be wiped or destroyed prior to disposal.

Tip: Training and periodic reminders are significant factors in preventing loss through negligence, carelessness or device theft.

Passwords

Passwords: The bane of our modern existence. No one likes to choose a difficult-to-type password, when it's much easier to use a kid's name, a pet's name, a phone number or a simple dictionary word that takes a hacker less than one minute to guess. We have too many passwords. We can't use the same one for multiple sites or accounts. And, now you can't even use ones that were OK to use just a couple of years ago.

The solution is to convert users to a two-factor authentication key so that the user only has to remember a single password for everything. The single password changes often (monthly or more frequently) but the associated key changes constantly.

Tip: Before a switch to better technology, the best advice for companies is to setup a password policy that requires users to adhere to a strict password maintenance program that includes length, complexity and lifetime.

The Caveat

Now, the fun part. No matter what you do, there are going to be compromises. You have to learn to accept a certain amount of risk. Operating systems are vulnerable. People are vulnerable. And, there's no perfect system. Full-blown compromises are rare but close calls are common.

Some people assume that data is safer in their own data centers or server rooms but they're wrong. Your data, when exposed to the Internet, is vulnerable. Even if you do everything correctly, you're still only about 80% protected. The leftover 20% is the part you have to worry about. Vigilance is your best deterrent for the remaining 20%. Unfortunately, that's the most expensive 20% to protect. That's the 20% that hackers target.

New exploits, undocumented vulnerabilities and unhappy accidents comprise that 20%. You have to accept it.

The Cloud, contrary to popular folklore, isn't less secure than any other technology. People are sensitive to security issues. Your house isn't 100% secure. Your car isn't 100% secure. And, your data isn't 100% secure, no matter where it is. It never will be. It's unfortunate but true.

But, like most people, hackers aim for the low-hanging fruit. Do everything you can to keep that vulnerability sweet spot as far out of reach as possible by adhering to the five simple measures that I've given you. If you do, then you can feel secure and put your faith in The Cloud.

How will you secure the Cloud? Talk back and let me know.

Topics: IT Employment, CXO, Security

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • Secure Programming

    This is a good blog post on the current state of application coding and security that explains (partially) why this is such an important aspect of security. https://blog.whitehatsec.com/do-we-know-how-to-make-software/
    neskryk
  • RE: How will you secure The Cloud?

    "Tip: The provider should be sympathetic with your requests and open with information and data concerning security. If they arent, take your business elsewhere."<br><br>Agreed. No communication is a bad sign.<br><br>"If a hacker steals data from your database via SQL injection, you have no one to blame but yourself (your programmers)."<br><br>Problem is, SQL makes it way too easy to be vulnerable. The makers of SQL still have a few sacred cows left they're refusing to give up on.<br><br>Your best bet is to use code that layers on top of the database, providing an API that can be secured. Don't access the database directly.<br><br>"The single password changes often (monthly or more frequently) but the associated key changes constantly."<br><br>If a hacker is successfully hacking passwords every month, you're not requiring long enough or strong enough passwords. Changing a password this often is an inconvenience, not a security measure.
    CobraA1
    • RE: How will you secure The Cloud?

      @CobraA1

      I guess the alternative is to have auto-generated passwords. Passwords are a weak link in any system.
      khess
      • RE: How will you secure The Cloud?

        @khess<br><br>The best requirements are usually to make the user use a capital and lowercase letter, a symbol, and a number, and a minimum length.<br><br>The reasons for password requirements are twofold:<br><br>1) To force the attacker to resort to a brute force attack. This means that you should have some complexity requirements, as well as checking them against common passwords (and variants). They needn't be terribly stringent - just enough to prevent types of attacks that aren't brute force (e.g. dictionary attacks).<br><br>2) To make a brute force attack impractical. This means the longer the password, the better. Enforce a minimum length, and do not impose a maximum length for the password. Also, use a very strong cryptographic hash and hash it before sending it to the server.<br><br>The purpose is <i>not</i> necessarily to inconvenience the user. You're not gaining anything by making memorizing the password inconvenient, and in fact that may reduce security by encouraging habits such as writing down the password.<br><br>And that's also why auto-generated passwords are a bad idea - again, they're hard to memorize, encouraging habits such as writing down the password.<br><br>Your fight is not against the user - your fight is against the hacker. Keep that in mind.<br><br>Enforcing a larger minimum length is far more effective than increasing the frequency of password changes.
        CobraA1
  • RE: How will you secure The Cloud?

    This is a fantastic look at a complicated subject. As more and more companies move information to the cloud, they will need the systems in place to assure all that information stays safe. Doing so will allow the company more flexibility as employees can access information more easily. Plus, the enterprise can benefit from the many cost savings that can be seen by moving to the cloud.

    But it???s important to remember to secure that data. Empowering your IT department, so they can protect every device in the system that will access the company???s cloud, will help assure that the information is secure. With the right tools, this can all be done from an IT administrator???s desk. Plus, it???s important to implement security measures for highly sensitive information, so no one can print or email certain documents to unauthorized users. This will guarantee only the right people access the information. Then the company will see the full success of its cloud strategy.

    Stephen Midgley, Absolute Software
    http://blog.absolute.com/
    adaho604