Organizational pressure to reduce costs and optimize operations has led many enterprises to investigate cloud computing as a viable alternative to create dynamic, rapidly provisioned resources powering application and storage platforms. Despite potential savings in infrastructure costs and improved business flexibility, security is still the greatest barrier to implementing cloud initiatives for many companies. Information security professionals need to review a staggering array of security considerations when evaluating the risks of cloud computing.
With such a broad scope, how can an organization adequately assess all relevant risks to ensure that their cloud operations are secure? While traditional security challenges such as loss of data, physical damage to infrastructure, and compliance risk are well known, the manifestation of such threats in a cloud environment can be remarkably different. The blurring of boundaries between software-defined and hardware infrastructure in the datacenter demand a different perspective.
One of the first steps towards securing enterprise cloud is to review and update existing IT polices to clearly define guidelines to which all cloud-based operations must adhere. Such policies implement formal controls and processes with the specific aim of protecting data and systems in addition to fulfilling regulatory compliance obligations. Government bodies such as NIST, the US Department of Commerce, and the Australian Government Department of Finance and Deregulation (PDF) have produced cloud computing security documents that outline comprehensive policies for their departments, which can be a useful starting point for implementing a corporate policy.
Cloud security policies should be applied to both internal and third-party managed cloud environments. Whether building private or utilizing public cloud infrastructure within the enterprise, the responsibility for cloud security is shared between your organization and any cloud service providers you engage with. When conducting due diligence on cloud service providers, carefully review their published security policies and ensure that that it aligns with your own corporate policies.
A fundamental security concept employed in many cloud installations is known as the defense-in-depth strategy. This involves using layers of security technologies and business practices to protect data and infrastructure against threats in multiple ways. In the event of a security failure at one level, this approach provides a certain level of redundancy and containment to create a durable security net or grid. Security is more effective when layered at each level of the cloud stack.
When implementing a cloud defense-in-depth strategy, there are several security layers that may be considered. The first and most widely known protection mechanism is data encryption. With appropriate encryption mechanisms, data stored in the cloud can be protected even if access is gained by malicious or unauthorized personnel. A second layer of defense is context-based access control, a type of security policy that filters access to cloud data or resources based on a combination of identity, location, and time. Yet another popular security layer in cloud-based systems is application auditing. This process logs all user activity within an enterprise application and helps information security personnel detect unusual patterns of activity that might indicate a security breach. Finally, it is critical to ensure that all appropriate security policies are enforced where data is transferred between applications or across systems within a cloud environment.
When it comes to cloud security, no universal solutions are available to neutralize all threats against IT infrastructure. Corporate firewalls no longer demarcate a secure perimeter, which can often be extended well beyond the datacenter and into the cloud. It is similarly unwise to assume the security policies of third-party public and hybrid cloud service providers meet the standards and levels of compliance mandated by your internal policies. It is imperative that security requirements expected of third-parties are clearly defined and agreed upon.
Cloud security can be a daunting issue with wide-reaching implications for business. Threats and potential vulnerabilities are magnified and the scope of responsibility expanded dramatically: from protecting data and infrastructure from theft, intrusion or attack through to maintaining regulatory compliance. In following articles, I will outline, some of the , and provide you with for strengthening data, access, and platform protection in your cloud environment.