STACKING UP OPEN CLOUDS | A ZDNet Multiplexer Blog

Practical steps towards securing the enterprise cloud

Countering threats against cloud infrastructure involves creating and fortifying three critical layers of protection.

With online platforms and infrastructure becoming the target of an increasing volume of attacks, it is critical that organizations proactively monitor and review their cloud security policies and practices. Of all the major threats facing corporate clouds today, low-level attacks such as kernel rootkits and malware are particularly damaging, because they use increasingly sophisticated techniques to avoid detection. System components such as hypervisors and operating systems are prime targets: malicious code hidden at that level runs covertly beneath the security tools that depend on the compromised layer for their own view of the system. If left unchecked, such threats can spread throughout an entire cloud environment and cause enormous damage in a short time.

To counter these types of threats, three distinct protection layers for your platform and infrastructure must be enforced. The first line of defense is client security, which ensures that your cloud can be accessed by authorized users only. Secondly, API level controls must be established where external entities interact with the cloud environment. Lastly, hardware-based technologies that establish trust relationships between infrastructure components should be integrated.

Client device security

Relying on simple authentication mechanisms such as passwords to secure user access is no longer adequate, since they are easily compromised. Cloud environments require more sophisticated identity and access management policies, such as single sign-on (SSO) backed by strong authentication and auditing capabilities.

Protecting business data stored in the cloud calls for strong, hardware-backed authentication. Secure SSO with two-factor authentication is essential in hybrid cloud environments, because it allows the enterprise to keep control of the authentication process rather than delegating it to each provider. Security experts widely regard hardware-based authentication as more effective than software-only authentication, since the second factor cannot be copied off the device by malware that has compromised the operating system.

Intel's Identity Protection Technology (IPT) provides two-factor authentication hardware in a user's laptop or workstation. The second factor is a one-time code generated by a tamper-resistant embedded processor that runs independently of the operating system and produces a fresh code every 30 seconds. This technology also supports strong authentication at cloud endpoints by mediating communication between the computer and validated sites.

Protection at the edge

Application programming interfaces (APIs) provide a method for developers, clients, and third parties to interact with cloud-based applications. The components that expose APIs and mediate access to them are known as service gateways. Control software within a service gateway enforces security policy and handles the orchestration and integration of cloud services. Service gateways allow cloud applications to scale securely and offer a centralized way for teams to collaborate on the creation and enforcement of security policy.

Intel Expressway Service Gateway (ESG) is a highly scalable software appliance that authenticates incoming API requests against existing enterprise identity and access management systems. The gateway communicates with internal infrastructure to broker, expose, and consume cloud application services and APIs using common web-service styles and formats such as REST, SOAP, and JSON, or legacy protocols such as EDI.
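What "authenticates incoming API requests against the identity system and enforces policy" looks like at the gateway boundary, as an added example that is not code from the page, from Intel, or from ESG: the identity provider issues an HMAC-signed bearer token carrying the caller's scopes and an expiry; the gateway verifies the signature in constant time, rejects expired tokens, looks up the scope required for the route, and denies by default anything it has no policy for. The signing key, the route table and the token format are constructed for this example; a real deployment would take the key (or the IdP's public key) from the IAM system and would usually use a standard token format such as JWT.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared between the identity provider that issues tokens and the
# gateway that checks them. A real gateway obtains this from the IAM system and rotates it.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical route policy: the scope a caller must hold for each (method, path).
# Anything not listed is denied, so a newly exposed endpoint stays closed until a policy exists.
ROUTE_POLICY = {
    ("GET", "/api/orders"): "orders:read",
    ("POST", "/api/orders"): "orders:write",
    ("GET", "/api/admin"): "admin",
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scopes: list, ttl: int, now: int) -> str:
    """Identity-provider side: HMAC-SHA256 over the claims, '<payload>.<signature>' in URL-safe base64."""
    payload = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Gateway side: return the claims only if the signature checks out and the token is unexpired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except ValueError:  # wrong number of parts, or malformed base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)  # authentic at this point: only the key holder could have signed it
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def _route_scope(method: str, path: str) -> Optional[str]:
    """Scope required for a route; exact match or a path below the policy prefix."""
    for (m, prefix), scope in ROUTE_POLICY.items():
        if method == m and (path == prefix or path.startswith(prefix + "/")):
            return scope
    return None


def authorize(request: dict, now: int) -> tuple:
    """Policy decision for one inbound request: (allowed, reason)."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_token(GATEWAY_KEY, auth[len("Bearer "):], now)
    if claims is None:
        return False, "invalid or expired token"
    required = _route_scope(request.get("method", ""), request.get("path", ""))
    if required is None:
        return False, "no policy for route (default deny)"
    if required not in claims.get("scopes", []):
        return False, f"scope {required} required"
    return True, f"allowed for {claims['sub']}"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value so the run is reproducible
    token = issue_token(GATEWAY_KEY, "alice", ["orders:read"], 300, now)
    request = {"method": "GET", "path": "/api/orders/42",
               "headers": {"Authorization": "Bearer " + token}}
    print(authorize(request, now))
    print(authorize(dict(request, method="POST"), now))
```

The order of the checks is deliberate: the signature is verified before any claim is read, so a forged or tampered payload never influences routing, and the route lookup denies by default, so the gateway fails closed when an API is exposed without a policy.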

Datacenter protection

The boundaries of the enterprise cloud are elastic and often push the perimeter of the enterprise far beyond the datacenter. Traditional approaches to protecting data and infrastructure using firewalls, physical separation, and isolation are not sufficient on their own in dynamic cloud environments, where workloads move between hosts and the host itself may be the thing that has been compromised.

Hardening any cloud platform against attack requires implementing a strong root of trust that is extremely difficult to defeat or subvert. A hardware-based root of trust provides a trusted foundation within a cloud environment from which a chain of trust can be extended through the critical controlling software layers, including firmware, BIOS, and the hypervisor virtualization layer, so that the integrity of each system can be verified. Because each layer is measured before it runs, a modification anywhere in that chain shows up as a changed measurement: attacks against cloud infrastructure can be detected rapidly, and once a compromise is detected, the spread of malware can be contained more effectively.

Intel Trusted Execution Technology (TXT), found in Intel Xeon processors, provides hardware-based protection and a root of trust, and uses the processor, chipset, and third-party Trusted Platform Modules (TPMs) to better resist software attacks and to make platforms more robust. Intel TXT provides an infrastructure to establish a "known good" set of launch configurations for the BIOS, firmware, and hypervisor that are expected or approved to launch. Intel TXT also creates a more tamper-resistant environment for verifying this launch configuration at execution time. It records the resulting measurements in the TPM's Platform Configuration Registers (PCRs), where the hypervisor and security applications can read them for later comparison and evaluation. Note that a measurement on its own proves nothing; the value only becomes useful when something (a launch policy or a remote attestation service) compares it against the approved set and acts on a mismatch.
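The mechanics behind "measure each layer into the TPM and compare against a known-good launch configuration", as an added example that is not code from the page or from Intel: a PCR can only be extended (new value = hash of old value concatenated with the new measurement), never written directly, so the final value commits to every stage and to their order. The verifier side replays the event log to check that it reproduces the quoted PCR, then checks the PCR against the whitelist of approved configurations. The component images, the three-stage boot order and the `attest` function are constructed for this example; a real TXT launch records its measurements in the TPM's dynamic PCRs and the quote a verifier receives is signed by the TPM's attestation key, which is omitted here.

```python
import hashlib

PCR_ZERO = b"\x00" * 32  # a SHA-256 PCR bank starts out all zeros


def measure(image: bytes) -> bytes:
    """Digest of a component image, computed by the stage that is about to hand control to it."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || digest).

    One-way and order-dependent: software can move a PCR forward, but cannot set it
    to a chosen value, so it cannot make a modified stack look like the approved one.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_launch(stages):
    """Simulate the chain of trust: each stage is measured into the PCR before it runs.
    Returns the final PCR value and the event log that records what was measured."""
    pcr, log = PCR_ZERO, []
    for name, image in stages:
        digest = measure(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from an event log; the log is only believable if this matches the PCR."""
    pcr = PCR_ZERO
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(pcr: bytes, log, known_good) -> tuple:
    """Verifier side (hypothetical): accept a platform only if its log reproduces the quoted PCR
    and that PCR matches one of the approved launch configurations."""
    if replay_log(log) != pcr:
        return False, "event log does not reproduce the quoted PCR"
    if pcr not in known_good:
        return False, "PCR matches no known-good launch configuration"
    return True, "platform booted an approved stack"


# Constructed stand-ins for the real firmware, BIOS and hypervisor images.
GOOD_STACK = [("firmware", b"fw 1.2"), ("bios", b"bios 2.0"), ("hypervisor", b"hv build 7")]
ROOTKIT_STACK = [("firmware", b"fw 1.2"), ("bios", b"bios 2.0"),
                 ("hypervisor", b"hv build 7 + rootkit")]


def known_good_set():
    """The approved configurations an operator would whitelist: here, only the clean stack."""
    return {measured_launch(GOOD_STACK)[0]}


if __name__ == "__main__":
    approved = known_good_set()
    good_pcr, good_log = measured_launch(GOOD_STACK)
    bad_pcr, bad_log = measured_launch(ROOTKIT_STACK)
    print("clean host:     ", attest(good_pcr, good_log, approved))
    print("rootkitted host:", attest(bad_pcr, bad_log, approved))
    # An attacker who controls the hypervisor can edit the log but not the PCR.
    print("forged log:     ", attest(bad_pcr, good_log, approved))
```

The last case is the one that matters for rootkits: malicious code running after launch can rewrite the software-held event log to look clean, but it cannot rewind the hardware PCR, so the replay check catches the lie. The flip side is that any legitimate change to firmware, BIOS or hypervisor also changes the PCR, so the known-good set has to be maintained alongside the patch process or every update will look like an attack.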

Conclusion

Protecting enterprise cloud infrastructure is a continuous and evolving challenge. The elastic and distributed nature of the cloud environment presents many potential attack vectors that can be exploited by threats such as rootkits and malware. By taking practical steps towards implementing security practices at the client, service gateway, and hardware layers, using Intel technology such as IPT, ESG, and TXT, it is possible to minimize risk and strengthen the security of your enterprise cloud.