IT Focus Area: security
November 9, 2016
Security in the Cloud: Key Considerations & Tools
Organizations are increasingly turning to cloud computing in an effort to reduce IT capital expenditures (CapEx) and increase operational efficiency. Many are re-evaluating their application portfolios and "cloudifying" traditionally internal applications. While the benefits of the cloud are clear (scalability, productivity and increased flexibility to name a few), many organizations are struggling with the associated security implications. The shared nature of the cloud — where one organization's applications may be sharing the same resources as another's — requires IT security teams to acknowledge that they are not in control of these resources, and to address cloud security.
According to Gartner, global public cloud spending is currently 5.7% of $3.41 trillion total IT spending worldwide, but growing eight times as fast annually, at a 16.4% CAGR.*
Effectively handling sensitive information is a constant challenge, and transformational technologies like the cloud bring a whole new set of risks along with the opportunities they provide. Weaknesses in a provider's security can have a dramatic impact on the security posture of the organizations using it. Public cloud security concerns range from vulnerabilities and abuse of cloud services all the way to malware injection and full-scale data breaches. It is important to note that cloud computing is not inherently insecure; it just needs to be managed in a secure way. Organizations should develop a clear understanding of cloud service models, as security issues vary depending on the model being used.
Cloud Service Models
Although most people have developed a basic understanding of cloud computing, there is still some confusion around the core categories of cloud service models — Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). It is important to consider the similarities and differences between these three models.
Infrastructure as a Service (IaaS)
Infrastructure as a Service is a self-service model for managing remote data center infrastructures. IaaS provides virtualized computing resources over the Internet hosted by a third party (e.g., Amazon Web Services). Instead of having to purchase hardware, organizations purchase IaaS based on consumption, similar to utility billing. It enables organizations to build a virtual infrastructure that mimics traditional physical hardware but can be created, reconfigured and removed on-demand.
Platform as a Service (PaaS)
Platform as a Service providers (e.g., Red Hat OpenShift) allow companies to build, run and manage applications without the infrastructure that is usually required. This makes the development, testing, and deployment of applications quick, simple, and cost-effective. Developers can focus on writing code and testing and launching applications without having to worry about other time-consuming activities normally associated with application development, such as provisioning servers, storage and backup.
Software as a Service (SaaS)
Sometimes referred to as on-demand software, software as a service replaces traditional on-device software with software that is licensed on a subscription basis, and centrally hosted in the cloud (e.g., Salesforce.com). Most SaaS applications can be run directly from a web browser without any downloads or installations required, although some require plugins.
Below is an image that illustrates the differences between the three cloud service models.
All Models Are Not Secured Equally
Cloud computing is highly distributed and fluid, with applications and user accounts constantly shifting within data centers, hybrid clouds, and public cloud services. Cloud security therefore requires organizations to take a new approach — one that has less of a perimeter to guard, but a premium placed around data security, risk, monitoring, and audits. Security concerns, and the strategies, policies and controls aimed at securing cloud access and data vary based on the model being used.
The security concerns around IaaS are similar to the concerns of a traditional corporate data center. They include protecting sensitive data and intellectual property, standardizing identity management procedures across on-premises and cloud providers, ensuring compliance standards are evaluated and met, and the ability to audit providers in order to meet those compliance requirements. Additionally, organizations need to address how virtual machines are created, configured, secured, and spun down, which helps to avoid uncontrolled and unsecured images.
Since PaaS is based on the notion of using shared resources (such as hardware, network, and security provisions), security concerns around this model are usually focused on data protection. The ability to encrypt data, secure applications and configurations, monitor access and usage, and keep track of regulatory issues in different geographical regions is important. Another key element to consider within PaaS is the possibility of a cloud provider outage. Security plans should provide for the ability to load balance across regional zones or providers to ensure failover of services.
Security concerns specific to the SaaS model focus on managing access to applications and minimizing risks to data. Organizations need insight into which applications — both sanctioned and unsanctioned — are in use across the organization, and their associated risks. Cloud access security broker solutions along with IAM controls (e.g., single sign-on and federation), and data protection technology (e.g., data loss prevention and encryption) can provide visibility and control that is centered on the applications being used. Additionally, access policies can be created to dictate, for example, that an employee in sales can only download specific information from CRM applications during local business hours.
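Expressed as code, the SaaS access policy just described (sales may download only specific CRM data, and only during local business hours) looks like the decision logic below. This is an added illustration, not code from the original article; the CASB-style engine, the rule table, the role and data-class labels and the sample timestamps are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Hypothetical CASB-style policy for a sanctioned CRM app (constructed): sales may
# download only opportunity records, and only during the user's local business hours.
RULES = {  # (role from IdP/SSO claims, app, action) -> (DLP classes allowed, hours-restricted)
    ("sales", "crm", "view"): (frozenset({"opportunity", "account"}), False),
    ("sales", "crm", "download"): (frozenset({"opportunity"}), True),
}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

@dataclass(frozen=True)
class AccessRequest:
    role: str
    app: str
    action: str
    data_class: str      # label applied by DLP classification
    when_utc: datetime   # timezone-aware UTC timestamp from the proxy/API log
    user_tz: tzinfo      # the user's local zone (zoneinfo.ZoneInfo in production)

def within_business_hours(when_utc: datetime, user_tz: tzinfo) -> bool:
    # Evaluate the clock in the user's zone, not the provider's or the proxy's.
    local = when_utc.astimezone(user_tz)
    if local.weekday() >= 5:  # Saturday/Sunday
        return False
    return BUSINESS_START <= local.time() < BUSINESS_END

def decide(req: AccessRequest) -> tuple:
    # Default deny: only an explicit rule whose every condition holds allows access.
    rule = RULES.get((req.role, req.app, req.action))
    if rule is None:
        return ("deny", "no matching rule")
    allowed_classes, hours_only = rule
    if req.data_class not in allowed_classes:
        return ("deny", "data class not permitted for this action")
    if hours_only and not within_business_hours(req.when_utc, req.user_tz):
        return ("deny", "outside local business hours")
    return ("allow", "matched rule")

def demo() -> dict:
    # The same UTC instant as seen from two user locations (constructed sample).
    at = datetime(2016, 11, 9, 14, 0, tzinfo=timezone.utc)  # a Wednesday
    ny, tokyo = timezone(timedelta(hours=-5)), timezone(timedelta(hours=9))
    return {
        "ny_download": decide(AccessRequest("sales", "crm", "download", "opportunity", at, ny))[0],
        "tokyo_download": decide(AccessRequest("sales", "crm", "download", "opportunity", at, tokyo))[0],
        "pii_download": decide(AccessRequest("sales", "crm", "download", "customer_pii", at, ny))[0],
        "tokyo_view": decide(AccessRequest("sales", "crm", "view", "account", at, tokyo))[0],
        "finance_download": decide(AccessRequest("finance", "crm", "download", "opportunity", at, ny))[0],
    }
```

The point of evaluating against the user's zone rather than the provider's is visible in `demo()`: the same request at the same instant is allowed for a user in New York (09:00 local) and denied for one in Tokyo (23:00 local).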
Key Security Controls
Security controls need enhanced flexibility in order to meet the challenges of the cloud. Some of the tools that can help organizations make secure use of the cloud are highlighted below and mapped to the cloud models.
Successfully adapting traditional security tools and implementing new tools to address cloud security issues requires a carefully planned strategy. While some organizations are using platforms such as Microsoft Azure (a combination of IaaS and PaaS) to rapidly adopt the cloud from the top down, it is important to take a programmatic approach to preparing the organization in order to leverage the cloud securely and efficiently. A comprehensive risk analysis can be performed in order to establish security requirements for all impacted data, processes and applications before migrating to a cloud solution.
Organizations should focus on building a strategy that aligns with their overall security and business goals. It is important to develop the appropriate cloud security architecture and design, data security, IAM processes, and migration strategies before moving applications and data to the cloud. Development resources, tools and processes that facilitate the provisioning, management, orchestration and automation of workload deployment and security — including images, applications, databases, and data — should be in place. Staff should also be trained, hired or contracted in order to ensure that the organization has the skill sets needed to understand, manage and operate the different cloud models and vendors.
The Cloud Security Alliance offers cloud security-specific research, education, certification and events designed to help develop a practical, actionable roadmap for adopting the cloud safely. And the National Institute of Standards and Technology (NIST) has developed a cloud-adapted risk management framework for applications and services migrated to the cloud that considers an organization's risk tolerance, and how critical and sensitive its data is. A readiness assessment conducted by a firm that is experienced with all aspects of IT infrastructure and security can help to determine the best approach for your organization.
A Successful Cloud Strategy Begins and Ends With Security
Organizations in all industries are turning to the cloud as they pursue digital business strategies. Cloud services help to realize benefits that include enhanced productivity, faster time to market, and reduced IT spending. However, failure to ensure security when using these services can detract from these benefits and result in increased costs, data loss, and even brand damage. Effectively addressing cloud security requires a strategy that carefully considers the service models being used, and includes the appropriate security architecture, controls and policies. With the right approach, organizations can reap the benefits of the cloud without compromising the business.