FYI...Security in the Clouds - Part 1
May 24, 2012 - "... Securing a cloud environment involves doing everything we do for traditional IT security plus more.
In other words, the fundamental issues of ensuring the CIAs of security – Confidentiality, Integrity and Availability – are still in play. In fact, it’s even more complicated since now we are dealing with the additional complexity of someone else’s infrastructure. That means we have to begin with a comprehensive risk assessment and from there proceed to develop relevant policies, a solution architecture, a solid implementation that enforces those policies and finish up with a process to analyze results and feedback improvements into the previous steps of the cycle. Nothing new here but sometimes in the cloud rush some people think the laws of gravity have somehow been suspended... What the public cloud adds to the equation is a heightened need to get all this right since it will be in a shared infrastructure at a remote location.
In addition, things like federated single sign-on (to connect across disparate authentication systems), federated account provisioning/deprovisioning (to create and delete the correct access privileges on the system you no longer have direct access to) and securing the hypervisor layer of the virtualization system used by the service provider become key issues. That last part is often overlooked but it shouldn’t be because each new layer of infrastructure represents a potential attack vector.
We know OS’s and apps aren’t perfect so we harden them, patch them and stand up intrusion prevention layers to protect them from the bad guys. The hypervisor in a virtualized computing environment needs the same protections but doesn’t always get the same scrutiny... what happens if the SLA is not met? Many assume that the provider has the capability to guarantee this commitment but in some cases this may be nothing more than a best effort statement with no penalties if violated and no actual ability to deliver this level of service.
Some questions to consider:
• Is the data sufficiently isolated from other users of the shared cloud?
• Are access controls up to the task of keeping the prying eyes of unauthorized users at bay?
• Are you protected against data leakage by administrators working for the cloud provider who are not authorized to view the data but may, by virtue of their privileged status, be able to subvert protections in place?
• Can you get easy access to an audit trail showing who, when, from where, etc., has accessed the data?
• Is it being backed up in case a hard drive crashes?
• Is the environment sufficiently provisioned to handle the demand placed upon it not only by legitimate users but also by attackers launching a denial of service attack?
• What about disaster recovery?
• Is there a mechanism to failover to hot or warm standby at a substantially different geographical location so as to not disrupt operations during an outage?
• Will auditors and regulators be satisfied with your answers to all of these questions?
... so it may not be all that simple to let someone else handle it as you might have first thought as you clearly have some due diligence to perform before turning over the keys to the kingdom..."