Sunday, January 22, 2017

Cloud Security and Risk Part 2

In Part 1 we discussed Risk, Security and Cloud Computing at a high level. Having been part of design teams as a contributor as well as project manager, to include security and assessment team management, over the last few years, I still find the same repeatable security concerns and issues directed at the Cloud. So here is my take on a few of them with respect to a Private Cloud environment. Remember, a private cloud can be housed within the infrastructure of a service provider (more cost effective for you) or within your own in-house network. Some of these thoughts can be translated into the Public Cloud environments, although some additional controls may be in order.

It is a given that security of data is a major concern for any entity considering a move toward a Cloud Computing environment. "How will my data be kept secure from unauthorized access, modification or distribution?" can be a nagging concern. Data loss, modification, or misplacement will affect the entire organizational structure up to and possibly including shareholder value.

Major cloud providers therefore are going to great lengths these days to ensure that there are essential mitigative controls and response processes in place, in the event of a security breach, which in most instances will include their client either actively or passively with updates in a pre-defined time-frame.

Some of these updates can include alerting, centralized logging, and smart monitoring (not just signature-based events) observing traffic to and from the client location into their private cloud environment. They will typically have processes in place whereby all these systems are auditable, aligned to established industry standards, and aligned with emergency change management protocols.

One thing that I like to look at is a service provider's security policy (which is typically based off the ISO 27000 series) as well as an independent auditor's SAS 70 report. The SAS 70 report, for example, will identify and test controls in place to secure the environments both physical and logical, test access control privileges, test backup and recovery, as well as data protection at rest, to name a few. One thing that is of importance here is getting clarification as to how data in motion is secured going into the cloud from the client's site, as well as how the cloud service provider (CSP) provisions user rights and manages administrative access.

However, before transferring data to the cloud, ask yourself: have you identified, classified and defined ownership of your data?

Once there is some structure and organization with regard to data classification and ownership, you have taken a step toward securing your data and assigned some control as you move to a private cloud. This, combined with the stringent controls a CSP has implemented, can ensure that anyone accessing your data is identified, tracked and, most importantly, auditable.

Always remember your CSP wants your business and in this light will ensure that they endeavour to make you happy by the manner with which they manage your data as well as with the service they provide within this sphere.

In almost all of my articles I have mentioned Service Level Agreements. As Cloud Services mature, so will the SLAs implemented to protect your data. This will allow you to move your data without concern for lock-in, incompatibility between CSPs or data loss; an assurance that will become common, showing that CSPs are targeting all major areas of concern to earn your business and ensure the confidentiality, integrity and availability of your data.

In closing, I wanted to share one question that I have been asked frequently: the one about hypervisor security and the potential of rootkit injection within this area, an attack which can possibly allow data exfiltration without a timely alert.

While there is always the possibility of a crack occurring in any one system, be assured that researchers and practitioners are constantly looking for ways to ensure the security of data.

With that said, I have seen the successful implementation of the Altor software firewall, which, for the VMware folks, can be integrated via VMsafe application programming interfaces.

According to the manufacturer, the firewall can see traffic as it moves through the hypervisor between virtual machines (VMs) on the same physical host. I think this is a good baseline and will allow us to track and create auditable records for any notification of an unauthorised or suspicious event occurring.

For more on this software hypervisor firewall and the hypervisor environments it can impact, see the VGW Series by Juniper Networks.

Reference

http://www.juniper.net/us/en/products-services/software/security/vgw-series/
