Hi-Tech Security Solutions delves into the complex and popular world of cloud computing with a view to understanding the security implications of this trend.
The cloud is not a simple solution. It may be more cost effective, flexible and scalable, if you choose the right service provider, but the idea of the cloud being a bucket you can just throw data into or load and run applications from – as people do on their smartphones – and forget about, is as ignorant as it is dangerous.
Firstly, most people view the cloud as a hosted data store: you buy space from a service provider and all your data is stored there, looked after by the provider, who ensures your company has access to its data from anywhere. The idea is that the cloud provider leverages the economies of scale of a large data centre, providing all the space you need at a lower cost than you could host and manage it in-house. Of course, cloud computing is more than just a place to store your data. (See the sidebar below: What is cloud?)
Even in the security world, the idea of cloud services is catching on in many countries. Hosted video is one example, where a company has its surveillance footage stored in a service provider’s data centre and can access it via the Internet. This concept saves money on equipment, maintenance and upgrades, as well as the need to keep IT skills onboard. Of course, it only works in places where you have the bandwidth to support it.
Companies are also starting to offer cloud-based access control services, where a service provider handles the technicalities of managing and running a corporate access control system. Even locally, some access control and time & attendance providers have remote access enabled to store information and to continually monitor the health of the equipment installed. These ideas are still fairly new, but the cost efficiencies and lower skills demands make them very attractive to many companies.
Of course, it is always easy to talk about cloud and the hype around it, but it is not that easy to do it when you consider the real implications of outsourcing data, applications and even business processes to a service provider. One of the primary concerns about anything cloud-like, whether in the security industry or anywhere else, is security. Even if you simply use a service to store data, how can you be sure your data is secure? How can you provide unrestricted access to authorised employees or customers via the Internet from a PC, laptop or smartphone, while restricting unauthorised access and the abundance of malware out there looking for data such as bank account details?
Hi-Tech Security Solutions decided to find out a little more about security in the cloud computing world at a round-table discussion. The attendees in the discussion were Samresh Ramjith from Dimension Data, Hans van Vreeden from Infoprotect, Stephan Le Roux from RSA (an EMC company), Quentin Geldenhuys from HP, Joe Ruthven from IBM, Mark Eardley, an independent consultant, and Eren Ramdhani from CA Southern Africa.
State of the cloud
While everyone would have heard of cloud technology by now and how it can improve their lot, Ramjith says there is still a lack of education among people as to what a dynamic IT organisation looks like and what it should be. Many people still see IT as plumbing as opposed to something that can raise strategic ability and differentiation in an organisation.
However, he says there has been a rapid growth in the adoption of cloud platforms of all descriptions and it has been driven primarily by the commercial benefits of a shared asset model. “The guys who are able to get it right are able to realise significant cost savings, not just in technology, but in the people and process costs. They are also able to realise better quality of service because everything is standardised.”
Geldenhuys adds that within the cloud journey, it comes down to organisational mindset, not only the IT side, but also the business side, “and that is predominantly where the big driver is from, but IT needs to support this and become an enabler of business and not only reactive.”
He adds that the South African market is about two to three years behind what is happening in Europe and the United States at the moment, but this will change dramatically as technology evolves. “I definitely see an interesting time being ahead of us within the next year where local companies, from a technology perspective, will be as advanced as our counterparts in the rest of the world.”
Ramjith agrees, noting that this is especially true in emerging Africa where infrastructure is lacking. Here, cloud services can make an enormous impact on the viability and profitability of companies.
Cloud also gives customers the capability to take older (legacy) applications out of operation and upgrade to the latest technology without having to spend a fortune, says Le Roux. “But I also believe that customers are looking at this and seeing where they should go first; it is a journey, not a quick fix.”
How cloud security aware are we?
To many, the idea of cloud computing equates to a product like Dropbox where you put your data in a directory and Dropbox synchronises it to a server somewhere in the world, encrypts it (supposedly) and you can go about your business happily. Even though Dropbox is a consumer product, the idea remains the same for many business people – it is less for them to worry about and cheaper as they do not need to purchase servers and storage. But are they addressing the security issue?
Many organisations definitely see the merits and benefits of leveraging the Opex versus Capex models of cloud computing, says Ramdhani, but they also understand that you do not really have the control and visibility that you once had as an organisation that hosts everything internally. Many organisations are therefore taking a step-by-step approach in creating internal cloud services, including virtualisation etc., to understand the processes before venturing out into the public or hybrid cloud (see sidebar: cloud deployment models). This also helps in managing some of the security concerns.
It is also important to remember that not all cloud providers are the same. Different processes and data require different levels of security, notes Ramjith. So whether you are talking about cloud or not, it comes back to the basic fundamental security principles: what is the information or what is the process? What is the sensitivity?
In some companies, like banks, it may be that public cloud services are out of the question because the information is just too sensitive and you are never going to put it in the cloud no matter who the provider is. “And unless you have done the basics such as data classification, system classification, role-based access control, identity and access management, understanding relationships and information and the risk management that you need to put around it, you are unable to really start on the journey.”
But this is a two-edged sword because not everyone has bothered to consider the security implications of having data and processes 'out there'. It is often in the name of convenience that security is ignored. “We find some clients have rushed off and have built cloud platforms and then put stuff in or they have started using and consuming cloud services without being aware of the security risks,” he adds. “So you will have board members sharing board packs by Dropbox. And you will have people syncing all their data into iTunes or iCloud.
“So they are a cloud user, they just do not know it and have not considered the security aspect.”
Van Vreeden agrees and says many companies have discovered the benefits of cloud services, some even seeing it as a perfect fit to their problems. However, what IT needs to do is educate people and create the awareness of what exactly is involved: Where the data or the application will be held; the communication methods that will take place, the encryption that takes place and so forth.
Do these arrangements actually meet the governance and security requirements of the company? If they do, which applications or processes will actually be replaced by cloud services? What will the direct benefits and implications be? From there, the organisation can move on to understanding how the change will affect the business as a whole.
Backing up to a cloud-based server may be just what the doctor ordered for some companies, but what about the executive who wants to access this data from home. What security will this person have at home? Will his kids have inadvertently downloaded malware from Facebook or some other social network that will compromise the company’s security?
Even if the company tries to stop access from home, employees will find a way to exploit the convenience at the cost of security. An organisation’s cloud preparation must consider this inevitable fact.
We are really dealing with a couple of extremes here, adds Ruthven. We have the traditional classic mistake of people adopting something without paying attention to security considerations at all, like we have seen over the years in all aspects of IT. On the other side, we have people that are so worried about security they do not do it at all, and in between you have all the examples that everybody has shared here.
“I think it is important for organisations, as a starting point with security in mind, to give themselves the ability to monitor everything. Ignorant users that load things onto public clouds are going to keep on doing that because of the convenience factor. With monitoring as one of the core security principles, the company gains the ability to know who did something, what they did and have the proof that it was actually done.”
If you monitor everything, including the cloud, and have baselines so that you can spot abnormal or taboo behaviours, you may not be able to stop someone from putting a file into Dropbox, for example, but you will know that it has been done and at least you can go and do something about it. “Right now, the IT department and the risk department have no clue of how much intellectual property or confidential customer information sits in these public clouds, they have absolutely no clue,” Ruthven adds.
Le Roux agrees, noting that data classification and continuous information management have matured as processes within the organisations over the past few years. However, there are still some fundamentals that need to be addressed properly, such as life cycle management. We have all heard stories of someone who leaves a company, but is still able to log on and access data or enter premises months after he has gone. Adding cloud to the equation simply makes security problems like this worse.
The access area is where monitoring can also make a big difference. Geldenhuys mentions the benefits of monitoring physical and logical access together and having the capability to immediately link a transaction with an event: for example, recognising that a user is logging on by remote VPN after he has already badged into the building, and raising a flag. Having that information immediately, with the data analytics capability to act on it, is what allows the security department to proactively enforce standards and investigate what is happening, and that is where the investment pays dividends.
Education at all levels
Le Roux believes one of the reasons security is still a bugbear or a grudge purchase is that it still is not a boardroom topic. There is talk of the benefits of cloud and the reduction in cost that it can bring, but security is left out. Additionally, the people building the cloud solutions are infrastructure architects, not security architects, which means they develop great solutions without considering the security element. Incorporating security professionals in the initial design phases should be standard procedure, so that the security aspect is built in from the start instead of having to be bolted on as an afterthought – which is always messy.
It is all about security awareness. The threats and the attackers have changed and keep on changing and you cannot allow ignorance to impact your company.
Not having security represented on the board is probably one of the biggest problems that organisations have, says Ruthven. “IBM has done a very interesting study, called the 'CISO study'. We looked at organisations who had a CISO (chief information security officer) compared to those who did not. The companies who had the CISO and who had the focus at board level had a much better security posture. They were thinking about security early, they were doing all these things that we are now saying do not happen.
“Typically, those organisations had been burnt at board level through either a regulatory fine or an audit fine against them. Or they had a massive loss of information or money. That was a wake-up call.”
Ramdhani adds that some clients believe that because they are not a bank, they do not need to worry about security. Their business is mining or logistics so what do they need all this information security for? Then their server farm crashes and they lose millions because they cannot function effectively. Again, awareness of the real implications of poor security for each individual company is crucial.
In addition, it is also important to realise that perimeter security is not the end of it. With virtualisation, phishing and malware coming from almost any source, as well as ‘safe’ options like Dropbox and FTP transfers, your information lifecycle is more important than ever. Part of this awareness is to make security a business enabler rather than the inhibitor it is viewed as today. Instead of saying NO to cloud or services like Dropbox or mobile access to the corporate network, Ramjith says users at all levels should be educated to KNOW the implications of what they are doing.
Van Vreeden says that companies need to first understand their internal security goals and what they want to achieve. Once you actually grasp that properly, you will be able to better understand how taking on a cloud solution will actually affect the business from various aspects.
Le Roux adds that having legislation that has teeth will also go a long way in encouraging senior people to take security more seriously. King II and PoPI (when it is passed) should assist in that as long as they are enforced.
The importance of identification
One of the greatest security risks to any organisation is people, especially those inside the organisation. As has been noted in previous issues of Hi-Tech Security Solutions, the majority of fraud in companies is done by an insider, most of them without a previous criminal record. So when it comes to protecting data, money, processes and anything that is of value to the organisation, the issue of correctly identifying the person doing something is critical.
The problem, says Eardley, is that very few companies currently have the mechanisms in place to effectively identify who is doing what, when. “At the core of IT security currently, we have no methodology to accurately say, this person signed onto that machine, this is the application they opened; this is what they did within that application because we base all of our IT security, almost universally, on nothing more effective than a card, PIN or password (CPP). I can use yours and you can use mine. That might be an inconvenient truth, but it nevertheless is a fundamental flaw within IT security. If a person denies having logged onto a system and stolen money, even though their password was used, you have no case against them.
“So all of the talk that we hear about DLP, SIEM, IAM, IDS, IDM, is in fact completely irrelevant because we are unable to say who, what, when, and where.”
While everyone agrees with this authentication issue, Geldenhuys adds that it is also a matter of convenience and the concept of “I want it faster, I want it better, I want it now”.
Eardley asks whether it is therefore time to make biometrics a boardroom issue. He points out that South Africa is truly a world leader in its application of biometric technology in the physical security world, i.e. in the physical access control and time & attendance markets, and is realistically years ahead of EU and US usage of biometrics. Should we not be translating this into the digital world?
As an example of unauthenticated transactions, a recent ‘heist’ in the US was mentioned. A group of people gained access to a retailer’s loyalty card database and stole money people had on their cards, but only small amounts, less than $5 each, so the card owners would not catch on. It took a long time for the company to notice, since nobody notices a small amount that is missing, but before they were stopped, the thieves managed to steal over $40 million. They pretended to be the authorised cardholders, and there was no way to prove it was not actually the cardholder making each transaction until long after the fact, when the company noticed an anomaly in its data.
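The heist above is invisible per card and conspicuous only in aggregate, which is exactly the point Ruthven made earlier about monitoring everything and keeping baselines to spot abnormal behaviour. The following Python is an added example for this article, not the retailer's actual detection logic, which the article does not describe. It compares each day's count of sub-$5 loyalty-card debits against a trailing baseline and, on an anomalous day, names the merchant identifier behind most of them and counts the cards it touched. The transaction records, the merchant field and the thresholds are constructed assumptions.

```python
"""Spotting a low-value skimming campaign with a population baseline.

Added example for this article; not the retailer's detection logic. The
transactions, the merchant identifier and all thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

SMALL_DEBIT = 5.00        # the "under $5" debits the article describes
SIGMA_THRESHOLD = 3.0     # flag a day above mean + 3 standard deviations
MIN_BASELINE_DAYS = 7     # need at least a week of history before judging a day


def build_sample_transactions():
    """Constructed data: 14 normal days, then one day with 400 extra $4.87 debits.

    Each record is (day, card_id, merchant_id, amount). Normal days carry 40
    genuine small debits and 60 ordinary purchases spread over eight merchants.
    """
    txns = []
    start = date(2013, 5, 1)
    for d in range(15):
        day = start + timedelta(days=d)
        for n in range(40):   # genuine small debits: many cards, many merchants
            txns.append((day, f"C{(d * 40 + n) % 500:04d}", f"M{n % 8:02d}", 2.50 + (n % 5) * 0.45))
        for n in range(60):   # ordinary larger purchases
            txns.append((day, f"C{(d * 60 + n) % 500:04d}", f"M{n % 8:02d}", 12.00 + n))
    attack_day = start + timedelta(days=14)
    for n in range(400):      # the campaign: one sub-$5 debit per card, all via one merchant id
        txns.append((attack_day, f"C{n % 500:04d}", "M99", 4.87))
    return txns


def flag_days(txns):
    """Return one tuple per anomalous day:
    (day_iso, small_debits, baseline_mean, top_merchant, top_merchant_share, cards_hit).

    Each day is judged against the days before it, and a flagged day is kept
    out of the baseline so the campaign cannot normalise itself.
    """
    small_per_day = Counter()
    per_day_merchant = defaultdict(Counter)
    cards_per_day_merchant = defaultdict(lambda: defaultdict(set))
    for day, card, merchant, amount in txns:
        if amount < SMALL_DEBIT:
            small_per_day[day] += 1
            per_day_merchant[day][merchant] += 1
            cards_per_day_merchant[day][merchant].add(card)

    flagged, history = [], []
    for day in sorted(small_per_day):
        n = small_per_day[day]
        if len(history) >= MIN_BASELINE_DAYS:
            mu, sigma = mean(history), pstdev(history)
            # Floor sigma at 1 so a perfectly flat baseline still yields a sane threshold.
            if n > mu + SIGMA_THRESHOLD * max(sigma, 1.0):
                merchant, count = per_day_merchant[day].most_common(1)[0]
                cards_hit = len(cards_per_day_merchant[day][merchant])
                flagged.append((day.isoformat(), n, round(mu, 1), merchant,
                                round(count / n, 2), cards_hit))
                continue
        history.append(n)
    return flagged


if __name__ == "__main__":
    for row in flag_days(build_sample_transactions()):
        print("anomalous day %s: %d small debits (baseline %.1f), %s accounts for %.0f%% across %d cards"
              % (row[0], row[1], row[2], row[3], row[4] * 100, row[5]))
```

A per-card rule would never fire here: every card loses $4.87 once. The aggregate view fires on the first day of the campaign and immediately points at the one merchant identifier common to the debits, which is the thread an investigator would pull. In production the baseline would also be segmented by weekday and by merchant so that a legitimately busy Saturday does not look like an attack.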
Of course, Ruthven points out that while integrating biometrics with the digital world is a good idea, there are additional security areas that will not be helped with effective identification. The need for monitoring still remains.
Context is king
“We still need to have the ability to say ‘Joe logged on and he is who he says he is because he had a thumb print authenticate his identity’, but then we need to monitor the behaviour and we need to monitor it in context. If I come into the organisation, I may be a director, I may have access to privileged information etc., and me logging onto a HR system is a totally legitimate activity. Also, sending an e-mail to a Gmail account is a totally legitimate activity, but the visibility you need is to be able to say, ‘Joe logged on, he identified himself correctly, he had access to the HR system, he accessed that HR system, he sent a Gmail’; all of those in isolation are legitimate activities. But if it happens in a specific sequence, ‘he logged on at 12 pm via VPN, accessed the HR system and within 10 minutes sent a Gmail containing salary data to a known competitor’, now that becomes a security exposure. You need data, but you also need real-time analysis to assess the context.”
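Both correlation cases raised at the round table, Geldenhuys's badge-in followed by a remote VPN logon and Ruthven's VPN-then-HR-then-competitor-mail sequence, come down to the same thing: keeping a little state per user and judging each new event against it. The Python below is an added example written for this article, not code from any of the participants' companies. The log format, the user and system names, the competitor domain and the ten-minute window are assumptions; the log lines are constructed.

```python
"""Context-aware event correlation over constructed log lines.

Added example for this article, not code from any round-table participant.
Log format, names, the competitor domain and the time window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: "ISO-8601 timestamp|source|user|detail".
#   joe: badges into the building, then appears on the remote VPN (Geldenhuys's case);
#        his evening VPN logon after badging out is normal.
#   ann: VPN logon at 12:00, salary report, mail to a competitor 8 minutes later (Ruthven's case).
#   bob: salary report and a personal Gmail, but no VPN and no competitor: legitimate.
SAMPLE_LOG = """\
2013-06-03T07:55:00|badge|joe|entry:main-lobby
2013-06-03T08:10:00|vpn|joe|logon:198.51.100.23
2013-06-03T09:30:00|hr|bob|view:salary-report
2013-06-03T09:42:00|mail|bob|to:bob.home@gmail.com
2013-06-03T12:00:00|vpn|ann|logon:203.0.113.8
2013-06-03T12:04:00|hr|ann|view:salary-report
2013-06-03T12:12:00|mail|ann|to:recruiting@competitor.example
2013-06-03T17:40:00|badge|joe|exit:main-lobby
2013-06-03T19:05:00|vpn|joe|logon:198.51.100.23
"""

# Assumed policy inputs.
KNOWN_COMPETITOR_DOMAINS = {"competitor.example"}
SENSITIVE_HR_VIEWS = {"view:salary-report"}
MAIL_AFTER_HR_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the pipe-delimited log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply two context rules and return alerts as (user, rule, timestamp).

    Rule 1: remote VPN logon while the badge system still has the user inside
            the building (badge-in with no badge-out).
    Rule 2: an open VPN session, a sensitive HR view, and within ten minutes a
            mail to a known competitor domain. Each step alone is legitimate;
            only the sequence is flagged.
    """
    on_premises = {}     # user -> badge-in time
    vpn_session = {}     # user -> VPN logon time (no logoff seen yet)
    last_hr_view = {}    # user -> time of the last sensitive HR view
    alerts = []
    for e in events:
        user, src, detail, ts = e["user"], e["source"], e["detail"], e["ts"]
        if src == "badge":
            if detail.startswith("entry:"):
                on_premises[user] = ts
            elif detail.startswith("exit:"):
                on_premises.pop(user, None)
        elif src == "vpn":
            if detail.startswith("logon:"):
                vpn_session[user] = ts
                if user in on_premises:
                    alerts.append((user, "vpn-logon-while-on-premises", ts))
            elif detail.startswith("logoff"):
                vpn_session.pop(user, None)
        elif src == "hr":
            if detail in SENSITIVE_HR_VIEWS:
                last_hr_view[user] = ts
        elif src == "mail":
            recipient = detail.split(":", 1)[1]
            domain = recipient.rsplit("@", 1)[-1].lower()
            recent_hr = user in last_hr_view and ts - last_hr_view[user] <= MAIL_AFTER_HR_WINDOW
            if domain in KNOWN_COMPETITOR_DOMAINS and user in vpn_session and recent_hr:
                alerts.append((user, "hr-data-to-competitor-over-vpn", ts))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in correlate(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {rule}")
```

Run stand-alone it prints two alerts, one for joe at 08:10 and one for ann at 12:12, and nothing for bob or for joe's evening logon. The state this needs is small, but it only exists if the physical access system, the VPN concentrator, the HR application and the mail gateway all feed one place with a consistent user identifier, which is the integration work the monitoring argument above actually implies.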
The question was raised as to the effectiveness of biometrics when breaking out of the confines of the enterprise into the cloud. Can an identity chain be built as reliably and still be trusted when dealing with data, applications and processes in the cloud? Eardley believes it can when looking at the uses biometrics has been put to in the physical security world.
“It is a very similar environment to what we saw in South Africa eight or nine years ago when biometrics started to replace conventional access cards. There was apprehension and a lot of misunderstanding about the technology, and there was a lot of debate around what good biometric technology is and what constitutes competency in biometric authentication. The IT market is going through the same issues now and I believe it should learn from the lessons the physical security industry learned in moving from uncertainty to effective identification.”
Both Ramjith and Ramdhani point out that, even with biometric authentication, it is still an issue of people and educating them as to what is acceptable behaviour or not from a security perspective throughout their scope of operations. The strictest legislation or corporate policies are worthless if they are not broken down into processes and policies that are tailored to and understandable at every level of the organisation.
While cloud security is a complex task for any organisation, the reality is that it is simply an extension of the security processes and procedures organisations should already have in place as part of their corporate governance policies. If you cannot adequately secure your internal network, you have no chance of securing your cloud activities, especially when considering the public cloud.
On the other hand, if you have your finger on your internal network’s security and the activities of your employees, expanding to the cloud is simpler and will not be as big a burden on employees and security administrators as suddenly trying to create a good security posture out of the blue.
What is cloud?
Cloud computing is a colloquial expression used to describe a variety of different computing concepts that involve a large number of computers connected through a real-time communication network (typically the Internet). ... The popularity of the term can be attributed to its use in marketing to sell hosted services in the sense of application service provisioning: running client-server software at a remote location.
Cloud computing relies on sharing of resources to achieve coherence and economies of scale similar to a utility (like the electricity grid) over a network. At the foundation of cloud computing is the broader concept of converged infrastructure and shared services.
The cloud also focuses on maximising the effectiveness of the shared resources. Cloud resources are usually not only shared by multiple users but also dynamically re-allocated according to demand. This can work for allocating resources to users in different time zones. For example, a cloud computing facility may serve European users during European business hours with a specific application (e.g. e-mail), while the same resources are reallocated to serve North American users during North America’s business hours with another application (e.g. a Web server). This approach should maximise the use of computing power and thus reduce environmental damage as well, since less power, air conditioning, rack space and so on is required for the same functions.
Cloud deployment models
Private cloud is cloud infrastructure operated solely for a single organisation, whether managed internally or by a third party and hosted internally or externally. Undertaking a private cloud project requires a significant level and degree of engagement to virtualise the business environment, and requires the organisation to re-evaluate decisions about existing resources. When done right, it can improve business, but every step in the project raises security issues that must be addressed to prevent serious vulnerabilities.
A cloud is called a ‘public cloud’ when the services are rendered over a network that is open for public use. Technically there is no difference between public and private cloud architecture; however, the security considerations may be substantially different for services (applications, storage and other resources) that are made available by a service provider to a public audience, and where communication takes place over a non-trusted network. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via the Internet.
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities, but are bound together, offering the benefits of multiple deployment models. Such composition expands deployment options for cloud services, allowing IT organisations to use public cloud computing resources to meet temporary needs. This capability enables hybrid clouds to employ cloud bursting for scaling across clouds.
© Technews Publishing (Pty) Ltd | All Rights Reserved