Who hasn’t heard of cloud computing? Even the security industry is getting into cloud services – albeit with limited success. But how secure is your cloud provider? What questions do users need to ask of their cloud provider, especially today when data seems to be freely given to government agencies to snoop on? Is it safe to store your data on servers hosted in the USA? Is it even legal under PoPI to do that? Do we need to encrypt everything? And once we get past all that, there’s still the criminal threat to consider.
Hi-Tech Security Solutions asked Check Point Software’s Doros Hadjizenonos and Securicom’s Richard Broeke for their take on the issues faced in secure cloud computing.
Hi-Tech Security Solutions: Everyone seems to like the idea of cloud computing, but can we rely on cloud providers to look after our data? What do users/companies need to look out for to determine if a cloud provider is capable of providing an acceptable level of security?
Richard Broeke: Companies and users looking to put data into the cloud need to look at partnering with a cloud provider that has a track record of security. There is no legitimate company out there doing cloud services that has an intention to steal your data; however, some might hold it to ransom to make sure you stay with their services. This you need to watch out for, so read the contract terms and conditions very carefully, particularly clauses such as ‘reasonable cost’. Make sure up front that you know what you’re in for.
The best case would be to make sure that the cloud provider not only has local presence, but local infrastructure as then you know who you are dealing with and more importantly, where your data is actually residing.
Doros Hadjizenonos: This is an incredibly important and far-reaching question as the function is being outsourced, but the responsibility remains with the business. That said, outsourcing is not a reason to give up on awareness, involvement or control of IT operations and security. A company’s cloud provider is their 'virtual IT department' and it is their responsibility to ensure the provider meets their daily operational, compliance and security requirements. Here’s a list of items organisations need to consider when selecting a cloud provider:
* Financial stability/'going out of business'. How financially stable is your cloud provider?
* Unplanned outages. What plan does your provider have in place to handle failures such as loss of power, critical equipment failures, volumetric DDoS attacks, etc.? Have you built redundancy into your cloud service model?
* Integration points. How will your organisation be able to securely move your existing systems and data to a cloud platform, ensuring that people can connect securely?
Are the integration points and data conversion rates smooth, reliable and not impactful to operations, especially ongoing, long-term operations?
- Seamless integration with IaaS providers; primarily Amazon Web Services.
- Integrate with cloud automation and orchestration (Web services).
* Security – what is contractually offered and obligated? What type and level of security is your cloud provider obligated to provide, i.e. what does the contract say? It is important to know (before the SLA is drafted) what types of security your provider contractually offers. Can they protect your organisation against all types of threats – access, as well as protection against known attacks, vulnerabilities, bot infections and attacks, data theft, zero-day and unknown attacks, DDoS attacks, and Web and secure mobile access?
Another way to assess this is by looking at what security infrastructure your cloud provider offers.
- FW/VPN for access control.
- AV to protect against known attacks.
- IPS to protect known vulnerabilities from being exploited.
- Application awareness to protect use of Web applications.
- Anti-bot to protect against bot infections and bot communications.
- DLP to protect against data theft.
- Sandboxing to protect against zero-day and unknown attacks hidden in files.
- Mobile to protect data and systems housed and accessed from mobile devices.
- On-site DDoS protection plus active partnerships for offsite attack remediation and incident response assistance.
* Security service level agreement. According to your contract, what is your provider offering/obligated to provide and with what response time for the following?
- Monitoring and notification of incidents.
- Incident response.
- Incident mitigation.
- Incident remediation.
- Policy management.
- Bottom line, is your provider actively monitoring and managing your security and security stance against the ever-changing threats?
* Secure segmentation
- Are 'your servers' and 'your cloud network' being shared with other customer(s)? If so, are they securely segmented? How are your operations and data segmented and protected from disruption and theft from within by other cloud customers?
- Do the security products support virtual environments?
- Do the operations and security management dashboards segment your data, operations, security, activity and events?
* Security architecture – unified or fragmented and non-integrated. Does the provider leverage a unified security system and operations or do they deploy a hodge-podge of point solutions? Organisations need to consider:
- Single point of administration.
- Single policy for on-premise and cloud gateways.
- Single point of threat monitoring and analysis using info gathered from all gateways (on-premise and cloud).
- Unified incident response and remediation.
- Operationally segmented to enable focus on your network activities for administration, monitoring and response.
* Business and operational growth
- Agility and flexibility to support changing needs.
- Scalability to support additional users.
- Support elastic licensing model (pay as you grow).
* Compliance. How will your provider meet and report on the compliance standards that are required in your business? Your cloud provider must seamlessly and transparently support these needs. This should also be spelt out contractually with defined SLAs.
* Stay in control. This is vitally important. Cloud outsourcing should deliver increased cost and operational efficiencies – but not at the cost of efficient and effective operations, flexibility and security. Companies must stay actively engaged and in control of their IT operations, even when outsourced to a cloud provider because again, the function is being outsourced but the responsibility and accountability remains with the business.
Hi-Tech Security Solutions: What is an acceptable level of security?
Richard Broeke: This really depends on the data that is going to be stored. If we are talking about highly confidential business critical data, then this really should not be on a public cloud service, but instead on-premise or private cloud with a reputable local organisation. If we are talking about public domain information, then as long as the service is reliable, all you really want to ensure is that it is available and can’t be modified.
What level of security is acceptable should be assessed purely on what type of data it is that needs to be stored with the provider.
Doros Hadjizenonos: The level of security required from a cloud service provider is no different than the level of security required to protect a business when the IT operations are run in-house. The company must define their security requirements based on how essential IT is to their daily business operations, the type of information they are responsible for protecting, what compliance standards they are required to meet, and so on. These are the requirements that define what security they would deploy in-house and also define what security should be required from a cloud service.
Hi-Tech Security Solutions: Who is responsible for a company’s data when stored in the cloud?
Richard Broeke: The owner of the data is ultimately responsible for the data, thus the user/company is responsible. This can be passed to the service provider to a certain degree through the use of contracts and SLAs, however the cloud provider would typically be responsible for the integrity and availability of the data under normal circumstances, with the owner of the data being responsible for confidentiality (protecting usernames and passwords etc.).
Doros Hadjizenonos: Ultimately and always, the company. In the event of a major, headline-scale breach and data compromise, even if the cloud provider is at fault, the company’s name will be front and centre as they (and their customers) are ultimately the ones affected. IT and security operations will have to answer to management, who have to answer to the board and so on. Sure, the cloud provider’s name will be in the spotlight too, but the company will not avoid the bad coverage and responsibility just because operations were outsourced to a cloud provider and the cloud provider was at fault. After all, the company chose the cloud provider and they will be held accountable by the board, customers, public and possibly government regulators.
Legal responsibility is a different question. This determination will rely on the legal contract between the company and the cloud provider. The company must ensure the contract specifically defines proper responsibility from the cloud provider.
Hi-Tech Security Solutions: Can you highlight some best practices when it comes to cloud storage and services in the cloud that will ensure your data’s security?
Richard Broeke: The best advice I can give is treat data in the cloud the same way you would treat any confidential information. Make sure you don’t share username/password information, ensure you don’t allow access to the data to anonymous users or the general public. Ensure that you are familiar with the security configurations and limitations of the provider that you choose.
Doros Hadjizenonos: My answers to the first question cover this.
Hi-Tech Security Solutions: How does PoPI impact cloud services and storage practices, if at all? Can companies still store data on Box, Dropbox or Google etc.?
Richard Broeke: I am no lawyer; however, PoPI states that companies are responsible to ensure that reasonable measures are taken to protect personal information that they store to perform their business functions. It further states that this information should be stored within the borders of the country and, if it is not, then the country wherein it is stored has to have similar legislation in place. Additionally, it is the company’s responsibility to ensure that any service provider they choose has these data protection agreements in place, and that any third parties involved have similar, and so on.
Once again it comes down to the data being stored: if it is personal information related to your customers, perhaps public cloud storage services are not the best choice for this kind of information.
Doros Hadjizenonos: Compliance standards (including PoPI) provide operational guidelines and requirements to help ensure companies protect vital data and personal information as best as it possibly can. Further, the PoPI Act defines responsibility should a breach occur. In our example of outsourcing storage and/or IT and security operations to a cloud service, responsibility would likely be shared by both the company and the cloud provider. And of course when it comes to lawsuits, all possible parties will be named.
Hi-Tech Security Solutions: Are hybrid cloud solutions a more realistic and cost effective alternative? How does hybrid work?
Richard Broeke: Hybrid is essentially what I explained in point 2, where you can essentially split your data storage requirements into two categories, confidential and public domain. For confidential I would strongly suggest a private cloud scenario, where only your company and people specifically authorised are able to access this information. For the rest of the data, a more cost effective cloud provider can be selected.
There are technologies available that can make this seamless to the end user and ensure ongoing compliance within the business. The user unfortunately still remains the weakest link in the chain.
Doros Hadjizenonos: A hybrid cloud solution is absolutely an effective option to extend the company’s infrastructure to meet varied business demands. A hybrid cloud is an integrated combination of private cloud and public cloud operations and services. Specifically, the private cloud, which can also be called a data centre, is the private IT infrastructure and operations of a company. This infrastructure and operation can be physically owned and operated by the company internally, or it can be outsourced. A public cloud offers infrastructure and service for use by other companies. A hybrid cloud is when a company leverages public cloud infrastructure and serves as a supplement to their existing, private cloud or data centre infrastructure and operations.
Ideally, a hybrid cloud offers a company multiple benefits, including:
- Ability to outsource services that can be more efficiently run by a provider whose infrastructure and operations are optimised to efficiently provide that service i.e. Software as a Service (SaaS) offerings.
- The flexibility to dynamically add (and equally contract) infrastructure and services as their business needs require.
The service requirements, SLAs and legal contracts need to be defined and in place to guide the operations and the levels of service that are required. Once established, the hybrid cloud clearly offers greater flexibility of IT infrastructure and services, at a cost much lower than sourcing and managing the service internally.
© Technews Publishing (Pty) Ltd | All Rights Reserved