Cloud services. Cloud apps. Cloud infrastructure. Cloud storage. Cloud backup.
“Cloud, cloud everywhere
And all the users did cheer;
Cloud, cloud everywhere
Nor any bit to secure.”
— Excerpt from the unpublished best seller Rime of the Ancient Security Guy
It seems that everything within the IT world is moving towards cloud something, and it is here to stay (at least for the time being). Cloud services of all types have their value to business – that’s one thing that’s been proven time and time again. You need a server for an application you’re developing? Spin one up using Amazon Web Services in 5 minutes and you’re ready to roll. Need a CRM solution? Whip out the credit card and start selling using SalesForce in 20 minutes.
IT people all over (sometimes) sing the praises of cloud services, as it’s less infrastructure (storage, compute, network) that they have to manage, and they can provide their customers (i.e. users) with the services that the business needs in a more efficient and timely manner.
Except for IT security people.
Nearly every security person I’ve talked to in the past few years when asked has stated that they don’t like cloud services. The universal answer is related in some form or fashion to monitoring, auditing and control, which are core tenets of securing data.
The National Institute of Standards and Technology (NIST) defines cloud computing as coming in basically three models: Infrastructure as a Service (IaaS) – Hardware only is supplied/managed by the cloud provider; Platform as a Service (PaaS) – Hardware and operating system is supplied/managed by the cloud provider; and finally, Software as a Service (SaaS) – Hardware, operating system and applications are supplied/managed by the cloud provider. Most, if not all, cloud offerings can be categorized in one of these ways.
Here’s the reason why IT security people cringe when the cloud is mentioned:
The value of IT to a business is the ability of IT assets to store, move and process data. Every business survives on data – whether they are a manufacturer and the data (technical design information) is used to create a sellable product, or are a retailer and use data (credit card numbers) to get paid. Because this data is how businesses survive, it should be protected and every IT security person would agree on that principle.
When the data is local, it’s easier to secure. Physical access is controlled because not everyone has a key to the server room. Logical access is controlled via various permissions and firewalls. Server logs are reviewed. User accounts are audited to ensure that only legitimate users have accounts.
Once cloud services come into play, some of those security measures go out the window. In some cases, all of these security measures go out the window.
Physical access to the data is now under the control of a faceless identity in some unknown part of the world. Give me physical access to data and I’ll be able to access it within minutes (a little longer with some types of encryption).
Logical access is at the mercy of whatever the cloud provider wants to allow. Maybe they can give granular permissions, maybe they can’t. And even if they allow the customer to provision the access, who’s to say there aren’t “backdoors”?
Who is monitoring access to the data? What will they do with that information? How is the access controlled?
The list of questions and concerns can go on and on. Unfortunately for many in the security field, the risks of using cloud services are outweighed by the advantages, or the risks are accepted as a cost of a solution being “convenient” or “less expensive”, so any objections to using cloud services are simply overruled.
Fortunately, steps can be taken to ensure a certain level of security with cloud services, depending on which model is used (IaaS, PaaS, or SaaS).
In the IaaS model, the business can usually do whatever they want with the hardware. This provides the most flexibility in regards to security. Disk encryption can be used to hinder unauthorized access. Permissions can be audited and monitored. Logging can be performed and reviewed.
Generally speaking, the PaaS model provides similar security opportunities, but because the cloud provider is responsible for the operating system there could be some challenges. If the cloud provider has a system administrator or root access, that’s a weak link. Yes, you’re supposed to trust your provider but what security guy trusts the telecom providers after the NSA spying scandal?
The SaaS model provides the least amount of flexibility when it comes to security. Everything is managed by the cloud provider, and the customer is merely a consumer of service (much like I’m a regular consumer of Starbucks but have little to say how they make my drink). The cloud services customer cannot install encryption in the SaaS model nor can they completely control anything – they’re at the mercy of the provider.
But all is not lost. There are cloud security services to fill the void!
In an ideal situation, the cloud services customer is using a single sign-on (SSO) solution to manage identities and uses a single portal by which users can access the various cloud-based services. This single sign-on portal creates a choke point by which you can implement a security solution, such as that offered by Skyfence (www.skyfence.com).
Basically what happens is that Skyfence becomes a cloud security gateway, in which all traffic destined to/from cloud-based services is inspected to see which cloud services are in use and by whom, inspect the traffic for malicious activity and block it if required, and monitor and log all usage. What’s even better is that Skyfence doesn’t require a proxy server or anything installed on the endpoints (unlike other cloud security solutions).
Finally, there is an easy to implement and easy to manage solution for helping to secure cloud services, providing much-needed control, monitoring and auditing capabilities. And now the IT Security people can stop cringing at the mention of the cloud.