Is anyone in control of cloud security?

There are those who argue that the age of cloud computing is merely in the minds of the more far-sighted IT visionaries. I have even met those whose businesses are indifferent to the cloud. This indifference may cost them dearly – and soon.

The UK’s new Coalition Government is implementing the “G-Cloud” strategy (actually the strategy of the last Government) and there are some who claim that it will save the government £3.2bn from its annual IT budget of £16bn. That’s not just a big saving for the Government – it’s an obvious opportunity for suppliers who can ensure it is secure.

The proposal is to replace the present ad-hoc network of department-hosted systems with a dozen dedicated government secure data centers, costing £250m each. The G-Cloud plans could support everything from pooled government data centers to a communal email solution and collaboration. By 2015 the plan is that 80% of government departments could be using this system. But will it be secure enough?

Safeguarding the IT infrastructure from unmonitored access, malware and intruder attacks grows more challenging as the operation evolves for cloud service providers. And as a cloud infrastructure grows, so too does the presence of unsecured privileged identities – those so-called super-user accounts that hold elevated permission to access sensitive data, run programs, and change configuration settings on virtually every component of IT. Privileged identities exist on all physical and virtual operating systems, on network devices such as routers, switches, and firewalls, and in programs and services including databases, line-of-business applications, Web services, middleware, VM hypervisors and more.

Left unsecured, privileged accounts leave an organization vulnerable to IT staff members who have unmonitored access to sensitive customer data and can change configuration settings on critical components of your infrastructure through anonymous, unaudited access. Unsecured privileged accounts can also lead to financial loss from failed regulatory audits against standards that require privileged identity controls, such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Sarbanes-Oxley Act of 2002.

One of the largest challenges for cloud service customers inside and outside of government is attaining transparency into how public cloud providers are securing their infrastructure. How are your identities being managed and secured? Many cloud providers won’t give their customers much more of an official answer than a SAS 70 certification. How can we trust in the cloud if the vendors of cloud-based infrastructure neglect to implement both the process and technology to assure that segregation of duties is enforced, and customer and vendor identities are secured?

The cloud vendor’s challenge: Accountability
Cloud computing has the potential to transform business technology, but it brings a spectrum of security issues that IT organizations should consider before trusting their sensitive data to the cloud. These issues cause security experts and auditors to rethink many fundamental assumptions about Privileged Identity Management in terms of who is responsible for managing these powerful accounts, how they manage them, and who exactly is in control.

Historically, IT data centers have always been in secured physical locations. Now with cloud computing those locations are no longer maintained directly by the IT organization. The question comes down to this: how do you get accountability for management of physical assets that are no longer under your physical control, and exactly what control mechanisms are in place? Can you trust your cloud vendor to secure your most sensitive data? Moreover, if there’s a security breach in the cloud, who is to blame? Is it the cloud vendor that disclaims all legal liability in its contract, or an enterprise that relinquishes control of its sensitive data in the first place?

From the vendor’s standpoint, cloud computing promises to reduce customer headcount, make IT more efficient and deliver more consistent service levels. However, there’s a paradox that when it comes to security (and control over privileged identities in particular) cloud services are often among the least efficient. Many cloud service providers’ processes – based on ad-hoc techniques like scripting of password changes – are slow, expensive and unreliable. And that’s dangerous.

Fortunately the industry is starting to move beyond paralyzing discussions about the security and compliance problems that arise from cloud computing to address them head on. One example of this is the Trusted Cloud Initiative, which was launched at RSA Conference 2010. The goal of the initiative is “to help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices.” However, only time will tell if it will help standardize cloud computing or turn out to be a technology certification of little use.

In addition, several major cloud vendors and ISPs have begun the difficult task of integrating security solutions that are capable of managing the large number of privileged identities that make up their infrastructure (hardware, VM hosts, VM Image OS, application stacks). This has really broken the fundamental model of IT being in control of security and has started to blur the lines between vendor and customer when it comes to the management of security.

The end user’s challenge: Transparency
In my opinion, the cloud is a really good, compelling idea. It can reduce the cost of IT dramatically. Given that cloud computing is available, the idea of building new data centers these days seems like a last-century way of doing things. On the other hand, for enterprises, the ability to see and touch your own systems in your secured data center does give confidence that you have some measure of control over your destiny. But most large corporations don’t have enough IT people or security talent to manage the IT resources they have, and so are turning to outsourcing. Cloud computing is essentially the next generation of outsourcing, so that we’re not only reducing manpower, but we’re getting rid of our hard assets entirely by moving them over to data centers anywhere on the planet that are going to manage this more cheaply than we ever could. And the idea of outsourcing security and liability is extraordinarily compelling.

Enterprises should ask the right questions of their cloud providers before taking the leap into cloud and blindly assuming that their data is safe there. Every point of compliance that you’re asked to meet as an IT organization and every question you’ve been asked by an auditor should apply to your cloud vendor – and needs to be asked of them. And because today’s cloud vendors offer literally no transparency and little information, don’t be surprised if you don’t like the answers you get. Most cloud vendors would say that for security purposes, it’s on a “need to know” basis, and you don’t need to know. Others state that they’re SAS 70 compliant, but that’s really just a self-certification.

Here are some questions you must consider asking:

  • What kind of security does the cloud service provider have in place to protect your privileged accounts and most sensitive data?
  • Do they have a Privileged Identity Management technology in place?
  • How do they control privileged accounts used in cloud infrastructure to manage sensitive systems and data?
  • How do they manage cloud stacks at the physical layer and application stack layers?
  • What is your access to audit records?

Whatever regulatory standards your organization must meet, so too must your cloud vendor. So if you think that by venturing into the cloud you’re saving yourself regulatory headaches, think again.

Conclusion
Security is the greatest barrier to adoption of the cloud. Unfortunately, improvements in cloud security won’t be seen as a priority until a major breach has a significant enough impact on one or more cloud service vendors and customers. That needs to change. When it comes to cloud security, it is the end-user’s duty to understand what processes and methodologies the cloud vendor is using to protect the customer’s most sensitive assets. We don’t want the Government’s “G-Cloud” to be compromised – that would be a public humiliation that would have cloud doubters in their own little heaven.