Cloud security has been a hot topic for quite a while. It continues to appear amongst the top reasons companies give for not moving to public cloud. Data is most often at the core of the discussion, and that makes sense: data in the cloud is permanent, while executing services in the cloud is transient. So it is normal that people look at data as a critical element that needs to be protected. If you are interested in the arguments used, take a look at the ongoing LinkedIn discussion titled “Do you think your data is safe in cloud application hosted by a third party?”. It gives you the complete spectrum of arguments.
The other week, one of my colleagues was talking to a prospect who told him that security in the cloud was easy. You just needed a good identity management environment and data encryption. With both of those your information was fully protected.
Isn’t that a little too simple? What if the cloud service is blocked by a denial of service attack? Your data is encrypted, sure, but you no longer have access to it. What if your identity is stolen by a malevolent insider? And I could go on like this.
At the other extreme of the spectrum, I had a conversation with somebody looking at cloud services to store his personal information. He started asking detailed questions about how to protect his mobile devices, how to ensure secured communications to the cloud, how to make sure the cloud provider had the appropriate levels of security in place, and so on.
Security is increasingly becoming a question of risk management. What risks am I prepared to take and what budget do I have to enforce security? That’s the fundamental question. How can I balance both?
We should really review the different security aspects and then assess the procedures that should be put in place. Let’s look at this in more detail.
In my mind there are seven areas to take into account. In two blog entries I hope to describe some of the aspects associated with each of those:
- Client Security, the security associated with a client device
- Network Security
- Physical Security, typically of the datacenter where the services are run from
- Platform Security, the security of the cloud platform
- Application Security
- Data Protection
- Identity & Access Management
There is nothing in this that is specific to cloud. Many of our best practices are applicable to cloud in the same way as they apply to traditional environments. Unfortunately, the new business models associated with cloud in general, and the public cloud in particular, make it more difficult to assess each of those seven aspects.
The art of the possible is to balance security procedures across each of those seven aspects to limit the risk of security breaches to a reasonable level with an acceptable investment. So, let’s look at each of the areas separately and see what can go wrong and how we can address the fears. Let’s then pull them together, but that will definitely be for part 2.
THE new term is BYOD, bring your own device. It’s no longer seen as a privilege by generation Y, rather a right, reports ZDNet in an article titled “Generation Y: Are we a BYOD policy nightmare?”. And the answer might be yes.
First, there is the inherent security of the mobile device itself. A comprehensive study comparing Android and iOS security points out that the latest versions of both platforms were developed with security features directly in the operating system to limit attacks from the outset. But at the same time the article points out that those devices are operating in an ecosystem, much of which is not controlled by the enterprise, making enterprise control difficult.
And then you have the way we get on with our mobile devices. How many of those have no PIN or password, to speed up access? What happens if the device is stolen or lost somewhere? It’s clear that mobile devices are vulnerable in more than one way. We should be vigilant, but we shouldn’t be paranoid either. There are risks associated with mobile devices, such as the interaction between corporate applications and personal apps downloaded on the same platform, and the access to all sorts of foreign networks. But that is often true for enterprise-supplied mobile devices also. BYOD mainly brings the variety of operating systems with it, forcing IT to keep track of the evolution of iOS, Android and Windows Mobile mainly. Protecting the devices with the tools available, setting policies and educating your staff is probably the best way to limit risk in this area.
Between your device and your datacenter, the information has to travel through a network. That sounds pretty obvious. Over that network, the information seems vulnerable, so how can we protect it? Fundamentally there are three ways:
- You can encrypt the information to make it more difficult for unauthorized people to access
- You can set up a VPN between the mobile device and the datacenter
- You can limit access through leased lines, but that does not work with smartphones and similar devices.
Now, let’s look at things from the other end of the spectrum. Encrypted information can more or less always be decrypted. It all depends on the amount of raw compute power you can throw at it. And obviously, being able to call upon the public cloud facilitates the task. However, one question remains: what is the cost of breaking the key, and what is the possible return of such an action? That’s the fundamental question, which brings us back to the risk management discussion. If you are interested in this subject, I found an interesting ZDNet article, “Is encryption really crackable?”, which puts things in perspective.
Now we are entering the datacenter. How secure is the datacenter? What physical precautions have been put in place to secure the building and its surroundings? I’ve seen video cameras, high fences, even geese and dogs circulating between double fences forming the periphery of the datacenter itself. If you are using a private cloud, you have a good understanding of the datacenter security, but this is much more difficult when using public cloud. Understandably, companies are not divulging their precautions, leaving you hoping they are good and forcing you to trust the organization. Companies are using standards to point out how secure they are. You often hear of SAS70 compliance. The standard dates from the 90’s and is rather loosely defined. So, whereas SAS70 gives some level of comfort, it does not ensure invulnerability, in particular because, as pointed out by the Cloud Security Alliance, one of the key threats of cloud is malevolent insiders. And in that scenario physical security will not play a role.
What makes the datacenter an interesting target is that it contains information from many users. Both the mobile device and the network convey information from one user; once in the datacenter, that information is combined with that of many others, making an attack potentially more profitable to the hackers. That is why the datacenter is the typical target of such attacks. Now, mobile devices can be used to attack a datacenter, for example through malicious code that may have been downloaded as apps.
These are the first three areas; I’ll discuss the other four in the next blog entry. If you disagree with me, don’t hesitate. I’d love to hear from you, as this is a really interesting topic and is key for the adoption of cloud. How are you addressing mobile, network and physical security? Feel free to leave me a comment here, or join our discussion on LinkedIn.