By E.G.Nadhan, Distinguished Technologist, HP Enterprise Services
One of the reasons I am excited about attending the HP Master the Cloud event in Canada is to get some deeper insight into Cloud Security – an area where there are continuing concerns based on a perception of reduced control over the underlying infrastructure. These concerns, albeit valid, do not necessarily stem from the infrastructure itself. Instead, they are more related to the manner in which the infrastructure is employed by its consumer -- YOU.
Here are my top 5 steps that YOU can take to secure YOUR Cloud Computing environment.
Peer Validation. YOUR service providers provide Cloud-based services to many consumers including YOU. YOUR peer consumer could be Infiltrators R Us. Thus, YOU should conduct a thorough evaluation of the registration process that YOUR service providers have in place. YOU should be convinced that they cannot be a primary cause for providing easy access to malicious infiltrators.
Interface evaluation. APIs and interfaces have been around for decades. However, they are excellent gateways for infiltrators to penetrate enterprises over the Cloud. YOU should comprehensively evaluate the security model that is in place for YOUR APIs and conduct an impact analysis of the API chain in the event it is compromised. YOU should define the standards that ought to be in place for YOUR enterprise to use Cloud APIs and interfaces.
Human Nature. In my post on Applications Security Testing, I detail the malicious side of human nature (e.g. disgruntled employees). Even though such malice could be targeted at individual Cloud-based service providers, YOU should respect the fact that their environment is an extension of YOUR environment. YOU should be concerned about the recruitment practices of YOUR service providers and monitor significant changes in their employee base.
Virtualization Vulnerabilities. While YOUR CFO may like the financial benefits of a multi-tenant environment, YOU should ensure that the virtualized environments do not allow rogue consumers to laterally penetrate environments on the same physical hardware. A detailed review of the manner in which YOUR service provider manages the provisioning and access to these virtual environments is in order.
Data Security. YOU must review the measures that YOUR service providers are taking to prevent data loss and have the appropriate mechanisms in place to mitigate the possibility of data integrity being compromised. They should have robust processes to clean out physical media before it is reused.
YOU might think that YOU have to be less concerned when YOU avail services and solutions deployed in the Cloud so that YOU can focus on the core competencies of YOUR enterprise. However, YOU are ultimately accountable for the extended IT environment. Taking the appropriate, preparatory steps in a timely fashion will ensure that YOU have a robust environment in place across YOUR base of Cloud Service Providers.
What are other steps YOU can take to ensure the security of Cloud-based solutions? You can also take a look at the Top Threats to Cloud Computing, a collaborative research paper from HP, the Cloud Security Alliance and other industry vendors.