cloud security
Cloud Computing Compliance: Exploring Data Security in the Cloud
Digg
Reddit
Delicious
StumbleUpon
Facebook
Twitter
LinkedIn
BuzzBy Guest Author, David Mortman
David Mortman, Director of Operations and Security at C3 and former CISO at Siebel Systems, has a proven track record in leading security teams and setting security strategy at several companies, including C3, Siebel Systems, Network Associates, Securosis and Echelon One. David is a regular presenter at RSA and Black Hat and has also presented at SOURCE Boston, Information Security Decisions and the CSO World Congress.
Amid an ever-increasing bevy of regulations that enterprises need to worry about -- from SOX and PCI DSS to HIPAA/HITECH and the FTC's Red Flags Rules -- and a growing number of cloud service providers to choose from, enterprises have a lot of options and a lot of questions to consider concerning cloud computing compliance.
While migrating services to the cloud may provide many benefits, it does not absolve an enterprise of certain responsibilities. Most notably, the enterprise is still required to remain compliant with the assorted regulations and laws that it would fall under had it retained that service inside the company.
In some cases, as with PCI DSS, there is definite potential to reduce a company's compliance scope by outsourcing certain services. Most notably, by wholesale outsourcing the credit card processing to a third-party provider, an organization's PCI scope will be significantly smaller (though not go away completely). With the FTC's Red Flags Rules, however, that is not the case, as the FTC has mandated that any outsourcing must entail equivalent or better security than the enterprise would have implemented internally.
As you start to investigate moving services to the cloud, it's important to ask several cloud computing compliance questions:
- Does this data that will be moving to the cloud fall under any compliance-related regulations or requirements? This includes data such as Personally Identifiable Information (PII), Personal Health Information (PHI), or corporate finance-related information.
- If the answer to question one is yes, which regulations does it fall under and what controls are necessary?
- Can the cloud provider actually offer the identified or equivalent controls that your organization's data requires?
- Does the cloud provider have the necessary policies, processes and procedures to properly maintain those controls?
- Does the provider have appropriate disaster recovery and business continuity processes to meet your organization's business needs?
- What happens if the cloud provider goes bankrupt? Can the enterprise's data be sold to a creditor or at auction as a provider's asset?
- Should I decide to change providers, is there an easy way to export my data in a useable format?
- Is the provider willing to alter its default terms of service in order to guarantee or provide service level agreements (SLAs) around questions 3-7?
That last question is particularly important, as many cloud providers refuse to use anything other than their default contract language. As a result, they have effectively eliminated themselves from being potential providers of compliance data-related services. Several of the compliance regulations, most notably HIPAA/HITECH and the FTC Red Flags Rules, specifically mandate that an enterprise must have contracts with its service providers mandating appropriate controls, processes and procedures in accordance with each regulation's guidelines.
Similarly, if the providers can't meet the requirements of questions 3-7, they should also be eliminated from contention for your company's business. Lack of ability to meet requirements is a problem especially when it comes to PCI DSS and HIPAA/HITECH. Thus, you will quickly find that your options for cloud service providers are limited -- at least in the short term -- though rumor has it that several of the larger cloud providers are working on retooling their systems to meet these compliance needs. There are a handful of cloud providers on the healthcare side that have built applications specifically to meet the needs of the healthcare industry, but I have not yet seen any security evaluations of these applications to determine their effectiveness.
In the meantime, I recommend passing the above questions to providers that you're evaluating, much like you would pass them a request for information (RFI )for any other outsourcing project, and then choose the provider that can best meet your needs.
Alternately, if none can, investigate ways of removing or obfuscating the relevant data (such as hashing or encrypting information prior to moving it to the cloud), so your organization can still get the business benefits of the cloud.
Hear more from David Mortman in this recorded CloudSwitch webinar:
Title: “How to Secure the Public Cloud for the Enterprise: Making the Public Cloud Work Like a Private Cloud”
WATCH ON DEMAND >
True Isolation Makes the Public Cloud Work Like a Private Cloud
By Ellen Rubin
Security is always mentioned as a key factor limiting cloud adoption, but what does “security” really mean in the cloud? To understand the potential risks of cloud computing—and how to address them—we need to be more specific. Once we’ve accurately defined the problems, we can address them with the right technology and processes.
When you get into specifics with CSOs and risk managers, security concerns in the cloud can essentially be boiled down to two main issues:
- It’s a shared environment: In a multi-tenant public cloud, you’re sharing resources—servers, cloud networks, and storage—with other companies (possibly even a competitor). Obviously you don’t want them to get access to your data and applications. In this shared environment, data needs to be encrypted, which means you have to develop and deploy an encryption solution that can span the data center and cloud services, and run across a range of operating systems and applications — something that many IT managers and CSOs find outside their comfort zone.
- It’s outside enterprise control: You have to depend on the cloud provider’s security measures, policies, and assurances that your data will not fall into the wrong hands. This can be a non-starter especially given that some aspects of cloud environments are opaque. Loss of control also has another aspect: the cloud provider can make changes to their environment (kernels, storage, software, etc.) that could disrupt the trusted security processes and models that you already have in place.
These are the potential risks that enterprises are anxious to avoid. Therefore they make compromises that allow them to gain at least some cloud capabilities, while maintaining an acceptable level of security. They may choose to partner with a managed service provider to build and manage a dedicated environment for their applications. Or they may pull back completely and build an internal cloud, with applications sharing a pool of resources inside the corporate firewall. But these private cloud models only hint at the agility, efficiency, and on-demand performance available within a public cloud.
Isolation in the Cloud
So how can you incorporate a multi-tenant public cloud in your IT computing strategy without taking a big risk? For an application to run safely in a public cloud, it needs to be isolated from the environment around it at all times. This isolation is not just a matter of keeping things in (protecting data and applications from threats or prying eyes), but also keeping things out (unwanted changes by the cloud provider that could compromise your existing security processes). With our Cloud Isolation Technology, CloudSwitch provides the two-way protection that makes the cloud safe for enterprise use.
How does this isolation layer work? CloudSwitch software automatically builds a secure envelope that extends from the data center to a target cloud that encompasses your entire cloud deployment. Within this envelope, applications and data are encrypted end to end, from inside the corporate firewall, across the Internet, and within the cloud environment—in storage (at rest), during processing, and in transit through the cloud network. Encryption keys are stored within the enterprise data center and are securely transmitted to the cloud only when they are needed and are completely contained within the isolation layer. Control of encryption keys, and thus, control of the data, stays with the customer at all times. Cloud providers have no access to enterprise data at any point—and neither does anyone else.
Inside the secure envelope, the isolation layer maps cloud resources (processors, memory, storage, etc.) to match the execution requirements of the original server. Using this approach, servers and applications run in a cloud “as is” without requiring modification or redesign, and without having to worry about the cloud provider’s configuration or changes to their environment. Further, since all data entering the cloud provider’s environment is encrypted with customer-controlled keys, the data is isolated from processes and changes implemented by the cloud provider. The cloud becomes an integral part of the enterprise IT environment, while the cloud provider sees only an encrypted connection running into one of its servers, and encrypted data flowing to the storage devices.
Agility + Security: Taking Control in the Cloud
Using CloudSwitch technology, the same level of privacy and control that you would expect in a dedicated environment now becomes available in a multi-tenant public cloud. Companies can take full advantage of cloud elasticity and cost savings without being exposed to the inherent risks. True isolation lets you have your cake and eat it too—reaping the benefits of cloud computing (agility and reduced cost) while maintaining enterprise security and control.
Five Things to Do Before Moving to the Cloud
Before moving an enterprise application to the cloud, you need to be sure that your expectations are realistic and your objectives match what the cloud can deliver. In this post, I’d like to share what we’ve learned from working with our beta customers, from their initial exploration of cloud possibilities to going live with a specific application they’ve migrated to the cloud. The following steps can help guide the thought process when considering a cloud deployment, and provide a starting point for moving forward.
1. Determine your cloud objectives. What are you trying to accomplish? Is the cloud a solution for reducing costs, faster provisioning, data center consolidation, all of the above? Sometimes all goals align, where the cloud allows you to save money, be more responsive and avoid huge infrastructure investments all at the same time. But it may not be possible to realize all the benefits for a given organization or use case. For example, if there’s extra capacity in your data center there may be no obvious consolidation advantage to putting an application in the cloud. However, there could be other issues at play that justify the move, such as high operating costs or an infrastructure that makes it difficult for users to get the support they need.
2. Pick an application that makes sense. For example, how much latency is acceptable to users? The laws of physics slow things down over the Internet and network performance will vary, so if you need millisecond response the cloud may not work for your application. How critical is the application? You may not want to put an application in the cloud upon which the business depends even if infrastructure limitations (scaling, support, response time, etc.) make it seem like an attractive option. Get your feet wet before diving in -- a safer approach might be to start with a low-risk, back office (not-strategic) application before setting your sights on more ambitious targets.
3. Involve the CSO/risk management team from the beginning. The cloud, perhaps even more than other technology shifts, has raised red flags about security since your applications and data will potentially be moving outside of the enterprise firewall. Engage your company’s security experts and decision makers from the beginning to understand their perspective and address their concerns directly. Get them involved in the discussion early so they’ll understand why the cloud is important to the business and how you want to use it. Give them a chance to review their security concerns with potential vendors before you sign up.
4. Decide which cloud(s) are acceptable. Finding a cloud that’s best suited to your needs is as critical as identifying the right target applications. Cloud offerings vary widely—in their APIs, configurations, storage infrastructure, networking options, pricing structures and SLAs. Some of the variables will be essential for your requirements, while others are simply nice to haves. The process is like evaluating any other technology offering, except the environment is probably new and unfamiliar. You may want assistance from a partner with cloud expertise who can help you qualify the various cloud options to make sure you make the right choice.
5. Create a sandbox where people can experiment. All of the different user groups should be able to see how a cloud-based application compares to a traditional one. Give business users, administrators and developers a chance to evaluate the benefits of the cloud from their perspective, as well as the limitations. Application experts can use the sandbox to run functionality and performance testing on the application in the cloud to see how it behaves compared to the traditional environment, and if any differences are acceptable.
Get Your Hands Dirty
Once you’ve done the necessary due-diligence, you’re ready to get started with beta testing and proof-of-concept pilots with vendors. In an area as hyped as the cloud there’s really no better way to learn than hands-on, and these basic best practices will help lay the foundation for a successful cloud strategy. CloudSwitch can help address the security concerns and make it “point-and-click” easy to move to the cloud, using your existing management tools and applications.
Making Cloud Computing Secure for the Enterprise
For cloud computing to gain traction in the enterprise, IT and security executives need to be certain that their company’s applications and data are safe. But when security is partly out of enterprise control, it becomes impossible to know if sensitive information has been accessed or compromised.
Today, using a public cloud means moving from an internal environment where a company has complete control of data and processes to an environment where that control belongs to someone else, and is often opaque. Within the cloud, applications run in a multi-tenant virtual environment, sharing physical machines with other customers. Companies considering moving an application to a cloud have legitimate concerns about data being compromised or stolen, including unauthorized access by cloud administrators, exposure in the internet or rogue employees using the cloud to corrupt or leak sensitive information.
One solution is to keep sensitive data within the corporate data center and put the other application tiers in the public cloud. While this approach works well for some use case scenarios, the latency impact of the “reach back” into the data center can be unacceptable for many applications and users. The other option is to move the entire application to the cloud – including the database tier – for better performance and scalability, but this exposes the application to new potential threats such as those mentioned above.
Encryption is a well-known approach to addressing these types of security threats. For protection in the cloud, the enterprise would need to encrypt all data and communications. While it’s not that difficult to add encryption software initially to the application environment, the new configuration requires ongoing management and maintenance. And in order to run the application in the cloud, the enterprise needs to deliver the encryption keys to the cloud to decrypt the data, creating additional security risks by exposing the keys in the operating environment. In the worst case, poor configuration can expose the corporate data center to threats from the cloud.
In developing our security model at CloudSwitch, we worked closely with CSOs and security teams at several large enterprises to understand their requirements. As a result, our architecture addresses three areas of protection required to make cloud computing secure for the enterprise:
- In the data center: Role-based access control protects data and processes from unauthorized access.
- In the Internet: Connections are authenticated and data is encrypted to prevent data in transit from being exposed or compromised.
- In the public cloud: Data is encrypted with keys under enterprise control, and can never be accessed by the cloud provider or unauthorized users.
The CloudSwitch security strategy is a key part of our vision to make the cloud a seamless extension of the corporate data center. Using CloudSwitch technology, companies can move applications and data to a cloud without modification, and back to the data center as needed. Companies can also select the right cloud for a specific application, based on security and compliance levels as well as service offerings and pricing structures. Only with control of applications and data at all times can enterprises take full advantage of cloud resources without sacrificing the security required by customers, internal users, regulators and other stakeholders.
Moving to the Cloud: The Road Ahead
Over the past few posts I covered a number of key points to consider as you plan to move to the cloud. These issues are based on our experiences with many public clouds, as well as what we have learned from working with enterprises adopting the cloud.
I hope it’s clear that today’s clouds are powerful resources that can be used to rapidly develop and deploy applications; they provide on-demand resources and true value. The challenges I outlined in configuration, storage, networking, and management really come into play when you try to integrate the power of the cloud with your existing infrastructure and processes. These challenges are centered on the fact that the cloud is separate from the data center – a problem that hits home when you want to utilize existing applications and rely on your existing services and infrastructure.
We believe that this hybrid model, where companies can use the cloud as a flexible extension of their data center, is central to the adoption of cloud computing, and efficiently addressing these problems is essential for cloud deployments to succeed. The technology we have been developing at CloudSwitch is designed to bring this vision to life. Software from CloudSwitch can now integrate your existing infrastructure with the power of the cloud while preserving your applications, tools and infrastructure investments.
As we look forward to the evolution of cloud computing, I expect the cloud will continue to play a larger, more significant role in enterprise IT. Cloud providers have shown they can rapidly iterate and improve their offerings in response to customer input and have been drawing from their experiences to develop new and powerful infrastructure and features. It has been exciting to be part of this evolution so far, and we’re looking forward to the continuing innovation and expansion of cloud computing.
To end this series, I’d like to leave you with the key principles that guide our technology and product development at CloudSwitch:
- Provide end-to-end security between data centers and clouds to protect all data and storage
- Enable existing multi-tier applications to move to the cloud without modification
- Integrate cloud deployments into the existing data center’s management tools and processes
- Eliminate cloud lock-in so you can move between clouds or back to the center as needed
With these principles in place, it becomes possible to resolve or eliminate most of the challenges I’ve outlined in this series, making cloud a much more secure and viable option for the enterprise.
