Even though it was still a mainstream reality a few years back having servers standing on the floor of a cleaning locker, among mops and dustpans, start-ups nowadays directly begin their activity using cloud computing.
With limited resources, it is rational to focus on core business instead of having to acquire and maintain hardware-based solutions and hire technical staff whose mission is to support the delivery of IT services to the business.
No doubt that adopting a hosted collaboration platform for email/calendar/contacts is much more cost effective than deploying an in-house Exchange or Notes platform. The same applies to Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), shared storage or backup services.
When it comes to build a full scale three tier infrastructure for lab, demo and even production environment, it take no more than 15 minutes to deploy such topology in the cloud.
Besides, with the booming of low cost cloud service providers (CSP) and open source virtualisation platforms, e.g. OpenStack, you can now find cheep or even free Infrastructure-as-a-Service (IaaS) offers which are technically reliable.
Many companies gain in IT maturity by learning from their past misstakes and accordingly adopting guidelines, processes and procedures to standardise the delivery of IT services.
There are numerous security standards and regulatory frameworks that would help to implement a sound IT governance in a contained IT environment, within a defined security perimeter. Yet using multiple cloud services from divers CSPs makes the task of securing data much harder.
Moreover, there are many additional risks related to hosting data in the cloud, such as loss of governance, isolation failure between cloud customers, compliance risks, data leakage, incomplete data deletion, management interface compromise, malicious insider and lock-in risks.
The more cloud services a company uses, the more management interfaces there are to deal with to control parameters such as identity and access management, performance monitoring, log analysis, provisioning and rights management.
There is still a lack of standards and regulations for cloud computing, therefore it is essential to look at best practices to most appropriately preserve information confidentiality, integrity and availability in the cloud.
Key concerns with cloud computing are related to identity (i.e. secure identity federation, user provisioning and strong authentication), infrastructure (i.e. integrity of the cloud stack, data geolocation and system hardening) and compliance.
To address those concerns there is a number of compensative controls that can be implemented.
The first step is to use encryption for data-at-rest, which is actually offered by 75% of CSPs today. However, it is not necessarily recommended to use the CSP's own encryption mechanism if you are worried about privacy issues. Let's keep in mind that 90% of all data infractions in the cloud are caused by data centre employees having access to customers' data. Therefore, it is a good practice to use a third party encryption provider instead, such as Porticor, to avoid risks related to above mentioned malicious insider, geolocation violation and key management in particular.
The next measure is to implement a centralised Identity and Access Management (IAM) solution, which provides standardised mechanisms to federate multiple cloud services in terms of user accounts and access rights management. Such mechanisms can be for instance provided by Intel Cloud SSO.
Public cloud services have the characteristic of being widely accessible which means that they are likely to be subject of attacks from the internet.
Gathering and correlating log data can be useful to efficiently monitor, troubleshoot, audit and analyse users' activity as well as usage and performance of managed services. Cloud based Security Information & Event Management (SIEM) solutions, e.g. CloudAccess SIEM technology, will allow you to centralise log data into one place and offer you a common management interface to supervise incidents.
Considering the different cloud service models - i.e. IaaS, Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) - the key security consideration with cloud computing is that the lower down the stack the CSP stops, the higher responsibility will the consuming organisation have to protect its assets.
For example, in a PaaS delivery model, the CSP's responsibility will consist on maintaining the physical support infrastructure (facilities, rack space, power, cooling, cabling, etc), the physical infrastructure security and availability (servers, storage, network bandwidth, etc) and host systems (hypervisor, virtual firewall, etc).
Independently of which cloud service model and delivery model an organisation utilise, the confidentiality and integrity of the data remains the entire responsibility of the owner, e.g the organisation itself.
Using adequate compensative controls will help an organisation to mitigate risks related to migrating data to the cloud.
However, it is never worth spending $1000 to protect an information which value is $100.
Quentin Authelet
Risk consultant, KPMG
No comments:
Post a Comment