Securing Your Cloud
Reducing opportunity for catastrophic compromised data
- By Amit Cohen
- Sep 01, 2015
Cloud computing offers numerous benefits, such as powerful processing
capabilities, improved access, higher availability and significant
savings with on-demand hosting. However, many organizations
are still wary that the cloud may deliver a less secure
option. Preventing data breaches everywhere is one of the highest
priorities facing businesses and regulators in 2015.
The recent breach at the Federal Office of Personnel Management resulted in
stolen personal data on countless Americans with top-secret security clearances.
This breach is viewed as catastrophic both for national security and for the individuals
whose information has been compromised. The OPM breach occurred
just a few short months after other large data breaches including Home Depot,
Anthem and Premera.
Although these breaches have occurred primarily in traditional enterprise IT
environments, organizations are reluctant to transfer mission-critical and sensitive
information to a seemingly anonymous IT admin in an unidentified location.
Other organizations may be concerned that their IT teams may not have the requisite
skills and processes to manage the migration and maintenance of the cloud
deployment.
As hackers become more sophisticated in their attacks, organizations must become
increasingly vigilant in implementing the highest standards to secure their
data. According to the Javelin 2015 Identity Fraud Study, 12.7 million U.S. consumers
were victimized in 2014 to the tune of $16 billion. Identity fraud can result
in someone using your identifying information to take out cash, obtain a loan, use
your credit cards, apply for a job based on your profile, and more.
Although millennials are generally more tech-savvy than previous generations,
they are more open with their personal information and less concerned with protecting
their identity. This makes them particularly vulnerable to identity fraud.
Health Data: Biggest Risk for Identity Theft
However, the information with the highest risk for identity theft is personal medical
data. The cost of restoring identity after a medical theft incident has been
estimated at $20,000. The most serious consequence for identity theft victims can
be the alteration of their medical records.
According to a Ponemon Institute study, 57 percent of the identity theft victims
never check their medical records to verify that the information is accurate.
Disturbingly, approximately 25 percent indicate that after the identity theft they
were misdiagnosed or mistreated due to inaccuracies in their health records—a
potentially life-threatening situation. Data can never be removed from a medical
record, only annotated; therefore, incorrect information can be potentially harmful
for a lifetime.
Integrating Shadow IT
Added to the challenges of keeping data safe comes the new ‘norm’ of the (official
or unofficial) integration of Shadow IT within organizations. Employees and
business partners are taking advantage of Bring Your Own Device (BYOD) to
use their personal mobile devices and software for business purposes, and/or use
the organization’s devices for personal purposes that can expose the company’s resources.
Not all of these usages are malicious; in fact, the majority of users may be
unaware of the potential risk to which they are exposing their organization’s data.
Shadow IT was born to solve a business need; traditional IT practices are not
able to keep pace with the new technologies coming to market.
The growth of cloud computing options and the associated SaaS and PaaS applications
have made it simpler than ever to evade IT practices. Shadow IT takes
advantage of the cloud or cloud-based software, both external hosting of solutions
and the pay-as-you-go business model. Cloud configuration options include
public, private and hybrid environments. In the public IaaS environment, different
cloud customers share the same cloud service subnet. Private clouds are designed
so that the private subnet is not reachable from other customers’ cloud servers or
from the public Internet. Hybrid deployments maintain certain resources on premise,
while other resources reside in the cloud.
A recent RightScale survey indicates that 93 percent of the organizations surveyed
are already running applications in the cloud or experimenting with Infrastructure
as a Service (IaaS). Many organizations currently use both on premise
and cloud deployments to house their information. Some enterprises have decided
to migrate only certain resources to the cloud; others choose to conduct the migration
in stages. In fact, this survey indicates that 82 percent of enterprises have adopted a
hybrid cloud strategy.
Shadow IT and Cloud Computing
No matter which type of deployment is implemented, the challenges for businesses
looking to keep their data safeguarded, maintain a productive workforce and benefit
from the potential cost savings available from cloud computing are substantial.
Shared Responsibility Model
In the Public Cloud environment, responsibility for IT security is shared between
the organization and the Cloud Service Provider (CSP), with a clearly defined demarcation.
The CSP is in charge of securing access to the physical servers and
the virtualization layer, while the business is responsible for securing the hosted
Operating Systems, the applications and the data itself. CSPs differ in the ‘native’
security features they offer, but those always fall short of best-practice security
requirements. Therefore, organizations using public clouds are required to supplement
the CSP’s offering to ensure a secure cloud deployment.
Currently, organizations that require a complete enterprise-grade security solution,
let alone compliance with a specific regulation such as HIPAA, need to fill in the missing
security features using solutions from third-party vendors (ISVs). The cloud
providers’ marketplaces are usually a good place to locate these add-on solutions.
Encryption
A number of factors must be considered when selecting a solution. To protect
their resources within an IaaS deployment, organizations must encrypt their data.
Encryption is a must for security, both for data at rest and for data in motion.
While most cloud providers ensure encryption of data at rest, the picture for data
in motion is less defined and most often requires a third-party solution. Therefore,
maintaining ownership over the encryption end-to-end is only possible if you control
all the keys, at all points.
Multi-Factor Authentication
In addition, organizations must implement strong two-factor or multi-factor authentication
systems. Identity-based access management policies assure that employees
are not able to access unauthorized data, and multi-factor authentication
ensures that those who steal or find lost devices will not be able to reach internal
resources.
Centralized Identity-based Access Control
As the virtual boundary has superseded the physical boundary, setting tough, centralized
identity-based access control is critical. This identity-based access control
means that company resources are demarcated, so that only those employees or
partners who require access to specific data are able to reach those resources. For
example, warehouse staff should only be able to view customer data relevant to
shipping and logistics, while sales personnel should be able to view full lead and
customer details.
Another important step in securing company information involves implementing
monitoring and logging capabilities. This matters even more in a cloud environment
where the infrastructure is owned by a third party and is shared among several organizations,
for instance a multi-tenant deployment. Although logs are important, unless they
are regularly monitored in an accurate manner, important or suspicious events will
not be noted. Therefore, visibility and automated alerts are critical in early detection
of security incidents.
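The warehouse and sales example above, together with the point about automated alerts, can be sketched in a few lines of Python. This is an added illustration, not code from the original article; the role names, field names, sample record and alert threshold are all assumptions made for the example.

```python
from collections import Counter

# Central policy: role -> customer fields that role may view (names assumed).
POLICY = {
    "warehouse": {"customer_id", "name", "shipping_address", "order_items"},
    "sales": {"customer_id", "name", "shipping_address", "order_items",
              "email", "phone", "lead_score"},
}
DENIAL_ALERT_THRESHOLD = 3  # assumed: denied fields per identity before alerting

# Constructed sample record, not real data.
CUSTOMER = {
    "customer_id": "C-1001", "name": "Example Customer",
    "shipping_address": "1 Example Way", "order_items": ["widget"],
    "email": "customer@example.com", "phone": "555-0100", "lead_score": 72,
}


def view_customer(user, role, record, requested, audit_log):
    """Return the requested fields this role may view and log the decision."""
    allowed = POLICY.get(role, set())  # unknown role gets nothing (deny by default)
    granted = {f: record[f] for f in requested if f in allowed and f in record}
    denied = sorted(f for f in requested if f not in allowed)
    audit_log.append({"user": user, "role": role, "denied": denied})
    return granted


def users_to_alert(audit_log, threshold=DENIAL_ALERT_THRESHOLD):
    """Return identities whose denied field requests reach the threshold."""
    counts = Counter()
    for event in audit_log:
        counts[event["user"]] += len(event["denied"])
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo():
    log = []
    view_customer("w.staff", "warehouse", CUSTOMER, ["name", "shipping_address", "email"], log)
    view_customer("w.staff", "warehouse", CUSTOMER, ["phone", "lead_score"], log)
    view_customer("s.rep", "sales", CUSTOMER, list(CUSTOMER), log)
    view_customer("temp", "contractor", CUSTOMER, ["name"], log)
    return users_to_alert(log)


if __name__ == "__main__":
    print(demo())
```

Every request is logged whether or not it is granted, so the alert is computed from the same record an auditor would review.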
Backup and Recovery
Company resources are only secure if your backup and recovery systems are also
secured. Designing the network architecture for recovery necessitates ensuring
that your authentication and authorization safeguards extend throughout your
deployment, including all backups. These measures include encryption of both
the data in transit and the data at rest. In addition, the same strict measures of
user-access control, including authentication and authorization, must be incorporated
in all backup locations.
Monitoring and managing both the production and recovery sites requires
high visibility of all network elements including virtual servers and connectivity
statuses, with automated alerts and notifications. Your cloud provider may not
provide all these features out of the box. Especially if you have a multi-provider
cloud deployment for your production and recovery sites, you will likely require a
third-party solution to encrypt the data-in-transit between the different providers
and regions.
Wrapping Up
Creating and maintaining a secure deployment in the cloud requires careful planning
and implementation. Key to a viable security solution are encryption, access
management and firewall policies, combined with event monitoring capabilities
and alerts. Solutions that provide this set of security elements
for the public and hybrid cloud are now available in the cloud
provider marketplaces, evidence that cloud security technologies
have come of age.
This article originally appeared in the September 2015 issue of Security Today.