cloud computing security in the enterprise
Post on 10-Apr-2015
Embed Size (px)
Cloud Computing Security in the EnterpriseBottom Line: Cloud computing is a strong economic and technical force transforming IT, but enterprise customers are concerned about security. Cloud computing creates significant risks and requires a rethinkbut not a reinventionof security programs and architectures. To the extent they leverage public or private (community) clouds, organizations must accommodate themselves to security postures emphasizing risk transfer, deterrence, monitoring, feedback, and audit more than preventive control. Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term. Context: Cloud computingwhich Burton Group defines as the set of disciplines, technologies, and business models used to render IT capabilities as an on-demand, scalable, elastic serviceis evolving rapidly. Many organizations are considering externalizing lesser-value, commoditized IT functions in order to lower costs, increase agility, and create a competitive advantage. In turn, cloud computing vendors have developed on-demand IT services using some old concepts (e.g., utility computing) and some new technologies (e.g., server virtualization) that may solve many of the business issues IT organizations face. Takeaways: Enterprises have a number of concerns about cloud computing security:
Clouds multi-tenant, dynamic characteristics may put sensitive or regulated data at risk. The relationship with cloud vendors, and in some cases, their viability creates strategic risk. A lack of transparency and accountability about security from cloud vendors contributes to customer anxiety. Surveys show approximately 75% of respondents are concerned about cloud computing security. Enterprises are not all rushing to embrace low-cost public cloud offerings; many are investigating internal cloud deployment, as well as hybrid cloud architectures that balance low costs with risk mitigation.Cloud computing demands a rethink, but not a reinvention, of enterprise security programs and architectures:
Third-party audit/assessment, incident response, and operations/change management are particular pain points. Customers have less preventive control of the infrastructure with cloud and must seek instead to transfer risks (where possible) or improve detection and deterrence through monitoring, feedback, and audit. Activities once carried out on organization-owned endpoints, data centers, and networks move across open, untrusted networks. Network perimeters are becoming less effective: o More complex virtual machine and virtual network separation mechanisms are in their early stages. o Data in motion should be encrypted to/from cloud environments. Encryption would also be desirable for data at rest in multi-tenant cloud environments, but the performance cost is currently very high and the key management difficult. Tightly coupled domain access control is not suitable for identity and privilege management in the cloud; standards-based identity services are more appropriate. Data is not only difficult to control in the cloud, it is also difficult to classify, discover, analyze, protect, retain, and destroy. Security management must enforce separation of duty, monitor events, and cover staged deployment and change management workflows for hybrid clouds.
Notwithstanding the challenges, there are silver linings and green shoots of opportunity in cloud computings security landscape:
Done correctly, and in the long run, cloud computing can improve availability. Good managed security services are available. Private (community) clouds can support secure collaboration with external partners. Platform-as-a-service (PaaS) offerings could bake proactive security into the software development lifecycle. Application virtualization, desktop virtualization, and identity federation are transformational cloud services with positive security impact.Recommendations:
Mind the gap: Enterprises should not, in general, use public clouds for medium to high risk (i.e., sensitive) applications. Take out a life insurance policy for the security department: o Where necessary, obtain written risk acceptance from business unit leaders and/or strong assurances from all vendors involved. o Put security hooks into appropriate processes to get visibility and control over business cloud initiatives. Build internal clouds; take baby steps toward public cloud with low-risk or low- (variable-) volume applications; and develop service-oriented hybrid cloud architectures. Consider private (community) clouds in concert with vertical industry affinities. Demand greater vendor transparency around cloud security, better assessment criteria and ecosystems for third-party audit, and industry standards to enhance interoperability and security.Conclusion: Cloud computing creates significant risks and requires a rethinkbut not a reinvention of security programs and architectures. Large enterprises should avoid placing sensitive information in public clouds unless they can obtain strong assurances of appropriate protection from all the vendors involved. To use public clouds, organizations must change their security postures; to use internal or hybrid clouds, they must change architectures.
AnalysisCloud computing is transforming IT perceptions and usage models. Driven by market forces (i.e., the economy) and advancements in cloud vendor capabilities, organizations are questioning the wisdom of owning and operating all of the resources necessary to create IT services. Cloud computings ondemand, pay-as-you-go IT service model may enable IT organizations to reduce complexity, lower costs, increase agility, improve service to mobile or transient workers, and increase capacity or availability by outsourcing IT capabilities to service providers. The scale of this transformation is large. Burton Group is tracking the following trends in cloud computing:
Computing (i.e., infrastructure as a service [IaaS]) Storage (IaaS) Applications (i.e., software as a service [SaaS]) Desktops (i.e., virtual desktop infrastructure [VDI]) Development (i.e., platform as a service [PaaS]) Identity (i.e., federated identity hubs) Security (i.e., managed security service providers [MSSPs])
Burton Group defines cloud computing as The set of disciplines, technologies, and business models used to render IT capabilities as on-demand services. Cloud or cloud computing (used interchangeably) can take a number of forms depending on the architectural level of a service and whether services are delivered publicly or privately. Burton Groups root document Cloud Computing: Transforming IT provides detailed explanations of SaaS, PaaS, and software or hardware IaaS forms of cloud, as illustrated in Figure 1.
Figure 1: Cloud Computing Tiered Architecture
Dark CloudsCloud computing has several drawbacks. As described in Burton Groups root document, customers are confused by:
Multiple, conflicting cloud definitions Incomplete usage models Vendor hypeAnd customers are apprehensive of:
Inadequate, inflexible, or nonexistent service level agreements (SLAs) Lack of interoperability Vendor lock-in Poor transparency on security from the vendors Inability (in some cases) to audit and assess the many risks of cloud computing
With these concerns and after a growing number of incidents,1 its a small wonder that surveys show roughly 75% of IT managers are concerned about security!2 The very location independence and economies of scale in shared resources that lower cloud costs may put customers afoul of laws restricting certain types of data to certain jurisdictions and contracts demanding separation or other
controls over data. Other new issues and vulnerabilities will arise; for example, who would pay for a usage engendered by a distributed denial-of-service (DDoS) attack on a public cloud vendors customers?
Silver LiningsHowever, there are silver linings and green shoots of opportunity in todays bleak cloud computing security landscape. Cloud offerings may, in some cases:
Improve availability through massive and redundant compute, storage, and backup facilities capable of handling bursts or spikes in utilization. Offer better security than some small to medium-size businesses (SMBs) could afford to deploy themselves. Provide, in some respects, simpler and better security architectures and operations than complex enterprise software packages. Relieve customers from the burden of patching and other security chores. Include powerful outsourced security services, such as reputation, multiple engine malware scanning, and other offerings that have potential scale economies or that benefit from cost sharing across multiple customers.In general, large organizations arent engaged in a lemming-like rush to risk acceptance of the lowest common-denominator public cloud offerings. (See the Risk Appetites and the Salesforce Question section of this overview for an apparent exception.) Instead, customers concerned with risk and compliance will demand a long tail of cloud formats with different cost/risk tradeoffs. Many more choices will emerge. But during the initial years of cloud computing, enterprises will find relatively low security maturity levels, considerable churn among public cloud providers, and a tendency to shy away from assuming any liability and risk.
Whats the Same, Whats Different from Traditional IT?In some ways, cloud computing is an expansion of server hosting, outsourcing, web-based computing, managed security services, and other past and present offerings. New and different are clouds:
Scale of adoption Dynamic characteristics (per the Cloud Security Alliance):3 o Abstraction of infrastructure o Resource democratization o Service oriented architectur