Cloud Computing Security in the Enterprise

Download Cloud Computing Security in the Enterprise

Post on 10-Apr-2015




0 download

Embed Size (px)


Cloud Computing Security in the EnterpriseBottom Line: Cloud computing is a strong economic and technical force transforming IT, but enterprise customers are concerned about security. Cloud computing creates significant risks and requires a rethinkbut not a reinventionof security programs and architectures. To the extent they leverage public or private (community) clouds, organizations must accommodate themselves to security postures emphasizing risk transfer, deterrence, monitoring, feedback, and audit more than preventive control. Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term. Context: Cloud computingwhich Burton Group defines as the set of disciplines, technologies, and business models used to render IT capabilities as an on-demand, scalable, elastic serviceis evolving rapidly. Many organizations are considering externalizing lesser-value, commoditized IT functions in order to lower costs, increase agility, and create a competitive advantage. In turn, cloud computing vendors have developed on-demand IT services using some old concepts (e.g., utility computing) and some new technologies (e.g., server virtualization) that may solve many of the business issues IT organizations face. Takeaways: Enterprises have a number of concerns about cloud computing security:

Clouds multi-tenant, dynamic characteristics may put sensitive or regulated data at risk. The relationship with cloud vendors, and in some cases, their viability creates strategic risk. A lack of transparency and accountability about security from cloud vendors contributes to customer anxiety. Surveys show approximately 75% of respondents are concerned about cloud computing security. Enterprises are not all rushing to embrace low-cost public cloud offerings; many are investigating internal cloud deployment, as well as hybrid cloud architectures that balance low costs with risk mitigation.Cloud computing demands a rethink, but not a reinvention, of enterprise security programs and architectures:

Third-party audit/assessment, incident response, and operations/change management are particular pain points. Customers have less preventive control of the infrastructure with cloud and must seek instead to transfer risks (where possible) or improve detection and deterrence through monitoring, feedback, and audit. Activities once carried out on organization-owned endpoints, data centers, and networks move across open, untrusted networks. Network perimeters are becoming less effective: o More complex virtual machine and virtual network separation mechanisms are in their early stages. o Data in motion should be encrypted to/from cloud environments. Encryption would also be desirable for data at rest in multi-tenant cloud environments, but the performance cost is currently very high and the key management difficult. Tightly coupled domain access control is not suitable for identity and privilege management in the cloud; standards-based identity services are more appropriate. Data is not only difficult to control in the cloud, it is also difficult to classify, discover, analyze, protect, retain, and destroy. Security management must enforce separation of duty, monitor events, and cover staged deployment and change management workflows for hybrid clouds.

Notwithstanding the challenges, there are silver linings and green shoots of opportunity in cloud computings security landscape:

Done correctly, and in the long run, cloud computing can improve availability. Good managed security services are available. Private (community) clouds can support secure collaboration with external partners. Platform-as-a-service (PaaS) offerings could bake proactive security into the software development lifecycle. Application virtualization, desktop virtualization, and identity federation are transformational cloud services with positive security impact.Recommendations:

Mind the gap: Enterprises should not, in general, use public clouds for medium to high risk (i.e., sensitive) applications. Take out a life insurance policy for the security department: o Where necessary, obtain written risk acceptance from business unit leaders and/or strong assurances from all vendors involved. o Put security hooks into appropriate processes to get visibility and control over business cloud initiatives. Build internal clouds; take baby steps toward public cloud with low-risk or low- (variable-) volume applications; and develop service-oriented hybrid cloud architectures. Consider private (community) clouds in concert with vertical industry affinities. Demand greater vendor transparency around cloud security, better assessment criteria and ecosystems for third-party audit, and industry standards to enhance interoperability and security.Conclusion: Cloud computing creates significant risks and requires a rethinkbut not a reinvention of security programs and architectures. Large enterprises should avoid placing sensitive information in public clouds unless they can obtain strong assurances of appropriate protection from all the vendors involved. To use public clouds, organizations must change their security postures; to use internal or hybrid clouds, they must change architectures.

AnalysisCloud computing is transforming IT perceptions and usage models. Driven by market forces (i.e., the economy) and advancements in cloud vendor capabilities, organizations are questioning the wisdom of owning and operating all of the resources necessary to create IT services. Cloud computings ondemand, pay-as-you-go IT service model may enable IT organizations to reduce complexity, lower costs, increase agility, improve service to mobile or transient workers, and increase capacity or availability by outsourcing IT capabilities to service providers. The scale of this transformation is large. Burton Group is tracking the following trends in cloud computing:

Computing (i.e., infrastructure as a service [IaaS]) Storage (IaaS) Applications (i.e., software as a service [SaaS]) Desktops (i.e., virtual desktop infrastructure [VDI]) Development (i.e., platform as a service [PaaS]) Identity (i.e., federated identity hubs) Security (i.e., managed security service providers [MSSPs])

Burton Group defines cloud computing as The set of disciplines, technologies, and business models used to render IT capabilities as on-demand services. Cloud or cloud computing (used interchangeably) can take a number of forms depending on the architectural level of a service and whether services are delivered publicly or privately. Burton Groups root document Cloud Computing: Transforming IT provides detailed explanations of SaaS, PaaS, and software or hardware IaaS forms of cloud, as illustrated in Figure 1.

Figure 1: Cloud Computing Tiered Architecture

Dark CloudsCloud computing has several drawbacks. As described in Burton Groups root document, customers are confused by:

Multiple, conflicting cloud definitions Incomplete usage models Vendor hypeAnd customers are apprehensive of:

Inadequate, inflexible, or nonexistent service level agreements (SLAs) Lack of interoperability Vendor lock-in Poor transparency on security from the vendors Inability (in some cases) to audit and assess the many risks of cloud computing

With these concerns and after a growing number of incidents,1 its a small wonder that surveys show roughly 75% of IT managers are concerned about security!2 The very location independence and economies of scale in shared resources that lower cloud costs may put customers afoul of laws restricting certain types of data to certain jurisdictions and contracts demanding separation or other

controls over data. Other new issues and vulnerabilities will arise; for example, who would pay for a usage engendered by a distributed denial-of-service (DDoS) attack on a public cloud vendors customers?

Silver LiningsHowever, there are silver linings and green shoots of opportunity in todays bleak cloud computing security landscape. Cloud offerings may, in some cases:

Improve availability through massive and redundant compute, storage, and backup facilities capable of handling bursts or spikes in utilization. Offer better security than some small to medium-size businesses (SMBs) could afford to deploy themselves. Provide, in some respects, simpler and better security architectures and operations than complex enterprise software packages. Relieve customers from the burden of patching and other security chores. Include powerful outsourced security services, such as reputation, multiple engine malware scanning, and other offerings that have potential scale economies or that benefit from cost sharing across multiple customers.In general, large organizations arent engaged in a lemming-like rush to risk acceptance of the lowest common-denominator public cloud offerings. (See the Risk Appetites and the Salesforce Question section of this overview for an apparent exception.) Instead, customers concerned with risk and compliance will demand a long tail of cloud formats with different cost/risk tradeoffs. Many more choices will emerge. But during the initial years of cloud computing, enterprises will find relatively low security maturity levels, considerable churn among public cloud providers, and a tendency to shy away from assuming any liability and risk.

Whats the Same, Whats Different from Traditional IT?In some ways, cloud computing is an expansion of server hosting, outsourcing, web-based computing, managed security services, and other past and present offerings. New and different are clouds:

Scale of adoption Dynamic characteristics (per the Cloud Security Alliance):3 o Abstraction of infrastructure o Resource democratization o Service oriented architecture (SOA) o Elasticity/dynamism of resources o Utility model of consumption and allocation Multi-tenancy in which multiple customers and their information share applications and/or infrastructure New kinds of services, such as IaaS virtual machine (VM) hosting and PaaS development/integration services hostingBurton Group distinguishes between a private cloud delivered by a service provider to an exclusive community of customers (perhaps within a vertical industry) and an internal cloud that is delivered by IT for the use of its organization.

Private clouds are similar to services from a small, but mature, market niche filled by providers, such as Exostar, Covisint, and NeuStar, who already offer browser-based, shared collaborative environments for closed communities of organizations. These services are essentially private SaaS offerings. They cater to competing organizations that need to work together on endeavors such as the Joint Strike Fighter project. Often, regulatory or other security drivers require strong information protection. Going forward, IaaS (and perhaps PaaS) will also be provided via private formats to vertical industry communities, such as nScaleds LegalCloud offering. Internal clouds are essentially data center consolidation initiatives within an organization that heavily leverage virtualization in dynamic waysarchitecturally akin to some IaaS deployments. Dynamic data centers make compute and storage capacity available on demand to many applications. But organizations such as Bechtel4 have taken the internal cloud idea farther; Bechtel studied the architectures of Amazon, Google, and Salesforce and then rationalized applicationsby reducing some duplicate programs and refactoring othersto provide web-based delivery, just like SaaS. With internal deployment, organizations such as Bechtel, with the size and resources to scale, can have their cloud and secure it too. Public clouds in some ways resemble earlier on-demand computing initiatives and may involve multiple providers working together to provide maximum capacity to customers. In the future, public cloud providers may share capacity with one another in a dynamic, brokered manner. As the outsourcers outsource recursively, the ability to scale and handle spikes in demand increases. Customer data and processing needs find the available capacity, wherever it may be. But customers cant be too discriminating about where or by whom their data is stored and how it is controlled. Thats the beauty of the public cloudand the (significant) risk. SaaS offerings in some ways resemble older application service providers (ASPs), but are browser based and use multi-tenant hosting models. MSSPs providing monitoring (e.g., Riptech or BT Managed Security Solutions Group [formerly Counterpane]), message filtering (e.g., MX Logic or Symantecs MessageLabs), or other functions may term themselves SaaS offerings or, perhaps, software infrastructure as a service (SIaaS) in Burton Groups parlance. IaaS offerings are like hosting services on steroids; customers rent computing capacity in terms of VMs (or other units) rather than physical units. PaaS, in which customers rent application development and integration facilities as well as runtime infrastructure, is a new thing under the sun for IT.

Vendor CampsThe vendors of cloud computing fall into three camps:

Large, disruptive entrants from the consumer/small business space Established enterprise IT vendors Smaller vendors providing various cloud computing offeringsGoogle, Amazon, and Salesforce (the big three) are emerging out of, and are still heavily focused on, consumer and SMB markets more than the enterprise market. For enterprises accustomed to offerings with security and manageability built in, the newcomers often bring unattractive terms and conditions, no warranties or representations, and opaque security practices. It is hard for customers to get much security information from Google, Amazon, or Salesforce, let alone have a services terms or controls customized. Incredibly, Salesforce told Burton Group it has a policy of not giving security briefings. Even representatives of the U.S. National Institute of Standards and Technology (NIST, a proxy for the U.S. government) could not learn all they wanted to know. However, NIST did indicate that vendors have become more forthcoming over the past months. And one marquee Fortune 50 company we spoke to said a cloud provider agreed to customize its offering so

that only U.S. data centers and U.S. administrators would touch the customer data elements that are legally required to stay in the United States. Customers generally find few features they can control within public cloud vendors domains. For example:

Among the big three, only Amazon offers a packet-filtering firewall, and none of these vendors offers an application firewall as of early 2009. A representative of a manufacturing company that wanted to provide an enterprise Hotmail type of service for tens of thousands of workers not currently equipped with company PCs told us...