
An Internet.com Security eBook

Understanding the Security Challenges of Cloud Computing

Contents

Enterprise Cloud Computing: Risk and Economics
Cloud Computing Faces Security Challenges
Cloud Computing Requires Security Diligence
Three Steps to Secure Cloud Computing
How Cloud Computing Security Resembles the Financial Meltdown

This content was adapted from Internet.com’s Enterprise IT Planet, eSecurity Planet, CIO Update, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.

© 2010, Internet.com, a division of QuinStreet, Inc.

Enterprise Cloud Computing: Risk and Economics
By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who still have enterprise risk and economic issues on the table. Pay-per-use models change how we assess hardware and software costs: you can now pay only for what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT, from core applications right down to enterprise security. Cloud computing lowers capital investment in hardware, software, and real estate; instead of buying those assets, enterprises procure cloud services. That lowers total cost of ownership, which traditionally has been a major enterprise expense.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and the use of shared infrastructure also make the cloud computing model more agile.

Another area where costs have traditionally been high is IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but those who are able to shift on the fly will be able to turn their focus to solving business problems. The enterprise can then focus fully on business objectives and allocate more resources to solving business problems, even the ones that were practically insolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach: the small organization can tap the same level of talent and services as the large enterprise.

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud, nor does it shift to the cloud provider: the provider may operate the controls, but the enterprise remains accountable for its data and its obligations. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

• Which risks related to service reliability, availability, and security arise?
• How much control can the user exert over the IT services provider?
• What control must be given to the provider, and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspect of the cloud is still widely unknown, and hence, very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.

Cloud Computing Faces Security Challenges
By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

“The worst thing we ever did was coin the term ‘cloud,’ which takes a business process and makes it sound ... out there,” said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. “It’s actually impossible to secure the [public] cloud today,” he said. “You just don’t know if your information is going to be processed in Czechoslovakia or Russia, and what they’re going to do with it. And if anything goes wrong, who do you sue?”

John Desantis, CEO of identity management provider Tricipher, agreed. “There is a thin veil that is clearly being penetrated,” he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds, more closed systems where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

“Customers think security is the cloud issue, but it’s really a trust issue ... a governance issue,” Popp said. “Can I set the policies I want to and impose them? And second, can I verify that the policy works? It’s about governance and control issues.”

“You never sell security,” he added. “You sell compliance to those who need it. When we look at people embracing the cloud, it’s really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything.”

Randy Barr, chief security officer at Qualys, said enterprises are demanding that their cloud service providers offer greater visibility to make it clear that the systems are secure, a service his firm provides.

“You can get scans of the cloud system for vulnerabilities,” he said. “We’re seeing more transparency from providers to meet this demand.”

CIO Objections

Security isn’t the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs compared with companies buying and managing their own computing infrastructure.


“From an enterprise perspective, the CIO wants to hold off,” said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail, in the mix. These services “are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done.”

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing “one of the largest disruptions across the IT landscape.”

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that “the vast majority of software is still with companies in their datacenters.”

“That’s the opportunity,” Benioff added. “I try to educate people because companies want to hold [us] back, like the people that want to sell more servers.”

Cloud Computing Requires Security Diligence
By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon’s readily scale, so there’s no need to go through a time-consuming purchasing process or scramble to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know.

In his position as senior vice president of Symantec’s Information Management Group, he oversees a range of products and services, including archiving and backup, and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is very “cloudy” when it comes to enterprise adoption, as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he’s frequently seeing a hybrid approach where companies rely on a cloud provider for storage or certain applications but also maintain on-premise backup for security and recovery, and to make sure they can adhere to compliance requirements.

“Inside the cloud, customers need the same level of security and data protection,” said Mohan. While managed service providers offer service level agreements (SLAs) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

“There are many security endpoints with cloud services and that’s where authentication becomes very important. It’s a big area of investment for us,” said Mohan, noting Symantec’s $1.28 billion purchase of VeriSign’s authentication services unit.

“Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases.”

Mohan also said it’s important for companies, particularly those in highly regulated industries like finance and health, to be sure their information in the cloud is organized both for retention and compliance.

“The cost of legal e-discovery can exceed government fines. It’s very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page,” said Mohan. “What you want to do is instrument your information on the way in, not after the fact.”

Symantec is one of many providers with services to index and protect data. Mohan said Symantec’s Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

“Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively,” said Mohan. “Another class of companies really gets serious after their first litigation request.”


Three Steps to Secure Cloud Computing
By Robert McGarvey

You can close your eyes and pretend it is not happening, as many CIOs are doing, but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it, because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?”

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players (Amazon, Google, Oracle/Sun, Salesforce.com) know more than a little about maintaining online security, and considered in that context, worries about outsiders knocking down the security walls and having their way with your data do seem overwrought. “There’s been a lot of over-reaction,” said Sheynkman. “The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing, and certainly, as a group, CIOs are resisting it. But just maybe that has to end, because the time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based Dreamfactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. A CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online in Web-based spreadsheets or slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of the sand (or clouds as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. Look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another lingering worry about cloud computing is that, with many providers, log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when bare-bones log-ons are in use, old-fashioned social engineering techniques will let attackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where strong, two-factor authentication is in use; a phished or guessed password alone then no longer opens the account. Take just that step, suggests Gunn, and considerable big-company opposition to cloud computing would evaporate. Most mainstream cloud providers are hanging back on this, but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.
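The rule Gunn describes, that data may move into the cloud only under two-factor authentication, can be enforced on the provider side rather than left to user discipline. The IAM policy below is an added example, not from the eBook or from any vendor quoted in it; it assumes an AWS S3 bucket (the name example-corp-uploads is a placeholder) and users who obtain session credentials through STS after an MFA check. The first statement is what a permissive upload policy typically looks like; the second is the addition that turns that weak policy into the one Gunn is asking for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploads",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-corp-uploads",
        "arn:aws:s3:::example-corp-uploads/*"
      ]
    },
    {
      "Sid": "DenyUploadsWithoutMFA",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-corp-uploads/*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

The aws:MultiFactorAuthPresent key is set only on temporary credentials issued after an MFA check; long-term access keys never carry it. BoolIfExists treats a missing key as a match, so the Deny also catches long-term keys, which is the intended effect: a password-only or key-only session can list the bucket but cannot write to it. An explicit Deny overrides any Allow granted elsewhere, so the rule survives a looser policy being attached later. Attach it to the roles or groups that handle sensitive data, and confirm the effect with aws iam simulate-principal-policy against s3:PutObject before relying on it.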

Here Today …

A final, big worry, particularly in today’s unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. “You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider.” When a cloud provider goes bankrupt how accessible is your information, by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra’s Sheynkman who reminds us: “It’s not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.”

Take it in little steps but start taking some steps, that’s the smart way to embrace the cloud.


How Cloud Computing Security Resembles the Financial Meltdown

By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business-critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we’ve got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is an auditing standard under which an accounting firm examines a service organization’s controls and writes a report on them. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers. (It has since been retired in favor of the SSAE 16 and SOC reports, but the questions that follow about who pays, who sets the scope, and what was actually tested carry over unchanged.)

But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at stake) you might wonder if that is a conflict of interest. Don’t accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm… as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report “Analyzing the Risk Dimensions of Cloud and SaaS Computing.” After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”

Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies, the very groups tasked with protecting investors, were tacitly complicit.

The two biggest ratings agencies, Moody’s and Standard & Poor’s, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. Perhaps it’s not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. OK, let me get this straight: the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?

“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.

“And you see a distressing number of providers that are claiming, ‘Well, we’re secure, or we have availability – it’s proven by the fact that we have a SAS 70.’”

This statement echoes a key finding that Heiser noted in his report:

Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70’s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?

In other words, buyer beware. You have to do your own digging. From Heiser’s report:

Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor’s written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70 — even if administered by an impartial third party (which it’s not) — an insightful evaluation of a cloud computing vendor’s security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. “Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions,” Heiser says.

“So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It’s done by accounting firms.”

A common perception of the financial evaluators involved with the false credit ratings is that they were not the cream of the Wall Street elite. The brighter talents were pursuing vastly more remunerative activities.

In contrast, “I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says. “Still, are they auditors? IT? Did they go to Purdue and get a Master’s degree in Information Security? What’s their background for all this?”

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

Be skeptical of vendor claims, and demand written or in-person evidence.