In the third instalment of TNW’s enterprise cloud computing series, we take a look at security in the Cloud.
Jeff Bezos, Amazon CEO, may have once claimed he’d never lost sleep over cloud security, as users just needed to choose harder passwords, but security is still the biggest roadblock to enterprise cloud adoption, with 30% of corporate IT decision makers saying it’s their biggest pain point, according to a recent survey by 415 Research [PDF].
But what are the biggest risks to your enterprise’s security as cloud adoption increases?
Departments moving to the Cloud without involving IT
Despite all the technical security risks of cloud computing, the biggest risks are often human factors.
IT departments are understandably cautious about moving mission-critical applications to the Cloud, due to fears about security, downtime and control. However, other departments in the same company may already be signing up to cloud services, without even involving the IT department.
Just 34% of business leaders involved IT in the decision-making process when choosing a cloud-based service, while even fewer (29%) involved IT while deploying the service. This presents a genuine risk for enterprises, as it makes it unlikely security audits have been conducted, or safeguards put in place.
So how should IT departments handle other departments moving to the Cloud without involving them?
“A good security policy is essential,” says tech journalist and IT training consultant Les Pounder, “Sit down with your heads of department, and review the work that you do, and how your work is accomplished.”
“Use this information to develop test cases, which can thoroughly test the status of your clouds security. If you find any holes in your security, address them immediately via patches, but seek to implement updates on a regular basis.”
However, it’s important to strike a balance. What the IT Director should be aiming for is a solid security policy which allows departments to achieve what they need without sacrificing security. An overly draconian cloud security policy risks stifling innovation, or worse being circumvented.
Bring Your Own Device
Another hot topic in corporate IT is Bring Your Own Device (BYOD). Staff increasingly want to use their own devices at work, as it’s more convenient and devices are often higher-specced than those supplied by companies.
“BYOD offers obvious savings to employers and greater flexibility for employees,” says Stephen Musgrave, of legal firm Bird & Bird.
In fact, for staff who want to work away from the office part of the time, cloud computing offers some obvious advantages, says Andrew Taylor of Sage One UK.
“With Bring Your Own Device there’s a real threat that an on-site installation can’t accommodate a more mobile or home-based workforce but a cloud approach can.”
BYOD brings risks, though. 44% of security professionals listed BYOD as their biggest security concern in one recent survey [PDF], more than any other aspect of security.
Lost or stolen devices could give an unauthorized person access to cloud services, as well as sensitive data stored locally or in caches. Diagnosing data breaches can also be more difficult, as filtering and monitoring systems may not be in place on employees’ own devices.
Family members and friends of your staff may have access to a device used at work, so measures need to be put in place to restrict access to sensitive data.
The UK Government’s Information Commissioner’s Office advises implementing an acceptable use policy, as well as controlling access to sensitive data with a password or PIN.
Data sent over the Internet
Whenever data is sent over the Internet, there’s an inherent security risk, compared to a fully-encapsulated network.
“The main challenge is data security over a public internet connection,” says Les Pounder, “Your cloud, and internal network will have security policies in place to minimise the risk of data theft, but between the two, is the vast public internet.”
“One common method is to use a Virtual Private Network (VPN), which offers an encrypted tunnel between the two.”
Some of the biggest challenges lie with the understanding of risk rather than mitigating against it, according to Andrew Taylor of Sage UK.
“Enterprise network teams already fully understand the problem of VPN access and secure end-to-end communications but now the tools are different,” says Taylor, “Before teams were been able to install fibre easily to the datacenter this isn’t as widespread an option, networking must be done largely in software, it can be a more restrictive way of working.”
With data transferred over the Internet, there is always a risk of intrusion, not to mention inconsistent performance, so it makes sense for the IT department to want to reduce this uncertainty. While traditional fibre connections are not common with cloud hosts, Amazon did introduce options for both direct connection and hardware to software based VPN, after customers asked for the choice, and this approach is likely to become more common over the next 18 months.
Shared resources in public clouds
In public clouds access to data on Virtual Machines (VMs) is a big concern, says freelance cloud engineering specialist Ryan Stenhouse.
By definition, public clouds share resources between different customers and use virtualization heavily, and this does create additional security vulnerabilities, both from access levels as well as from exploits in the virtualization software.
For example, VMs hosted on the same physical server could theoretically suffer undetected network attacks between each other, unless suitable network detection was put in place. Other known exploits include hijacking VM hypervisors, and exploiting local storage in memory.
“You should carefully investigate the controls providers have in place to secure your environment,” says Stenhouse, “Big providers such as Amazon and Rackspace make this information available and are accredited to the highest industry standards.”
“Aside from that, the security issues are all your standard server security / admin problems. Your best way to mitigate security risks is to hire a competent sysadmin, and for critical applications, an external security tester.”
Public, private and hybrid clouds
With security such a big concern for corporate IT Directors, it’s no surprise that enterprises have been keen to look for cloud technologies which maintain some of the security benefits of private networks.
“There are a number of solutions that offer a private on-premise ‘cloud’ model,” says Andrew Taylor of Sage UK, “Private hardware can be layered with a scalable stack similar to what is offered in the public cloud. The advantages here are obvious because you’re just adding flexibility to an existing platform where you can control the security.”
“You can also deploy a ‘private cloud’ on public shared hardware or a hybrid where you deploy private cloud to public but dedicated equipment.”
“A public cloud, is by its very nature, open to the public,” says Les Pounder, “while a private cloud is segregated from other users, allowing a more secure environment.”
Public clouds need network and system administrators to configure the setup, so private or sensitive data is kept secure.
“The UK’s Government Digital Service have successfully used a public cloud to deliver services to the general public,” says Pounder, “But they also have content that is marked for internal use only.”
Shared infrastructure brings security benefits, as day-to-day management and security patches are handled by the provider, but also remove the IT department’s ability to react to a newly discovered vulnerability, says Taylor, “Any private cloud also brings the ability for enhanced access control and greater degrees of host-based / network-based trust.”
Every executive is aware of the risk of their systems being hacked by a malicious individual or organization. Penetration (or “Pen”) Testing is a tool traditionally used by security professionals to find out if systems have adequate security measures in place to prevent hackers gaining access and is equally useful for cloud systems.
“With the Cloud, comes additional vectors for attacks,” says Les Pounder, “For example DNS spoofing, where your Domain Name Server (DNS) database is altered to redirect traffic to another machine.”
“It’s really important that testing takes place alongside and with the knowledge of the Cloud vendor,” says Andrew Taylor of Sage UK, so they don’t assume that the system is under a genuine attack, and so that it doesn’t affect other customers on the same infrastructure, and to seek the help of an outside security expert.
Whose responsibility is security?
It’s important to establish who is responsible for which aspects of security, so that measures can be put in place to ensure the system and data remain safe.
“As an example,” says Sage UK’s Andrew Taylor, “The Amazon ELB platform is shared infrastructure and in its default configuration is susceptible to some known SSL vulnerabilities. It’s not Amazon’s responsibility to enforce a particular implementation, it’s up to the provisioner to ensure adequate configuration and testing takes place. It’s simply not enough to claim ‘our vendor let us down’.
Ultimately, security should be a constant consideration of everyone involved, from the IT Director, to network administrators, developers, SysAdmins and vendors.
“Security is everyone’s responsibility,” says Pounder.
- Part 1: 5 reasons enterprises are frightened of the Cloud
- Part 2: Is the Cloud ready for Mission Critical Apps?