Securing Your Cloud Environment

Leonel Navarro

Security in the cloud has been a hot topic for a long time now, yet many individuals and organizations fail to realize its implications, while others have not performed enough due diligence to select the solution they need. Cloud computing requires controls that address threats to confidentiality, integrity and availability. The purpose of this article is to delineate existing cloud security implications and determine which cloud archetype is best suited for a particular business case.

Security implications change based on the cloud use case and the chosen cloud archetype. The most common cloud computing use cases relate to infrastructure, since organizations leverage Infrastructure-as-a-Service (IaaS) to migrate data centers to a virtualized environment. However, two more archetypes promise even more value when it comes to applications: Platform-as-a-Service (PaaS), which offers cloud provider web services to build on, and Software-as-a-Service (SaaS), which offers fully functional applications.

To better understand the security implications, let’s focus on the infrastructure and applications use cases.

Infrastructure

When organizations think of infrastructure, migrating their data centers to the cloud (IaaS) usually comes to mind: creating virtualized environments that provide the same functionality but add other benefits, from cost reduction to resiliency. This use case, even when implemented as a private cloud, carries threats that are often ignored and left without controls, leaving environments vulnerable to attacks. The security implications include:

  • Virtual machine tracking
  • Virtual network environment traffic monitoring
  • Separation of duties (high privilege accounts, change and configuration management roles)
  • Virtualization platform vulnerabilities
  • Malware-based threats
  • Hypervisor hardening
  • Vulnerability management and patching
  • Data encryption
  • Firewall and proxy configurations
  • Log orchestration

Applications

Organizations build or consume cloud-based applications. These scenarios present specific security implications, whether you’re using SaaS or PaaS. On one hand, from a SaaS perspective, organizations benefit from fully functional applications that reduce software development costs and provide “pay only what you use” engagement models. While these are very attractive to customers, the security implications fall under the following:

  • Authentication and authorization
  • Identity and access management
  • User provisioning
  • Data loss prevention
  • Application security
  • Regulatory compliance requirements
  • Data export control restrictions

On the other hand, PaaS provides a set of web services that developers can integrate as an intrinsic part of their applications, fully benefiting from specialized services such as:

  • Elastic store service
  • Global content delivery network service
  • Data import/export service
  • Elastic email service
  • Large-scale push notification service
  • Many more

Therefore, the most important security implication with PaaS is defining the right web services implementation based on the cloud computing pattern that best suits the application's needs. Some patterns include:

  • On and Off: workloads that do not require resources 100 percent of the time
  • Growing Fast: services that become successful need to scale and keep up with growth
  • Unpredictable Bursting: unexpected and/or unplanned peak in demand that may impact performance
  • Predictable Bursting: services with seasonality trends that scale up due to periodic increased demand

The cloud is a very flexible solution that allows you to solve those challenges by enabling you to scale up/down, reducing your infrastructure investment and converting your capital expenditures into operational expenditures. Each service demands a set of security responsibilities that someone must assume to ensure there are no gaps or ambiguities. These responsibilities are managed by the vendor or the user based on the cloud archetype, as follows:

Cloud Security

Whatever cloud service providers (CSPs) promise, organizations need to realize that protecting the information in the cloud will always be the organization’s responsibility. For that reason, organizations must complete enough due diligence to fully understand which cloud archetype makes the most sense for their particular challenge.

Recently, the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA) released two very important documents for the cloud: “Cloud Computing Security Reference Architecture (SP 500-299)” by NIST, and “The Notorious Nine Cloud Computing Top Threats in 2013” by CSA. These two sources host a wealth of information for those concerned about cloud security.

The intrinsic concern for data protection in today’s cloud-enabled environment is not disappearing, despite the evolution of cloud computing. A number of commonly known advantages continue to entice organizations to move to the cloud. The companies that will truly be able to realize these perks and reap the benefits are those that take the time to assess their unique obstacles, ask the right questions and self-inform.

Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with the critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.




Oct 22, 2013 1:15 AM eddiemayan says:
For reducing your risk on cloud server and to maximize your security wall on cloud, use cloudways service.

Oct 23, 2013 3:52 AM James cage says:
Good advice. As adoption of the cloud increases, organizations should ensure adequate levels of security for data residing on it. The points in this article are very helpful for businesses that are looking to move to the cloud and effective. Vendor management is often overlooked and the selection of a vendor is as critical as the decision to move to the cloud itself. I work for McGladrey and there’s a whitepaper on the website that aligns well with this article. It talks about the importance of privacy and security of data hosted on cloud; readers will be interested in it: http://bit.ly/16uLsgi

Nov 18, 2013 11:55 PM Alka says:
Try out Perfect cloud's products for better cloud security: www.perfectcloud.io
