Security and Compliance in the Cloud Age

Misha Govshteyn

The emergence of the platform- and infrastructure-as-a-service models presents just two of many inflection points as IT migrates away from traditional data centers and into the cloud. While the debate over private vs. public clouds rages on, relatively little attention is paid to the fact that the broadly accepted definition of the cloud - IT services delivered under the IaaS/PaaS/SaaS models - in effect brings about a gradual shift of control over security from the enterprise to the service provider. Above all, this shift in responsibility and control will fundamentally change the way we secure our data.

Irrespective of which cloud model will ultimately prevail (answer: all of the above) and how much enterprise data resides in the cloud (answer: more than you'd like to admit), IT managers must prepare to support security and compliance in the cloud age. And that means developing a new model for enterprise security, one less fixated on erecting castles and moats and more focused on the unique challenges and opportunities posed by advances toward cloud computing.

The most immediate impact on enterprise security will be driven by the real possibility that, for some companies, as much as 50 percent of corporate data will reside beyond the enterprise data center within the next five years, rendering the ubiquitous notion of the network perimeter obsolete. Complicating matters further, cloud computing acceptance will inevitably push developers toward emerging Web technologies, whether rich user interfaces built with HTML5 or traditional applications integrated through Web APIs. These Web technologies are the glue that holds the cloud together, and they are often developed by social media companies without much consideration for industrial-grade security.

Left in the same unprotected and unmonitored state they are in today, Web applications represent the most likely set of threat vectors for the next five years as Web-based development platforms, protocols and integration APIs increasingly come under attack. As cloud computing services become more abstracted from the underlying infrastructure, and as the firewalls that form today's network perimeter fade into the background, service providers and enterprises must move their security efforts up the stack with solutions that address threats against Web technologies and APIs. The security industry's answer to this risk may come in two forms: a robust set of Web application and XML filtering technologies, combined with a much higher level of automation for compliance, auditing and logging than is generally available today.

The inevitable migration of security responsibility to the cloud does not necessarily mean that cloud service providers have the capabilities needed to meet the challenge. Security products on the market today are inherently designed for single-tenant delivery, and everything about security vendors, from product management to software architecture, is wired to support the needs of the enterprise. Cloud service providers are finding that traditional security products are a poor fit for their typically flat networks, which already reach 60-70 Gbps and will only get faster as hundreds of thousands of customers rapidly provision (and sometimes just as rapidly tear down) computing capacity to meet changing business requirements. The security industry's delivery vehicle of choice, the network appliance, is a particularly bad fit for this highly virtualized, elastic and scaled-out world of cloud computing.

Protecting cloud environments in the future will require a fundamentally different set of technologies, most of which are only emerging today. For some cloud providers, the answer will come in the form of security products embedded at the hypervisor level of the cloud infrastructure. Others will ultimately gravitate toward products that serve as a security overlay on the network fabric of cloud data centers. Regardless of the model, security products that survive the IT migration to the cloud must find a way to exist in a multi-tenant environment and integrate with service provider provisioning systems, which even today provide a level of automation not commonly found in modern enterprise data centers. With the notable exception of cloud-based and inherently multi-tenant security solutions from companies such as Zscaler, Watchfire and Alert Logic, many traditional security companies will find it difficult to become cloud-ready without significant re-architecture efforts.

Despite the many challenges, enterprises and service providers should realize that the opportunity for transformative change presented by cloud computing is equal to its inherent risk - a chance to finally get security right. Doing so without full access to networks and operating systems may require a radically different perspective from the one currently held by many security professionals, who believe that compliance is a perfunctory aspect of their job with no meaningful impact on security. The emerging CloudAudit standard provides the best example of how a well-thought-out industry effort led by people with cloud security expertise, rather than a patchwork of government regulations, can provide an unprecedented foundation for automated auditing of the controls needed to secure the cloud computing environments of the future.

Enterprises that anticipate adopting cloud technologies in the next five years are asking themselves: "What, if anything, should we do differently today to prepare for tomorrow?" The answer may be as simple as tasking a single person with learning about cloud services and emerging security standards such as CloudAudit. A more pragmatic step may be to deploy a cloud-enabled single sign-on solution, if for no other reason than that it already solves a pressing problem: access to multiple SaaS solutions using a common set of user credentials. Another low-risk, high-reward opportunity is deploying cloud-based solutions delivered under the security-as-a-service model, which already offer broad support for functions ranging from log management to intrusion protection, Web content filtering and vulnerability assessment. These cloud-enabled security services are natively multi-tenant and are the most likely to understand the unique challenges of cloud providers, allowing enterprises to converge on a common set of security services that protect them on-premise, in the corporate data center and in the cloud. Even if you are not yet consuming IaaS or PaaS services from the cloud, adopting SaaS security solutions for your on-premise IT infrastructure and applications will position your company for a future migration to IaaS/PaaS services without breaking your security model.

In building your security and compliance strategy for the age of the cloud, consider that the adoption curve for the cloud may be every bit as steep as that of Internet technologies in the late 1990s. If so, the trends discussed in this article will only accelerate, and an entire generation of security practitioners who ply their trade supporting network appliances, grooming network sockets or scrubbing file systems will find their expertise hopelessly outdated. Enterprises and security professionals can and should prepare themselves for the demands of cloud computing tomorrow by making the right decisions and deploying cloud-ready technologies today.



Comments

Jun 23, 2010 5:06 PM Akanji Adeniyi says:
This is quality material.
Jun 27, 2010 11:06 PM CloudNinja says:
I think John Mullinax hit it on the head when he commented: "Companies trust their data to external environments all the time. They generally do not trust ALL their data to these environments, for good reasons. But they generally do trust SOME of their data. It's a good dialogue to have - what data is ok in the cloud? -- but as cloud computing is maturing, we also need to have a more nuanced conversation about trust and the cloud. The question of when everything will move to the cloud has largely been answered... it's not likely going to happen. The Cloud represents a new generation of computing paradigm, but like the platform paradigms that have come before (mainframe, mini computer, PC, client-server, web - all of which are still around) we should not expect the cloud to replace everything that came before it. The question to ask is what data *would* make sense in the cloud? Or even better, what parts of my technology and data portfolio should live in the cloud? It's a good discussion topic, and there's no one right answer for everyone. Since Windows Azure has been purposefully designed to interoperate with/span across on-premise boundaries, there are many options on the continuum between cloud and on-premise. BTW, with highly automated service provisioning and data center operations, ISO 27001 certification, SAS70 certification, etc... the Microsoft data centers that run Windows Azure are probably "safer" and more reliable than many other environments. More than safety and reliability, what you give up to some degree is direct control."
IMHO, when considering security, 2 items need to be addressed: 1) physical security of the hardware, and 2) security of the data. Here are some resources I've found that discuss this and act as guidelines when considering security and the cloud:
Physical security: http://www.globalfoundationservices.com/security/index.html and http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf
Data security: http://www.research.microsoft.com/en-us/projects/cryptocloud/ and http://www.research.microsoft.com/en-us/projects/secpal/
Thoughts? Hope that helps. -cn
Aug 8, 2011 5:08 PM Tpham says:
Cloud security is especially of concern for e-commerce merchants and healthcare organizations that need to be PCI or HIPAA compliant. While virtualization (cloud computing) is CapEx-free, faster to deploy than physical servers and generally more energy/resource efficient, companies need to choose private cloud computing over shared, public environments. Keeping data on private applications can go a long way toward avoiding violations and federal fines.
