Welcome!

@CloudExpo Authors: Pat Romanski, Liz McMillan, Elizabeth White, Zakia Bouachraoui, Yeshim Deniz

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Cloud Security Questions?

Here are some answers

Cloud Security Track at Cloud Expo

For companies considering a transition to cloud computing (CC), one of the major concerns is (or should be) security. If addressed properly while selecting a cloud computing provider or cloud provider (CP), security can actually improve for many companies. For many firms, a cloud computing provider can provide better security than their in-house facilities. This is because the CPs are devoting huge resources to making security a non-issue for customers and, in fact, a selling point versus other CPs. With billions of dollars of potential business at stake, CPs are going to do their best to secure their environment. However, there are many new risks with CPs that should concern potential users.

Before trusting a particular provider, potential customers must perform adequate due diligence to make sure that the CP has the proper controls in place to protect their data and applications so they can obtain the required security and reliability. Fortunately, the competitive environment in which CPs operate provides selection options and, in many cases, more control than customers had with their own IT organization. Savvy cloud shoppers can play one provider against another to their advantage - if they know what to look for.

Customers must start by determining their overall system requirements including security. Then they can go to CPs and query them to make sure the customer's requirements are met. Asking the right questions and knowing what to look for in answers is the key to getting the expected level of security.

Who's On Your Side?
One organization specifically championing cloud security is the Cloud Security Alliance (CSA) (see Sidebar). CSA has compiled and recently updated a 76-page security guide that lays out hundreds of issues and recommendations that must be considered when examining security needs in the cloud. Since the CSA guidelines are quite long, we have distilled the most critical CSA recommendations into a series of questions that you should ask CPs along with answers that you should be looking for. Reading the CSA guidance document is still a good idea but this article will give you an overview of many key points.

Another organization working on cloud security is the Trusted Computing Group (TCG) (see Sidebar). TCG has developed several standards that address cloud security and are in widespread use today, including Trusted Storage, Trusted Network Connect (TNC) and the Trusted Platform Module (TPM). See the TCG web site for more detailed information on these standards.

Cloud Computing Q&As
The questions below are key ones to ask as you consider cloud security. These questions are divided into six specific areas, as shown in Figure 1. The numbers in the figure correspond to the headings below.

Figure 1: Security areas to investigate in cloud computing

One issue that must be considered for all of the questions is: "Should you use standards-based or home-brewed security solutions?" Home-brewed security solutions are not as secure as standards-based systems. This has been widely recognized in government and industry. That's why standard encryption algorithms like Advanced Encryption Standard (AES) and protocols like Transport Layer Security (TLS) are used. These standards have received years of thorough analysis and review. Furthermore, by using a standards-based security system, customers gain the flexibility and advantage of being able to move to a different provider if they choose to as they are not locked into one provider. This article identifies relevant standards as appropriate.

Another issue with cloud security is "How can I ensure that the CP fulfills their promises?" Make sure that the CP documents their promises in a Service Level Agreement, contract, or other written document.

1. Securing data at rest. How does the CP secure data at rest (on storage devices)?
The best practice for securing data at rest is cryptographic encryption. The CP should always encrypt data on storage devices (e.g., hard drives and back-ups) to avoid data breaches. The CP should also ensure that data is destroyed when no longer needed. That's easy to do with encrypted data: just delete the encryption key.

2. Securing data in transit. How does the CP secure data in transit (within the cloud and on its way to and from the cloud)?
Data in transit should always be encrypted, authenticated, and integrity protected. This ensures that nobody can read or modify the data as it passes through the potentially dangerous byways of the network. Thousands of person-years of experience have gone into creating reliable standard protocols (e.g., TLS and IPsec) and algorithms (e.g., AES) for this purpose. CPs should use these protocols, not invent their own. This ensures security and interoperability.

3. Authentication. How does the CP authenticate users?
Passwords are the most common form of authentication but CPs that are committed to security should support stronger forms of authentication such as certificates and tokens. As important as strong authentication, the CP should be able to use standards such as LDAP and SAML to consult the customer's identity management system when authenticating users and determining their permissions. This ensures that the CP always has up-to-date information on authorized users. A much-worse alternative is for the customer to give the CP a list of authorized users. This inevitably leads to disconnects where someone has been fired or reassigned but not removed from the list of authorized users at the CP. Can you say disgruntled former employee? That's bad news!

4. Separation between the customers. How are one customer's data and applications separated from other customers (who may be hackers or competitors)?
The best answer is that each customer uses a separate virtual machine (VM) and virtual network. A hypervisor enforces separation between VMs and therefore between customers. Virtual networks are implemented using standard techniques such as VLANs (Virtual Local Area Networks), VPLS (Virtual Private LAN Service), or VPNs (Virtual Private Networks).

Some CPs place all of their customers' programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data. This approach is fragile and ill-advised. First, a malicious party may find a bug in the custom code that lets them view data they should not be able to access. Second, a bug in the code can accidentally allow one customer to see data from another customer. Both these problems have occurred at CPs in the recent past. Therefore, VMs and virtual networks are the preferred form of customer separation.

5. Cloud legal and regulatory issues. How does the CP address legal and regulatory issues related to CC?
Laws and regulations vary from one jurisdiction to another. They may restrict data export, require particular security measures, or enforce compliance and auditing requirements. They may even provide for a government or litigant's right to inspect data. Careless CP actions can expose customers to costly legal consequences.

The CP must provide strong policies and practices that address legal and regulatory issues such as data security and export, compliance, auditing, data retention and destruction, and legal discovery (especially considering that one physical server may contain several customers' data). Each customer must have its legal and regulatory experts inspect CP policies and practices to make sure that they are adequate for the customer's needs.

6. Incident response. How does the CP respond to incidents and how are customers involved?
Things can and do go wrong. CPs must have a well-documented incident response process that includes customers. At the very least, CPs should detect incidents, minimize their effects, and inform customers of status. Ideally, CPs should provide confidential, real-time information to each customer about that customer's resources and users. Customers should consider and plan for the possibility of CP security breaches. How will you respond to incidents in the cloud? Can you conduct forensic investigations to determine what caused an incident?

The Future of Cloud Security
With all of the techniques and tools in place to provide better security than ever before, there is still more work to be done. In some cases, problems have been identified and the technology has been developed but not yet brought to market. Some of the cutting-edge technologies for cloud security are self-protecting data, trusted monitors, and searchable encryption.

With self-protecting data, intelligence is embedded within encrypted data. Data encrypted using this approach consults a policy when it is accessed and reveals its content only if the environment is verified as trustworthy. A trusted monitor is software installed at the CP's server that monitors CP operations and provides proof of compliance to the customer to verify adherence with established policies. Finally, searchable encryption allows computations on encrypted data so that data can be searched and indexed while staying encrypted for maximum security.

When the research and development to make these approaches practical for cloud computing are completed, the next step will be cloud provider implementation. With the integration of these technologies into their solutions, customers will have even more trust in their cloud provider.

Resources:

  1. Cloud Security Alliance (CSA)
  2. Trusted Computing Group (TCG)
  3. Controlling Data in the Cloud:  Outsourcing Computation without Outsourcing Control
  4. A Security Analysis of Cloud Computing

Organizations Addressing Cloud Security
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a non-profit organization specifically established to promote best practices for security assurance within cloud computing. Formed in November 20, 2008, the group consists of industry experts from several companies with partnerships from other not-for-profit associations and industry groups. As part of its efforts to promote improved cloud security and educate cloud computing users, CSA has developed Security Guidance for Critical Areas of focus in Cloud Computing. The most recent version v2.1 was completed in December 2009.

Trusted Computing Group
Increased enterprise security, risk assessment, and solutions through open specifications have been the focus of the not-for-profit open standards consortium known as the Trusted Computing Group (TCG) for over a decade. To guide its work, TCG's committee members identified specific enterprise aspects that need to have improved security. Developed by experts from leading and innovative technology companies, TCG's open standards allow scalability for successful implementation both now and in the future and provide open-market dynamics to reduce cost.

Comprised of more than 100 major companies that cover the enterprise with connectivity and computing technology, TCG has addressed the security issues that confront cloud computing even though its specifications were not originally developed for this purpose.  TCG specifications for Trusted Platform Module (TPM), Trusted Network Connect (TNC) and Trusted Storage provide a starting point for enterprise-wide security that directly applies to cloud computing.

Note: information on Trusted Computing Group and various specifications, free to download, is at www.trustedcomputinggroup.org

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

More Stories By Jesus Molina

Jesus Molina is a security researcher at Fujitsu Laboratories of America, and co-chairs the authentication working group at the trusted computing group (TCG), where he has been contributing since 2002. In addition, he is the instructor of a graduate course on trustworthy computing at the University of Maryland. Prior to that, he was the maintainer of the open source emulator for the trusted platform module, and contributed to other projects related to trustworthy computing. He has published and presented his work at several conferences, including IEEE security and USENIX security. His current research interests include hardware security, authentication, trustworthy computing and virtualization.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments in AI and Cloud Computing technology innovation for enterprise communications to help you shape your future strategy.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lavi, a Nutanix DevOps Solution Architect, explored the ways that Nutanix technologies empower teams to react faster than ever before and connect teams in ways that were either too complex or simply impossible with traditional infrastructures.
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., discussed how these tools can be leveraged to develop a lasting competitive advantage in priority areas: customer analytics, financial crime prevention, regulatory compliance and risk management.
@CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in multiple vertical markets. Our delegate profiles can be located in our show prospectus.
According to the IDC InfoBrief, Sponsored by Nutanix, “Surviving and Thriving in a Multi-cloud World,” multicloud deployments are now the norm for enterprise organizations – less than 30% of customers report using single cloud environments. Most customers leverage different cloud platforms across multiple service providers. The interoperability of data and applications between these varied cloud environments is growing in importance and yet access to hybrid cloud capabilities where a single application runs across clouds remains elusive to most organizations. As companies eagerly seek out ways to make the multi cloud environment a reality, these new updates from Nutanix provide additional capabilities to streamline the implementation of their cloud services deployments.