Understanding the Security Challenges of Cloud Computing

An Internet.com Security eBook

This content was adapted from Internet.com’s Enterprise IT Planet, eSecurity Planet, CIO Update, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.

Contents

2   Enterprise Cloud Computing: Risk and Economics
4   Cloud Computing Faces Security Challenges
6   Cloud Computing Requires Security Diligence
8   Three Steps to Secure Cloud Computing
10  How Cloud Computing Security Resembles the Financial Meltdown

Enterprise Cloud Computing: Risk and Economics
By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who want to solve enterprise risk and economic issues still on the table. Things like pay-per-use models now have us looking at how we assess hardware and software costs. You can now pay for only what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises over to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT. This extends from core apps right down to enterprise security. Cloud computing is better at optimizing capital investments because it enables lower capital investments in hardware, software, and real estate; instead of investing in them, enterprises procure cloud services. This significantly lowers total cost of ownership, which traditionally has been a significant cost to the enterprise.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and use of shared infrastructure also leads to greater agility of the cloud computing model.

Another area where costs have been traditionally high has been in IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but for those who are able to shift on the fly, IT pros will be able to turn their focus to solving business problems. The enterprise can then fully focus on business objectives and allocate more resources to solve business problems, even the ones that were practically insolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach. The small organization now has the ability to tap the same level of talent and services as the large

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud; nor does it shift to the cloud provider. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

• Which risks related to service reliability, availability, and security arise?
• How much control can the user exert over the IT services provider?
• What control must be given to the provider and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspect of the cloud is still widely unknown, and hence, very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.

Understanding the Security Challenges of Cloud Computing, an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.


Cloud Computing Faces Security Challenges
By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

“The worst thing we ever did was coin the term ‘cloud,’ which takes a business process and makes it sound ... out there,” said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. “It’s actually impossible to secure the [public] cloud today,” he said. “You just don’t know if your information is going to be processed in Czechoslovakia or Russia, and what they’re going to do with it. And if anything goes wrong, who do you sue?”

John Desantis, CEO of identity management provider Tricipher, agreed. “There is a thin veil that is clearly being penetrated,” he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, however, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

“Customers think security is the cloud issue, but it’s really a trust issue ... a governance issue,” Popp said. “Can I set the policies I want to and impose them? And second, can I verify that the policy works? It’s about governance and control issues.”

“You never sell security,” he added. “You sell compliance to those who need it. When we look at people embracing the cloud, it’s really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything.”

Randy Barr, chief security officer at Qualys, said enterprises are demanding their cloud service providers offer greater visibility to make it clear that the systems are secure — a service his firm provides.

“You can get scans of the cloud system for vulnerabilities,” he said. “We’re seeing more transparency from providers to meet this demand.”

CIO Objections

Security isn’t the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.

“From an enterprise perspective, the CIO wants to hold off,” said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail, in the mix. These services “are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done.”

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing “one of the largest disruptions across the IT landscape.”

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that “the vast majority of software is still with companies in their datacenters.”

“That’s the opportunity,” Benioff added. “I try to educate people because companies want to hold [us] back, like the people that want to sell more servers.”


Cloud Computing Requires Security Diligence
By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon’s readily scale so there’s no need to go through a time-consuming purchasing process or scrambling to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know.

In his position as senior vice president of Symantec’s Information Management Group, he oversees a range of products and services including archiving and backup of information management and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is very “cloudy” when it comes to enterprise adoption as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he’s frequently seeing a hybrid approach where companies rely on a cloud provider for storage or certain applications, but also maintain on-premise backup for security and recovery and to make sure they can adhere to compliance requirements.

“Inside the cloud, customers need the same level of security and data protection,” said Mohan. While managed service providers offer service level agreements (SLA) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

“There are many security endpoints with cloud services and that’s where authentication becomes very important. It’s a big area of investment for us,” said Mohan, noting Symantec’s $1.28 billion purchase of VeriSign’s authentication services unit.

“Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases.”

Mohan also said it’s important for companies, particularly those in highly-regulated industries like finance and health, to be sure their information on the cloud is organized both for retention and compliance.

“The cost of legal e-discovery can exceed government fines. It’s very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page,” said Mohan. “What you want to do is instrument your information on the way in, not after the fact.”

Symantec is one of many providers that have services to index and protect data. Mohan said Symantec’s Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

“Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively,” said Mohan. “Another class of companies really gets serious after their first litigation


Three Steps to Secure Cloud Computing
By Robert McGarvey

You can close your eyes and pretend it is not happening — many CIOs are doing exactly that — but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?”

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players — Amazon, Google, Oracle/Sun, Salesforce.com — know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem over-wrought. “There’s been a lot of over-reaction,” said Sheynkman.

“The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing and certainly, as a group, CIOs are resisting it. But just maybe that has to end because time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based Dreamfactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. That’s because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online at Web-based spreadsheets or into slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of the sand (or clouds as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. Look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another, lingering worry about cloud computing is that — with many providers — log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use and, right there, hackers probably are kept at bay. Take just that step, suggests Gunn, and considerable big company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today …

A final, big worry, particularly in today’s unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. “You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider.” When a cloud provider goes bankrupt how accessible is your information, by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra’s Sheynkman who reminds us: “It’s not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.”

Take it in little steps but start taking some steps, that’s the smart way to embrace the cloud.


How Cloud Computing Security Resembles the Financial Meltdown
By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we’ve got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is a set of auditing standards used to measure the handling of sensitive information. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud

But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at

Hmmm… as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report “Analyzing the Risk Dimensions of Cloud and SaaS Computing.” After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”

Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies – the very groups tasked with protecting investors – were tacitly complicit.

The two biggest ratings agencies, Moody’s and Standard & Poor’s, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the credit worthiness of securities, enabling investors to make informed decisions. Yet
stake) you might wonder if that is a conflict of interest.                      instead of labeling junk as junk, they bestowed a top AAA
Don’t accounting firms have a vested interest in granting                       grade on highly risky assets.
SAS 70 certifications to those cloud computing vendors
who can pay for them?                                                           Shockingly, virtually all of the AAA-rated subprime-
                                                                                mortgage-backed securities issued in 2006 have now

       10    Back to Contents           Understanding the Security Challenges of Cloud Computing an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.
                                        Understanding the Security Challenges
                                                of Cloud Computing

been downgraded to a junk rating.                                                 digging. From Heiser’s report:

It was a clear conflict of interest. These ratings agencies                       Do not accept the claimed existence of a certification
are paid by the issuer of the security. Perhaps it’s not                          or other third-party assessment as being adequate
surprising that they labeled some rotting sausage as                              proof of security and continuity fitness for purpose.
high-grade beef. If one of the agencies had threatened to                         Thoroughly review the assessor’s written report to ensure
give a low (but accurate) rating, the issuer would simply                         that the scope of evaluation is adequate, and that all
shop at another ratings agency. The system itself was set                         necessary processes and technologies were appropriately
up to provide false assurance.                                                    addressed.

Now back to cloud computing and SAS 70. OK, let me                                But is it IT?
get this straight: the cloud companies pay accounting
firms for SAS 70 certifications just as the financial                             An additional question bedevils the debate over cloud
organizations paid Moody’s for an investment-grade                                security: Is SAS 70 — even if administered by an impartial
rating?                                                                           third party (which it’s not) — an insightful evaluation of a
                                                                                  cloud computing vendor’s security?
“Yes, if you see someone who claims to be SAS 70, they
have paid an accounting firm. Not only have they paid                             SAS 70 was never designed for this use, though in theory
an accounting firm to go do the test, but they’ve told                            it could address an IT risk scenario. “Call me a cynic, but
the accounting firm what processes need to be tested,”                            SAS 70 is an auditing standard originally intended to be
Heiser says.                                                                      used against processes relevant to financial statements,
                                                                                  secondarily to financial transactions,” Heiser says.
“And you see a distressing number of providers that are
claiming, ‘Well, we’re secure, or we have availability – it’s                     “So the thing starts very, very far away from anything
proven by the fact that we have a SAS 70.’”                                       that would traditionally be considered an information
                                                                                  security or a business availability assessment. It’s done by
This statement echoes a key finding that Heiser noted in                          accounting firms.”
his report:
                                                                                  A common perception of the financial evaluators involved
Third-party certifications are immature, are unable to                            with false credit ratings is that they were not the cream of
address all aspects of cloud-computing risk, and should                           the Wall Street elite. Those brighter talents were pursing
be relied on only after a thorough evaluation of the                              vastly more remunerative activities.
written report.
                                                                                  In contrast, “I would expect that whoever is doing a SAS
To be fair, a SAS 70 is likely more than a mere piece of                          70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says.
paper. It may prove more than the fact that the vendor                            “Still, are they auditors? IT? Did they go to Purdue and
has the money to hire an accounting firm. Perhaps it                              get a Master’s degree in Information Security? What’s
should be thought of as a good starting point. Still,                             their background for all this?”
the responsibility remains squarely on the client to
evaluate the SAS 70’s written report and make their own                           The moral of this cautionary tale is best summed up with
determination. Were the right controls included? Were                             a last key finding from the Gartner report:
they evaluated to the appropriate degree?
                                                                                  Be skeptical of vendor claims, and demand written or in-
In other words, buyer beware. You have to do your own                             person evidence.

       11    Back to Contents             Understanding the Security Challenges of Cloud Computing an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.
