Unlocking the security conundrum

01 May 2014

Cloud is now mainstream and yet concerns about security still hamper widescale deployments. RAHIEL NASIR finds out how to dispel the fear, uncertainty and doubt.

Cloud computing has achieved mainstream deployment in the UK according to the Cloud Industry Forum (CIF). Last autumn, it surveyed 250 senior IT and business decision-makers and found that 69 per cent had formally adopted at least one cloud-based service – an eight-point increase since the forum conducted its first survey in 2010.

But while the CIF believes that cloud is now accepted as a “viable IT deployment model”, it adds that data security still ranks as the highest concern. Amongst those who had adopted a service, 69 per cent said that this was uppermost in their minds during the decision-making process to migrate, whilst data privacy and the dependence on internet access was a worry for 51 and 37 per cent of respondents respectively.

Cloud, connectivity and colocation specialist C4L says security often comes up right at the start of the discussions it has with customers. “It gets asked much earlier than when people come and talk to us about just putting their own equipment into a data centre. There’s a bit of nervousness from them about trusting all their data to somebody else for the first time,” says marketing manager Gary Barter.

He adds that moving to the cloud gives a lot of companies an opportunity to take stock of their security settings and to do it right for the first time. IaaS provider Databarracks agrees. It believes that as cloud technology has matured, so has the customer’s level of understanding.

Citing evidence from its annual Data Health Check study published earlier this year, Databarracks says firms are no longer stalling in the face of security concerns, with many proactively implementing policies to overcome their anxieties. For example, the study – which surveyed over 400 IT pros from UK-based organisations – found that 64 per cent are considering, or have already put in place, an official policy restricting employee use of consumer cloud services such as iCloud and Dropbox. Forty-three per cent are also reviewing their security policies in light of last year’s PRISM revelations.

“Security is always going to be the major priority for those considering a move to cloud services, as you are often trusting a third party with your company’s most sensitive data,” says Databarracks’ MD Peter Groucutt. “However, the difference highlighted in our research is that organisations are no longer seeing this as a roadblock, but rather an opportunity to review their current security practices and implement effective new policies that protect their data and enable a more confident move to cloud services.

“We hear the blanket response of ‘we can’t use cloud services because they aren’t secure’ far less than we did even 18 months ago. That is a good indication of the increasing maturity of the UK market. IT departments have moved on from the ‘general’ concerns of cloud security and are looking at more specific issues.”

Some of those issues include a lack of understanding over basic data protection. For example, the Data Health Check revealed that more than two thirds of respondents didn’t know the legal limits on the amount of personal data an organisation can hold, while 80 per cent were unaware of the restrictions on moving data outside of the EU.

Groucutt says it is also worth pointing out that security is not black and white: “Organisations will benefit from realising you don’t have to encrypt everything (which, according to our research, 33 per cent of organisations currently do). Cloud service providers [CSPs] need to do more to help focus organisations on the real issues, like the specifics of when and where encryption is needed, and help them to stop worrying about general cloud security, which often causes unnecessary barriers to adoption.”

Barter adds that what people often don’t understand is that the scare stories they hear don’t necessarily apply specifically to cloud: “They haven’t yet made the connection that it’s not just cloud that’s insecure – it’s having any unprotected data that’s insecure. When people say cloud is not secure or ask how secure is it, we almost have to turn the question round and say what is it you’re trying to protect against? Are you trying to protect against brute force attacks from the internet? In which case, data on your improperly secured laptop at home is just as insecure as sticking it on Amazon’s cloud somewhere.” 

No cooperation, no standards 

What’s long been needed when it comes to cloud security are globally agreed industry standards – and that’s exactly what the specialist trade bodies are now pushing for.

For instance, as well as announcing work to define its CloudE 1.0 standards, the CloudEthernet Forum (CEF) has also created the Open Cloud Project. This aims to develop an open test and iterative standards development programme for CSPs, vendors and over-the-top (OTT) service providers.

Initially it will focus on security as well as traffic load balancing and application performance management. According to the CEF, the project’s open test programme will lay the groundwork for a fully inter-working cloud environment, and the advancement of best practices to manage OTT and cloud services.

Nan Chen, president of the Metro Ethernet Forum which is a close affiliate of the CEF, says: “Network security and application performance management are two critical areas for future work. The Open Project is intended to create an open test process for NFV, SDN and Carrier Ethernet applications. We also plan to work in conjunction with other relevant industry forums to maximise efficiencies and avoid any duplication of work.”

The CEF believes it is vital for the industry to work together on developing standards, as cloud services rely on the end-to-end interoperability of so many different players: “Unless we can define industry best practices and global standards to establish an open cloud environment, cloud services run the risk of becoming more and more fragmented and difficult to integrate,” warns James Walker, CEF president and VP of managed services for Tata Communications.

Other industry bodies agree. For instance, the Cloud Security Alliance (CSA) is supporting the CUMULUS (Certification infrastrUcture for MUlti-Layer cloUd Services) project that was set up early last year by various partners from Europe’s scientific and industrial communities. The project’s aim is to develop an integrated framework of models, processes and tools to support the security certification of IaaS, PaaS and SaaS. The CSA will contribute expertise from its research products (such as the Governance, Risk management and Compliance Stack toolkit), to help define the model, process and mechanisms. It will also help to validate scenarios, and publicise CUMULUS activities.

In a separate initiative announced last September, the CSA teamed up with business standards company BSI to launch the STAR certification programme. It describes this as a “rigorous” third-party independent assessment of the security of a cloud service provider. The technology-neutral certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the CSA’s Cloud Controls Matrix. Its 11 control areas cover: compliance; data governance; facility security; human resources; information security; legal; operations management; risk management; release management; resiliency; and security architecture.

The CSA points out that while no accreditation can ever guarantee data is 100 per cent secure, the combination of ISO/IEC 27001 and STAR certifications ensures a cloud provider has an appropriate system for the type of information it is handling. Databarracks’ Groucutt adds: “Accreditations like these are a good indicator that a cloud service provider follows strict and regularly audited security policies. To reassure customers that their data is in safe hands, we are accredited to ISO 27001 for information security and work to the Cloud Industry Forum’s Code of Practice.”

The BSI says an information security management system (ISMS) such as ISO 27001 ensures businesses understand the risks to their data, and can be confident that they have the right policies, procedures and controls in place to protect them. Its risk specialist Suzanne Fribbins says: “The beauty of ISO 27001 is that it takes a risk-based approach, resulting in an appropriate and affordable level of security. It is therefore suitable for SMEs through to large corporates.”

She adds that BSI pioneered the development of the world’s first ISMS (BS 7799) which went on to become ISO 27001. The standard is now part of the ISO 27000 series which, according to Fribbins, provides best practice recommendations on information security management, risks and controls within the context of an overall ISMS.

The suite also includes ISO 27033, a multi-part standard that provides detailed guidance on implementing the network security controls specified in ISO 27001.

Another new standard in development within this suite is ISO 27044 on Security Information and Event Management. This seeks to improve an organisation’s information security posture by showing them how they can take relevant data, produced in multiple locations (logs, etc), and look at it all from a single point of view in order to spot trends and see patterns that are out of the ordinary.

Are your nuts and bolts safe?

While industry bodies such as the BSI offer a more ‘holistic’ view of security, other infosec specialists warn about ignoring the individual nuts and bolts of the network.

Citing a recent Arbor Networks report on infrastructure security, Infoblox says that more than a third of companies fell victim to a DDoS attack on their DNS last year. “Despite this, over a quarter of businesses don’t assign formal responsibility for DNS security,” says EMEA technical director Chris Marrison. “Employed by all IP-connected devices, DNS translates domain names into IP addresses. Therefore, even the purchasing department, for example, can inadvertently put an organisation’s DNS infrastructure at risk when buying domain names.”

Marrison believes that a lack of clarity over who is responsible for DNS is one of the key reasons DNS security is often compromised across organisations. In a number of cases, he says, only a very few technically trained employees understand the workings of the DNS, but these are not the staff who deal with it on a daily basis.

“DNS has continually evolved to become the core component of the internet, yet the general lack of vigilance across organisations makes it an easy and attractive target for cyber criminals. DNS can be targeted through cache poisoning, protocol and man-in-the-middle attacks, tunnelling, domain phishing and DoS/DDoS attacks. Moreover, firms are not only at risk of falling victim but of also becoming an accessory in someone else’s attack.”

Marrison goes on to say that DNS traffic tends to be filtered less vigorously than other types of traffic, such as web or email, as it is one of very few services to be almost universally allowed through firewalls. In sharp contrast to web traffic which is funnelled through perimeter proxies, the majority of network operators do not inspect DNS traffic or keep detailed audit trails for DNS lookups.

Infoblox claims to have developed the industry’s first DNS appliance capable of protecting itself. By “intelligently” integrating security directly into a DNS appliance, the vendor says its Advanced DNS Protection system delivers a depth of defence against DNS attacks that is “far more robust and insightful than relying on a jumble of separate devices and services”.

Marrison adds: “By recording and analysing statistics, administrators can examine their data for query rates, socket errors and other attack indicators, while distributing external authoritative name servers helps to avoid single points of failure. Cloud-based DNS providers can also be configured as secondaries for an organisation’s own.”
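The two defensive ideas above, pulling logs from several locations into one view (the ISO 27044 passage) and watching DNS query rates as an attack indicator (Marrison's comment), can be combined in one small collector. The following is an added example, not code from the article or from any vendor it quotes; the log format, the resolver names and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified query-log format (not real BIND or
# Unbound output): "<ISO timestamp> <resolver> client <ip> query <name> <type>".
# Two resolvers, dns1 and dns2, are assumed to ship their logs to one place.
SAMPLE_LOG = """\
2014-05-01T10:00:00 dns1 client 192.0.2.10 query www.example.com A
2014-05-01T10:00:01 dns2 client 192.0.2.10 query mail.example.com MX
2014-05-01T10:00:02 dns1 client 203.0.113.5 query a1.example.net ANY
2014-05-01T10:00:02 dns2 client 203.0.113.5 query a2.example.net ANY
2014-05-01T10:00:03 dns1 client 203.0.113.5 query a3.example.net ANY
2014-05-01T10:00:03 dns2 client 203.0.113.5 query a4.example.net ANY
2014-05-01T10:00:04 dns1 client 203.0.113.5 query a5.example.net ANY
2014-05-01T10:00:30 dns1 client 192.0.2.10 query www.example.org AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<resolver>\S+) client (?P<client>\S+) "
    r"query (?P<qname>\S+) (?P<qtype>\S+)$")


def parse_log(text):
    """Normalise lines from any number of resolvers into one audit trail, sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the collector
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def rate_alerts(records, window_seconds=10, max_queries=4):
    """Flag each client whose query count in a sliding window exceeds max_queries.
    Counting is done across all resolvers, so a burst spread over several servers
    (invisible to any single server's own statistics) is still detected."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps inside the current window
    alerted = {}
    for rec in records:
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_queries and rec["client"] not in alerted:
            alerted[rec["client"]] = {"count": len(q), "at": rec["ts"].isoformat(),
                                      "last_qtype": rec["qtype"]}
    return alerted
```

The thresholds are deliberately low so the constructed sample trips them; in a real deployment they would be tuned to the observed baseline for each resolver population.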

CSPs could also bolster their networks using dedicated software. For instance, digital security specialist Gemalto claims its recently launched Protiva Cloud Confirm offers a strong authentication software system for service providers. It says the “user friendly” and “easily deployable” SaaS platform enables robust, multi-factor authentication, and enhances the security and convenience of overall cloud computing for corporate customers.

Protiva also includes a mobile one-time password application and security token, as well as what Gemalto describes as a “state-of-the-art”, multi-tenant authentication server for the highest level of data protection. The vendor reckons that its complete end-to-end solution enables self-service end user activations, significantly reducing the need for helpdesk calls related to password resets.

“For CSPs, this value added service can often represent a substantial reduction in costs,” claims Gemalto. “Protiva Cloud Confirm ensures the trust that brings peace of mind to users, which is essential for mainstream adoption of cloud services and the BYOD movement. The hosted services ecosystem is constantly evolving, and Gemalto’s solution offers form factor versatility for identity authentication in addition to a detailed reporting platform for CSPs to monitor user activity and account creation.”

BYOD is clearly a big security headache for network managers. Louise Bulman, VP of EMEA for network security specialist ForeScout, says its rise has led to an exponential jump in the number and type of devices connecting to the network. “IT organisations don’t have visibility into these unmanaged personal devices using their traditional management and security tools. They have a visibility gap – you can’t secure what you can’t see. This leads to security gaps, and security practitioners often spend an inordinate amount of time tracking devices, users and applications.”

Bulman goes on to identify two other big security challenges that CIOs and IT managers need to address. Firstly, there is inadequate collaboration between an organisation’s existing IT security systems which tend to operate in silos. As a result, these systems often don’t have the information context needed to perform optimally. Secondly, she says these systems lack adequate automation for quick mitigation of security risks to keep ahead of cyber attacks and exposures – most of the security controls are reactive and mitigation is manual.

“IT security professionals need to put in place automated tools and processes that address these issues and allow them to move to a model of continuous monitoring and mitigation, thus reducing their organisation’s risk exposure.”

According to Bulman, ForeScout’s CounterACT platform gives IT organisations real-time visibility into all devices on their network – managed or unmanaged, wired or wireless and BYOD – without the need for agents. “CounterACT enables security professionals to manage and automate a variety of tasks based on contextual data about users, devices and applications along with the enforcement of predefined policies. For example, it allows for streamlined onboarding and management of devices.

“It also offloads routine tasks such as guest registration, ensuring all users have the most current software and that anti-virus and other security agents are installed, configured and running on all systems connecting to the network. This frees up precious IT resources allowing the security team to focus on more strategic initiatives.”

She goes on to explain that using ForeScout’s ControlFabric interface, CounterACT shares the real-time data it obtains about devices and users with other IT security systems, making them context-aware and enabling them to make smarter security decisions. Existing data gathering and alerting IT security systems can also use the interface to trigger automated endpoint- and network-level risk mitigation actions using the ForeScout platform.

Cloud confidence

Few would disagree that the industry needs to define what cloud security should look like and then adhere to it. “In the same way that everybody has a different idea of what a cloud is, what a secure cloud is also varies widely,” says C4L’s Barter. “Clarity will help people move forward.”

Databarracks supports the view that there is confusion. For instance, Groucutt says that when comparing IaaS and the ongoing hosting of workloads with cloud-based disaster recovery (DR), the security concerns should be the same. “When you failover to a DR environment, the two services are almost identical. Yet, security is often seen as a bigger issue for IaaS than cloud-based DR.”

What does remain clear is that security will always take centre stage when it comes to cloud adoption – but then again, it should always be a top priority with any kind of network service, not just cloud. “Wherever your data is – whether on-premise, your laptop, in a data centre or in the cloud – you’ve still got to secure it. It doesn’t really matter what the platform is. And actually it can be vulnerable and insecure in any one of those instances,” says Barter.

He goes on to suggest that a lot of people use security as an easy and convenient excuse for not moving to the cloud. Furthermore, he blames many providers for still selling the cloud as a “techy thing”.

“It’s almost packaged up to be for the very early adopters who are expected to be very tech savvy engineers and IT people. But actually it’s the CEO and the senior decision makers in the business that are now asking the questions about the cloud. And they’re suddenly realising that it’s hard and using security as a reason not to do it. But from a business perspective, if you understand how much cloud is going to save you and how easy it’s going to be, you’ll actually take security in your stride – just as you would with any other piece of data.”