Cracking the cloud security conundrum

Cloud security matters, but have traditional vendors been taking the wrong approach?

While the pressure to move IT resources to the cloud mounts yet higher, security remains the number one stumbling block, particularly when it comes to public cloud infrastructure. So this is another chance for IT solution providers to strengthen their relationships with their customers and differentiate themselves.

When resources are moved into the cloud, the traditional segmentation within corporate environments disappears as services are grouped together, sharing hardware resources and improving efficiency. Highly sensitive data that would have been locked away in a secure environment now sits on the same box as less sensitive data that might only have been protected with a password.

This new mishmash of services introduces risks. Firstly, the Chinese walls that previously existed between different departments like finance, personnel and marketing have disappeared, although these are essential for governance and compliance. The separation of duties that had been carefully established, and which is mandated in standards like the PCI Data Security Standard and Sarbanes-Oxley, is all thrown up into the air again.

Secondly, external-facing systems are now linked to systems that would normally be internal. This means your customer’s corporate website now runs beside your payroll system on what is effectively the same physical server. In the past, you would never have done that. And where different companies are sharing cloud infrastructure, data from one company may be sitting alongside data from another.

There really are enormous opportunities in providing expert professional services to help businesses develop, deploy and manage policies and technologies related to the changing infrastructure around cloud.

Pooling this data has real implications
With a consumer service like Amazon EC2 in the public cloud space, pooling all this data has real implications. In a sense, they are putting it all on a plate for cybercriminals, because once outsiders get inside this environment, they may access all the data, and their activity may be untraceable. They don’t have to break through the firewall, they can just sign up, become a customer, and attack it from the inside.

Encrypting sensitive data not only protects it from other customers but also from rogue administrators trying to access it from within the cloud service provider. Standard AES encryption is a mature technology that has been deployed successfully for many years.

However, there is a real challenge around authenticating servers – which we at Trend Micro have been looking at for some years. There is no out-of-the-box answer because it's not straightforward like user authentication. If you think about encryption for a laptop, as someone turns the laptop on you would ask them to enter a pass phrase and that would unlock the disk and allow the operating system to boot up.

The trouble in the cloud computing world is that everything is much more dynamic. So what you need is a system that checks for two things – identity and integrity. There are a bunch of questions you should really ask when providing cloud security.

For example: is this really your customer’s machine, or is someone else spoofing your customer’s machine? Secondly, you need to know about the integrity of the system - is there a firewall, are the anti-virus signatures up to date, and when did you last check that there wasn’t a piece of data-stealing malware on the machine?

If you check those two items before you release the keys to the box, you can be pretty sure that you're protecting the data. Introducing a key server also achieves separation of duties. Either the cloud service provider is looking after your servers and the security vendor is looking after the customer’s key or the customer brings the keys back in house, leaving only encrypted data in the hands of the outsourcer.
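As an added illustration of the two checks described above, here is a small Python model of a key server that releases a data-encryption key only after verifying the requesting machine's identity and its integrity claims. This is example code written for this page, not code from the article or from Trend Micro. It assumes a hypothetical design in which each server (or an agent on it) signs an attestation with a per-server secret that the customer provisioned out of band, reports its firewall, anti-virus signature and malware-scan status as claims, and in which the policy thresholds, server names, secrets and keys are all constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values: per-server identity secrets provisioned out of band
# by the customer, who keeps the keys in house rather than with the cloud provider.
SERVER_IDENTITY_SECRETS = {
    "web-01": b"constructed-identity-secret-for-web-01",
    "payroll-01": b"constructed-identity-secret-for-payroll-01",
}

# Data-encryption keys held only by the key server (constructed, not real keys).
DATA_KEYS = {name: secrets.token_bytes(32) for name in SERVER_IDENTITY_SECRETS}

# Hypothetical integrity policy: how stale protection may be before keys are withheld.
MAX_SIGNATURE_AGE_HOURS = 24
MAX_SCAN_AGE_HOURS = 24
MAX_CLOCK_SKEW_SECONDS = 300

HEALTHY_CLAIMS = {"firewall_enabled": True, "av_signature_age_hours": 2,
                  "last_malware_scan_age_hours": 6}


def sign_attestation(server_id, claims, secret, now=None):
    """Build an attestation on the server side: claims + nonce + timestamp, HMAC-signed."""
    body = {
        "server_id": server_id,
        "issued_at": time.time() if now is None else now,
        "nonce": secrets.token_hex(16),   # lets the key server refuse replays
        "claims": claims,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def check_integrity(claims):
    """Return a list of policy violations; an empty list means the box looks healthy."""
    problems = []
    if not claims.get("firewall_enabled"):
        problems.append("firewall disabled")
    if claims.get("av_signature_age_hours", float("inf")) > MAX_SIGNATURE_AGE_HOURS:
        problems.append("anti-virus signatures out of date")
    if claims.get("last_malware_scan_age_hours", float("inf")) > MAX_SCAN_AGE_HOURS:
        problems.append("no recent malware scan")
    return problems


class KeyServer:
    """Releases a server's data key only after identity and integrity checks pass."""

    def __init__(self, identity_secrets, data_keys, now=time.time):
        self._secrets = identity_secrets
        self._keys = data_keys
        self._now = now
        self._seen_nonces = set()

    def request_key(self, attestation):
        payload = attestation.get("payload", "").encode()
        try:
            body = json.loads(payload)
        except ValueError:
            return None, "malformed attestation"
        server_id = body.get("server_id")

        # 1. Identity: is this really the customer's machine, or a spoofed one?
        secret = self._secrets.get(server_id)
        if secret is None:
            return None, "unknown server"
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, attestation.get("mac", "")):
            return None, "identity check failed: bad signature"
        if abs(self._now() - body.get("issued_at", 0)) > MAX_CLOCK_SKEW_SECONDS:
            return None, "stale attestation"
        if body.get("nonce") in self._seen_nonces:
            return None, "replayed attestation"
        self._seen_nonces.add(body.get("nonce"))

        # 2. Integrity: firewall on, signatures current, recent clean scan?
        problems = check_integrity(body.get("claims", {}))
        if problems:
            return None, "integrity check failed: " + "; ".join(problems)

        # Both checks passed: release the key to the box.
        return self._keys[server_id], "ok"


if __name__ == "__main__":
    ks = KeyServer(SERVER_IDENTITY_SECRETS, DATA_KEYS)
    att = sign_attestation("web-01", HEALTHY_CLAIMS, SERVER_IDENTITY_SECRETS["web-01"])
    print(ks.request_key(att)[1])                       # ok
    print(ks.request_key(att)[1])                       # replayed attestation
    unhealthy = dict(HEALTHY_CLAIMS, av_signature_age_hours=72)
    att2 = sign_attestation("web-01", unhealthy, SERVER_IDENTITY_SECRETS["web-01"])
    print(ks.request_key(att2)[1])                      # integrity check failed: ...
```

The point of the design is the order of the checks: the signature is verified before any claim is trusted, so a machine that cannot prove its identity never gets to argue about its integrity, and a replayed or tampered attestation is refused before the key leaves the server. In a real deployment the integrity claims would come from an agent or a hardware root of trust rather than self-reported JSON, and the per-server secrets would be asymmetric keys, but the release decision has the same shape.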

If a piece of sensitive data ends up in the public domain, service providers surely don’t want it coming back to them, with a company claiming they must have leaked it. A provider can say that even if they had leaked the data, there’s no way it could have come from them because it’s encrypted and they don’t have access to the encryption keys.

And cloud, with its security issues, is going to be top of customer agendas for at least the next few years.

Caroline Hodson is head of UK channel sales and marketing at Trend Micro