Knowing your Provider's Capabilities is Critical to Cloud Security
By Bill Bradley, SVP, Cyber Engineering & Technology Services, CenturyLink [NYSE:CTL]
Bill Bradley, SVP, Cyber Engineering & Technology Services, CenturyLink [NYSE:CTL]
In the past, security was more self-contained. Information was stored on servers you managed within your own private network. You focused on protecting your assets inside the network by setting up firewalls, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), installing anti-virus software on your workstations, and by encrypting sensitive data before transmitting it online.
Fast forward to today, where the playing field is much more complex. Cloud services allow businesses of all sizes to store their information and run business applications off-premises. Because they pay only for the resources they use, their organization can reap considerable cost savings. These businesses are very likely sharing hardware/infrastructure resources with other tenants in the cloud, so how do they ensure the security and integrity of their data while it’s hosted in a shared environment?
Understand the Security Capabilities of your Provider
To take full advantage of the cloud, it’s important to understand the security capabilities of your provider. Categorize your internal applications/data and make sure your cloud provider has the same security controls that meet your expectations as if the resources were in-house. For example, consider whether your applications contain sensitive data or personally identifiable information (social security numbers, etc.), and what controls you use to protect this data. Your cloud provider should offer the same, or better, controls. Otherwise, be wary of offloading to the cloud.
Additionally, your cloud provider should follow proper standard security controls based on your particular information risks as outlined by frameworks such as ISO 27001, NIST, and SANS. The controls provided will depend on how much of the environment you’re willing to manage. With Infrastructure as a Service (IaaS), the provider typically is only responsible for the underlying infrastructure for you to scale up your own server pool and storage space. With Platform as a Service (PaaS), the provider ensures there are sufficient resources while you focus on developing your applications. With each approach, there is shared responsibility for securing the environment.
“To take full advantage of the cloud, it`s important to understand the security capabilities of your provider”
Your IaaS provider typically will provide separate virtual networks such as VLANs (Virtual Local Area Networks) or virtual public clouds that keep customers’ data, network, and metadata separate from other customers’ data in a multi-tenant cloud.
Your service provider should include security services such as firewalls and IPS to block malicious traffic, and secure connections into the cloud, such as through VPN, IPSec, or a dedicated network connection. Depending on your provider, customers must provide security around their applications, which includes implementing data encryption, managing access, and securing Virtual Machines (VMs). Here are some specific questions to ask:
• Will you automatically delete my organization’s data when it’s no longer needed, so that the next customer always gets a blank volume, with no way to retrieve that data?
• Do you offer role-based authentication that ensures only certain users can access the cloud, provision servers, or access applications in production vs. test? There should be logging and reporting implemented so you can see who performed what actions.
• What do you monitor, and what incident management capabilities do you provide? Make sure they have a plan that covers how incidents are handled.
• Do you conduct regular vulnerability assessments to ensure the overall environment remains secure?
With PaaS, the provider assumes additional responsibilities, including ensuring the PaaS platform and virtual machines are patched, so there are no known security vulnerabilities. The provider also ensures that the database is secure, including making certain that data is encrypted at rest.
Customers Also Have a Responsibility for Security
Customers that develop cloud-hosted applications are still responsible for making sure they write applications that follow secure coding practices. An application could still be impacted if it’s not patched or there are vulnerabilities, such as due to misappropriate application-database interactions that could lead to SQL injection. Also, you must ensure that only valid users access your website. I recommend using two-factor authentication for all your applications.
There are other options for your workloads, including private clouds and hybrid IT. Private clouds provide the same IaaS and PaaS security features, but your network and physical resources are separate and dedicated to your operations in the cloud. With hybrid IT, you can run part of your operations on-premises and then, when there are capacity constraints, you can “burst” into the cloud over a secure connection such as VPN.
Regardless of your chosen cloud security provider, you are still responsible for comprehensive threat protection in your environment. The bad guys continue to get more sophisticated so unless you have the expertise in-house, it can be challenging to implement and monitor all protections. This is where Managed Security Services is effective. A managed security services provider can ensure you have the controls to secure all assets, including malware mitigation, web/spam filtering, application/ network vulnerability scanning and remediation, firewalls, VPN support, and endpoint security.
Organizations need to monitor and respond to threats 24x7, preferably through internal or managed Security Operations Centers (SOCs). These centers often utilize Security Information and Event Management (SIEM) solutions which ingest your security logs and external threat intelligence, correlate events, and alert you to critical threats. It is then the responsibility of your team or your managed security service provider to prioritize and know how to appropriately respond to threats.
Maintain a Strong Relationship with your Network Provider
No matter who provides your cloud service, it’s important that you maintain a strong relationship with your network provider. Leading network providers can help mitigate large botnet attacks, such as from IoT devices, against your cloud assets. These providers can detect attacks and then mitigate them using either an automated or on-demand approach, depending on customer needs. An automated approach will mitigate attacks once a certain customer agreed-upon traffic threshold is met. With an on-demand approach, the customer can request mitigation when they experience attacks; in order to do this, using an industry-recognized DDoS service is a must.
Enterprises need a managed services provider that not only has experience scaling the cloud, but also doing it securely on global networks. These organizations need to leverage highly skilled professionals with deep expertise to stay ahead. In today’s increasingly risky digital world, that’s easier said than done.