October 30, 2013

Security and the Cloud

James Giese | UWEBC Communications Director

The characteristics that make Cloud computing useful for Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS) are the same ones that can make Cloud security problematic. These characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and allocated service.

Hartman discussed Cloud security at the Oct. 30 Information Technology Peer Group meeting. 
Kenneth G. Hartman, Security Architect for TDS Hosted & Managed Services, discussed Cloud computing characteristics and Cloud security challenges during the UWEBC's IT Peer Group meeting on October 30, 2013. In his role, Hartman refines security controls, architects security solutions, and provides subject matter support to customers.

“I like to use a Mark Twain quote to illustrate the concept of reducing the scope of the systems and networks that contain sensitive data,” said Hartman. “Put all your eggs in one basket, but watch that basket very carefully!” Hartman emphasized that this is where you should focus most of your security controls.

Cloud security is all about risk management, and risk is defined as the likelihood that a threat would exercise a specific vulnerability. These threats can be against the confidentiality, availability, or integrity of data. Address these risks in rank priority based on the potential adverse impact to the business, and understand that risks can rarely be eliminated in their entirety.

“Remember; when it comes to security, there is no magic bullet! You cannot buy a security product, whether it is a Web-application firewall or intrusion detection system and expect to plug it in like a toaster and think you are secure. It will need constant care and feeding…like a bonsai tree,” said Hartman.

The defense in depth (DiD) principle calls for multiple, overlapping security controls such that if one control fails, the other controls will function as designed. These security controls can be administrative controls, preventive controls, and detective controls. Since it is impossible to mitigate all risk, an organization should have a formalized risk acceptance process for risks that are not significant enough to address in a cost-effective manner.

When discussing security controls, most people think of preventive controls, such as a firewall, which are designed to prevent an attack. However, there are also deterrent controls and detective controls.

An example of a deterrent control might be a log-on banner. Of course, such banners will not dissuade a determined attacker, but they help keep honest people honest and support a case if a company should decide to pursue legal prosecution.

The purpose of a detective control is to alert you that an attack has occurred, usually because one or more preventive controls have failed. Examples of this control are alerts from an intrusion detection system and honey tokens. Detective controls require human intervention and, generally speaking, the more timely the response, the less damage.

“Detect an attack early and minimize the impact,” said Hartman.

With regard to security controls, Hartman suggests that you identify which controls are preventive and which are detective or deterrent controls. Controls should overlap, because controls that are merely adjacent do not provide defense-in-depth protection.

“Use layers of control and understand what your controls are,” said Hartman. “Recognize that certain controls may fail over time and design for it.”

Information security is about managing risks, according to Hartman. A documented security policy is a statement by management that provides high-level, directional guidance about how to manage risks. Such policies are administrative controls. They document management’s expectation about how security is to be implemented and set the auditing standards. Policies are approved by executive management and can provide countermeasures to address risks.

Auditors look for evidence that management understands the compliance requirement and has codified it with a corresponding policy. They then look for additional evidence that the policy was implemented by examining other artifacts. In addition to the role that policy plays in an audit, the policy also creates a mandate for the organization.

Depending on the nature of your sensitive data, there are either regulatory or industry best practices that dictate how the information should be handled. Generally these are codified in policy that dictates what types of systems can process the data and how it must be encrypted and destroyed when no longer needed. Make sure that your Cloud vendor understands your data handling requirements and can meet them. Invest the time and discuss this with your Cloud service provider.

What makes your information valuable? Make sure that the right people can access information when needed and that the wrong people cannot. This creates and preserves competitive advantage. Authorization is the process used to define the set of “right people” and access control is the means of limiting access.

“With the Cloud, you now have a vendor that can access your sensitive information. Nonetheless, a good vendor’s authorization process can dovetail with yours and still leave you in control. Discuss authorization and access control with cloud providers. Can they provide a record of exactly who has accessed your systems and when?” said Hartman.

Hartman closed his presentation with the following security takeaways:

  •  Risk management drives security. Do everything in rank order of risk.
  •  Use service-level agreements to define exceptions.
  •  Inspect what you expect with IT audits.
  •  Define and understand the specific security roles and responsibilities with service providers.
  •  Define and defend your trust boundaries with service providers.
  •  Leverage the Defense in Depth (DiD) practices for security controls.
  •  Attack yourself to discover and understand your vulnerabilities.

"The cloud presents certain risks, but they can be managed with the disciplined approach of information security risk management."

Member companies can access Ken Hartman's Mediasite recording and other meeting materials here.
