This tip is part of SearchCloudSecurity.com's Cloud Security School lesson, Understanding cloud-specific security technologies.
Amid growing enterprise adoption of cloud computing, it's no surprise that security professionals have been searching for security mechanisms to secure cloud-based server hosting. The effort often begins by looking to the same technologies that were used to secure the data center, such as firewalls, antivirus and intrusion detection systems. It's a logical approach; cloud-based resources must be secured as if they were local resources.
However, the types of risks traditional security technologies were created to combat focus on risks to local resources only, which limits their effectiveness when attempting to secure a cloud-based resource. Fortunately, there are several new types of cloud-based security products, offered as a service, that have been introduced to mitigate cloud computing risks.
Cloud Security as a Service provides the same benefits of cost and scale to security professionals as Software as a Service offers to the enterprise. The model of paying only for services used, with the ability to ramp up quickly, works just as well for the information security industry as it does for other areas of IT. In fact, information security professionals now have access to a dizzying array of new tools with enhanced capabilities.
So what features are important when considering Security as a Service? In this tip, we'll examine the features that are most important, particularly in a cloud server security platform.
Cloud Security as a Service: Encryption
The cloud computing model seeks to reduce IT costs by utilizing shared computing platforms for multiple customers. This means a company’s most confidential data may only be kept separate from other customers through a key index field in a database. Cloud-based encryption can ensure this data is kept private. These services can easily integrate with the major cloud hosting providers and offer compliance with mandates like FIPS 140-2, PCI DSS and HIPAA-HITECH.
Cloud-based encryption offers several advantages. One is the ability to manage private encryption keys. During an encryption implementation, the storage of private keys can be cumbersome or overlooked entirely. This creates the possibility for data loss, if the keys are lost, or a data breach, in the case of stolen or mishandled keys. There are cloud encryption service providers that offer a single management console through which private keys can be stored and managed. These same systems can be used to implement segregation of duties. A cloud-based encryption offering enables an administrator to access cloud-based servers for maintenance and not have access to unencrypted company data.
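The segregation of duties described above (a server administrator who can maintain the host but never see unencrypted data) is usually built on envelope encryption: each record is encrypted under its own data key, and that data key is in turn wrapped by a master key that lives only in the key-management service. The following is an added example written for this tip, not code from the article or from any particular encryption provider; the `KeyService` type, its role check and the `"application"` role name are assumptions standing in for a vendor's management console.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for the cloud key-management console. The master key
// is held only here; the application server never receives it (assumption).
type KeyService struct {
	masterKey []byte
}

func NewKeyService() (*KeyService, error) {
	k := make([]byte, 32) // AES-256 master key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyService{masterKey: k}, nil
}

// sealAESGCM returns nonce || ciphertext || tag under the given key.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and fails if the data was tampered with.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WrapDataKey encrypts a per-record data key under the master key.
func (ks *KeyService) WrapDataKey(dataKey []byte) ([]byte, error) {
	return sealAESGCM(ks.masterKey, dataKey)
}

// UnwrapDataKey is the only place a data key is exposed, so it is where the
// console enforces who may ask. Only the application role is allowed here.
func (ks *KeyService) UnwrapDataKey(wrapped []byte, role string) ([]byte, error) {
	if role != "application" {
		return nil, fmt.Errorf("role %q may not unwrap data keys", role)
	}
	return openAESGCM(ks.masterKey, wrapped)
}

// StoredRecord is what sits on the cloud server's disk: ciphertext plus a
// wrapped key. Neither part decrypts anything without the key service.
type StoredRecord struct {
	WrappedKey []byte
	Ciphertext []byte
}

// Encrypt generates a fresh data key, encrypts the record with it, and
// stores the key only in wrapped form.
func Encrypt(ks *KeyService, plaintext []byte) (*StoredRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDataKey(dataKey)
	if err != nil {
		return nil, err
	}
	return &StoredRecord{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the key service to unwrap on behalf of a role, then opens
// the record. An unauthorised role fails before any plaintext exists.
func Decrypt(ks *KeyService, rec *StoredRecord, role string) ([]byte, error) {
	dataKey, err := ks.UnwrapDataKey(rec.WrappedKey, role)
	if err != nil {
		return nil, err
	}
	return openAESGCM(dataKey, rec.Ciphertext)
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := Encrypt(ks, []byte("patient record 1234 (constructed sample)"))
	if _, err := Decrypt(ks, rec, "server-admin"); err != nil {
		fmt.Println("server admin denied:", err)
	}
	pt, _ := Decrypt(ks, rec, "application")
	fmt.Println("application reads:", string(pt))
}
```

The point to take from the structure is that the administrator's full access to the server (disk, memory, backups) yields only `StoredRecord` values, and the decision to release a data key is made by the key service against its own role policy, which is exactly the control the management console in the text centralises.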
Cloud Security as a Service: Identity management
Identity management has always been a struggle for enterprises, even when using only internal information systems. The cloud introduces new identity management challenges. Company employees often find themselves with multiple login credentials to multiple websites or SaaS applications. These applications have different password complexity rules and aging schemes, which cause employees to write down account information or create weak passwords. There are protocols that will allow the security team to tie these accounts together via a single sign-on system, but this is often a tedious and time-consuming option. Various cloud providers may use different authentication methods and protocols such as SAML, OAuth and OpenID, increasing complexity and rendering an SSO project prohibitively expensive.
Fortunately, there are cloud-based options that can aid in this area as well. Cloud identity management providers specialize in weaving together disparate authentication protocols into one management framework. They can also link into internal authentication resources, such as Microsoft Active Directory. This allows for a much-needed single sign-on experience for users of cloud-based resources. Cloud IdM also enables standardized account configuration, including password complexity, aging and intruder-lockout status. Access hours can be configured centrally, as can the requirements for strong authentication. This is one of the areas where cloud-based security services really shine.
Cloud Security as a Service: Configuration and vulnerability management
It can be easy to lose track of the number of virtual servers created in a cloud environment. The advantage of using cloud computing is these virtual servers can be created quickly to meet business needs. Yet as servers are created across multiple cloud-service providers' environments, tracking, configuring and hardening each virtual server quickly becomes a sizable challenge for most enterprises. Providers often aren't much help. Amazon, for example, uses different management tools for its virtual environment than Rackspace. How can a company securely configure and manage its virtual servers amid all of these technology obstacles?
There are several promising cloud-based security offerings in the area of configuration and vulnerability management. They can provide full configuration management -- including monitoring patches, service configurations and even firewall settings -- from a single management host. These tools can provide insight into vulnerabilities that may be present through configuration or file integrity monitoring. These cloud-based configuration services allow a single configuration to be pushed to all registered servers, regardless of hosting location or operating system. This includes internally hosted servers, which creates an aggregated view of a company’s technology assets, both cloud and on-premise, from one management console.
The main limitation of these offerings is that support for Windows-based technologies is still limited. These products are evolving and should soon be able to offer the same level of support for Microsoft-based systems as they do currently for Linux-based systems. However, cloud-based configuration management is a game-changing technology that no security team working with virtual infrastructures should be without.
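The file integrity monitoring these services rely on comes down to a simple loop: record a hash of every managed file when the server matches its pushed configuration, re-hash later, and report what changed, appeared or disappeared. The following is an added example written for this tip, not code from the article or from any configuration-management product; the monitored root, the file names and their contents are constructed, and a real agent would ship the baseline to the management host rather than keep it on the server.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path relative to the monitored root to the SHA-256 of the
// file's contents at the time the server matched its desired configuration.
type Baseline map[string]string

// Snapshot walks root and hashes every regular file beneath it.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Drift lists files that changed, appeared or vanished since the baseline.
type Drift struct {
	Modified, Added, Removed []string
}

// Compare diffs two snapshots; sorted output keeps reports stable.
func Compare(baseline, current Baseline) Drift {
	var d Drift
	for path, h := range baseline {
		cur, ok := current[path]
		switch {
		case !ok:
			d.Removed = append(d.Removed, path)
		case cur != h:
			d.Modified = append(d.Modified, path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			d.Added = append(d.Added, path)
		}
	}
	sort.Strings(d.Modified)
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	return d
}

// DemoDrift builds a constructed server root, records a baseline, makes
// changes an integrity monitor should catch, and returns what was detected.
func DemoDrift() (Drift, error) {
	root, err := os.MkdirTemp("", "fim")
	if err != nil {
		return Drift{}, err
	}
	defer os.RemoveAll(root)
	write := func(rel, content string) error {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(content), 0o644)
	}
	// Constructed desired state: a hardened SSH setting and a firewall rule file.
	if err := write("etc/ssh/sshd_config", "PasswordAuthentication no\n"); err != nil {
		return Drift{}, err
	}
	if err := write("etc/iptables/rules.v4", "-A INPUT -p tcp --dport 22 -j ACCEPT\n"); err != nil {
		return Drift{}, err
	}
	baseline, err := Snapshot(root)
	if err != nil {
		return Drift{}, err
	}
	// Constructed drift: weakened SSH setting, an unexpected cron entry, deleted firewall rules.
	if err := write("etc/ssh/sshd_config", "PasswordAuthentication yes\n"); err != nil {
		return Drift{}, err
	}
	if err := write("etc/cron.d/unexpected", "0 * * * * root /usr/local/bin/report\n"); err != nil {
		return Drift{}, err
	}
	if err := os.Remove(filepath.Join(root, "etc/iptables/rules.v4")); err != nil {
		return Drift{}, err
	}
	current, err := Snapshot(root)
	if err != nil {
		return Drift{}, err
	}
	return Compare(baseline, current), nil
}

func main() {
	d, err := DemoDrift()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("modified=%v added=%v removed=%v\n", d.Modified, d.Added, d.Removed)
}
```

Pushing a single configuration to every registered server, as the text describes, is the same mechanism run in reverse: the management host owns the baseline, and any server whose snapshot drifts from it is either re-converged or flagged for review.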
Cloud Security as a Service: Availability
The last feature is one that cloud-based Security as a Service providers tend to do very well. Availability is important because a cloud-based server infrastructure is often more vulnerable to losses in connectivity through malicious acts than local servers. Denial-of-service (DoS) attacks, now much easier for even novice cybercriminals to initiate, are common today as attackers attempt to take down websites and other enterprise infrastructure for a variety of reasons.
Cloud-based security providers have responded with capable defenses to help ensure availability. Several of the providers in this area are also content delivery networks. These providers maintain large amounts of bandwidth that can be used to "blackhole" or negate a denial-of-service attack and keep a client’s cloud service running. They have built on their products to include other options, such as cloaking the original website or hiding the original DNS server. In turn, the attacker cannot find the target company’s resources, and is only able to direct an attack at the cloud security provider. Any company using cloud-based servers should consider these types of defenses, or else it risks being taken down by the next hacktivist.
Cloud Security as a Service offerings have developed almost as quickly as other commercial cloud applications. This rapid development has resulted in a vast array of security services choices that often exceed their internally hosted counterparts in features and functionality. Security professionals should develop a working knowledge of the security services that are available in order to properly mitigate risks introduced by the use of cloud-based infrastructures. These services can offer more insight than ever before into overall security operations, as well as automate some of the tedious work so security teams can focus on their core objective: securing their organization.
About the author:
Joseph Granneman has more than 20 years of technology experience, primarily focused in health care information technology and information security. He is an active independent author and presenter in the health care information technology and information security fields. He is frequently consulted by the media and interviewed on various health care information technology and security topics. He has been focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.
This was first published in May 2012