There are many types of cloud-based infrastructures available today, ranging from Storage as a Service to full virtual server infrastructures. There is also a range of vendors looking to cash in on the latest cloud provider trends with an even wider range of capabilities. If there ever was a time for “buyer beware” in regard to cloud services, it’s now. Let’s examine some of the risks that should be considered when evaluating
One of the more obvious areas that should be evaluated with IaaS providers is performance. Cloud-based services derive their cost savings from scaling hardware and bandwidth across many different customers. In a SaaS solution, this is less critical than in an IaaS solution. For example, the bandwidth requirements for a cloud-based storage service are more demanding and require tighter tolerances than a hosted application service. One risk is that another customer monopolizes the system through large requests that leave your business suffocating for data. How does the cloud service provider divide up their resources among different customers?
Another issue that should be considered is also derived from the concept of shared resources. Not only is the performance of your cloud-based infrastructure at risk, but so is your data. Many IaaS providers utilize shared databases where the only separation between your data and your competitor’s data is a single field. What would be the impact to your business if your data was intermingled with another company’s data and breached?
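To make the single-field separation concrete, here is an added example (not from the original article) using an in-memory SQLite table. The table, column and tenant names are constructed for illustration; it shows one provider-side query that omits the tenant filter and returns both customers' rows, next to a data-access wrapper that binds the tenant on every query.

```python
import sqlite3

# Constructed sample data: two customers sharing one table, separated
# only by the tenant_id column (all names here are hypothetical).
ROWS = [
    ("acme", "INV-1001", 1200.0),
    ("acme", "INV-1002", 310.5),
    ("globex", "INV-2001", 9900.0),
]


def make_shared_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL, ref TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return db


def unscoped_lookup(db, min_amount):
    # Provider-side bug: the WHERE clause forgets tenant_id, so every
    # customer's rows come back to whoever issued the request.
    cur = db.execute("SELECT tenant_id, ref FROM invoices WHERE amount >= ?", (min_amount,))
    return cur.fetchall()


class TenantScope:
    """Data-access wrapper that binds the tenant once and adds it to every query."""

    def __init__(self, db, tenant_id):
        self._db, self._tenant = db, tenant_id

    def invoices(self, min_amount=0.0):
        cur = self._db.execute(
            "SELECT tenant_id, ref FROM invoices WHERE tenant_id = ? AND amount >= ?",
            (self._tenant, min_amount),
        )
        return cur.fetchall()


def tenants_seen(rows):
    # Distinct tenants present in a result set; more than one means a leak.
    return sorted({tenant for tenant, _ in rows})


if __name__ == "__main__":
    db = make_shared_db()
    print("unscoped:", tenants_seen(unscoped_lookup(db, 0)))
    print("scoped:  ", tenants_seen(TenantScope(db, "acme").invoices()))
```

When evaluating a provider, the question this raises is whether tenant scoping is enforced in one place, as in the wrapper, or left to each individual query.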
IaaS providers are not just a boon for legitimate businesses looking for additional capacity or lower cost services. Criminals have also discovered that they can quickly and easily deploy services for DDoS attacks or malware command-and-control servers. There also could be servers that are offering content that is questionable or even illegal. What happens when your business is hosted on the same physical services as one of these illicit services? The server could be overwhelmed with traffic, taking all of the other virtual instances down with it. Or the servers could be confiscated due to a criminal investigation, putting your data completely out of your control. It’s critical to understand how your virtual servers will be deployed across the IaaS provider’s infrastructure and limit each server instance to a single business process. It is also important to perform periodic backups of these IaaS services locally or on a completely separate IaaS provider.
Administration and management
Administrative functions must be evaluated. It’s important to remember that cloud-based infrastructure outsources administrative tasks such as system provisioning and hardware maintenance to the cloud provider. These administrators will have access to your confidential data and you may not have access to monitor what they have accessed. Even Google reportedly had issues with rogue administrators accessing email and voice messages of users without permission.
In addition, organizations need to consider the management of cloud-based infrastructure services. If the IaaS provider doesn’t use some type of encryption for the management interface, your virtual infrastructure could be accessible to anyone that captures your unencrypted password off of the wire. Some IaaS providers create trusted connections through the use of a secret API key that would also be vulnerable to a man-in-the-middle attack if not encrypted. Procedures should be established for secure handling of these API keys within your company as well; a Post-It note with a secret API key for an IaaS service would provide anyone with access to your infrastructure. Use the same information security standards that you would if the system was hosted internally: Encrypt all passwords and API keys, limit administration to specific IP addresses, and require strong authentication for administration.
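The controls listed in this paragraph can be combined into one server-side check on each management API call. The following is an added example, not code from the article or from any IaaS provider: the allowlisted networks, the URL in the test data and the HMAC request-signing scheme (used here so the secret key is never transmitted, on top of TLS) are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values; the networks are documentation ranges (RFC 5737).
ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/28"), ipaddress.ip_network("198.51.100.7/32")]
MAX_SKEW = 300  # seconds a signed request stays valid


def endpoint_is_encrypted(url):
    """Only accept credentials on a management endpoint reached over TLS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def source_allowed(source_ip, nets=ADMIN_NETS):
    """Limit administration to specific IP addresses."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def sign(secret, method, path, timestamp, body=b""):
    """HMAC the request so the secret API key itself never crosses the wire."""
    msg = b"\n".join([method.upper().encode(), path.encode(), str(timestamp).encode(),
                      hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(secret, url, source_ip, method, timestamp, signature, now, body=b""):
    """Return (allowed, reason) for one management API call."""
    if not endpoint_is_encrypted(url):
        return False, "management endpoint is not HTTPS"
    if not source_allowed(source_ip):
        return False, "source address not in admin allowlist"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, method, urlsplit(url).path, timestamp, body)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"
```

The timestamp check bounds how long a captured request could be replayed; the secret itself should come from a secrets store or environment variable rather than source code or a note.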
Standardized procedures such as change control and server provisioning authorization are also important in the daily operation of an IaaS implementation. This is no different than if the servers were being housed internally at a corporate data center. These procedures are critical to document the location of data and services as well as determine the risks and appropriate mitigation strategies; they also provide a side benefit of helping to control costs. Virtual servers and storage are typically priced on a pay-as-you-go model and the cost savings associated with utilizing IaaS could quickly evaporate without proper procedures and authorizations.
It’s probably apparent that with all of the risks of using cloud-based infrastructure, compliance with SOX, HIPAA or PCI becomes very difficult. For example, HITECH requires electronic protected health information (ePHI) to be encrypted with algorithms defined in the FIPS-140 encryption standard. Since encryption causes higher server utilization, many IaaS providers will not offer this level of encryption by default. SOX requires data provenance and data lineage, which is difficult to accomplish in the cloud. How do you verify all of the sources and the accuracy of the data when the servers are sharing bandwidth, CPUs, and even databases? Cloud providers won’t typically allow access to their firewall logs either or allow you to install an IDS or IPS as it would require sniffing network traffic, which is usually against the terms of service.
So with all of these potential risks, should companies pursue using IaaS providers? Yes, as long as they are aware of the risks and find an IaaS provider that can provide the level of segregation, encryption and contract terms required to meet their compliance and security requirements. Keep in mind, though, that information security doesn’t change in the cloud; the only difference is location of the data. If a company spends time to evaluate each IaaS vendor’s security capabilities and put the proper controls and procedures in place, it will be successful in deploying the promise of cloud-based infrastructure services.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
This was first published in April 2011