You've successfully migrated your organization's selected applications and data into the cloud, and everyone has said what a great job you've done. But you and I both know the task of maintaining the security of these apps and data has only just begun. In this tip, I'll review which technologies and processes must be initiated, monitored and secured after a cloud computing implementation or initiative is up and running.
Cloud computing turns us all into remote workers, which makes identity and access management (IAM) one of the key challenges after a cloud computing move. It is important to have robust lifecycle management regarding users and user access so that user accounts, credentials and access rights are always relevant and up to date, including disabling an account when an employee leaves. Also look to initiate an IAM strategy that can make full use of federated identity management, which enables users to securely access data or systems across autonomous security domains.
More specifically, consider introducing single sign-on (SSO) for enterprise applications and leveraging this architecture to simplify cloud provider implementations. A move to the cloud will appear far more seamless to your users if they are already used to SSO, and it'll make managing trust across different types of cloud services less onerous. You will also have logged baseline data to help you monitor and gauge changes due to cloud activity.
A SSO product should use one of the common standards for implementing federation, such as Security Assertion Markup Language (SAML) and Liberty Alliance ID-FF. These standards extend existing access and identity policies from the internal network beyond the firewall and out to the cloud, while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies.
The increased Internet usage that cloud computing brings also increases the increased risk of network congestion bottlenecks. Web-based applications are extremely latency-sensitive, many barely functioning if the network is too busy. Downtime or slow processing frustrates employees and can lead to breaches in policy. Slow file or data transfers, for example, can lead workers to use alternative methods that may be far less secure and break security policy rules.
One answer to this problem is to deploy a WAN optimization product, which is designed to ease enterprise application traffic on the network by improving application traffic management and eliminating redundant transmissions. Products such as the Citrix NetScaler from Citrix Systems Inc. offer a Web application firewall and combine traffic management through Layer 4-7 load balancing. Other WAN optimization vendors include Riverbed Technology Inc. and Blue Coat Systems Inc.
Connections between the internal network and the cloud should certainly be encrypted; sending any sensitive or mission-critical data back and forth in the clear over the Internet is like offering attackers an invitation to steal the data. As a network engineer, ensure network devices can handle the processor-intensive, public-key encryption algorithms involved in SSL-encrypted communications. SSL accelerator cards or proxies that handle all SSL operations may need to be added to the infrastructure. However, encryption alone won't stop malware and other network attacks. It's important, therefore, to upgrade the firewalls protecting your internal network so that they can inspect SSL traffic. Encryption should ideally work in union with data loss prevention (DLP) products, which will classify and monitor data while enforcing policies.
Another important task after a cloud computing implementation will be to conduct an audit of all security policies to ensure they remain relevant. Also review, update and test disaster recovery and business continuity plans and procedures. Processes, and more importantly, people's roles, will have changed now that cloud computing infrastructure is a part of day-to-day systems management. The internal IT team will certainly need to work closely with the cloud provider so each understands the other's responsibilities within the context of the continuity plan, including which aspects of any recovery will be handled by whom. Being prepared for service disruptions will reduce the severity of any event.
Finally, don't take statements in your provider's SLA for granted. Check that it does perform backups and patch systems within the agreed timeframes. You should certainly request a copy of the findings of its own audits and ensure that any recommendations have been implemented. Engaging in constructive dialogue will make addressing both parties' security issues a lot easier, so make sure you are in regular contact, particularly during any application or system upgrades. This communication will help prevent changes from adversely affecting your compliance with relevant industry or government regulations.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in January 2010