Cloud computing represents a huge change in the way a business functions, and that's especially true for an organization's IT infrastructure. Nobody is affected more by this transition than the network administrators tasked with keeping an organization's data and network users safe.
Sharing data, applications and IT infrastructures can present significant cost and productivity benefits, but it all takes place outside of the comfort zone of the corporate firewall and physical environment. As a network administrator, your task during a
Prior to moving any data or applications to the cloud, it is essential to take stock of the current state of internal network security. This is an ideal time to undertake a network audit to see how your network defenses match up to your own data security, integrity and availability policies, regulatory requirements and industry best practices.
The benefits of such an audit are many. Using one or more of the many free and commercial network audit tools available will no doubt uncover configurations and practices that are less than ideal. Once these have been remedied with better security controls and revised procedures, establish an acceptable baseline for the network, the devices, users and applications it hosts and the traffic it handles. This baseline can be referenced during future audits and security configuration checks to determine how the security of the network is affected with the move to cloud computing.
Next, it is important to develop an understanding of a cloud provider's security policies and procedures. Look for a level of security that meets the enterprise's compliance requirements and is on par with what exists inside the firewall. To avoid any confusion over who is responsible or accountable for various aspects of your security, such as backups, accessibility, and data destruction, I would look to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards.
Firewall settings may need adjustment, depending on how cloud services are delivered. To ensure these and other perimeter defenses, such as IDS/IPS systems, are tuned correctly, work closely with the provider, as it should already have experience dealing with the network security configuration issues that may arise. If it is necessary to make changes to firewall rules and open additional ports, be sure once those changes are made to update the network security baseline with another network scan. Use a tool such as Nmap to check that only the correct ports are open and no trust relationships or connections violate security policy.
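One way to turn the "rescan and compare to the baseline" step into a repeatable check, as an added example that is not part of the original article: parse Nmap's grepable (`-oG`) output and report any open TCP port that the approved baseline does not list, plus any baseline port that has gone missing. The scan text, host addresses and baseline below are constructed for this example, not real scan data.

```python
"""Compare an Nmap scan against an approved-ports baseline (added example).

The grepable (-oG) scan text and the baseline are constructed placeholders;
feed the script real `nmap -oG -` output to check a live network.
"""
import re
from typing import Dict, Set, Tuple

# Constructed baseline: approved open TCP ports per host (placeholder addresses).
BASELINE: Dict[str, Set[int]] = {
    "10.0.0.5": {22, 443},
    "10.0.0.6": {22},
}

# Constructed Nmap grepable output taken "after" a firewall change (not real data).
SCAN_OUTPUT = """\
# Nmap scan initiated as: nmap -oG - 10.0.0.5 10.0.0.6
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/filtered/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done
"""

# Each port entry in -oG output looks like "22/open/tcp//ssh//OpenSSH 7.9/".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_open_ports(grepable: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from Nmap -oG text."""
    result: Dict[str, Set[int]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        open_ports = {
            int(port)
            for port, state, proto in PORT_RE.findall(ports_field)
            if state == "open" and proto == "tcp"
        }
        result.setdefault(host, set()).update(open_ports)
    return result


def diff_against_baseline(
    observed: Dict[str, Set[int]], baseline: Dict[str, Set[int]]
) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]]]:
    """Return (unexpected, missing).

    unexpected: ports open on a host that the baseline does not approve.
    missing:    approved ports that are no longer reachable (a service or
                rule may have broken), keyed by host in both cases.
    """
    unexpected: Dict[str, Set[int]] = {}
    missing: Dict[str, Set[int]] = {}
    for host in sorted(set(observed) | set(baseline)):
        seen = observed.get(host, set())
        allowed = baseline.get(host, set())
        if seen - allowed:
            unexpected[host] = seen - allowed
        if allowed - seen:
            missing[host] = allowed - seen
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = diff_against_baseline(parse_open_ports(SCAN_OUTPUT), BASELINE)
    for host, ports in unexpected.items():
        print(f"REVIEW {host}: open but not in baseline: {sorted(ports)}")
    for host, ports in missing.items():
        print(f"CHECK  {host}: in baseline but not open: {sorted(ports)}")
```

Once the deviations have been explained (or the rules corrected), the new scan becomes the next baseline; keeping the baseline as a versioned file makes each subsequent change to the perimeter reviewable.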
Whenever a new service is added to the network, ensure that there is sufficient separation of duties and access permissions so that nobody is inadvertently given the ability to damage the company's data, whether maliciously or by accident. Reviews of accounts and privileges against HR employment registers will be essential to ensure permissions remain appropriate and that unused accounts are terminated. If, as part of a move to the cloud, you open up network access to third parties, such as suppliers and clients, then any network access control (NAC) system configurations should be reviewed too. Be sure the current NAC product can handle a dramatic increase in users. Many organizations are actually looking at SaaS-based NAC solutions to ensure scalability and interoperability.
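The account-and-privilege review against the HR register, written out as an added example (not the article's own material): a directory export is reconciled with the employment register to find accounts with no active employee behind them, group memberships beyond what a department is entitled to, and privileged accounts that have gone dormant. The register, accounts, group names and the 90-day dormancy threshold are all constructed placeholders.

```python
"""Reconcile directory accounts with an HR employment register (added example).

All data below is constructed: usernames, departments, groups and dates are
placeholders standing in for a real directory export and HR feed.
"""
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

# Constructed HR register: username -> (employment status, department).
HR_REGISTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "finance"),
    "bob": ("left", "it"),
    "carol": ("active", "it"),
    "dave": ("active", "sales"),
    "erin": ("active", "it"),
}

# Constructed directory export: one record per account.
DIRECTORY_ACCOUNTS: List[dict] = [
    {"user": "alice", "groups": {"finance", "domain-users"}, "last_login": date(2010, 1, 10)},
    {"user": "bob", "groups": {"domain-admins", "domain-users"}, "last_login": date(2009, 9, 1)},
    {"user": "carol", "groups": {"domain-admins", "domain-users"}, "last_login": date(2010, 1, 12)},
    {"user": "svc-backup", "groups": {"domain-admins"}, "last_login": date(2009, 6, 30)},
    {"user": "dave", "groups": {"finance", "domain-users"}, "last_login": date(2010, 1, 11)},
    {"user": "erin", "groups": {"domain-admins", "domain-users"}, "last_login": date(2009, 8, 1)},
]

# Constructed policy: groups each department is entitled to, and which
# groups count as privileged for the dormancy check.
DEPARTMENT_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance": {"finance", "domain-users"},
    "it": {"domain-admins", "domain-users"},
    "sales": {"sales", "domain-users"},
}
PRIVILEGED_GROUPS: Set[str] = {"domain-admins"}
DORMANT_AFTER_DAYS = 90          # assumed threshold for this example
REVIEW_DATE = date(2010, 1, 15)  # constructed "today" so the run is reproducible


def review_accounts(
    accounts: Iterable[dict],
    register: Dict[str, Tuple[str, str]],
    entitlements: Dict[str, Set[str]],
    today: date,
) -> dict:
    """Return findings in three buckets.

    orphaned:           accounts with no active employee in the register
                        (leavers and unregistered service accounts)
    excess:             user -> groups beyond the department's entitlement
    dormant_privileged: privileged accounts unused for more than the threshold
    """
    findings: dict = {"orphaned": [], "excess": {}, "dormant_privileged": []}
    for acct in accounts:
        user = acct["user"]
        record = register.get(user)
        if record is None or record[0] != "active":
            findings["orphaned"].append(user)
            continue  # an orphaned account is a finding regardless of its groups
        status, department = record
        allowed = entitlements.get(department, set())
        excess = acct["groups"] - allowed
        if excess:
            findings["excess"][user] = excess
        is_privileged = bool(acct["groups"] & PRIVILEGED_GROUPS)
        idle_days = (today - acct["last_login"]).days
        if is_privileged and idle_days > DORMANT_AFTER_DAYS:
            findings["dormant_privileged"].append(user)
    return findings


if __name__ == "__main__":
    report = review_accounts(DIRECTORY_ACCOUNTS, HR_REGISTER, DEPARTMENT_ENTITLEMENTS, REVIEW_DATE)
    print("orphaned accounts to disable:", report["orphaned"])
    print("excess group memberships:", report["excess"])
    print("dormant privileged accounts:", report["dormant_privileged"])
```

Service accounts such as `svc-backup` land in the orphaned bucket deliberately: the review should force every non-human account to have a named owner in the register rather than silently exempting it.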
Because a cloud computing implementation somewhat blurs the distinction between data at rest, in motion and in use, data encryption becomes one of the most important defenses. Because encrypted data is protected in its own right, all data and communications should be encrypted, even where other services already protect them. Furthermore, encryption renders data unreadable, alleviating some of the concerns over destroying data stored in the cloud. It also allows the separation of roles and data, as encryption keys control access to the data. I would run routine checks on the network using an analysis program such as Wireshark to ensure communication channels are being encrypted.
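To make the Wireshark check routine rather than a manual inspection, as an added example that is not from the article: export captured frames as fields and classify each flow as encrypted, cleartext, or unknown. The sample below is constructed to resemble a `tshark -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e _ws.col.Protocol -e frame.len` export (that field list is an assumption of this example); the addresses, ports and frame sizes are made up.

```python
"""Flag unencrypted sessions in a tshark field export (added example).

SAMPLE_EXPORT is constructed to mimic comma-separated tshark field output
(epoch time, source, destination, destination port, dissected protocol,
frame length). Point the script at a real export to audit live traffic.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Tuple

SAMPLE_EXPORT = """\
1263340800.1,10.0.0.12,203.0.113.10,443,TLSv1.2,1200
1263340800.2,10.0.0.12,203.0.113.10,443,TLSv1.2,980
1263340801.0,10.0.0.15,203.0.113.20,80,HTTP,640
1263340801.4,10.0.0.15,203.0.113.20,80,HTTP,512
1263340802.0,10.0.0.20,203.0.113.30,22,SSH,300
1263340803.0,10.0.0.21,203.0.113.40,21,FTP,120
1263340804.0,10.0.0.22,203.0.113.50,389,LDAP,450
1263340805.0,10.0.0.23,203.0.113.60,8443,TCP,1500
"""

# Protocol labels as Wireshark's dissectors name them; assumed lists for this example.
ENCRYPTED = {"SSH", "SSHv2", "IPsec", "ESP"}
CLEARTEXT = {"HTTP", "FTP", "TELNET", "LDAP", "SMTP", "POP", "IMAP", "SNMP"}

FlowKey = Tuple[str, str, int]


def classify(protocol: str) -> str:
    """Map a dissected protocol name to encrypted / cleartext / unknown."""
    if protocol in ENCRYPTED or protocol.startswith(("TLS", "SSL")):
        return "encrypted"
    if protocol in CLEARTEXT:
        return "cleartext"
    return "unknown"  # e.g. bare "TCP": not dissected, so needs a manual look


def audit_flows(export_text: str) -> Dict[str, List[Tuple[FlowKey, int]]]:
    """Group frames into (src, dst, dstport) flows and bucket each flow.

    A flow carrying any cleartext protocol is reported as cleartext even if
    other frames in it were encrypted, so a downgrade is not hidden.
    Returns {"encrypted": [...], "cleartext": [...], "unknown": [...]} where
    each entry is (flow key, total bytes).
    """
    flows: Dict[FlowKey, dict] = defaultdict(lambda: {"protocols": set(), "bytes": 0})
    for row in csv.reader(StringIO(export_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        _ts, src, dst, dport, proto, length = row
        key = (src, dst, int(dport))
        flows[key]["protocols"].add(proto)
        flows[key]["bytes"] += int(length)

    report: Dict[str, List[Tuple[FlowKey, int]]] = {"encrypted": [], "cleartext": [], "unknown": []}
    for key, info in sorted(flows.items()):
        classes = {classify(p) for p in info["protocols"]}
        if "cleartext" in classes:
            bucket = "cleartext"
        elif "encrypted" in classes:
            bucket = "encrypted"
        else:
            bucket = "unknown"
        report[bucket].append((key, info["bytes"]))
    return report


if __name__ == "__main__":
    result = audit_flows(SAMPLE_EXPORT)
    for (src, dst, port), nbytes in result["cleartext"]:
        print(f"CLEARTEXT {src} -> {dst}:{port} ({nbytes} bytes)")
    for (src, dst, port), nbytes in result["unknown"]:
        print(f"UNKNOWN   {src} -> {dst}:{port} ({nbytes} bytes) - inspect manually")
```

The "unknown" bucket matters as much as the cleartext one: traffic Wireshark labels only as TCP on a non-standard port may be encrypted, but the capture alone cannot prove it, so those flows are the ones to trace back to their application and confirm.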
Finally, don't be afraid to test network security by first developing and experimenting with internal or hybrid clouds. This can include offering an application service in the same way a cloud computing provider would, but doing so entirely within the network perimeter, or experimenting by testing a cloud provider's capabilities with a limited, non-mission-critical function. I would also recommend reading the Cloud Security Alliance's guide, which will help you understand the main areas of concern for organizations adopting cloud computing.
However, preparing your network for cloud computing is only a first step. To make your move to cloud computing truly successful, you will need to ensure that your baseline security is sustained once you turn on your cloud services. You will also need to adapt and evolve your defenses and security controls to handle new threats. We will look at some of these challenges in our next tip.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in January 2010