Even a suggestion of security problems is enough to scuttle a cloud project and discredit the whole cloud planning...
process -- and the planners. To avoid this, enterprises must start with a relativistic view of security, focus on managing new risks and understand the notion of "acceptable" levels of risk.
Most problems arise when enterprises assess cloud security in a vacuum. Few businesses look to run a completely new application in the cloud; they are expecting to migrate a current application. That means that they shouldn't be looking at the security of the application overall, but rather at the security of the cloud relative to their current data center hosting.
Key management is the biggest issue for securing applications in the cloud.
Looking at cloud data security through this lens means determining acceptable risk. Security management, like all forms of risk management, is a trade-off of risk versus cost. It's important to gauge the risks associated with your current applications running in the current data center and worry about cloud risks that are greater than those you're already accepting. That will ensure that cloud security costs don't destroy the business case for cloud -- something that can happen all too easily.
Applications are traditionally secured at three levels: network interception, application access and physical data security. Research each, and focus on what the cloud may change from current procedures.
Network interception. Network interception is the risk of an unauthorized party viewing confidential data by monitoring network traffic. Interception risk is highest when applications are accessed wirelessly via Wi-Fi, 3G or 4G, but in most cases, moving an application to the cloud doesn't change wireless use. If an enterprise expects that cloud-based applications are accessed more often from public Wi-Fi hotspots, for example, then SSL encryption can protect the information stream. For applications accessed through browsers, provide a secure, https URL -- but remember that applications using custom client software may have to be modified to accept SSL-encrypted linkages.
Key management is the biggest issue for securing applications in the cloud. The most common practice is to store an application's security key within the app image. If this is done in a cloud application, the key becomes part of the machine image stored with the cloud provider, and it could be stolen by someone with access to the machine image storage. Use a public key storage service or technique to ensure that keys are never stored with application code or data in the cloud.
Application access. Access security in the cloud is often a major concern but often not an incremental risk at all. If the Internet is used to access your applications today, there's no incremental risk to accessing the same applications in the cloud via the Internet -- presuming you can manage SSL and encryption keys correctly, as noted above. The challenge would come if you intended to substitute Internet access for virtual private network access, and, in particular, create an Internet VPN.
Internet VPNs normally use the IPsec encryption system, which differs from SSL security in that it creates a community of users whose traffic is encrypted/decrypted by software or hardware between them and the network. When companies use IPsec on their own internal VPNs, no additional security risks exist for the cloud; however, cloud providers typically won't support adding security appliances to their cloud data center, so a software appliance may be needed to support the IPsec VPN connection to each cloud application. Typically, this would be part of the machine image for each application, a kind of middleware. Check with your current IPsec provider to ensure that you have a cloud-compatible IPsec agent available.
Physical data security. Physical security of data assets is the biggest concern to most users and the most difficult one to address as a planner. If confidential information is stored in the cloud, it's critical to validate the security certifications of your cloud provider. There are a number of cloud security compliance frameworks, notably the Cloud Security Alliance (CSA) Open Certification Framework (OCF); however, they're not all fully developed. If you plan to store confidential information in the cloud, confirm what framework(s) your cloud provider offers and how well it fits your needs. The biggest issue for most planners is determining if the cloud provider's framework supports your compliance guidelines and government regulations -- and this review should be completed by your internal audit or compliance office, in cooperation with government regulators where needed.
It's possible to reduce the issues of physical security in cloud projects by eliminating storage of confidential data. If applications use structured data access (DBMS/RDBMS query processing) rather than block-level I/O, it's possible to migrate applications to the cloud while retaining data storage in house.
Independent audits are another consideration for cloud planners researching cloud data security options. Companies subject to stringent compliance requirements may need to have a cloud strategy certified by an independent source. If you have a compliance audit firm in place for internal IT, that company is likely the best source of cloud compliance and security auditing. If you don't, make up a matrix of cloud providers and the security compliance auditing firms they recommend. Pick the top three names based on representation and then contact each firm for a bid.
About the author:
Tom Nolle is president of CIMI Corp., a strategic consulting firm specializing in telecommunications and data communications since 1982.