Rethinking Security in the Cloud

Many technology experts envision cloud computing as the most sweeping information technology (IT) paradigm shift since the client server revolution. Enticing benefits that include reduced costs and dramatic increases in storage, flexibility and mobility make the cloud an attractive prospect—especially in an economy that has left many companies stuck between modest IT budgets and the need to expand capacity. A worldwide survey  of more than 2,000 chief information officers (CIOs) by Gartner Inc., a leading technology research firm, shows that Gartner does not see CIO IT budgets recovering to their 2008 peak until 2014, and that cloud computing is the top ranking technology priority for 2011.

About this Author

David Poarch

Vice President, Forsythe Security Solutions

read profile | recent posts

Despite all of the allure and traction that the cloud has gained, doubts remain. Anxiety persists over security, governance and risk management issues associated with all variations of the cloud. In some cases, these concerns inhibit companies from adopting cloud solutions altogether. In others, they arise after a security breach or negative audit finding. As many organizations are discovering, traditional security models and controls do not address the challenges of the cloud.

Effectively handling sensitive information issues is a constant challenge, and transformational technologies like the cloud bring a whole new set of risks. The limitations of traditional security tools require us to take a more agile approach to information security, and to change the way we have been thinking about the cloud. As the landscape of cloud providers, technologies and services continues to evolve, companies should shift their security thinking and develop new policies, procedures and incident-response planning. Assumptions about the benefits associated with cloud technology should be carefully re-examined; in reality, it is not as simple as migrating to the cloud and then sitting back to watch the savings roll in.

A successful cloud strategy begins and ends with security.

It is imperative to understand the limitations of traditional security tools ahead of a migration.

Limitations of Traditional Security Tools

When it comes to information security in the cloud, labels such as public, private and hybrid can be useful to summarily attribute ownership and divide responsibilities.

However, the overuse of these labels and their multipronged definitions detracts from the main goal. All clouds are multi-tenant environments in which the goal is to protect tenants (and their data) from each other and from unauthorized users. Each tenant—whether an individual, department or separate company—has identity and access characteristics that must be managed in order to provide the levels of security that are required both by business operations and by government and industry regulations.

Multi-tenancy in a transient, automated environment leads to confusion and complex questions about proving compliance, managing governance, and assigning responsibility for related issues. These are difficult problems to address given the current state of cloud security, which hovers between being dependent on traditional tools and transitioning to new, leading-edge technologies.

The solutions available for securing physical IT environments are robust, but few are able to extend the same kind of security to cloud environments. Traditional network security tools, for instance, rely on static network topologies. While traditional firewalls and intrusion detection systems can be made to work in the cloud, they impose design constraints, limit flexibility and ease of automation, and may not be able to provide the level of granular control that their new hypervisor integrated counterparts provide.

Traditional endpoint security controls, such as data loss prevention (DLP) and anti-virus tools that employ content scanning and data cataloging/indexing, are intensive from an input/output (I/O) perspective, which makes them ill-suited for a cloud environment. They work well in a static network environment because their management tools can limit, group and schedule scans for managed systems. This functionality acts as a mechanism for protecting performance and preventing, for example, all the members of a web cluster from running scans at the same time. But in the cloud—where endpoints and data are constantly shifting—it is virtually impossible to control the number of tools that run simultaneously on any given hypervisor. The result can be slow-downs that undermine performance to the point that systems become unusable or unavailable.

Security tools need enhanced flexibility in order to meet the challenges of the cloud. Cloud technology has been outpacing security vendors, but the vendors are quickly gaining ground and developing breakthrough technology. According to international market research firm Infonetics Research, renewed interest in software due to virtualization, cloud computing, and software-as-a-service (SaaS) combined with astronomical growth in security threats will drive the content security software and appliance market to grow to $3.2 billion in 2013. As the cloud security market continues its rapid evolution, it is up to companies and providers to implement new technologies as applicable, and to adapt existing security tools in order to maintain adequate security until all of the necessary tools become available in cloud-ready forms.

What are some developing cloud security technologies?

• Virtual firewalls

• Cloud-based antivirus

• Cloud-based email gateway

• Spam filters

• Web scanning engines

• Cloud-based data loss prevention (DLP)

• Authentication and log management technologies

Setting Expectations

Adapting traditional security tools can be time-consuming and costly. The Cloud Security Alliance, a non-profit organization that promotes the use of best practices for security within cloud computing, strongly recommends that a portion of the savings typically associated with the cloud be reinvested in security . While both of these options lessen the opportunity for the cloud model to live up to inflated expectations regarding cost savings, the alternative is increased spending on audits and the risk of heavy fines. This may disappoint corporate stakeholders, but there is no way to provide reliable security and fulfill all of the hopes for savings and IT automation that are pinned on the cloud without adding some cost.

Security in the cloud is not the same as security in a traditional data center and IT department. Rather than a finite location, the cloud is a method of storing, delivering and managing resources virtually. It requires a new approach—one that has less of a perimeter to guard, but a premium placed around data security, risk, monitoring and audits. With the increasing use of mobile devices and decreasing visibility into infrastructure in relation to the cloud, security policies, procedures, and incident response must change. Retrofitting is no longer an option. Companies must learn to balance the complexity of the cloud environment with their organizational goals.

Planning Ahead

Cost savings and effective security can both be delivered in the cloud if a company adjusts expectations and plans ahead. One approach is to migrate only assets that are well-suited to a cloud environment. Not all data, processes and applications are the same; some present greater risk and necessitate higher levels of security than others. Those with lower levels of risk are best suited for the cloud.

Moving low-risk information assets to the cloud and keeping those at high risk in a traditional environment can eliminate some capital and operating expenses. However, a holistic view of security requirements must be taken for all impacted data, processes and applications before migrating to a cloud solution in order to realize true savings. Without it, the cloud can ultimately cost more than traditional infrastructure.

A Readiness Assessment

A readiness assessment can help determine the best approach for your organization:

• Examine the security tools you have today. How would these be impacted by a move to the cloud?

• Assess the security requirements and business impacts of data and apps that migrate to the cloud. Can these requirements be easily met? If not, what are the probable costs associated with adapting traditional tools to effectively secure your files in the cloud?

• Understand your risk. What is the risk associated with a possible breach if your cloud security solutions fail?

• Look at the numbers. Your company should have a solid financial analysis of all anticipated savings and expenses associated with your overall cloud strategy, including realistic security costs. Only then can you determine how a cloud solution will really impact the bottom line.

Sourcing refers to the entity that operates the cloud; how you make a sourcing decision is as important as what you choose to outsource. Organizations should assess their business units and identify the role of each within the enterprise in order to determine whether associated IT functions would be well served by an external provider, or should be kept in-house. Outsourced cloud computing allows you to gracefully transition some control over your data while maintaining accountability, even if the operational responsibility falls upon one or more third parties. Insourced cloud computing allows you to provide cloud service through your organization’s IT department, and to maintain control and accountability by internally overhauling and updating all technical, operational and governance programs to match the models and technologies that can enable cloud services for your organization.

Realize the Benefits of the Cloud

Cloud computing can offer cost-saving alternatives to the traditional data center and can help you achieve your goals. Like all IT paradigm shifts, the cloud and all of its formations carry a new set of risks that are at odds with traditional security tools. A successful cloud strategy requires not only a change in tool sets, but a shift in the way organizations approach, implement and manage information security. With an understanding of your risks, realistic expectations and careful planning, your company can identify the best approach for your business, and adopt the cloud with confidence.