What is the cloud?
There are many different definitions, but for the small business owner it essentially means outsourcing your IT infrastructure (possibly including applications, servers, data storage, etc.) to be hosted remotely. Why would you move to the cloud? The most commonly cited reasons are a focus on the core business and cost savings, but in reality every company should consider any move to the cloud carefully to ensure it is the correct move for them.
For small to mid-size business owners, migrating some or all of their systems to cloud environments presents the usual IT issues, but the problems are compounded by having data stored and managed remotely by external organizations, often in multiple locations. Among these issues are special considerations for privacy, interoperability, data and application portability, data integrity, business continuity, and security.
In this posting I’m going to focus upon the security issues, technical challenges, and best practices associated with a move to the cloud. In a discussion, one of our cloud security gurus, Mike Johnsen, highlighted some of the key issues that a business owner should be aware of and factor into the decision-making process:
System Complexity. A public cloud computing environment is extremely complex compared with that of a traditional data center.
Shared Multi-tenant Environment. Public cloud services offered by providers have a serious underlying complication—client organizations typically share components and resources with other consumers that are unknown to them.
Internet-facing Services. Public cloud services are delivered over the Internet, exposing the administrative interfaces used to self-service and manage an account, as well as non-administrative interfaces used to access deployed services.
Loss of Control. While security and privacy concerns in cloud computing services are similar to those of traditional non-cloud services, they are amplified by external control over organizational assets and the potential for mismanagement of those assets.
Governance. With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn’t alleviate the need for governance; instead, it has the opposite effect, amplifying that need.
Compliance. Achieving industry-specific security compliance becomes more complex due to the different paradigm the “Cloud” brings.
Data Location. When information crosses geographic borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.
Risk of Unintended Data Disclosure. A fundamental underlying vulnerability is the difficulty of collecting meaningful consent for the processing of data available on the cloud.
There are, however, some benefits of a cloud-based environment from a security perspective. These benefits include:
In general, security measures are cheaper when implemented on a larger scale. The cloud provider or third parties can generally offer managed security services which may be cheaper than maintaining an in-house security staff full time.
Standardized interfaces for managed security devices. These create a more open and readily available market for security services.
Rapid and smart scaling of resources. The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.
Audit and evidence-gathering. Cloud environments can provide dedicated, pay-per-use forensic images of virtual machines, which are accessible without taking infrastructure offline, leading to less downtime for forensic analysis.
More timely, effective, and efficient updates and defaults. Images and software used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes.
Benefits of resource concentration. Concentration provides the advantage of cheaper physical limitation and physical access control and the easier and cheaper application of many security-related processes.
So what can you do as a small business owner to accurately assess your need to move to a cloud environment and execute the move, if required? Here is a thorough, although probably not all-inclusive, list of some of the best practices a business owner should use when looking at a move to the cloud.
Plan. Carefully plan the security and privacy aspects of cloud computing solutions before engaging them (e.g., SLA negotiations).
Ascertain. Understand the cloud computing environment offered by the cloud provider.
Policy. Ensure that a client-side and provider-side cloud computing solution satisfies organizational security and privacy requirements.
Continuity of Operations. If the cost of losing access to an application is severe, it is recommended that subscribers perform the work locally unless a provider is willing to agree to pay for pre-defined damages for specific types of service interruptions.
Compliance. A subscriber should: (1) determine whether the capabilities for defining the necessary controls exist within a particular provider, (2) determine whether those controls are being implemented properly, and (3) ensure that the controls are documented.
Administrator Staff. Subscribers should make sure that processes are in place to compartmentalize the job responsibilities of the provider’s administrators from the responsibilities of the subscriber’s administrators.
Legal. Subscribers should investigate whether a provider can support ad hoc legal requests for: (1) e-Discovery, such as litigation freezes, and (2) preservation of data and meta-data.
Operating Policies. Subscribers should ascertain the operating policies of providers for their: (1) willingness to be subjected to external audits and security certifications, (2) incident response and recovery procedures/practices, (3) internal investigation processes with respect to illegal or inappropriate usage of IT resources, and (4) policies for vetting of privileged users such as the provider’s system and network administrators.
Acceptable Use Policies. Subscribers should ensure that all subscriber personnel read and understand the provider’s acceptable use policy, and negotiate an agreement for resolution of agreed-upon policy violations in advance with the provider.
Licensing. Subscribers should ensure that both the provider and subscriber properly license any proprietary software installed into a cloud.
Patch Management. Subscribers and providers should agree on a set of procedures a subscriber needs to perform to take an application offline (whether a software patch is going to be installed by the provider or subscriber), the testing that must be performed to ensure the application continues to perform as intended, and the procedures needed to bring the application back online. Plans for system maintenance should be expressed in the SLA.
Subscriber-Side Vulnerabilities. Subscribers should minimize the potential for web browsers or other client devices to be attacked by employing best practices for web browser security and patching, and seek to minimize browser exposure to possibly malicious web sites.
Data-at-Rest and Data-in-Transit Encryption.
Physical. Subscribers should consider physical plant security practices and plans at provider sites as part of the overall risk considerations when selecting a provider.
Authentication. Subscribers should consider the use of authentication tokens, which some providers offer, to mitigate the risk of account hijacking.
Identity and Access Management. Subscribers should have visibility into the following capabilities of a provider: (1) the authentication and access control mechanisms that the provider infrastructure supports, (2) the tools that are available for subscribers to provision authentication information, and (3) the tools to input and maintain authorizations for subscriber users without the intervention of the provider.
Performance Requirements. Subscribers should benchmark current performance scores for an application, and then establish key performance score requirements before deploying that application to a provider’s site.
Visibility. Subscribers should request that a provider allow visibility into the operating services that affect a specific subscriber’s data or operations on that data.
Although this list of best practices may seem daunting, the more of them a business owner can apply, the less risky and more secure their eventual cloud implementation may be.