A Prescriptive Approach to Cloud Security

November 25, 2014

My family and I were recently going on vacation to an international destination. My kids were excited and looking forward to exploring the new location. When we consulted our pediatrician for any advice related to the destination, she recommended that in addition to continuing basic hygiene, we should eat healthy food at places we trust, give our kids pre-travel shots to reduce the risk that they would fall sick and regularly monitor any changes in health and eating habits. We followed this advice, and while the destination was new to all of us, we had a lot of fun, and it remains one of our most memorable trips.

The cloud is a new destination for information technology (IT). We are seeing increased enterprise adoption at an unprecedented speed. Enterprise IT teams are moving their workloads to cloud infrastructure, developers are rapidly composing services through application programming interfaces (APIs) and businesses are adopting cloud service applications. With each enterprise going through such a transformational change, the questions I am asked most often by customers are, “What are the best practices to securely embrace this change?” and “How can I adopt the cloud while managing my risk across my current application infrastructure and the cloud?” While the cloud disrupts traditional enterprise security postures and there are major concerns about risk, the cloud is actually an opportunity to radically transform security practices and improve enterprise security. It is an opportunity to redo security in this ever-changing threat landscape.

Enterprises should take an informed approach to managing risk when adopting the cloud — a hybrid cloud — that encompasses what they have in traditional environments and in cloud environments. Those practices will help them meet their objectives and the shared responsibilities they have with cloud providers. Much like the three-step prescription our doctor gave us, enterprises should follow a structured approach to the cloud and do the following:

  1. Manage access to cloud applications and data by identifying users and authorizing their access based on additional context around the request (mobile device, remote location, etc.).
  2. Protect the data they are moving to the cloud. The level of protection depends on which kind of data is made available from the cloud and how sensitive it is.
  3. Gain visibility across their traditional IT and cloud environments so that they can monitor for unauthorized access, suspicious behavior and even compliance.

Enterprise cloud adoption varies based on each enterprise's needs. Enterprises are moving workloads or building applications on infrastructure-as-a-service (IaaS) clouds or platform-as-a-service (PaaS) clouds, or, like almost all companies, they consume certain business applications as software-as-a-service (SaaS). Understanding the context and risks of adopting each of these clouds is important so that the three-step approach can be applied appropriately.

Manage Access to Cloud Applications

Identifying and authenticating users who access cloud applications is a very important step in managing cloud security. One customer described identity as the new perimeter and the choke point at which to get security right. We prescribe an approach grounded in context- and risk-based access control — authenticate the user (ranging from user ID and password to stronger forms of authentication), then factor in which device they are using, where they are now and what they are trying to do. With that in mind, the following are key use cases when managing users’ access to cloud applications:

  • In the case of IaaS, protect the workloads by deploying a cloud access gateway in your cloud so that it enforces user authentication and access across the Web and mobile devices. This is also the enforcement point where you can protect applications against app-level attacks such as SQL injections and cross-site scripting. You should also take steps to manage your privileged users as they start managing their cloud infrastructure.
  • In the case of developers building new apps in PaaS, you should enforce consistency in security across their usage. Standardize an authentication API so that applications can be integrated into your identity and access management infrastructure without needing developers to become security gurus.
  • When your employees are accessing SaaS applications, deploy a federated identity management solution so that you can create a trusted relationship with SaaS vendors and applications. This provides not only better usage with single sign-on, but also a way for security teams to govern employee usage of SaaS applications.
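The context- and risk-based access control described above can be made concrete as a small policy evaluator. The following is an added example, not code from the original article or from IBM; the scoring weights, sensitivity levels and thresholds are constructed for illustration and would come from enterprise policy in practice. The evaluator combines the authentication strength, whether the device is enterprise-managed, the network the request comes from and the sensitivity of the requested action into a risk score, and returns one of three decisions: allow, step up (demand stronger authentication before proceeding) or deny, along with the reasons so the decision can be audited.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require stronger authentication before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_method: str      # "password" or "mfa"
    device_managed: bool  # enrolled in enterprise device management
    network: str          # "corp", "home" or "unknown"
    action: str           # the operation the user is attempting


# Hypothetical sensitivity levels per action (1 = routine, 4 = privileged administration).
ACTION_SENSITIVITY = {
    "read_report": 1,
    "export_customer_data": 3,
    "admin_console": 4,
}

# Constructed weights: each risk factor adds to the score.
NETWORK_RISK = {"corp": 0, "home": 1}  # anything else is treated as unknown (3)
STEP_UP_THRESHOLD = 4
DENY_THRESHOLD = 7


def risk_score(req):
    """Return the total risk score for a request and the list of contributing factors."""
    score, reasons = 0, []
    if req.auth_method != "mfa":
        score += 2
        reasons.append("password-only authentication")
    if not req.device_managed:
        score += 2
        reasons.append("unmanaged device")
    net = NETWORK_RISK.get(req.network, 3)
    score += net
    if net:
        reasons.append(f"network={req.network}")
    # An action the policy does not know about is treated as highly sensitive.
    sens = ACTION_SENSITIVITY.get(req.action, 4)
    score += sens
    reasons.append(f"action sensitivity={sens}")
    return score, reasons


def evaluate_access(req):
    """Map the risk score onto a decision. Returns (Decision, reasons)."""
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        # Step-up only makes sense if stronger authentication is still available;
        # a user already on MFA with a moderate score is allowed through.
        if req.auth_method != "mfa":
            return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", "mfa", True, "corp", "read_report"),
        AccessRequest("bob", "password", True, "corp", "export_customer_data"),
        AccessRequest("carol", "password", False, "home", "export_customer_data"),
        AccessRequest("dave", "mfa", True, "unknown", "admin_console"),
    ]
    for r in samples:
        decision, why = evaluate_access(r)
        print(f"{r.user:6} {decision.value:8} {', '.join(why)}")
```

The point of returning the reasons alongside the decision is that the same record feeds both the enforcement point and the audit trail the visibility step later relies on.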

A key part of managing access is integrating with the appropriate identity systems, whether enterprise identity systems for customers or employees, or social login if you are building social apps. You could also think like a startup and manage identities in the cloud. While you’re at it, you can optimize your security operations by consuming cloud identity services, so that your team doesn’t have to manage multiple systems but can instead leverage the cloud delivery model and let a trusted security services provider do it for you.

Protect Data in the Cloud

Data is the new currency. Because we all understand that importance, keeping data secure is a top concern. I am clearly seeing a shift in the way chief information security officers (CISOs) are thinking about data security. They require data to be classified per their enterprise policies, and in the context of the cloud, they want this classified as part of their adoption. In other words, they want to do better in the cloud than they have done in traditional IT over the past couple of decades.

Protecting data takes a three-pronged approach:

  1. Encrypt data at rest as mandated by regulatory requirements and to limit the damage if a data breach occurs. In an IaaS environment, this can be achieved by using vendor data security solutions on top of what the cloud provider offers. In PaaS environments, where developers use data services, they can take advantage of built-in encryption capabilities.
  2. Perform data activity monitoring of your data sources, and assess and fix vulnerabilities caused by misconfiguration of data repositories. Statistics show that the majority of data breaches result from issues such as database misconfiguration and exploitable database vulnerabilities, so this step is a critical part of data security.
  3. Scan applications that access the data for vulnerabilities. What good is it if you control access to the database but the application allows for a SQL injection vulnerability? Or what if your mobile app has a vulnerability? Secure engineering should be a key part of your DevOps process, especially in the world of the cloud, where we are increasingly adopting a model of continuous integration and delivery.

Gain Visibility Across Hybrid Clouds

Cloud adoption leads to a shared approach in which enterprises and cloud providers share responsibilities. In that context, and where the workloads or data are moved to the cloud, CISOs want to ensure full visibility across the cloud and their traditional environments. They want to know which users are accessing their cloud applications; whether there are any suspicious network behaviors across hybrid cloud environments; whether there are security incidents they should be worried about and investigate further; and which administrative activities their admins are performing in managing infrastructure in their virtual data centers or cloud infrastructure.

They want a single pane of glass to assess security posture across hybrid cloud environments.

You should deploy a security intelligence platform that provides security information and event management and gives you the capability to conduct deeper analytics across hybrid cloud environments. Integrating logs and events from cloud providers and integrating logs from the infrastructure and workloads — such as firewalls, middleware, databases and applications — back to your security intelligence platform will provide complete visibility.

An important consideration for security intelligence, especially in the cloud, is that you need actionable intelligence. You don’t want to deal with millions of raw events per week; you want a manageable set of incidents, narrowed down so that they can be investigated and mitigated.
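The two preceding paragraphs describe feeding cloud-provider logs and on-premises infrastructure logs into one platform and then reducing raw events to a short list of incidents. The following added example (not code from the original article or from any vendor product) shows the two mechanics in miniature: events from a constructed cloud-provider JSON audit log and a constructed syslog-style gateway log are normalized into one schema, then a single correlation rule turns eight raw events into one incident. Both log formats, all hostnames, user names and IP addresses are invented for the example; real providers' record formats differ.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON audit records in a hypothetical cloud-provider format.
CLOUD_AUDIT = [
    '{"time":"2014-11-25T10:00:01Z","user":"alice","sourceIP":"203.0.113.7","event":"ConsoleLogin","result":"Failure"}',
    '{"time":"2014-11-25T10:00:09Z","user":"alice","sourceIP":"203.0.113.7","event":"ConsoleLogin","result":"Failure"}',
    '{"time":"2014-11-25T10:00:40Z","user":"alice","sourceIP":"203.0.113.7","event":"ConsoleLogin","result":"Success"}',
    '{"time":"2014-11-25T10:01:00Z","user":"bob","sourceIP":"198.51.100.5","event":"ConsoleLogin","result":"Success"}',
]

# Constructed sample: syslog-style SSH lines from a hypothetical on-premises gateway host.
GATEWAY_SYSLOG = [
    "Nov 25 10:00:04 gw01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Nov 25 10:00:12 gw01 sshd[2213]: Failed password for alice from 203.0.113.7 port 51240 ssh2",
    "Nov 25 10:02:00 gw01 sshd[2290]: Failed password for carol from 192.0.2.44 port 40001 ssh2",
    "Nov 25 10:02:30 gw01 sshd[2291]: Accepted password for carol from 192.0.2.44 port 40002 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port"
)


def normalize_cloud(line):
    """Map one cloud audit record onto the common event schema."""
    rec = json.loads(line)
    return {
        "ts": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
        "source": "cloud_audit",
        "user": rec["user"],
        "src_ip": rec["sourceIP"],
        "outcome": "success" if rec["result"] == "Success" else "failure",
    }


def normalize_syslog(line, year=2014):
    """Map one gateway syslog line onto the common event schema (syslog lines carry no year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, _host, verb, user, ip = m.groups()
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "source": "gateway_syslog",
        "user": user,
        "src_ip": ip,
        "outcome": "success" if verb == "Accepted" else "failure",
    }


def load_events():
    events = [normalize_cloud(l) for l in CLOUD_AUDIT]
    events += [e for e in (normalize_syslog(l) for l in GATEWAY_SYSLOG) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures for the same (user, source IP) across any sources,
    followed by a success within the window, becomes one incident."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src_ip"])].append(e)
    incidents = []
    for (user, ip), evs in by_key.items():
        failures = []
        for e in evs:
            if e["outcome"] == "failure":
                failures.append(e)
                continue
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                incidents.append({
                    "user": user, "src_ip": ip, "failures": len(recent),
                    "first_seen": recent[0]["ts"], "success_at": e["ts"],
                    "sources": {f["source"] for f in recent} | {e["source"]},
                })
            failures = []  # a success resets the streak
    return incidents


if __name__ == "__main__":
    evs = load_events()
    incs = correlate(evs)
    print(f"{len(evs)} raw events -> {len(incs)} incident(s)")
    for inc in incs:
        print(inc)
```

The rule only fires because failures seen by the cloud provider and failures seen by the on-premises gateway are counted together; either source on its own stays below the threshold for alice, which is the practical argument for bringing both feeds into one platform.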

Assess and Optimize Cloud Security Operations and Approach

There are security experts from security services providers who are working with enterprises in their cloud journey every day. Organizations should consider consulting with these teams so that enterprises can perform an assessment of their security posture, map objectives for moving to the cloud and lay down a road map to evolve the maturity of adoption.

Enterprises are also facing a shortage of security skills and expertise. An enterprise can leverage a managed security services team to manage its cloud security infrastructure.

One prominent benefit of this approach is in security intelligence. With threats increasing every day, it is hard to keep up. By leveraging managed security services to monitor your security across hybrid cloud environments, you benefit not only from skilled professionals, but also from the threat intelligence they gather while managing thousands of such customers and their infrastructures.

The Cloud Is an Opportunity to Do Security Right

The cloud is different things to different people, and security within it is a broad topic. But what has become clear is that adopting a structured approach to managing cloud security will go a long way in the journey we are all embarking on. I strongly believe that we can actually get to a better security posture in the cloud than we originally believed possible. The most important part of achieving this is to think about security up front and not as an afterthought. There is no better time to do this than when you are in the process of making that enterprise transformation to the cloud.

I enjoyed my vacation to a new destination by following my doctor’s advice. The cloud is a new destination and not just a vacation spot. That is all the more reason to take a structured approach to security and adopt the cloud with confidence.

Nataraj Nagaratnam
CTO for IBM Security Solutions

Dr. Nataraj Nagaratnam is an IBM Distinguished Engineer, and CTO for Security Solutions, IBM Security Systems. As CTO for Security solutions, he drives techn...