Security is still a major obstacle for IT when it comes to cloud adoption. That was made crystal clear at the Massachusetts Technology Leadership Council seminar on securing data, availability and reputation in the cloud, which attracted a mix of security, IT, entrepreneurs and business folks. As one attendee succinctly put it, "Why should we trust AWS [Amazon Web Services] when we have no visibility into their other side?"
Still, there are plenty of organizations thinking in terms of a "cloud first" strategy, including the federal government. For readers who are looking for guidance on cloud security, here are five quick tips from the seminar's expert panelists on how to minimize security risks before partnering with AWS or any number of Anything as a Service providers.
- Take your time. And take advantage of free checklists, risk assessment methodologies and related info available to get up to snuff on cloud computing security. Chris Wysopal, co-founder and chief technology officer at Software as a Service security provider Veracode in Burlington, Mass., suggests the Cloud Security Alliance as a place to get started. "[Cloud] is a new infrastructure, and you have to understand how to use it securely," he said. "You can't use all of the traditional security technologies, so a lot of it is educating yourself on how to do it correctly."
- Tailor your contract. Plan ahead by thinking about what should be drawn up in the service agreement. For example, how will your cloud provider deal with a distributed denial-of-service (DDoS) attack? "A lot of times that's overlooked," said Chris Ray, chief information security officer for targeted marketing firm Epsilon in Wakefield, Mass. "Make sure you have something in your contract."
- Centralize your logs. Panelists pointed to aggregating all logs into a central location as a best practice for organizations interacting with multiple network hosts. "The number one rule is: Always get the data," said Nick Levay, chief security officer at endpoint and server security provider Bit9 in Waltham, Mass.
- Guard the host. Spend more time focused on host-based rather that network-based security measures, because "you don't have as much control over the network," Wysopal said. He recommends host-based intrusion detection systems such as Threat Stack or Tripwire "as a way to get some visibility into what's happening at the host level."
- Ask for verification. "Always look for third-party assurance for service providers," said Wysopal. One way to do that is to inquire about a Security Organization Control 3 or, better yet, a SOC 2 report. The documentation comes from a third-party auditor who looks at security, availability, processing, integrity, confidentiality or privacy of an organization's internal controls. SOC 2 and SOC 3 reports cover the same ground, though a SOC 2 report gives a more detailed accounting than a SOC 3.
Why this guy trusts AWS
When Wysopal says "AWS can be as secure as your own internal data center," he's not surprised the comment is met with skepticism. So, how does he respond to a question like, Why trust the cloud service provider? He starts by talking about people.
"We have a good relationship with their security team, and I have a lot of confidence in them," he said. Talking with AWS, Wysopal was briefed on safeguards around its security operations center and network operations center, which are centralized monitoring centers for security issues and network performance. One such measure includes stringent authorization requirements to "access any of your infrastructure" and logging information anytime someone does. A lot of hosting providers don't do that, he said.
For hardcore cloud skeptics, Wysopal suggested looking into AWS' Federal Risk and Authorization Management Program (FedRAMP). Before hosting government data, FedRAMP-compliant cloud service providers like AWS have to adhere to the standards and safeguards established by the federal government.
"It's more expensive," said Wysopal, who is considering the move himself, "but you still get the benefits of an elastic infrastructure."
DDoS attacks are on the rise
If you're seeing an uptick in DDoS attacks where the bandwidth or other system resources are rendered unavailable, you're not alone. "Part of what's fueling the growth in DDoS is that you have increasing availability of toolkits that make it very easy to pull these things off," said Cricket Liu, chief infrastructure officer for Santa Clara, Calif.-based network controls provider Infoblox Inc. "You have websites you can go to and, assuming you still have sufficient Bitcoin available to you, you can order a big DDoS attack of someone online entirely anonymously."
Blame it on the robust (and growing) botnet infrastructure sending viruses or spam by unsuspecting computers (remember the news about zombie refrigerators?), too many open recursive name servers and too many vulnerable network time protocol servers for clock synchronization, which makes it easy to drum up "fantastic amounts of traffic," he said.
The power of next-gen firewalls
When Bit9's Levay mentioned Palo Alto Networks, a maker of next-generation firewalls, he practically cooed. "There are a number of things that define what a next-generation firewall is, and a big one is application identification," he said. In the past, visibility into network traffic was almost nonexistent. "It's all port 80 and port 443," Levay said, referring to the default HTTP and HTTPS ports.
The Data Mill
Ford's connected car revs up with APIs and external app developers
External social platforms replace the company intranet
Is contextual computing the love child of big data, IoT and mobility?
Palo Alto, on the other hand, "sees different Web applications as separate application locations." So it can differentiate, say, traffic to Facebook from traffic to an online banking site.
"[Palo Alto] drills even deeper than that" by identifying Facebook traffic as browsing, chat or image upload, he said. So if his company wants to block employees from uploading their latest vacation photos onto the social network at work, he said.
Is multifactor authentication in your future?
If Gmail can offer two-factor authentication to tens of millions of users, "it's something that can easily be scaled and adopted," Wysopal said. But does it go far enough?
According to Levay, the biggest enterprises don't think so. "The high end of authentication is to authenticate users based on something they know, something they have and how they're accessing it," he said. That might mean pin number, site key and device IP address. "It's very effective," Levay said, "but implementing it isn't easy."
And it might not be all that practical, as one audience member pointed out. "Every organization has a risk tolerance, and I'm not in charge of that," he said, adding that multifactor authentication wouldn't fly at his company. "My organization values people being able to do things quickly, and I have to operate in the context of what they'll accept."
This was first published in April 2014