Adopting the cloud without compromising security

The cloud promises many advantages - dynamic allocation of resources, CAPEX-based pricing and so on. But so far, there are no widely accepted standards for security in a cloud environment, leading some organisations to be wary of the technology. Patrick Eijkenboom*, Principal Consultant at NetIQ, discusses best practices for security when adopting cloud computing.

In an age that requires IT to do more with less, address physical data centre and energy constraints, and manage SLAs with increasingly shrinking budgets, cloud computing is a compelling proposition. It’s particularly appealing for enterprises facing a lack of in-house resources to implement, manage and support applications as well as a shortage of physical space, capacity and power sources. Cloud computing offers an attractive, pay-as-you-go pricing model that is more scalable and promises lower risk.

While cloud computing can provide considerable business benefits, it is important to point out that the proper tools and processes are still required to monitor, manage, respond and recover. The President and General Manager of NetIQ, US-based Jay Gardner, recently published an article ‘Three Considerations for Cloud Adoption in 2011’, detailing just those tools and processes. Unsurprisingly, most of these considerations are based on the issue of security - those incidents stemming from internal and external threats, and challenges to satisfy compliance from a regulatory, audit and industry standard perspective.

Although the Cloud Security Alliance (CSA) provides solid advice on cloud computing, it remains a set of recommendations so that in this ‘pre-standard’ era of cloud computing, organisations can be mindful of the myriad security issues surrounding the cloud.

Let’s examine the three important considerations introduced by Jay Gardner - integration and automation, security, and identity management - and take a closer look at the security and auditing challenges that companies will face when going to the cloud and provide best practice on how this can be achieved.

1. Integration and automation

As key services and applications move to the cloud, the way that information is stored, passed and shared across people and applications will transform. Therefore, CIOs will find that integration of data, applications and automation of processes is an important issue to solve. Watch for process automation and data or application integration tools to play a very critical role in efficient and effective cloud adoption. Finding ways to automate processes in order to manage consistency in a complex world of data, applications and users will result in cost savings if executed properly.

Integration and automation best practice

From a security point of view, integrating and automating outsourced services is challenging to say the least. The best advice is to conduct a full review, holding IT governance in mind, of the different cloud models - public, private, community or hybrid - as well as the specific cloud service - SaaS, PaaS or IaaS. This review should happen not just from the IT business sections of a company but across the entire organisation. Using integration and automation tools that easily tie in with the cloud can drastically increase benefits from a productivity standpoint, and can also ensure that the often disparate business units within an organisation are communicating quickly and effectively with each other and the security team on all facets of the IT environment.

From an infrastructure point of view it is imperative that you not only consider the automated path to the cloud but also a possible roll-back to your original state. Not many tools will allow you to migrate from physical, to virtual, to the cloud - and back again. Using an automated migration tool that also allows you to move back to your physical servers if required may alleviate a lot of pain.

2. Security

Security, governance of process and compliance to government, industry and corporate regulations and guidelines will remain ongoing initiatives. Data breaches will continue to be highly visible and will quickly become public knowledge. IT organisations must push cloud providers to ensure cloud infrastructure and operations are as secure - if not more secure - than traditional on-premise approaches to protect corporate data and critical systems.

Security best practice

Almost every week we hear of a high-profile organisation scandalised by data loss or theft, often crippling its public image and customer confidence. When contemplating a move to cloud computing, each organisation must ask how it can circumvent such incidents by minimising the liability and risk.

One way of ensuring a minimal risk is to adopt a regulatory standard applicable to the industry in which your organisation operates. This is usually a strict requirement and enforcing these security regulations will be beneficial. It may be worthwhile considering a multiple tenancy cloud architecture in which stronger IT controls and regulation are already a part of the cloud service and, if not, ensure that this is part of the service agreement. Standards such as the Center for Internet Security (CIS) or the Control Objectives for Information and related Technology (COBIT) framework all provide different security levels for IT controls by sets of hardening templates, encryption controls and best practices. In addition, the Cloud Security Alliance (CSA) provides good security guidance for cloud computing.

Some organisations may even consider increasing security controls when moving to the cloud. At the end of the day, a solution is required that is not only a log management tool, but one which combines security incident and security event management to ensure a complete view of the organisation’s security. The ideal cloud security solution would integrate with the identity and access management solution.

Certainly the cloud means there is less visibility of the security around valuable data, but it can still be made a secure environment. It is vital that due diligence is made to minimise the risk of loss, data or theft but always recognise your organisation’s accountability.

3. Identity management

Managing the identity of users, as well as provisioning and deprovisioning their rights, becomes a greater task within the cloud. It becomes more difficult to discern who is authorised to do what. Moreover, monitoring, responding, reacting and recovering when someone violates policy is more challenging when applications and data are spread across the cloud. IT departments will need to either extend existing identity management initiatives to include the cloud or establish a process to collectively manage identities across all systems to best protect corporate data and systems.

Identity management best practice

This consideration raises a simple question that each organisation should ask themselves: “Who can view your data?” It’s an age-old question, but one that needs to be revisited several times across the entire organisation when moving to the cloud. A simple answer could be to not put business critical and sensitive data in the cloud, but a better option is to ensure the cloud is sufficiently secure. Insider threats can be overcome by a strict identity and access management solution or even use an identity as a service (IDaaS) solution that will give IT managers visibility into who has privileged rights on sensitive data and allow them to assign, or revoke, these privileges. Support the identity management solution with security data logging and auditing which will allow management to know who does what, where and when, and that any changes are logged and audited sufficiently.

The task of fully listing all the access rights of all users with their various IDs from each different operating system, network, application, etc within an organisation is a very difficult one. This can only be achieved by integrating the identity tools with the access management tool; and in a perfect world situation, have this managed by an access governance solution. Such a comprehensive solution will allow you to govern identity and access management at all levels.

Cloud computing is a game-changing technology that can revolutionise the way your organisation works. Organisations need to be smart when thinking about cloud computing and ensure all due diligence is made before making the move across. The automation of all these different aspects - the migration and a potential roll-back, security, access and identity management, compliance and governance - will play a huge part in this.

As companies move towards consideration and adoption of cloud computing, enablement and governance for the cloud are vital planning topics for IT departments. A move to the cloud should include analysis of issues around integration, security and identity.

*Patrick Eijkenboom is the Principal Consultant with NetIQ Australia. NetIQ provides security and compliance management solutions and, as a corporate member of the Cloud Security Alliance (CSA), participates in the development and implementation of best practice recommendations for addressing security, audit and compliance needs specific to cloud computing.