Seeing Through the Clouds: Gaining Confidence when Physical Access to Your Data Is Removed

Written by

By David Lingenfelter

Cloud computing brings with it new opportunities, new frontiers, new challenges, and new chances for loss of intellectual property. From hosting simple websites, to entire development environments, companies have been experimenting with cloud-based services for some time. Whether a company decides to put a single application or entire datacenters in the cloud, there are different risks and threats that the businesses and IT need to think about. All of these different uses, all of these different scenarios are going to require thorough planning and development in order to make sure whatever gets put in the cloud is protected. When implemented properly, companies may actually find that they have improved their overall security posture.

When putting systems and information into your own datacenter, certain security measures have to be in place to ensure external threats are minimized. One of the big security measures is the datacenter itself, with a security boundary only allowing authorized personnel to have direct access to the physical systems. Within the datacenter, dedicated network connections ensure the data flows properly with little concern of unauthorized snooping.

These and other physical controls go away when working in a cloud environment. Regardless of whether you choose an Infrastructure-as-a-Service (IAAS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) cloud model, the physical boundary has gone from a select few authorized people to an unknown number of people who are not even part of your company.

Other controls inherent to locally hosted systems include firewalls, network segmentation, physical separation of systems and data and a dizzying array of monitoring tools. When going to a cloud model, whether it’s a public or private cloud, most of these controls either go away entirely or have significant limitations to them. The controls may still be there, but may not be under your direct management. In other cases some of these controls may be removed entirely. The three tenants of security are confidentiality, integrity, and availability. When our data sits in our own datacenters we feel confident that we have a pretty good level of control over all three of those tenants. When we put our data in the cloud, we feel that we have lost control of all three. This doesn’t mean that a cloud-based solution is bad, rather it means we need to look at what it is we’re migrating to the cloud and make sure the three tenants are still covered.

Simply picking up an application or an in-house service and moving it to a cloud-based solution isn’t good enough, and will most likely leave information exposed. You need to review:

  • How the information is secured
  • How access is authorized
  • How integrity and confidentiality are controlled

It may require new technologies to help enhance these things, but it may also just be a matter of tighter IT processes around how systems are configured and managed.

One of the attractive components of moving to a cloud-based service is the ability to expand on demand. This model allows a company to handle high load periods and have those services pulled back when not needed. Implementing additional authentication and authorization controls, as well as data encryption at rest as well as in motion will also help increase the level of security and control kept by a company when using cloud services. Since there will be a number of components of cloud-based services outside of an administrators control, the implementation of additional security controls including host-based and next-gen firewall and monitoring activities will also help enhance security while providing peace of mind.

The cloud has several attributes that make it attractive to business besides cost savings, including:

  • The ability to have highly redundant, geographically diverse systems help companies handle both disaster scenarios and enhance customer experience.
  • The ability to quickly add more systems helps companies handle spikes in traffic.
  • Speed of deployment can also help a company to keep a competitive edge.
  • If implemented with the appropriate security controls in place, companies can have safe, secure systems that not only rival those they could have built within their own datacenters, but with more features and security than traditional IT deployments.

Expanding into the cloud requires the IT staff to think differently about security. Decisions in the past may have provided enough security for information stored within your datacenter, but when using the cloud security and monitoring has to be reassessed and modified to account for the changes in the risk boundaries.

David Lingenfelter is the information security officer at Fiberlink. Lingenfelter is a seasoned security professional with experience in risk management, information security, compliance, and policy development. As information security officer of Fiberlink, he has managed projects for SAS70 Type 2 and SOC2 Type 2 certifications, as well as led the company through audits to become the first mobile device management vendor with the FISMA authorization from the GSA. Through working with Fiberlink’s varied customer-base, Lingenfelter has ensured the MaaS360 cloud architecture meets requirements for HIPPA, PCI, SOX, and NIST. He has been an instrumental part in designing Fiberlink’s cloud model, and is an active member of the CSA, as well as the NIST Cloud working groups.

What’s hot on Infosecurity Magazine?