By Steve Kohler, VP Systems Development at B2BGateway
When our Director of Sales and Marketing asked me how one goes about Securing the Cloud, I thought it was an interesting subject, for certainly that depends on who you ask, what we mean by security, not to mention what you mean by “Cloud”.
In today’s rapidly evolving IT environment, Cloud security is something we should all be concerned with. Organizations need to make sure their customer data is safe in the cloud, and end users (consumers) should be aware of what the cloud is and how it affects the assets they wish to protect.
The National Institute of Standards and Technology defines cloud computing as:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST also defines five essential characteristics that compose the Cloud model, three separate service models, and four deployment models. The essential characteristics are On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured service. While the use of virtualization is not a specific requirement for the Cloud, it typically plays a key role in facilitating cloud offerings. Multi-tenancy is another aspect of the cloud that is often treated as an integral component, although it is not part of the formal definition.
The Service Models
Software as a Service (SaaS) - Provides consumers with access to some service or application running on a cloud infrastructure. The customer does not manage or control the underlying infrastructure such as network, servers, operating systems, or storage. The customer has the ability to manage customized settings within the application only.
Platform as a Service (PaaS) - Consumers are granted access to an application hosting environment where they have the ability to deploy custom applications they create/acquire using tools/platforms supported by the provider. The customer does not manage or control the underlying infrastructure such as servers, operating systems, network, or storage, but has control over the deployed applications and custom settings within those applications.
Infrastructure as a Service (IaaS) - The consumer is able to provision processing, storage, networks, and other fundamental computing resources. This allows the customer the ability to deploy custom software such as operating systems and applications. The customer does not manage or control the underlying infrastructure but can have access to networking interfaces such as firewalls.
The Deployment Models
Private cloud - The cloud infrastructure is provisioned for exclusive use by a single organization. It may be owned, managed, and operated by the organization or a third party, and it may exist on or off premises.
Community cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community or a third party, and it may exist on or off premises.
Public cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud - The cloud infrastructure is composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
When we discuss security, we are usually concerned with logical security and physical security.
Logical security protects data by utilizing software safeguards such as authentication methods, authorization, and enforcement of user permission levels. Common examples of this layer are:
· A username and password combination that was assigned to access a network or shared resource.
· Token based authentication - a user is able to generate a token such as a cryptographic hash that identifies the user and no password is actually shared as part of the authentication scheme.
· Two-way authentication - In addition to providing credentials or a token, the user must respond to a challenge presented by the system before gaining access to resources. An example would be for the system to present a security question when the user is logging in from a new device or network.
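
The token based scheme in the list above, sketched as a challenge-response exchange. This is an added example, not code from B2BGateway; it assumes a per-user secret provisioned out of band and HMAC-SHA256 as the hash, and the names `Server`, `client_token` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets


class Server:
    """Verifier side: holds per-user secrets and outstanding challenges."""

    def __init__(self, user_secrets):
        self._secrets = dict(user_secrets)  # provisioned out of band (assumption)
        self._pending = {}                  # user -> nonce awaiting a response

    def challenge(self, user):
        # A fresh random nonce makes every token single-use.
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, token):
        # pop() consumes the nonce, so a captured token cannot be replayed.
        nonce = self._pending.pop(user, None)
        key = self._secrets.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, user.encode() + b"|" + nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, token)


def client_token(user, key, nonce):
    """Client side: the token is derived locally; the secret never crosses the network."""
    return hmac.new(key, user.encode() + b"|" + nonce, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)           # constructed sample secret
    server = Server({"alice": key})
    nonce = server.challenge("alice")
    token = client_token("alice", key, nonce)
    first = server.verify("alice", token)   # valid response to the challenge
    replay = server.verify("alice", token)  # same token presented again
    nonce2 = server.challenge("alice")
    wrong = server.verify("alice", client_token("alice", b"guess", nonce2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```
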
Physical security is responsible for securing access to the infrastructure, datacenters, buildings, and other assets such as employees. In addition to protecting against unauthorized access or damage by individuals, physical security should also address withstanding natural disasters, maintaining climate control, and preventing accidental damage.
As you move down the cloud stack, the consumer becomes more responsible for implementing and managing security measures. For example, an IaaS provider will secure the infrastructure, but it is up to the consumer to implement proper security measures in the operating systems and software they choose to host on the provider's system. At the top of the stack, SaaS providers are responsible for the most, as they must secure the infrastructure as well as their networks and applications, and provide strong logical security measures to protect customer data. Regulatory compliance also comes into play, especially when dealing with credit card, healthcare, and financial data (PCI, HIPAA, SOX).
When assets or infrastructure are moved off premises into the cloud, the consumer must make sure that their Cloud Service Provider has adequate physical controls in place, as well as logical controls to mitigate potential threats that might emerge. Monitoring of logs, for example, becomes difficult if not impossible when using a SaaS provider, since the server logs will most likely not be available to the consumer and will contain information for multiple customers.
Some potential threats present in a cloud environment but not found in a traditional datacenter have to do with virtualization and multi-tenancy. Resource pooling on a virtual machine host increases the risk of noisy neighbors and resource contention. A guest OS handling high I/O and CPU workload for one customer could result in poor performance for other guest OSes, creating a denial of service scenario for the affected customers. Attacks against the hypervisor are also on the rise: if a guest OS maliciously attacks and compromises the host, the other resident guests are now at risk of being compromised. It is critical to make sure the Cloud Service Provider has adequate security zones (virtual networks, VLANs) configured per tenant and that they adhere to best practices when updating their virtual infrastructure to ensure a secure environment.
As companies move their data to the cloud to take advantage of the time and cost savings, a comprehensive risk assessment should be made on the assets being moved so that proper monitoring and incident response plans can be crafted to deal with potential breaches. Encryption of data at rest (at the cloud provider site) and in motion (data travelling to and from the CSP) are also key elements that can strengthen the security posture when dealing with a Cloud Provider. SLAs should address what logs consumers will have access to in the event of a compromise, as well as detail the specific countermeasures being taken to mitigate threats to the data. Cloud offerings hold tremendous reward for companies in terms of reducing overall expenditures and saving time, but there is also risk as control over assets is passed on to another organization and out of immediate physical control. Proper vetting of service providers and adherence to industry standards are crucial to maximize return.
To learn more about B2BGateway’s cloud based EDI solutions, and how we protect your data in the cloud, please call +1 401 491 9595 / +353 61 708533 or email Sales@B2BGateway.Net