SBN

Considering Cloud Security

What are our options when it comes to cloud security?  
Cloud is largely a catch all phrase for things that we’ve already been doing for years like SaaS, IaaS, and virtualization.  As a result there are some pretty good techniques and technologies for securing your organizations data.   Let’s take a closer look at what we can do to secure data in any facility used as a service, particularly one that you don’t own.

For the sake of brevity we will sum the challenge up with services operated by organizations that are not yours where your users are storing data.  A few examples are;

  • IaaS – Infrastructure as a Service where you would assign compute and storage resource and deploy custom applications including Operating Systems, like Microsoft Azure.
  • PaaS – Platform as a Service where you would load your own applications onto someone else’s cloud infrastructure and the provider manages everything all the way to the Operating System, like Amazon’s EC2.
  • SaaS – Software as a Service where it is an application you may have in someone elses facility, like Box.com, or your web hosting provider.
SaaS becomes the biggest challenge because of the flexibility.  You may have your website hosted in someone elses network where they manage the actual server software and Operating System.  What most people don’t realize is that is where the service stops.  There are no Intrusion Detection or Web Application Firewall type systems, largely because they don’t know how you need the site to be secured.  
SaaS based storage solutions are the ones that are making the biggest impact on data security today.  Box, Dropbox, Google Drive, Amazon, Microsoft Skydrive. They all give you ubiquitous data. All of your stuff appears on your laptop, tablet, and phone. I am a huge fan of these services.

The point is you spend thousands of dollars (in many cases millions) on securing your corporate data center and with one save of a critical file to a cloud storage provider all of that security is circumvented. Who actually runs many of these services? Rather than hacking into millions of computers and stealing data, why don’t I just setup a cloud storage service? Make it pretty, easy to us, and free! Rather than me stealing your data why not just give it to me? This is what your CIO is hopefully at least pondering.
The same goes for infrastructure services and things like hosted email and web applications. Who are these people and what are they doing to secure my data? They typically will publish a document outlining what their security posture is like. How do you know it’s actually like that? And how do you know if their system gets popped and your data is compromised? Is this risk that you are willing to take?  I’m just saying.
Authentication and authorization is a great first step. Using your existing authentication services Like Active Directory is ideal. This way if you want a user to no longer have access to several applications, including internal ones, it is one place to go disable the account. Services like Amazon and Google get huge bonus points for integrating a two-factor authentic action system for you. Centralized authorization is also key. You may be OK with marketing teams to collaborate with cloud services and probably would prefer that anyone in finance or human resources does not. There are cloud brokerages services that do this and also on-premise solutions if you prefer more control.
Application Control can be very helpful. If there are pieces of client software for laptops and other mobile devices and you don’t allow the applications to start on the clients in the first place this may prevent the users from getting data there even with an account. However there are some caveats before it is effective. You will need to be managing the laptops, tablets, and phones. You will also need a Mobile Device Management solution capable of this. All of the leaders in this space today are capable. On its own this solution is cumbersome and difficult to manage.
Web Filtering is effective because all of these applications access a URL they can easily be blocked. A typical web filter will have categorization for these services, so if you only know about a couple of them but the users find new ones, the web filtering company is responsible for keeping that category updated with all of the sites. This also gives you decent control to allow or deny certain sites depending on what group the user is in. The challenge is to find a solution that will work from the network, their laptop, phone, and tablet.
Data Loss Prevention offers the most granular controls. Where the other solutions are good at identifying where the user is going, DLP is more concerned with what is going. If you don’t want files with account numbers, credit card numbers, social insurance/security, or anything else that can be identified from leaving, this is a good fit. Furthermore DLP can often be integrated with encryption so you may allow confidential data from leaving and encrypt it before it does so that it stays private. Yet again we run into the situation where we can easily do DLP in our network and on our laptops. Other mobile devices suffer from a lack of available solutions today.
While it looks pretty gloomy, we can paint a pretty picture of what to do. It is best practice to use these solutions together. Figure out who you want to be able to get to these sites and plug that into your directory server.  Then use either Application Control or a Web Filter to allow the specific applications you want those users to use. Then figure out which data you definitely don’t want leaving the environment and stop it from leaving with DLP. If DLP is configured well users will not be able to get confidential data onto their phones because you can stop it in email. Even though from their phones and tablets they may be able to use any service they want they won’t have local access to corporate data to put it there.
As always please feel free to reach out if you would like to discuss this further.

*** This is a Security Bloggers Network syndicated blog from Insecurity authored by asdfasdfasdfasdf. Read the original post at: http://stephenperciballi.blogspot.com/2013/02/considering-cloud-security.html