“Cloud computing” is not a buzz phrase anymore, but it is essential for most businesses looking to achieve sound business continuity alternatives combined with a comprehensive security model.
What is cloud computing, and what does it do? Very simply, for the end-user, a cloud computing experience is no different than using a desktop/laptop computer. The difference lies primarily on accessing the information directly from a storage media (i.e. hard drive, memory stick) versus using the Internet to access the data.
Today, the phrase represents the logical and physical infrastructure of a sometimes-complex data processing and storage environment. Nonetheless, the end-users’ experience should not echo the intricate configurations of private and public systems when they access the data. They will benefit from managing large storage spaces at a lower cost, and they should have the ability to access their data from anywhere as long as they have access to an Internet connection.
There are some inherent risks associated with cloud computing when the business entrusts a third-party or a cloud service provider with confidential and sensitive information. Yet businesses have been taking similar risks for years with other platforms.
A good example is the PCI standards for the “Payment Card Industry.” This platform was designed and implemented with strict rules and controls for protecting customers’ information stored and managed on third-party platforms. Would you say that PCI is a perfect model for security standards? No, but it provides the industry and consumers with regulations and guidelines to help protect a massive amount of sensitive information stored around the world.
As for the cloud security industry, it is still in its infancy and is continually developing new standards and processes, as well as updating current ones as the industry evolves. Nonetheless, the primary foundation of its infrastructure comes from a variety of traditional frameworks already built with tested security in mind.
By itself, prior to starting the design and implementation of a significant project like a cloud environment, stakeholders have to look at the type of cloud deployment models and cloud service models that best suit their businesses. The following summarize the basic models at a high level as the complexities of some of the models are out of scope for this paper.
The most common deployment models are “Private,” “Public,” “Hybrid,” and “Community.” In brief, the “Private” cloud refers to an infrastructure serving only one business organization operating and maintaining it internally. This can be done on-site or off-site, depending on the business compliance requirements. Still, it is also possible to have a third-party vendor manage a private cloud environment, as it is no different than other business operations that the organization might be contracting out. In this case, it is evident the business would need to have strong vendor security policies in place, as well as structured and well-defined contracts with a focus on data protection, ownership and multi-tenancy agreements, to name a few.
In the case of a “Public” cloud infrastructure, it will normally use a network open for public access or use cloud services owned by a large industry group managing the cloud infrastructure. In this case, the business does not own the infrastructure handling its data, but it still owns its intellectual property the service provider is managing for them.
Currently, most businesses deploying a cloud environment will use a “Hybrid” model. This is to be expected when making a strategic decision and adopting a technology environment, such as a cloud infrastructure that is still in its infancy. Using a hybrid model will often facilitate the business to move its intellectual property in phases from a private infrastructure to a public one while the business is adjusting to its environment and increasing its general comfort zone with the technology.
Lastly, the “Community” cloud infrastructure will normally be shared by several businesses with common requirements and/or interests such as financial institutions, health care, and law enforcement, for example. It may be managed by the businesses/organizations or by a third-party subject to various requirements, regulations, or laws. For instance, financial institutions are subject to a number of regulations and compliance policies very specific to their functions and operations. As such, a cloud environment fostering their specific industry requirements makes for a great channel for them to share sensitive information or audit their business activities without having to necessarily share with third-party entities.
All deployment models have positive and negative characteristics to take into consideration if you are in a position to decide on choosing the most fitting one. However, one should be aware of some basic facts inherent to the different models. For example, the private and public cloud models have very similar architecture elements, but their scalability and flexibility are quite different. The private cloud infrastructure is more limited to the individual business owning the infrastructure versus a public cloud environment. The public and community models have the capability of sharing resources over a large cluster of businesses and resources, hence the higher amount of possible configurations to share resources and processing power.
The flexibility and scalability of a public model infrastructure meeting the business demand and requirements makes for a very attractive product for businesses starting up or wanting to grow without the substantial expenses of upgrading and maintaining the additional resources. However, the public cloud environment will store multiple business owner data in the same virtual container (“multitenancy”) safeguarded with various encryption tools and security policies.
For this type of configuration, it might not be as accessible and recoverable because of the location of the data that is not as clearly defined as a private model infrastructure.
Once a business has decided on a deployment model fitting their environment, it will be essential to identify the proper type of services model that will most benefit the business and its security requirements. There are three main service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
- The SaaS model is essentially a platform for a business to run providers’ applications using the cloud infrastructure. A good example is the Microsoft Office 365, which enables users to run key Microsoft Office applications on their system and mobile devices with the help of an Internet connection. With this model, there is no need to maintain or purchase the latest application version; by leasing the service access, a user can run the application anywhere as long as s/he is connected. In this particular environment, the clear disadvantage is the connectivity condition of the thin client application and the variety of devices’ requirements running the application.
- The IaaS model offers access to a pool of resources necessary for the proper operations of a computing environment such as connectivity essentials, various computing hardware, Application Programming Interfaces (“APIs”), and facilities.
- Finally, PaaS provides a service where there is no need to manage the core servers, the networks, storage infrastructure, or any other components necessary for an application platforms such as a database where the users need to run Python, PHP, or other coding programs for instance.
For a business to consider converting its operations to a cloud model, it is necessary for stakeholders to understand and review the different cloud services and deployments models in order to implement the most suitable models in line with the industry where the business operates. In addition, it is important to recognize the potential risks similarities between the more traditional business network infrastructure environments versus the ones using a cloud computing environment.
Some of the typical risks needing attention are:
- DDoS – Distributed Denial of Service attacks
- Data loss or damaged accidentally or intentionally by a rogue employee
- Theft of data internally (employees) or externally (hackers)
- Various legal orders that might expose the business data because it is hosted in a multitenancy architecture for example.
In a nutshell, a cloud computing infrastructure is simply another option for a business to have the ability to operate within a sound information security model and maintain simple CIA (Confidentiality-Integrity-Availability) practices and procedures.
About the Author: René Hamel (@hamel_rene) is a forensic technology investigator. His cyber security and forensic technology career spans over seventeen years. His broad spectrum of working experience includes Government, corporate and financial services. He has a strong investigative background having been a member of the Royal Canadian Mounted Police “RCMP” for sixteen years. He is a well recognized and respected leader in his field having work in North and South America, Europe and Asia. René has also been appointed as an expert witness in both criminal and civil courts in Canada and Ireland. His evidence and testimony has often been instrumental in the recovery of large financial assets.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
This is a Security Bloggers Network syndicated blog post. Read the original at: The State of Security 2017-09-12.