By Ken Biery
Can a cloud be as secure as a traditional network? In a word, yes! I agree that some may find this statement surprising. Depending on the network, that may be a low bar, but good security principles and approaches are just as applicable to cloud environments as they are to traditional network environments. However, the key is to know how to extend a multi-layered defense into the cloud/virtualization layer.
One of the cloud security benefits frequently mentioned is standardization and hardening of VM images. This can help reduce complexity and ensure that all systems start from a good security posture. Also, it helps enable a rapid response to fix identified issues. Some people claim that complexity, or the diversity, of different systems in a traditional network environment is a security benefit because a single vulnerability is not capable of compromising all systems. However, the reality is it is usually more difficult to manage the disparate systems because of the tools and expert resources required to maintain them.
Hardening is not only for VMs. It has to be extended throughout the cloud environment to include the hypervisor, management interfaces, and all other virtual components, such as network devices. This requires some time and expertise in understanding how to control functionality without losing productivity. If you ask your service provider or internal team about hardening the virtualization layer and you get blank stares back, you may have a problem. Also, you should not accept the default statement that “the hypervisor is essentially a hardened O/S” as a complete answer. Securing the virtualization layer is one of the new and key areas to providing protection for cloud environments.
Strong authentication and authorization methods are critical to address, since this is an often neglected area in traditional networks. It is important to do it right. It is worth noting that the Verizon 2011 Data Breach Investigations Report cites “exploitation of default or guessable credentials” and “use of stolen login credentials” as some of the most used hacking attacks. Whether a private or public cloud environment, there needs to be a solid layer of protection from unauthorized access. Two-factor authentication is a must for remote and administrative access; it is a best practice to require two-factor authentication throughout the virtualized environment, wherever it is practicable.
Encryption should be utilized for both data in-transit, as well as data–at-rest. In addition to providing confidentiality and integrity, encryption plays a critical role in protecting data that is in environment where it may not be able to be destroyed by normal methods. Once encrypted data is no longer needed, the encryption key for that data set can be destroyed. However, this requires that the organization retain and manage the encryption keys and not the service provider.
Encryption is also being used in innovative ways to create an isolated environment within a cloud. This can be used to extend security and compliance controls from an organization’s traditional network into a cloud. This can help overcome barriers to cloud security by enabling enterprises to run selected applications and maintain data in the cloud with the same protection and control available internally.
In Closing
Clouds, like a traditional network environments, require careful security planning, design, and operations. The various types our clouds and delivery models will have varying degrees of security and flexibility, some with the ability to layer in additional levels of security controls. This is why it is important to have a firm understanding of security and compliance requirements prior to moving to the cloud.
It is fortunate that good security practices are applicable to the cloud. However, the virtualization layer is a new area – one that requires specialized attention understanding and proficient when it comes to implementing security controls. Hardening, access control, and encryption are three primary areas of focus in building a multi-layered defense in cloud environments. Clouds can meet security and compliance requirements, but only if essential security practices are applied throughout them.
Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.