By Matthew Gardiner
One of the key advantages of the cloud, whether public or private, flows from a well-known econometric concept known as “economies of scale.” The concept of economies of scale refers to an operation that to a point gets more efficient as it gets bigger – think electricity power plants, car factories, and semiconductor fabs. Getting bigger is way of building differential advantage for the provider and thus becomes a key business driver for them, as he who gets bigger faster maintains the powerful position of low-cost provider. These efficiencies generally come from spreading fixed costs, whether human or otherwise, across more units of production. Thus the cost per unit goes down as unit production goes up.
One important source of the economies of scale for cloud providers is from the IT administrators who make the cloud service and related datacenters operate. A typical measure of this efficiency is the ratio of managed servers to number of administrators. With a typical traditional enterprise datacenter this ratio is in the hundreds, whereas cloud providers, through homogeneity and greater automation, often can attain ratios of thousands or tens of thousands of servers per administrator.
However, what is good from an economic point of view is not always good from a security and risk point of view. With so many IT “eggs” from so many cloud consumers in one basket, the risk from these privileged cloud provider administrators must be explicitly recognized and addressed. Privileged administrators going “rogue” by accident, for profit, or for retribution has happened so often around the world that it’s hard to believe cloud providers will somehow be immune from this. The short answer is they won’t. The question is, what should you as a cloud consumer do to protect yourself from one of the cloud providers’ administrators “going rogue” on your data and applications?
For the purposes of this analysis I will focus on the use of public cloud providers as opposed to private cloud providers. While the basic principles I discuss apply equally to both, I use public cloud providers because controls are generally hardest to design and enforce when they are largely operated by someone else.
I find the well worn IT concept of “people, process, and technology” to be a perfectly good framework with which to address this privileged administrator risk. As cloud consumers move more sensitive applications to the cloud, they first need to be comfortable with who these IT administrators are in terms of location, qualifications, hiring, training, vetting, and supervision. Shouldn’t the cloud providers’ HR processes for IT administrators be at least as rigorous as your own?
However, given that there is always a bad apple in a large enough bunch no matter the precautions, the next step is for the cloud providers to have operational processes that exhibit good security hygiene. Practices such as segregation-of-duties, checks-and-balances, and need-to-know apply perfectly to how cloud administrators should be operating. Cloud consumers also need to understand what the cloud providers’ practices, policies and processes are for the role of IT administrator. Is it a violation for cloud provider administrators to look at or copy customer data, or stop customer applications, or copy virtual images? It certainly should be.
The final area to consider is the various technologies that are being used to automate and enforce the security controls discussed above. This certainly is made more challenging due to the variety of cloud services that are available. What cloud consumers can do with public SaaS or PaaS providers (where they have little direct control or visibility into the cloud provider’s systems), is significantly less than that of IaaS providers, where the cloud consumer can install any software that they want at least at the virtual layer and above. With SaaS and PaaS providers it is important that cloud consumers push hard for regular access at least to logs related to their data and applications, so that normal historical analysis can be conducted. Of course, real-time, anytime access to system monitors would be even better.
For IaaS based public cloud services the security options for the cloud consumer are much wider. For example, it should become regular practice that cloud consumers encrypt their sensitive data that resides in the cloud – to avoid prying eyes – as well as use privileged user management software that combines control of the host operating system with privileged user password management, fine grained access control, and privileged user auditing and reporting. Using this type of privileged user management software enables the cloud consuming organization to control their own administrators and perhaps more importantly control and/or monitor the cloud provider’s administrators as well.
While there are huge benefits to using the cloud, it is equally important for organizations moving increasingly sensitive data and applications to the cloud think through how to mitigate all potential attack vectors. The unfortunate reality is that people are a source of vulnerability and highly privileged people only increase this risk. As the ancient Romans said – Quis custodiet ipsos custodes? – Who will watch the watchmen?
Matthew Gardiner is a director working in the security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM, cloud security, and other security-related topics, and is a member of the Kantara Initiative Board of Trustees. Gardiner has a BSEE from the University of Pennsylvania and an SM in management from MIT's Sloan School of Management. He blogs regularly and also tweets.