By Chris Hinkley
Cloud Security is not a myth. It can be achieved. The biggest hindrance on debunking this myth is for enterprise businesses to begin thinking about the Cloud differently. It is not the equipment of co-location dedicated servers, or on-premises technology, as it is changeable, flexible and transforming everyday at the speed of light. With these changes come better security and technology to protect ‘big data’. The other issue to take into consideration is the human factor, there will always be people involved in building clouds and managing them, and there will always be people who want to attack them. Therefore we need to consider these two key factors when enterprises choose their Cloud with security in mind.
First, technology and layers of security. "It's more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the cloud." – This quote is from ‘2011 Data Breach Investigations Report’, a study conducted by the Verizon RISK Team. If architected with security in mind, it seems there is no evidence that specifically proves the Cloud is any more or less secure than a dedicated environment. In fact, regulatory compliance such as PCI-DSS 2.0 for credit card information and HIPAA for healthcare data is regularly achieved in the public cloud. It seems the biggest reservation of organizations resistant to moving into the Cloud is the fact that a majority of the infrastructure is shared.
Depending on your goals, there are essentially two key ingredients for true security in the Cloud. The first and most important is separation. This is absolutely essential – not only should your data be segregated from other tenants on the infrastructure, your network traffic, virtual machines and even security policies should be separate.
For instance, although a firewall or web application firewall may be shared, it's imperative that policy modification does not impact anyone other than the tenant it was modified for.
The other key ingredient is transparency and auditability. So you've decided to move to the cloud? Great. But how do you know you are getting what was advertised? Simply put, you don't. Transparency is essential in keeping tabs on your Cloud hosting provider. Being able to see behind the curtain should allow you to see exactly how your environment is being protected. Not only does it give you peace of mind, but it's required to perform regulatory compliance audits.
With data separation and being able to keep a watchful eye on your resources, most organizations are better off moving to the Cloud security-wise. Reducing cost by only paying for resources you need, when you need them is a substantial benefit, but being able to leverage a provider's security infrastructure is much better. Most organizations don't have the expertise, much less the budget to implement security measures such as high-end firewalls, DDoS mitigation, VPN with two factor authentication, web application firewalls, IDS, IPS, patch management, anti-virus and a host of other security measures. As a result, some may actually be more secure in the cloud.
Secondly, defending against attacks. Cyber attacks are created and launched by people, and they happen in many ways, some more common than others. In April 2011, Sony PlayStation players were compromised. It is estimated that 100 million players’ data containing names, addresses, e-mail accounts and passwords were stolen. Some customers were hacked over and over again, as much as 10 times per customer. This was the result of a planned and calculated hack. In a letter to the U.S. House Commerce Committee the Chairman of Sony said they had shut down the affected system while it investigated the attack and beefed up security. This larger breach followed another, and Sony believes while they were tracking and defending the large DDoS attack the vulnerability was exposed, allowing the larger and more troubling breach to happen. While Sony was working to address and mitigate the DDoS attack, the group Anonymous was able to infiltrate the system and cause an even greater breach. Security updates and bug fixes must be constantly monitored and applied to all applications.
Last year, CitiGroup was hacked by criminals who stole more than 200,000 Citigroup customer bank account details. Unfortunately for Citigroup, this damage was done through what was apparently a trivial, insecure direct object reference vulnerability – number four on the OWASP top ten. By simply manipulating the URL in the address bar, authenticated users were able to jump from account to account, as they did tens of thousands of times. This vulnerability could have easily been detected by not using direct references to account numbers, secure code review, or web application firewalls and application log monitoring and review.
From a security perspective, there are a number of perceived obstacles to implementing a public Cloud infrastructure. All of these may appear, at first sight, to be perfectly valid. This is largely because many existing public Cloud environments have been built with capacity, connectivity, scalability and other core attributes for hosting as a priority, with security implemented as a secondary layer. A truly secure public Cloud is possible, but only if it is built upon a secure framework – this ensures that, no matter how hosting technologies change and develop – as well as the arrival of new tactics devised by hackers to exploit them – there is always a secure foundation underpinning the entire architecture.
Chris Hinkley is a Senior Security Engineer at managed hosting provider FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.