A multi-layer security defense is possible in a cloud-based computing environment.
Cloud computing represents a more efficient way for enterprises to procure, consume and manage information technology (IT) resources and applications. Many companies across a broad swath of industries have embraced the "cloud" to meet temporary capacity requirements, control costs, address seasonal computing demands, reduce the cycle time to implement new systems, launch new services or expand into new markets. Many are taking a conservative and opportunistic approach to cloud computing.
Whether there is an imminent need as a result of an acquisition or a data center consolidation program to reduce costs, the questions of speed and financing arise. Enterprise IT departments are faced with either providing the necessary upfront capital and internal support or using a third-party utility model that includes operating, maintenance and ongoing monitoring services. In many cases, the speed to implement becomes the critical deciding factor.
Oddly enough, manufacturers have been slower in making the transition to cloud computing despite the fact that the sector led the way in collaboration and exchanges. Over the past 15 years, manufacturers have gone to great lengths to IT-enable their global supply chains by facilitating enterprise connectivity between suppliers and customers. When it comes to cloud computing, however, many are concerned with securing business-critical infrastructure, applications and sensitive corporate data. The good news is that there are cloud security best practices to help address the particular concerns of the manufacturing sector, such as protecting sensitive manufacturing process information, and supplier and customer data. In this context, the security and data privacy debate related to cloud computing is understandable and has come to the fore as a result of the enterprise resource planning (ERP) upgrade cycle and enterprise architecture modernization initiatives now under way. Whether it is remote monitoring and control, business analytics and data mining, supplier resource management (SRM), customer resource management (CRM), human capital management (HCM) or product lifecycle management (PLM), the following cloud security best practices will provide manufacturers with the confidence to fully embrace cloud computing as an essential part of their IT operations.
Going To the Cloud
While the transformative power of the cloud in terms of speed, cost and agility is widely known, one of the first questions that arise is what is the right cloud environment for the organization: private, public or hybrid? It depends on business requirements and risk tolerance.
Private clouds normally indicate an environment that is contained within an enterprise's traditional network, or within a segmented area of a third-party service provider facility that is not shared with any other organization. This is "your virtual data center", but the security, network, support and equipment are provided on a utility cost model.
Public clouds are characterized as being used by many tenants hosted by a service provider and with access provided via the Internet. While applications and data can reside on the same equipment as other tenants, safeguards such as network segmentation and a variety of access controls should be in place to prevent data commingling. In a public cloud, the enterprise should make sure it has control over where data is stored and how it is accessed. There are also a number of variations of private and public cloud environments called hybrids.
For a manufacturer, the heart of the decision is to consider what advantages and disadvantages come with each cloud delivery model, and identify the enterprise applications that are best suited for migration. Once these foundational decisions are made, it is important to determine the security and infrastructure measures that must be put in place.
Security for cloud-based applications is detailed, especially for remote monitoring and control, as well as for certain elements of ERP, SRM, CRM, and engineering applications. Cloud computing is a reality, so it is best to have an approach that reduces the risk of using it.
Cloud Computing Infrastructure Security
It is important to recognize the significant role the security of network infrastructure and support systems plays in protecting applications and data in a cloud-computing environment. The security of these foundational elements helps reduce the risk of applications and data being easily compromised. By integrating security into the cloud-based network infrastructure and support systems -- not unlike the approach taken with traditional IT environments -- a layered security defense posture is created to help protect against possible security breaches.
There are some aspects of cloud computing that can actually enhance security. Cloud computing can isolate environments without requiring separate physical hardware and create dedicated environments for testing and logical segmentation. The cloud environment can rapidly provision standard operating system (O/S) images, enabling timelier patch management and providing the ability to quickly reverse changes that may have introduced unanticipated vulnerabilities. This helps make complying with configuration standards and verification easier. Additionally, cloud-computing environments can more easily take a snapshot of a clean O/S image and use it to more quickly restore a hacked or infected system.
Depending on the cloud configuration, there can be a number of network, system, application, and data control matters that require special attention. Most security controls focus on limiting access, identifying accountability, controlling changes, and monitoring and logging significant events:
- Physical Security -- This is one of the foundational elements requiring verification. The physical environment containing the cloud-computing hardware, software and other components should use biometrics for physical access control and video cameras for ongoing facility monitoring, and should be housed in a hardened facility. There should also be a 24x7 security presence.
- Network Security and Logical Separation -- Firewalls and intrusion prevention systems (IPS) protect traditional networks, and specialized versions should exist within the cloud itself. The ability to isolate or protect particular portions of the cloud environment, known as logical separation, containing sensitive systems and data, is an access control requirement for most security standards. If in an outsourced environment, the cloud services provider should conduct annual audits and examinations against industry-recognized standards, such as SAS 70 Type II and the Payment Card Industry Data Security Standard, as well as those based on ISO 27001/27002.
- Inspection -- Firewalls and IPS are best for most network traffic streams. However, anti-virus/anti-malware and content-filtering capabilities should be used in a cloud-based IT environment. Data Loss Prevention (DLP) should also be considered, especially when sensitive information, such as financial data, personal data and proprietary intellectual property, is used or leveraged in the cloud.
- Administration -- Cloud hypervisors provide the ability to manage the entire cloud environment itself and require special attention. It is critical to protect these vital cloud-computing components since they have the ability to control every aspect of the environment. It is important to note that many security and compliance requirements call for different network and cloud administrators to provide a separation of duties.
- System Configuration -- The cloud can make standardization of virtual machine (VM) builds, or configurations, easier since each O/S can be locked down from a security standpoint. This can make meeting security requirements for system and application controls straightforward since the VM configuration already has the proper control settings.
- Comprehensive Monitoring and Logging -- Clouds provide varying degrees of monitoring and logging for network, system, application and data. These two functions are found in almost all security standards requirements. The ability to perform monitoring and logging should be clearly understood prior to the migration of any application to a cloud-based computing environment.
Cloud Computing Application Security
Application security is dependent on system and infrastructure components. As in a traditional computing environment, cloud computing also requires multi-layered protection. In addition to security at the layers below the application, there are specific application security controls:
- System Security -- VMs need to be protected by a host firewall, IPS and anti-virus, as well as regular patch management. There are also security solutions specifically designed for cloud and virtual environments that should be strongly considered.
- Application and Data Security -- Applications should have their own database whenever possible. Application access to databases should be limited to only what is minimally necessary. Monitoring and logging of applications and associated databases is also required.
- Authentication -- There are several areas of application authentication to address. User names and passwords should be upgraded to require two factors of authentication, such as a digital certificate or hardware token. Authentication and encryption should be required and used whenever and wherever it can be justified. Depending on the application, Security Assertion Markup Language (SAML) or eXtensible Access Control Markup Language (XACML) can be used to facilitate this protection since they provide important security features. Finally, authentication, authorization and accounting (AAA) packages should generally not be customized since this often leads to weakened protection due to improper implementation.
- Vulnerability Management -- As part of a solid software development lifecycle (SDLC), applications should be designed to be invulnerable to common exploits, such as those listed in the Open Web Application Security Project (OWASP) Top 10. Once applications are deployed in the cloud, they require regular patching, vulnerability scanning, independent security testing, and continuous monitoring.
- Data Storage -- The access to data stored in the cloud and the ability to retrieve it is a key issue. It is important to determine how different data is kept segregated. If an organization is using a cloud services provider, there should be specific contractual protections that outline the enterprise's ability to immediately access and transfer data within or from the cloud in cases of provider instability or a dispute.
- Change Management -- The change management process typically needs to include the various network, system, application and data administrators. Depending on the type of cloud service, a provider's administration needs to be taken into consideration. In addition, if using a third-party cloud services provider, change management activities may require close coordination and integration between the provider's and customer's change management processes.
- Encryption -- There can be compliance requirements for encryption of in-transit and at-rest data. For example, financial information should be encrypted both when stored and in transit. These types of requirements add the responsibility of protecting encryption and decryption points, as well as other key management responsibilities to maintain the integrity of this security control area. In most enterprise IT environments, the responsibilities for these areas are probably already established. In the cloud, encryption management can be more complex, requiring special focus and close coordination with the cloud services provider. In addition to meeting the security or compliance control requirements for encryption, specific contractual language needs to ensure access to encryption keys to maintain the ability for an organization to control its own data when a service provider is used.
Security for cloud-based applications must meet or exceed what currently exists in most traditional networks in order for manufacturers to be comfortable moving to the cloud. This starts with a heightened focus on creating and maintaining a more robust enterprise IT security posture.
Cloud security is dependent on all layers of the environment from the network all the way to the application and its data. Protecting these layers is very similar to traditional network environments, so it should be familiar territory for most organizations.
System and application security should be carefully designed, implemented, and managed for cloud environments. In addition to hardened operating systems, applications and data require segregation along with the use of strong authentication and encryption. If an outsourced environment is used, the cloud services provider's change management and monitoring capabilities will play a major role in the security of applications and data.
Therefore, it is best to devise an approach that reduces the potential risk of migrating to the cloud. A multi-layer security defense is possible in a cloud-based computing environment. At the end of the day, the benefits of cloud computing and cloud security requirements can coexist.
Donna Bauer is a business IT consultant with Verizon, focusing on supply chain management, manufacturing operations and enterprise transformation.
Ken Biery is a security consultant with Verizon, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud.