6 STEPS FOR ENSURING CLOUD SECURITY WHITE PAPER

N/A
N/A
Protected

Academic year: 2021

Share "6 STEPS FOR ENSURING CLOUD SECURITY WHITE PAPER"

Copied!
12
0
0

Loading.... (view fulltext now)

Full text

(1)

6 STEPS FOR

ENSURING CLOUD

SECURITY

(2)

Contents

Discovering the Cloud
Bringing Technologies Together
Debunking Cloud Myths
Addressing Security Concerns
6 Steps for Ensuring Cloud Security
Accessing Resources
Enabling Corporate Strategy
Mastering the New Paradigm

Discovering the Cloud

The cloud still represents a relatively new technological frontier for both companies and individuals. As such, it attracts both intense interest and uninformed speculation. The security profile of the cloud remains an area of serious contention. While some leaders still worry about storing critical data on networked resources that co-exist and interact with those of their competitors, the movement toward just that model has already begun. What began as a slow flow of users from on-premise tech solutions to web hosting has become a flood. CDW research has indicated that companies are reacting directly to their employees’ preference for the cloud. A combination of falling prices and promises of flexibility changed the image of the cloud, allowing companies to make their moves en masse. Security concerns remain, of course. Such a pronounced element of the early hype will take a significant amount of time to fully die out. Many of users’ early issues, however, are being revealed as myths and misinformation, and others are being invalidated by new developments.


Bringing Technologies Together

Research organization Gartner recently placed the cloud in its “Nexus of Forces,” a group of large trends shaping the future of IT. It sits alongside social, mobile and information, all major topics of conversation within the industry in 2012. Combined, the developments in these four areas create business value for users. Gartner noted that the cloud is the “glue” making sure the rest of the technologies work together.

The research firm stated that the entire view of IT and computing is shifting to a global model, largely moved along by the cloud. This means the consumer is now the key, with companies less beholden to their own limited view of progress. Development now occurs on a worldwide scale, with numerous sources contributing and reaping the benefits.

Debunking Cloud Myths

Many of the issues prospective users raise about cloud computing are based on an incomplete understanding of how it works or its current state of development.

Security expert Chris Hinkley noted that many leaders in the industry assume their companies cannot move into the cloud due to the many restrictions placed on various vital functions. This is often untrue, as the Payment Card Institute has drafted PCI-DSS rules that mention the cloud specifically, ensuring users know what actions to take. Hinkley also noted that many business users believe a successful hack of a peer using the same cloud provider could open their own data to attack. This is a misconception based on the difference between sharing resources and actually sharing space within the cloud. Even when companies draw on the same pool of digital resources, their files do not actually intermingle with those of other users. There are separate environments within hosted space, meaning an attack on one firm in the cloud is not a blanket attack on everyone hosted with that same provider.


Addressing Security Concerns

Though these basic misconceptions about the cloud can be easily dismissed, the cloud retains a persistent image as a less secure solution than on-premise hosting, as confirmed by the CDW report. In some sense, this seems inevitable. Companies know how their own systems work, more or less. Operating a dedicated data center is all some users know, and the image of the servers humming away within the building is easier to grasp than a nebulous “cloud.” Whatever the exact cause, there is definite unease among IT professionals regarding the role of online hosting.

A Ponemon Institute survey conducted in late 2011 found companies extremely uncertain about their own ability to manage the cloud and keep it secure. In fact, only 27 percent of respondents found their cloud server security management either excellent or good. The rest either rated their performance fair, poor or did not respond. The simple novelty of the cloud could be at fault here, with companies out of their comfort zone and adapting to new methods of protection.

While it may be easy to debunk specific concerns about the cloud’s interaction with certain industry standards like PCI, decision-makers must account for a variety of different laws and regulations, some of which are changing and evolving constantly. The medical field is especially concerned in these areas; few other sectors demand such absolute security for their customer data. HIPAA meaningful use guidelines are in the midst of a delayed rollout, with laws becoming more stringent every few years. Even firms with offline archives are hard-pressed to ensure files stay safe, meaning cloud users must face hard questions.

Every time a public cloud disruption strikes, businesses face a challenge they didn’t previously consider. These problems have struck several cloud service providers over the past few years, just as the technology has been rising to prominence. The IT media eagerly covers these disruptions, meaning leaders face serious questions about how to handle extended downtime and deal with reliability issues in case of a failure.


The need to exert control over a computing environment is not trivial. Companies have been developed on the concept that servers are a vital part of the business, and the IT department has always had a modicum of control over them. Placing trust in the hands of an outside vendor to continue to provide reliable computing could be very hard for some veteran IT professionals. Considering the cloud’s possible benefits, however, it is a step that many businesses will have to take within the next few years. Shunning the cloud may lead to companies falling behind.

6 Steps For Ensuring Cloud Security

There are several steps companies could take to avoid the problems inherent in new technology. An outlook omitting the cloud is misguided, as the cloud has become one of the leading enablers of corporate success. Gartner’s listing of the cloud as the “glue” between the other trends accurately sums things up. Mobility and information manipulation simply do not work as well when they have been compromised by an insistence on staying with legacy equipment in the data center. When considering cloud technology service providers, companies should ensure their selection of provider covers all six of the following security bases: physical infrastructure, network, virtualization, data, application and compliance.


1. Physical Infrastructure

Starting with the physical makeup and construction of a data center, the internal infrastructure is what houses the data and processes the workloads. The first consideration when moving production workloads outside of corporate walls should be the provider’s data center. Data centers come in all shapes and sizes, and some are built for specific applications and data types. Depending on the business type (insurance, healthcare, credit services), data center providers will certify their internal processes for infrastructure management, security, user access and, most importantly, data handling and data integrity. It is important to ensure that the provider of choice understands a customer’s business and can support the regulations and certifications that the customer is required to maintain.

2. Network

Provider networks, much like data centers, come in all shapes and sizes, designed to fit various business needs and growth requirements. How these networks are constructed from a security standpoint can vary widely. To ensure one company’s network is properly segmented from another’s, traffic should be routed separately and completely segmented from other portions of the infrastructure through network routing rules and policies. Redundant network routes also provide additional levels of protection by masking the flow of traffic through the different levels of infrastructure. Related to network protection are the practices of intrusion detection (IDS) and intrusion prevention (IPS). IDS and IPS should be combined in practice across all provider networks where production traffic is routed. The frequency of scanning should match the organization’s internal corporate standards and should also be regularly reviewed for accuracy.

3. Virtualization

The next step after deciding to move production workloads outside of corporate walls and identifying a qualified infrastructure vendor is considering how the workload will operate, and what platforms will support it. Virtualizing workloads provides a number of benefits, from cost reduction, to performance enhancement, to enhanced security. By virtualizing the workloads of production systems, a business is able to segment and spread discrete information across multiple aspects of the infrastructure. This segmentation and spreading reduces the known footprint and association of application data to malicious programs. These malicious programs have a harder time finding the pieces and putting them back together.

Virtualization of workloads also helps ensure the performance and availability of those workloads by spreading the work across multiple compute resources. The spreading effect mitigates single points of failure and provides real-time fail-safes to running systems. Virtual machines (VMs) are isolated from one another and don’t depend on each other to complete their jobs. If VM1 is not available, VM2 can step in and perform that job.

4. Data

The data that workloads depend on is often considered the most valuable IT asset within a company. Without the data, what would we process? How would we make money?

Considering the security of data and the practices around keeping it protected can sometimes make or break the selection of a particular service provider. It is no longer acceptable to just back up production data. Backed-up data without a restore policy does no good in the event of a disaster or service interruption. Data encryption comes in varying levels of complexity, most of it defined in standards published by the National Institute of Standards and Technology (NIST). Any business that holds customer data on file should be familiar with NIST and these encryption standards. The critical step here is ensuring that the service provider is also aware of these standards and can prove that it will maintain the same level of encryption while the data is running on its systems. An organization’s corporate policies should always trump the standard operating procedures of a service provider.

5. Application

For the application level, it really boils down to access. Who accesses the data, and how they access it, both need to be considered. For access into an application, companies should have very tight controls on all “root” and “administration” level access. Some technologies require administrative access for them to provide complete value, so there are times when this access is required. The important step here is to know and consistently audit who holds these levels of access, remembering to check the technologies that have been connected to


as Active Directory and LDAP, provide a single management interface into the application layer. If the service provider doesn’t leverage these types of technologies, an organization may want to consider the risk associated with having all of its user accounts individually tracked and managed without a central management technology.

Monitoring is applicable across all levels of a service provider’s solution and should be evident when reviewing their capabilities. At the application level, the ability to monitor usage, log files and download application information may be absolutely crucial to ensure that regulatory and compliance requirements are met. Service providers will almost always ensure the infrastructure, network and platforms are monitored so they can meet their stated service level agreements. Application monitoring is customized to a business’s specific needs and should be implemented with compliance needs in mind.
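The audit the Application step calls for, knowing who holds root or administrator access and whether each such account is tracked in the central directory, can be run as a routine check. The script below is an added example, not code from the white paper or from Xtium; the system inventory, directory membership and approved-admin group are constructed sample data, and the issue labels are assumed names.

```python
"""Privileged-access audit across hosted application systems (added example).

Cross-checks every account holding a "root" or "administrator" role on each
hosted system against the central directory (an Active Directory / LDAP group
in practice) so that privileged access that is managed only locally, or that
was never approved, shows up as a finding.
"""
from dataclasses import dataclass, field

PRIVILEGED_ROLES = {"root", "administrator"}


@dataclass
class Finding:
    system: str
    account: str
    role: str
    issue: str  # assumed labels: "not-in-directory" or "unapproved-admin"


@dataclass
class AuditReport:
    findings: list = field(default_factory=list)

    def by_issue(self, issue):
        """Accounts flagged with a given issue, sorted for stable comparison."""
        return sorted(f.account for f in self.findings if f.issue == issue)


def audit_privileged_access(inventory, approved_admins, directory_users):
    """inventory: {system: {account: role}} as exported from each hosted system.
    approved_admins: directory accounts approved for privileged access.
    directory_users: every account the central directory knows about.
    Returns an AuditReport with one Finding per privileged account that is
    either unknown to the directory or known but not approved."""
    report = AuditReport()
    for system, accounts in sorted(inventory.items()):
        for account, role in sorted(accounts.items()):
            if role not in PRIVILEGED_ROLES:
                continue  # ordinary users are out of scope for this check
            if account not in directory_users:
                # Local-only privileged account: tracked nowhere centrally.
                report.findings.append(Finding(system, account, role, "not-in-directory"))
            elif account not in approved_admins:
                # Known to the directory but never approved for admin access.
                report.findings.append(Finding(system, account, role, "unapproved-admin"))
    return report


# Constructed sample data: two hosted systems, a small directory, one approved admin.
INVENTORY = {
    "billing-app": {"alice": "administrator", "svc_backup": "root", "bob": "user"},
    "crm-db": {"alice": "root", "carol": "root", "dave": "user"},
}
DIRECTORY_USERS = {"alice", "bob", "carol", "dave"}
APPROVED_ADMINS = {"alice"}

if __name__ == "__main__":
    for f in audit_privileged_access(INVENTORY, APPROVED_ADMINS, DIRECTORY_USERS).findings:
        print(f"{f.system}: {f.account} ({f.role}) -> {f.issue}")
```

Re-running the check on each export and diffing the findings against the previous run gives the consistent audit trail the step asks for.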

6. Compliance

Compliance, regulations and the really scary stuff that the government says companies need to have all vary depending on the type of service a company provides, the type of data that is handled and the type of customers that are supported. A service provider should have a clear understanding of the business and the regulatory requirements with which the organization must comply. A service provider that is not PCI compliant would not be a good fit for a retail company looking to outsource its back-end data processing systems. The same applies to a service provider without an understanding of the Health Insurance Portability and Accountability Act (HIPAA) as it applies to IT that is asked to host a hospital’s client care system or billing applications. When selecting a provider, an organization should be sure that the provider understands the business and can pass all required audits.


Accessing Resources

While the newness of the cloud may prevent users from developing an infallible list of best practices, there are very helpful resources currently available. The U.S. National Security Agency (NSA) spearheaded development of 20 guidelines collectively called the Critical Security Controls. Developed and tweaked through industry input, they cover a wide variety of factors.

For example, the Critical Security Controls involve testing protocols users can run on their systems in order to ensure no risks arise. They also lay out a few classic procedures companies must go through in the cloud. These involve defense against malware and application protection. Companies must also have backups for their data if they hope to remain fully secure. As the cloud is meant to serve many of the same functions as legacy infrastructure, it is perhaps unsurprising that so many of these procedures echo those for older systems.

Enabling Corporate Strategy

Once a company has access to the new, safe cloud and a contract that leaves no ambiguity about responsibilities, it can launch exciting new initiatives. With a reliable and trustworthy cloud structure in place, a company can extend the workplace and welcome remote employees into the main infrastructure. Instant connection, both internally and with partners, could mean a general increase in agility, a powerful and sought-after goal. Leaders with such options can stop thinking about new initiatives in a linear fashion and develop new plans that disregard physical distance or computing limitations.


Mastering the New Paradigm

Some of the best software and infrastructure development in the enterprise world is being directed at improving cloud functionality, and companies that choose to overlook the systems could become marginalized in their own industries. Staying on top of things takes some extra effort, but can be rewarded through the creation of the infrastructure businesses need to succeed.

The steps required to overcome the cloud’s drawbacks and master its use are fairly straightforward. Businesses need to remember that the systems are similar to legacy options in many ways, and not abdicate their responsibility for security. At the same time, leaders must bear in mind the important role cloud providers play in the overall equation. Embracing the nuances of hosted computing and online access to documents and files means stepping into a new paradigm. As confidence in cloud security grows, more and more businesses are taking this first step, and the cloud is set to become the way IT functions are accomplished.

Xtium, Inc.
650 Park Avenue, Suite 220
King of Prussia, PA 19406
800-707-9116
www.xtium.com

All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.

Sources:

www.gartner.com/it/page.jsp?id=2097215
www.securityweek.com/three-public-cloud-security-myths
www.dome9.com/resources/ponemon-cloud-security-study
www.sans.org/critical-security-controls/
searchcloudsecurity.techtarget.com/news/2240172452/Cloud-security-begins-with-the-contract-says-expert
www.cdwnewsroom.com/cdw-report-work-imitates-life-in-cloud-computing-adoption/

Xtium, Inc. © 2013. All Rights Reserved.

About Xtium

Xtium is the next generation business partner delivering secure, flexible cloud-based solutions that enable business growth. We extend your IT capability by offering enterprise class, fully managed cloud hosting solutions for your network, data and production applications. We are the only business partner that offers certified solutions from Riverbed, SAP, and VMware. We’re also the only partner that can provide your company with onsite disaster recovery and local failover paired with enterprise class cloud infrastructure that completes the trifecta of reliability and scalability for your business. Find out how Xtium can take your business to the next level at www.xtium.com.
