Cloud Security

Posted by Mark Greisiger

A Q&A with Robert Krauss, Partner at Director of Enterprise Sales and Alliances at BitDefender
Whether they are looking for robust third party business applications, cost-effective storage, or saving on IT operational maintenance, businesses are increasingly thinking about outsourcing their computing to the cloud (i.e., remote computing and storage environments). As cloud technology is gaining some acceptance, however, organizations should be aware of the risks that it poses. I spoke to Robert Krauss, director of enterprise sales and alliances at BitDefender, about some basic security concerns and strategies for safe cloud usage.

What are some legitimate security concerns about Cloud Computing?
Encryption
is a concern, since many providers don’t offer native encryption for data at rest. These days most providers are pushing customers to a third-party solution. This way, if an organization requests the data for a legal order the provider can hand over scrambled 0s and 1s and say that the organization will need the key from the end user. This cuts down on the resources required to service every request on the provider’s end. If I was implementing a solution today, I wouldn’t have all of my eggs in one basket. For example, I might have the cloud service provider host the data, but I would have the keys generated onsite or via the encryption solution provider, with my organization controlling the key generation. This way no one has all the control.

IDS/ Logging is another concern. If you want to implement IDS, you may be handicapped by the provider’s terms of use and the inability to sniff LAN traffic.
It’s true that there’s a limit to what you can get from the network from cloud service providers. You can do host-based IDS through a variety of vendors, or this functionality can be made available from the cloud service provider for an added fee.

I hear all the time from customers that their current vendors say that their applications should work exactly the same in the cloud. This isn’t always true, especially around security. There are many new products that are optimized for virtualized, cloud environments. So I would say don’t take a vendor’s response at face value.

What are some common misconceptions about security and cloud computing?
I think that the idea that the cloud offers a single point of failure is one of the biggest misconceptions out there. Actually, I think the cloud provides way more redundancy at a fraction of the cost of in-house data storage. Most cloud providers can provide better zonal coverage, which equals redundancy. For example, Amazon has five regions on four continents with redundancy in each. To do this in-house would be a massive undertaking and expense when it’s not a core part of the customer’s business.

Another issue is access controls. People often think that there is generally only minimal user authentication required for shared access. I disagree as access in the cloud is typically user configurable, and organizations can apply the same levels of authentication if they use the right tools, and there are many out there now.

People also tend to be concerned about timely patch management and this is another area that I actually think is easier in the cloud. Again, this comes back to how your organization does these activities today. The cloud provider doesn’t know or care what OS or applications you are running, so ultimately it’s the user’s responsibility to make sure there is adequate protection.

What security concerns are the same for cloud and private networks?
Here, too, there are many misconceptions. Most people believe that control of the data is more of an issue in the cloud, because when you have your data behind a firewall and on your servers, you know where it’s stored. However, I would say that if you take precautions to protect your applications and data you have similar control in the cloud as you do elsewhere.

Another concern that I’d argue is the same in the cloud as in private networks is data segregation. It is true that there’s a shared underlying infrastructure in the cloud. Do I worry about co-mingling of data or data being leaked? No, or at least not more than I would if the data was stored in-house. What’s to say a disgruntled employee at your organization couldn’t steal or leak data? It’s perhaps even easier when it’s in-house because that employee probably knows what he’s looking for. Keep in mind, too, that there are variations between cloud providers. Sure, you can go into your cloud service provider and pay for basic service. However, most offer options for dedicated storage and data encryption.

Back-up and retention of records involve the same risks whether you use the cloud or not. As with an organization’s physical network, all of the back-up functionality is built into the cloud. It is up to the organization to decide what gets backed up, and to where, and who internally has access.

The cloud can offer redundancy, so there should not be a threat of a prolonged outage resulting in business interruption. Again, this is exactly the same as if you provided the network in-house. It becomes a question of architecture. Months ago, we saw a cloud provider have an outage, and some of its customers were unaffected because they planned failover into their architectural decisions.

As far as SLAs go, most providers can provide higher security assurances for you, but you’ll pay more. Most providers have done compliance for PCI, SOC1, and will provide access to audit reports so you know what the vendor is responsible for.

What are some security solutions for cloud computing?
In terms of encryption, there is Trend Micro’s SecureCloud, and your readers should look at SafeNet for encryption as well. In general, the key here is that organizations should start slow with an application to get their feet wet, and avoid any data with confidential information at first. If an organization is going to put confidential information out there, they absolutely should use some sort of encryption technology. They should expect a slight overhead in the range of 8-10%.

In addition to protecting their data, organizations should leverage technology from organizations like BitDefender, which are specially designed for this sort of environment. Users need to think about this process in terms of protecting themselves from the hypervisor up. It’s not just about protecting data but the OS and the applications that interact with the data. Keep in mind that different infrastructure as a service (IaaS) providers offer different services. For example, AWS provides the core infrastructure. However, they provide a whole ecosystem of solutions for organizations to work with directly. Others like GoGrid can help you bundle solutions specific to your requirements.

In conclusion…
There are some concerns pertaining to cloud-based services that insurers and clients should strive to understand, but one may argue that for a small or medium-sized organization, a cloud provider may have the resources to protect network assets and information in a stronger manner than if the organization internalized that responsibility and function. Mr. Krauss did a nice job of summarizing some emerging third-party encryption solutions that can help organizations protect their outsourced data. Should a hacker breach occur they could still have some protection, including legal “safe harbor” to mitigate their data breach (liability) risk exposure.