By Kim Khor.
Cloud security is such a wide topic it really isn’t just one. Organisations using cloud services do so for specific reasons and those various reasons require various solutions, including security.
Conceptually, there are three basic areas of cloud services:
- Storage: Basic examples are online backups and photo-sharing. More complex examples include content delivery networks that have fast, local copies all over the world, and complicated version control and localisation.
- Services: This area ranges from low-level computing resources (elemental processing power) to sophisticated Software as a Service (SaaS) offerings. Webmail is an example of a basic model. More complex, are the contact managers for sales teams or project management systems for managers. Large complex customised systems can provide everything a large organisation uses in their core business.
- User Interfaces, Or Virtual Machines (Often Referred To As Integration Or Virtualisation): This provides a way for people to interact with the various systems as a whole. This might entail websites, apps, or the screen of a PC for staff to connect to remotely.
You can think of these three areas as layers – the user interfaces access the SaaS services (equivalent to the old software application), which in turn use the data in the cloud storage.
When buying these capabilities, one is faced with a choice of levels of detail. For example, to use a SaaS, one might simply get a hosted calendar and email system from the phone company. At the complex end, one will buy various low-level cloud computing components and build a system from scratch. Horses for courses.
The business reasons for using the cloud are also various. Generally, there are three:
- Cost: This is also related to evolution. In 1912 you might have had an in-house mechanic to run the staff cars. These days, you probably don’t own the car at all. As the technology revolution continues, optimisation of this kind will happen through natural growth. There is also a secondary market for unused cloud resources which are significantly cheaper again. This works something like standby tickets with airlines. Non-time-critical processing, such as research analytics, can be done at amazingly cheap rates.
- Reach: We can do things we otherwise couldn’t. We never had the speed/capacity/sophistication/reliability/horsepower before. You can probably see that this is, in fact, often the same as the first item, cost. This also includes third-party provisioning of security functions via the cloud.
- Pressure: The software, data or communication lines for one’s specific industry is now only available from the cloud.
Five Security Perspectives
There are many checklists and technical standards for cloud security but a template will always require tweaking. Before getting to that level of detail, I take a 30,000-foot view. I find these are the broad conceptual areas those technical things should be based on:
Data Protection: Firstly, the cloud is not for everyone. There are many industries and regulatory areas that are effectively or explicitly prohibited from storing data in the cloud.
For the rest, encryption is a big part of the solution. There are many systems and services that help you manage your information something like a safety deposit box. Even though you don’t own the shelf, you have the key to the box.
Disposal is also important. Many typical computer forensics techniques rely on residual data left on computers – something like fingerprints and fibres in the old world. If we do not exercise good hygiene, we leave all the treasure for the cloud companies and the bad guys to sift through as they please.
Redaction is a potential solution for some scenarios. In terms of available technology, a number of industries such as healthcare have a lot of functional experience in de-personalising data. Hiding or withholding identifying features of information can make the bulk data useless to an outsider. The maths can be quite advantageous with the appropriate kind of information
Finally, how do you do backups? How much of the data and system do you want to have direct control of in a backup of some kind? Rules about document retention and e-discovery apply to almost all organisations. The definition of a document or discoverable item of information has changed over time and will likely continue to do so.
Small Steps: Experience has taught us that migrations are messy projects. Like when you move house, security is compromised when messy projects happen.
Change your mindset to augmentation of your IT, rather than replacement. This will allow you to find more gentle paths to the benefits of the cloud and to begin a natural evolution towards the new ways. It will also allow your existing capital to remain productive for its full life.
Regarding technology, Single Sign-on (SSO) architecture is often the easiest for users as well as the most inherently-secure approach. It may seem to be a large and dispensable ledger item, but it provides many layers of leverage throughout the architecture. It will pay off.
Redundancy: Disaster recovery is always relevant but the redundancy aspect of your assurance efforts is key in the cloud. Amazon’s EC2 suffered outages a number of times in 2011. Many large businesses were briefly knee-capped. Security conditions are changed markedly in cloud outages, both in terms of the vulnerabilities and the resourcing of security operations. Consider what scenarios would really turn things upside-down.
You cannot assume the cloud will be 100 per cent reliable. Design of redundancy can be elsewhere in the business systems, like the old click-clack credit card impression machine backing up the early EFTPOS. That kind of solution can seem quite attractive once one examines the differences between cloud suppliers. It’s not as easy as having a second ISP for your Internet connection. Different cloud suppliers are unlikely to display much similarity or compatibility at all.
There is also an integrity issue here. While not completely accurate, one can think of it simply in this way: If something is lost during an outage and the cloud system restores a backup, how recent is it? Is it one full one or lots of different backups merged together?
Audit And Forensics: At the outset, it might seem that audit trails, preserving logs and digital hygiene generally, is a waste of energy and completely boring. Hopefully, you’re right. Unlikely though.
The leftover data will provide you with:
- investigation and evidence production capability;
- planning and decision information for data protection and disaster recovery;
- an important leg to stand on in dispute resolution with your cloud supplier.
Many suffer regulatory obligations of this kind and have no choice. There are many hidden HR issues as well.
The simple example is where you think you used five units of cloud but you get billed for five million units. How do you efficiently determine whether the supplier is overcharging? A cousin of the old phone-bill negotiation.
Another aspect here is to know your contract. Understanding the market and the details of your contract in context is a matter of competence. You must understand where your supplier’s obligations end and where you need to pick up slack. You must be able to oversee and assure the supply. Finally, you must know when it’s time to cut your losses and change supplier. Ouch – best to get it right first time.
The central governance library is still the authoritative reference for assurance, cloud or no cloud. Many IT departments quietly suspend the security policy when they enter the cloud. The old policy for the old systems and a new, half-baked second draft policy for the new project, just while we test things. We call those a country house where everyone in the family knows the patio door is left unlocked.
It is important for reasons of optimisation and integrity that you do not serve two masters. Gently evolve the central security policy suite and it will continue to give faithful service.
Professional decisions should be made with reference to higher doctrine or principles. Configure your security policy so that it gives decision guidance for all manner of decisions.
The Big Picture
All the things we like about cloud computing are also great for the bad guys. Online threats are generally perpetrated using rented resources. They might be sharing a processor with you right now.
As the level of abstraction increases and the commoditisation of sophisticated tools continues, the bad guys will be harder to see. On our side, continued financial and intellectual support of macro-level innovation is critical.
It is important more than ever that we each get our backyards neat because we are all links in the cyber-security chain.
Kim Khor is a computer forensics expert. Kim consults on network security, incident response, risk and compliance, investigations, and electronic evidence management in the Asia Pacific region. Email: firstname.lastname@example.org.