Is My Public Cloud Too Public? Part 4

Is My Public Cloud Too Public? Part 4

Secure Identity, Information, and Infrastructure

Continued From Part 3

Public cloud computing requires a security model that reconciles scalability and multi-tenancy with the need for trust. As enterprises move their computing environments along with their identities, information and infrastructure to the cloud, they must be willing to give up some level of control. To do that, they must be able to trust cloud systems and providers, and verify cloud processes and events. Important building blocks of trust and verification relationships include access control, data security, compliance and event management—all security elements well understood by IT departments today, implemented with existing products and technologies, and extendable into the cloud.

Securing the Public Cloud

Identity security

End-to-end identity management, third-party authentication services, and federated identity will become key elements of cloud security. Identity security preserves the integrity and confidentiality of data and applications, while making access readily available to appropriate users. Support for these identity management capabilities for both users and infrastructure components will be a major requirement for cloud computing, and identity will have to be managed in ways that build trust. It will require:

  • Strong authentication: Cloud computing must move beyond weak username-and-password authentication if it is going to support enterprise. This will mean adopting techniques and technologies that are already standard in enterprise IT, such as strong authentication (multi-factor authentication with one-time password technology), federation within and across enterprises, and risk-based authentication that measures behavior history, current context and other factors to assess the risk level of a user request. Additional tiers of authentication will be essential to meet security service level agreements (SLAs), and utilizing a risk-based authentication model that is largely transparent to users will reduce the need for broader federation of access controls.
  • More granular authorization: Authorization can be coarse-grained within an enterprise or even a private cloud, but in order to handle sensitive data and compliance requirements, public clouds will need granular authorization capabilities (such as role-based controls and information rights management (IRM)) that can be persistent throughout the cloud infrastructure and the data’s lifecycle.

Information security

In the traditional datacenter, controls on physical access, access to hardware and software, and identity controls all combine to protect data. In the cloud, this protective barrier that secures infrastructure is diffused. To compensate, security will have to become information centric. The data needs its own security that travels with it and protects it. It will require:

  • Data isolation: In multi-tenancy situations, data must be held securely in order to protect it when multiple customers use shared resources. Virtualization, encryption and access control will be workhorses for enabling varying degrees of separation between corporations, communities of interest, and users. In the near future, data isolation will be more important and executable for IAAS, than perhaps for PAAS and SAAS.
  • More granular data security: As the sensitivity of information increases, the granularity of data classification enforcement must increase. In current datacenter environments, granularity of role-based access control at the level of user groups or business units is acceptable in most cases, because the information remains within the control of the enterprise itself. For information in the cloud, sensitive data will require security at the file, field, or even block level to meet the demands of assurance and compliance.
  • Consistent data security: There will be an obvious need for policy-based content protection to meet the enterprise’s own needs as well as regulatory policy mandates. For some categories of data, information-centric security will necessitate encryption in transit and at rest, as well as management across the cloud and throughout the data life cycle.
  • Effective data classification: Cloud computing imposes a resource trade-off between high performance and the requirements of increasingly robust security. Data classification is an essential tool for balancing that equation. Enterprises will need to know what data is important and where it is located as prerequisites to making performance cost/benefit decisions, as well as ensuring that data-loss-prevention procedures focus on the most critical areas.
  • Information rights management (IRM): IRM is often treated as a component of identity, a way of setting broad-brush controls regarding which users have access to what data. But more granular, data-centric security requires that policies and control mechanisms on the storage and use of information be associated directly with the information itself.
  • Governance and compliance: A key requirement of corporate information governance and compliance is the creation of management and validation information—monitoring and auditing the security status of the information with logging capabilities. Here, not only is it important to document access and denied access to data, but also to ensure that IT systems are configured to meet security specifications and have not been altered. Expanding retention policies for data policy compliance will also become an essential cloud capability. In essence, cloud computing infrastructures must be able to verify that data is being managed according to the applicable local and international regulations (such as PCI and HIPAA) with appropriate controls, log collection and reporting.

Sensitive data in the cloud will require granular security, maintained consistently throughout the data life cycle.

Infrastructure security

The foundational infrastructure of a cloud must be inherently secure, whether it is a private or public cloud or the service is SAAS, PAAS or IAAS. It will require:

  • Inherent component-level security: The cloud needs to be designed to be secure, built with inherently secure components, deployed and provisioned securely with strong interfaces to other components, and, finally, supported securely by vulnerability-assessment and change-management processes that produce trust-building management information and service-level assurances. For these flexibly deployed components, device fingerprinting to ensure secure configuration and status will also be an important security element, just as it is for the data and identities themselves.
  • More granular interface security: The points in the system where hand-offs occur—user-to-network, server-to-application—require granular security policies and controls that ensure consistency and accountability. Here, the end-to-end system needs to be either proprietary, a de facto standard, or a federation of vendors offering consistently deployed security policies.
  • Resource life cycle management: The economics of cloud computing are based on multi-tenancy and the sharing of resources. As customer needs and requirements change, a service provider must provide and decommission those resources—bandwidth, servers, storage, and security—accordingly. This lifecycle process must be managed for accountability in order to build trust.
By Gopan Joshi

Gopan is Product Manager: Cloud Computing Services, Netmagic Solutions Pvt. Ltd. and has expertise in managing products and services in various market scenarios and life cycle stages. His experiences ranges from introducing cutting edge innovations in existing products, existing markets to new technology, new markets

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

DDoS Attacks October 21st, 2016 went into the annals of Internet history for the large scale Distributed Denial of Service (DDoS) attacks that made popular Internet properties like Twitter, SoundCloud, Spotify and Box inaccessible to many users in the US. The DDoS attack happened in three waves targeting DNS service provider Dyn, resulting in a total of about…

Don’t Be Intimidated By Data Governance

Don’t Be Intimidated By Data Governance

Data Governance Data governance, the understanding of the raw data of an organization is an area IT departments have historically viewed as a lose-lose proposition. Not doing anything means organizations run the risk of data loss, data breaches and data anarchy – no control, no oversight – the Wild West with IT is just hoping…

The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it crunchy.…

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each…

Beacons Flopped, But They’re About to Flourish in the Future

Beacons Flopped, But They’re About to Flourish in the Future

Cloud Beacons Flying High When Apple debuted cloud beacons in 2013, analysts predicted 250 million devices capable of serving as iBeacons would be found in the wild within weeks. A few months later, estimates put the figure at just 64,000, with 15 percent confined to Apple stores. Beacons didn’t proliferate as expected, but a few…

Cloud-Based Services vs. On-Premises: It’s About More Than Just Dollars

Cloud-Based Services vs. On-Premises: It’s About More Than Just Dollars

Cloud-Based Services vs. On-Premises The surface costs might give you pause, but the cost of diminishing your differentiators is far greater. Will a shift to the cloud save you money? Potential savings are historically the main business driver cited when companies move to the cloud, but it shouldn’t be viewed as a cost-saving exercise. There…

Your Biggest Data Security Threat Could Be….

Your Biggest Data Security Threat Could Be….

Paying Attention To Data Security Your biggest data security threat could be sitting next to you… Data security is a big concern for businesses. The repercussions of a data security breach ranges from embarrassment, to costly lawsuits and clean-up jobs – particularly when confidential client information is involved. But although more and more businesses are…

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…