TMCnet News
Multiple Cloud Formations Require New Security Approaches [eWEEK](eWEEK Via Acquire Media NewsEdge) New-generation service providers are filling gaps in private-public cloud security. Reliable user authentication in deployment of a cloud service is of utmost importance. Even though a cloud service to which you subscribe may have two-factor or higher levels of secure authentication, certain protocols must be observed and rules must be followed to enter each session. Frequent changing of passwords is required, and those passwords often must be long and complicated. However, in this day of increasingly sophisticated hacking practices, conventional online authentication for access to these systems and services is often not enough - especially for systems moving highly sensitive data in industries like finance, health care and retail, as well as government. As cloud services gain more traction at all levels - from home users to large enterprises - providers are coming up with new ways to keep everything tight. Another factor in cloud computing security is coming to the fore as more of these service systems come online: Private clouds are now interacting with public cloud services and each other - especially in large enterprises with numerous partners, affiliates and contractors. These multiple cloud formations require a whole new perspective on security. Multiple-Level Security CloudPassage, a startup founded by CEO and RSA Security veteran Carson Sweet, is taking a leadership role in this area. Sweet describes the company's Halo Netsec service, launched Jan. 31, as the industry's "first and only server and compliance service that specifically provides multiplelevel security for elastic cloud servers." Halo Netsec features a firewall, two-factor authentication and intrusion-detection capabilities through a cloud service. Literally, this is a "secured security" service. At this point, Halo Netsec is alone in securing cloud services because it enables administrators to build a perimeter defense without having to worry about the physical network. It secures everything from the endpoint to the virtual server, even if some or all ofthat traffic is passing over a public Internet - or from cloud to cloud. This is of huge importance to IT administrators, especially when managing cloud services, because those administrators have no control or management capabilities for the public portion of cloud communications. Once installed and configured, administrators are able to apply firewall rules and policies to any connection accessing public, private or hybrid cloud services. A small (3MB) security daemon works with CloudPassage's computing grid to enforce rules, policy and monitor for intrusions. CloudPassage also added a physical aspect to cloud security: a USB key that creates a one-time password for each session. This may become a trend as time goes on and tighter security becomes mandatory. "When people look at adding security to a cloud system, they generally think they're buying a slice of something," CloudPassage founder and CEO Carson Sweet said. "So now we're doing full-blown dynamic firewall management, multicloud. We're going to cross-cloud [systems], so we can have servers in EC2 [Amazon's Elastic Compute Cloud], in Rackspace and in Terremark with one policy over all of them. The most interesting aspect of this continues to be that it all just works in the cloud." Replicating Problems Security doesn't work the same way in public and private cloud environments as it does in on-site data centers. "When individual servers, especially in a cloud system, become vulnerable, you can clone those things so fast," Sweet said. "And when you clone one of those servers, you're also cloning every vulnerability. Pretty soon, a big cloud server farm can begin to look like a chunk of Swiss cheese. You replicate the problems along with the actual server." Sweet gave the example of a legendary cloud server he knew about (but couldn't name) "that was just plopped out there. We called it Typhoid Mary because when that started to get replicated, it was really bad news," he said. 'We've gotten away with this in the data center for years because of the firewalls and other security on the hardware devices. But you can't do that in the cloud." A reliable cloud security service is becoming viable for smaller companies. Eric Maass, CTO of Rhode Islandbased Lighthouse Security Group, which makes a cloud security gateway, designed and deployed the cloudbased identity-access management system used by the U.S. Air Force. "Because of compliance issues that are raining down, we're seeing midrange and SMBs trying to become PCI- or SOX [Sarbanes-Oxley Act]-compliant," Maass said. "And they're being asked to step up their security to do business with Fortune 500 companies. "They're trying to figure out cloud security internally for the first time, and the approach of throwing lots of bodies, time and money at the problem to see what sticks is not amenable to organizations ofthat size. Large companies can do it, but smaller ones don't have the budget or expertise." The obvious answer: a clouddelivered security service that's flexible enough to work within a firewall and with public cloud services. Cloud Drives Security Forrester Research projects that the cloud security market will grow to $1.5 billion by 2015- a shift that will disrupt what it calls the "security solution ecosystem." In a report entitled "Security and the Cloud," Forrester analyst Jonathan Penn predicted that rather than reallocating portions of existing security budgets to cloud computing, companies will allocate money to security within cloud projects, creating "a whole new category of revenue for the security market." "I'd still say that there's a lot more activity on SaaS [software as a serviceenabling security solutions - security in the cloud - than solutions that secure clouds," Penn told eWEEK. "Concerns about cloud security have grown in the past few years," he added. "In 2009, the fear was abstract: a general concern, as there is with all new technologies when they're introduced. ... Today, however, concerns are both more specific and more weighty. We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes, and they are more likely to defer adoption because of security inadequacies than to go ahead despite them." Key Points to Ponder in Cloud Security Harold Moss, CTO of Cloud Security Strategy at IBM, gave eWEEKa list of key points that must be addressed by an enterprise when it deploys its own cloud system security. They are as follows: 1. Conduct a thorough security evaluation: Prior to migrating to cloud technologies, organizations should evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity that organizations should use to check their cloud applications for common vulnerabilities. 2. Identify the foundational controls: Foundational controls are core to an organization's security philosophy. They represent maybe 60 or fewer security controls that protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls. 3. Cloud security should be workload-driven: Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations. 4. Implement a risk-mitigation plan: Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk-mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk and responses to those risks, but also education and training. 5. Actively monitor performance: Failing to properly monitor cloud implementations can result in performance, satisfaction and security issues. Implement an active monitoring program that identifies threats to the success of the cloud implementation. - CP. eWEEK Editor in Chief, Features & Analysis, Chris Preimesberger can be reached at [email protected]. (c) 2012 Ziff Davis Enterprise Inc. |