technical data security cloudviewer.media.bitpipe.com/1127859424_295/1297095813_497/...technical...

Technical Guide on Data Security and the Cloud
SEARCHCLOUDSECURITY.COM


Post on 07-Sep-2020


SEARCHCLOUDSECURITY.COM presents a comprehensive guide to data security in the cloud. Our experts cover all the angles in order to help you keep data safe as you move infrastructure and services into the cloud.

Data Security and the Cloud

Information technology is undergoing a radical change because of cloud computing. Information security must change its approach to data protection right along with it.

Contents

Exploring data security in the cloud
COMPLIANCE: Questions surrounding compliance and security issues are essential to consider when deciding whether to use cloud service providers. BY DAVID MORTMAN

Be ready for risk management challenges
MANAGEMENT: Cloud computing changes the way enterprises do IT, and how security approaches risk and compliance. BY MICHAEL COBB

The risks and benefits of cloud computing services
RISK ASSESSMENT: Cloud engagements provide immediate business benefits, but risks cannot be ignored. BY RON CONDON

Preparing the network for a cloud implementation
NETWORK SECURITY: Meld your current network security with a cloud provider’s for the smoothest transition. BY MICHAEL COBB

Maintaining security after a cloud computing implementation
OPERATIONS: The real security job begins after you’ve migrated your data and applications to the cloud. BY MICHAEL COBB


Exploring Data Security in the Cloud

Questions surrounding compliance and security issues are essential to consider when deciding whether to use cloud service providers. BY DAVID MORTMAN


AMID AN EVER-INCREASING bevy of regulations that enterprises need to worry about—from SOX and PCI DSS to HIPAA/HITECH and the FTC’s Red Flags Rules—and a growing number of cloud service providers to choose from, enterprises have a lot of options and a lot of questions to consider concerning cloud computing compliance.

While migrating services to the cloud may provide many benefits, it does not absolve an enterprise of certain responsibilities. Most notably, the enterprise is still required to remain compliant with the assorted regulations and laws that it would fall under had it retained that service inside the company.

In some cases, as with PCI DSS, there is definite potential to reduce a company’s compliance scope by outsourcing certain services. Most notably, by wholesale outsourcing the credit card processing to a third-party provider, an organization’s PCI scope will be significantly smaller (though it will not go away completely). With the FTC’s Red Flags Rules, however, that is not the case, as the FTC has mandated that any outsourcing must entail equivalent or better security than the enterprise would have implemented internally.

As you start to investigate moving services to the cloud, it’s important to ask several cloud computing compliance questions:

1. Does the data that will be moving to the cloud fall under any compliance-related regulations or requirements? This includes data such as personally identifiable information (PII), personal health information (PHI), or corporate finance-related information.

2. If the answer to question one is yes, which regulations does it fall under and what controls are necessary?

3. Can the cloud provider actually offer the identified or equivalent controls that your organization’s data requires?

4. Does the cloud provider have the necessary policies, processes and procedures to properly maintain those controls?

5. Does the provider have appropriate disaster recovery and business continuity processes to meet your organization’s business needs?

6. What happens if the cloud provider goes bankrupt? Can the enterprise’s data be sold to a creditor or at auction as a provider’s asset?

7. Should I decide to change providers, is there an easy way to export my data in a useable format?

8. Is the provider willing to alter its default terms of service in order to guarantee or provide service level agreements (SLAs) around questions 3-7?

That last question is particularly important because many cloud providers refuse to use anything other than their default contract language. As a result, they have effectively eliminated themselves from being potential providers of compliance data-related services. Several of the compliance regulations, most notably HIPAA/HITECH and the FTC Red Flags Rules, specifically mandate that an enterprise must have contracts with its service providers mandating appropriate controls, processes and procedures in accordance with each regulation’s guidelines.

Similarly, if the providers can’t meet the requirements of questions 3-7, they should also be eliminated from contention for your company’s business. Lack of ability to meet requirements is a problem especially when it comes to PCI DSS and HIPAA/HITECH. Thus, you will quickly find that your options for cloud service providers are limited—at least in the short term—though rumor has it that several of the larger cloud providers are working on retooling their systems to meet these compliance needs. There are a handful of cloud providers on the healthcare side that have built applications specifically to meet the needs of the healthcare industry, but I have not yet seen any security evaluations of these applications to determine their effectiveness.

In the meantime, I recommend passing the above questions to providers that you’re evaluating, much like you would pass them a request for information (RFI) for any other outsourcing project, and then choose the provider that can best meet your needs.

Alternately, if none can, investigate ways of removing or obfuscating the relevant data (such as hashing or encrypting information prior to moving it to the cloud), so your organization can still get the business benefits of the cloud.

David Mortman is director of operations and security at C3 LLC.
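The hashing option recommended at the end of the article above, as an added example that is not part of the original guide: each regulated field is replaced by a keyed HMAC token before the record is uploaded, and a check shows why an unkeyed hash of a low-entropy identifier protects nothing. The field names, the record, the candidate range and the key are all constructed for illustration, and the key is assumed to stay inside the enterprise.

```python
"""Keyed pseudonymization of regulated fields before a record leaves the enterprise.

Everything here (field names, record, key) is constructed for illustration.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Fields this constructed record layout treats as regulated (PII/PHI).
SENSITIVE_FIELDS = {"ssn", "patient_name", "date_of_birth"}


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Deterministic and public, so anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 token. The field name is mixed in so that the same value
    stored in two different fields does not produce the same token."""
    message = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return the copy that may go to the provider: sensitive fields become
    tokens, everything else passes through unchanged."""
    return {
        name: keyed_token(key, name, str(value)) if name in SENSITIVE_FIELDS else value
        for name, value in record.items()
    }


def guessable(token: str, candidates: Iterable[str],
              tokenizer: Callable[[str], str]) -> Optional[str]:
    """Assessment check: can the token be matched by tokenizing every value
    in a small candidate space? Returns the matching value, or None."""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


def demo() -> dict:
    # Constructed key. In practice it is generated and held on-premises
    # (for example in an HSM) and is never sent to the provider.
    key = b"constructed-demo-key-held-on-premises"
    # Constructed record; the identifier uses an invalid 000 prefix.
    record = {
        "ssn": "000-00-0042",
        "patient_name": "Test Patient",
        "date_of_birth": "1970-01-01",
        "clinic_id": "C-17",
        "visit_count": 3,
    }
    # A deliberately small, constructed identifier space: 10,000 values.
    candidates = [f"000-00-{n:04d}" for n in range(10_000)]

    cloud_record = pseudonymize(record, key)

    # Unkeyed hash: the holder of the cloud copy needs no secret to test guesses.
    unkeyed = guessable(plain_hash(record["ssn"]), candidates, plain_hash)
    # Keyed token: without the on-premises key the same enumeration finds nothing.
    keyed = guessable(
        cloud_record["ssn"],
        candidates,
        lambda v: keyed_token(b"not-the-real-key", "ssn", v),
    )
    return {
        "cloud_record": cloud_record,
        "unkeyed_recovered": unkeyed,
        "keyed_recovered": keyed,
    }


if __name__ == "__main__":
    result = demo()
    print("uploaded record:", result["cloud_record"])
    print("recovered from unkeyed hash:", result["unkeyed_recovered"])
    print("recovered from keyed token:", result["keyed_recovered"])
```

Because the tokens are deterministic, records can still be joined on a tokenized field in the cloud; the trade-off is that equal values remain visibly equal, which encryption with a random nonce would hide.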


Be Ready for Risk Management Challenges

Cloud computing changes the way enterprises do IT, and how security approaches risk and compliance. BY MICHAEL COBB


AS INFORMATION SECURITY program managers identify key themes that will affect an enterprise security strategy, cloud computing arguably stands out above all others.

The tough economic climate does help make the case for cloud computing very persuasive. Because on-demand resources are dynamically scalable and flexible, they are attractive to businesses large and small and will surely continue to change the way we do IT.

For everyone involved in trying to protect their organizations’ network users and data, a move to cloud computing will present a huge change and challenge. Compliance regulations will most likely prevent an enterprise from moving all its data and operations to the cloud, so the transition is in fact an additional security challenge on top of protecting existing network infrastructures. Moving to the cloud requires data and applications to be placed outside the comfort zone of well-established perimeter defenses and physical access controls. An increasing number of users who don’t come under the controls of HR, such as suppliers, clients and partners, will access your data via Web-based collaboration tools. IT administrators already struggle with the task of securing mobile users who access corporate networks, but cloud computing is on a different scale altogether.

For me, one of the key security challenges is how to efficiently manage and enforce access control for employees, customers and partners beyond the enterprise firewall. Cloud computing turns us all into remote workers, and cloud applications and data, by definition, are outside the enterprise. This means that you can no longer rely on multiple layers of authentication, firewalls and other perimeter defenses to do the job for you.

Strategically, managing these challenges requires a number of actions. HR security policies must be reviewed and tightened up so they enforce robust lifecycle management of users. A detailed identity and access management strategy must also be put in place, one that makes full use of federated identity management, an arrangement that enables users to securely access data or systems across autonomous security domains. I recommend enabling single sign-on (SSO) within your own enterprise applications and leveraging this architecture to simplify cloud provider integration and implementation.

Cloud computing also requires an even greater reliance on Internet connections, so even smaller operations will need to establish some form of redundancy to ensure data and applications are available at all times. Despite the hype, cloud services are still quite immature, with many experiencing outages of some form or another. Some could easily go bust; it’s a new industry in a fragile economic environment. Multiple service providers will give you better network diversity and business continuity so any cloud-based project should employ applications and data structures that are vendor-neutral. This includes backups in a cloud-independent format, and one independent of the machine image, too. You need to make the transition as straightforward as possible or have contingency plans to pull operations back to an internally hosted cloud. Although cloud computing may reduce certain continuity concerns, it will never eliminate the need for well-tested business continuity plans.

In the near future, cloud-based services and cloud computing technology will come under increased and prolonged attack because they’re attractive targets for hackers and cyberterrorists. Building a data encryption strategy and implementing technology to support it, therefore, is the best proactive defense. Encrypted data is intrinsically protected, which is why so many laws and regulations mandate the practice. All data and communications should be encrypted, even if other services protect them. Encryption also allows you to separate roles and data as encryption keys control access to your data.

Continually, you will certainly see many new cloud-based services coming online, many offering substantial economic benefits for enterprises. Some will no doubt change long-established risk-reward relationships, and you will need to review your organization’s business strategy and appetite for risk when assessing the ROI of a switch to a cloud-based service. Cloud computing is changing IT, so be sure to consider how to embed security into any new business processes so that infrastructure, data and users remain protected.

Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Three more risk management challenges

Although cloud computing is likely to dominate IT strategies going forward, there are other areas security managers will need to watch. Closely linked to cloud computing is, of course, virtualization. The industry is still grappling with defining security best practices for virtualized environments as applications and data move from standalone servers to living on the network. It will be important to track developments in security controls, as well as threats to these systems.

Smartphones are another addition to the network environment that security managers still struggle to bring under full control. We are starting to see viable attacks against mobile devices, and they will become more widespread. Security software that doesn’t kill either the battery or the CPU will become essential.

Finally, as the uptake of VoIP continues to grow, so will the number of attacks by organized criminals. System administrators need to concentrate more on securing VoIP channels with encryption than tinkering with quality of service.

Yes, security is a never-ending job. —MICHAEL COBB


The Risks and Benefits of Cloud Computing Services

Cloud engagements provide immediate business benefits, but risks cannot be ignored. BY RON CONDON


NOT LONG AGO, a researcher at pharmaceutical company Eli Lilly and Co. needed to analyze a lot of data fast. If the results turned out as he believed, the company could have a world-beating drug on its hands.

The only trouble was that the researcher would need 25 servers to crunch the huge volume of data, and he knew it could take up to three months to get approval for the investment. In an industry where the cost of delaying a product is very high, $150 per second according to Eli Lilly’s former global head of security Adrian Seccombe, that three-month wait would be very expensive.

Benefits of cloud computing

Seccombe takes up the story:

“[The researcher] went to a tame IT guy who’d been playing around in this thing called ‘the cloud’. The guy got out his credit card, plugged it into Amazon Web Services, and had 25 servers up and running in the cloud within an hour.”

The two realized they’d built the servers wrongly so they had to take them down and start again. The second time, it took them 40 minutes to get the servers up and running.

“Within two hours, they were crunching the data. The research time had suddenly collapsed from three months to two hours,” Seccombe said.

And there is more. When they realized the analysis would not be complete by the time they wanted to go home, they were able to crank up the power and bring on more servers to speed things up. “They wanted to get the data back from the cloud as they felt a little uncomfortable leaving it out there overnight.”

They completed the task and were given a bill from Amazon for $89. At $150 per second, a three-month wait would have cost more than $1 billion.

Cloud computing services: Balancing risk and convenience

The cost comparison is mind-boggling and demonstrates the sheer power of the cloud computing concept. But for Seccombe, the example also underlines some problems with the model and highlights some risks of cloud computing.

“They repatriated the data results, and did it securely over a secure line that goes end-to-end into the Amazon cloud. It was secure and quick.”

Or was it? How could they prove there was no trace of their data left in the Amazon cloud? They had to take Amazon’s word for it.

It is just one of many questions being raised with the advent of cloud computing, Software as a Service (SaaS) and the new collaborative model that relies on companies sharing their digital assets.

And it is why Seccombe, wearing his other hat as a member of the Jericho Forum, a security think-tank, has been working recently with others in the group to come up with some kind of framework to chart how cloud computing can be done effectively and securely.

The result of this work is a three-dimensional cube that attempts to map out in graphic form the key decisions that companies will have to make when deciding which tasks can be safely consigned to the cloud, which should be kept under lock and key, and how to tie all the various ways of working together.

For the last six years the Jericho Forum has been challenging conventional thought about information security and mapping out the requirements of a “deperimeterized” world where solid boundaries are replaced by mobility and collaboration between organizations.

Two years ago, Jericho laid out its Collaboration Oriented Architecture (COA) guidelines, which defined how systems could work together without jeopardizing security. Now it is going further to map out the security requirements of cloud computing. The results of this latest exercise raise some challenges for the security industry, but outline some interesting opportunities for those with the vision to seize them.

The cloud collaboration model

The main message of the group is that the cloud can incorporate a variety of approaches, according to the level of control needed over a process.

The cloud collaboration model looks like a Rubik’s Cube with four faces on each side—thereby creating eight separate sub-cubes that represent different types of working.

The three dimensions of the cube are:

• Open/proprietary
• Perimeterized/deperimeterized
• Internal/external

The model is intended to help companies categorize their business processes and ultimately plan the kind of systems architecture they are going to need going forward to fully utilize the benefits of cloud computing services.

“It’s a mistake to see the cloud as one thing,” Seccombe said. “You can have internal proprietary perimeterized clouds, and you can have external, open, deperimeterized clouds.

“Inside Eli Lilly, we are trying to decide where we want to do what business processes. For example, bringing together the ingredients for a pill—we probably wouldn’t do that with an open, external deperimeterized cloud. That is more likely to be proprietary, perimeterized and internal, still using cloud technologies possibly, but I need more control over it.”

The key going forward is to build efficient and secure interfaces between the various sub-clouds so that business in the cloud can work in a seamless way, and create the necessary services to make it happen.

One of these, for example, could be an independent service to check the repatriation of data from the cloud once a task is finished. “It’s not that we don’t trust Amazon, but it is a question of separation of duties,” he said. “You don’t want the auditor to be the one who’s providing the service.”

[Figure: Cloud Types (Securely Collaborating in Clouds). Cube axes: Internal/External, Proprietary/Open, Perimeterized (Cloud-based Silos)/Deperimeterized. Caption: “The Cloud” could be said to refer to all the Cloud Types as an integrated whole. Though we are clearly far from this state of affairs at present.]

Working up Jericho’s ‘cloud layers’

Given the huge advantages of working in the cloud, the goal now is to see how much work you can safely entrust to the cloud as a whole.

Jericho envisages this potential as a series of layers as follows:

• Value/Outcomes
• Process
• Software
• Platform
• Infrastructure

As companies move up the stack and entrust their infrastructure, platform, software, and so on, to a cloud-based service, they can achieve what Seccombe describes as ‘abstraction’: “Abstraction means that you don’t really care what’s going on beneath, because somebody else is looking after it for you, and will deal with it in a responsive manner.”

He admits that most cloud activity is down at the infrastructure and platform level (as with Amazon Web Services) or with software (as with Salesforce.com or NetSuite Inc.). But he cites one example of Value-as-a-Service, which came from personal experience.

When looking for a new BlackBerry battery, he clicked on the Amazon website, which brought up five shops. He chose a shop and ordered, and the battery quickly arrived in an Amazon box. “Amazon brought to me the value experience of getting that battery, but I can’t remember which shop I bought it from. This was my first experience of Value-as-a-Service. I did one click and got the battery delivered the next day.”

The example underlines the move towards customer-centric computing supported by increased collaboration in the cloud. And it is not just about shopping.

Seccombe cites the website where people with various complaints can compare notes. For a drugs company, a resource like that would present huge opportunities to get patient feedback, but only if the right controls are in place.

[Figure: Cloud Layers. Layers: Outcome/Value, Process, Software, Platform, Infrastructure. Other labels: Security and IdAM; Orchestration; “Abstraction occurs here!”; 1st, 2nd, 3rd, Last!]

And there’s the rub. The cloud is very appealing, but diving in without the right level of security in place is a recipe for disaster. As Seccombe says, you can’t bolt on security after the fact. “If you enter the cloud naively, then you lose sight of your data. You lose control,” he said. “That’s why we are trying to get this done up-front.”

The future of cloud computing services

Cloud computing could have a huge bearing on how we do IT. Even if companies continue to run their own systems in-house, they might develop and test applications in the cloud rather than buy their own systems for the purpose.

Off-site disaster recovery centers will start to look like a waste of money when cloud-based services offer the necessary backup without the up-front cost.

But the services need to be easier to use. The Eli Lilly researchers had to configure their own servers manually, but in the future, that kind of service could be automated with new servers coming on stream automatically to cope with the demand.

Identity and access management will also take on a new importance as more collaboration takes place in the cloud, and where collaborative activities may be very short, lasting minutes rather than years.

“The old model, which assumes that everyone inside your silo is trustworthy and where you build an Active Directory for those players to use resources inside your organization, is dead or dying. We have to find ways to change it,” Seccombe said.

Politics and regulation will also play a part in how we use the cloud. Personal information is governed by local jurisdictions, and in many cases cannot be legally stored in another part of the world. As Seccombe found when looking at sites like patientslikeus.com, he could not deal with them and be compliant unless they could guarantee that European patient information stayed in Europe.

The answer, he says, may be to give data a metatag that defines where it can reside, and which forces it to self-destruct if it goes outside the prescribed area.

“The old model, whichassumes that everyoneinside your silo is trust-worthy and where youbuild an Active Directoryfor those players to useresources inside yourorganization, is dead ordying. We have to findways to change it.”

—ADRIAN SECCOMBE, global head of security, Eli Lilly

IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2010.

A data visualization of the settlement prices for gold, silver and other commodities from March 1 to September 1, 2010.

It means that the futures contract for that gold can trade instantly and more securely. The Dubai Gold & Commodities Exchange (DGCX) has maintained their complex network of worldwide members for four years without a single security breach due to malware, and without any unplanned downtime. The DGCX worked with IBM Security Solutions to help implement an intrusion prevention system that builds security into every aspect of their online trading services and proactively adapts to ever-evolving threats. A smarter business is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/exchange

Smarter technology for a Smarter Planet:

What 99.9% system uptime means to a kilo of gold.

Preparing the Network for a Cloud Implementation

Meld your current network security with a cloud provider’s for the smoothest transition. BY MICHAEL COBB

CLOUD COMPUTING represents a huge change in the way a business functions, and that’s especially true for an organization’s IT infrastructure. Nobody is affected more by this transition than the network administrators tasked with keeping an organization’s data and network users safe.

Sharing data, applications and IT infrastructures can present significant cost and productivity benefits, but it all takes place outside of the comfort zone of the corporate firewall and physical environment. As a network administrator, your task during a cloud computing implementation is to ensure users and data remain secure after transitioning data, applications, an infrastructure, or all of the above to the cloud. Although there is a shared responsibility with the cloud provider for the security of enterprise data, ultimately enterprise security pros are responsible. In this tip, we’ll discuss how to prepare an enterprise network for the security aspects that come with extending network infrastructure into the cloud.

Prior to moving any data or applications to the cloud, it is essential to take stock of the current state of internal network security. This is an ideal time to undertake a network audit to see how your network defenses match up to your own data security, integrity and availability policies, regulatory requirements and industry best practices.

The benefits of such an audit are many. Using one or more of the many free and commercial network audit tools available will no doubt uncover configurations and practices that are less than ideal. Once these have been remedied with better security controls and revised procedures, establish an acceptable baseline for the network, the devices, users and applications it hosts and the traffic it handles. This baseline can be referenced during future audits and security configuration checks to determine how the security of the network is affected with the move to cloud computing.

Next, it is important to develop an understanding of a cloud provider’s security policies and procedures. Look for a level of security that meets the enterprise’s compliance requirements and is on par with what exists inside the firewall. To avoid any confusion over who is responsible or accountable for various aspects of your security, such as backups, accessibility, and data destruction, I would look to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards.

Firewall settings may need adjustment, depending on how cloud services are delivered. To ensure these and other perimeter defenses, such as IDS/IPS systems, are tuned correctly, work closely with the provider, as it should already have experience dealing with the network security configuration issues that may arise. If it is necessary to make changes to firewall rules and open additional ports, be sure once those changes are made to update the network security baseline with another network scan. Use a tool such as Nmap to check that only the correct ports are open and no trust relationships or connections violate security policy.
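One way to run the rescan check described above, as an added example that is not part of the original guide: it compares a baseline Nmap scan with a scan taken after the firewall change and flags any open port that is neither in the baseline nor on the approved-change list. The two grepable-output (`-oG`) samples, the host addresses and the `APPROVED_NEW` list are constructed for illustration.

```python
import re

# Constructed Nmap grepable (-oG) output; hosts use documentation addresses.
BASELINE_GNMAP = (
    "# constructed sample: scan taken before the firewall change\n"
    "Host: 192.0.2.1 (fw.example.test)\tStatus: Up\n"
    "Host: 192.0.2.1 (fw.example.test)\tPorts: 443/open/tcp//https///\n"
    "Host: 192.0.2.2 (app.example.test)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 8080/closed/tcp//http-proxy///\n"
)
RESCAN_GNMAP = (
    "# constructed sample: scan taken after the firewall change\n"
    "Host: 192.0.2.1 (fw.example.test)\tPorts: 443/open/tcp//https///, "
    "8443/open/tcp//https-alt///\n"
    "Host: 192.0.2.2 (app.example.test)\tPorts: 22/filtered/tcp//ssh///, "
    "443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\n"
    "Host: 192.0.2.5 ()\tPorts: 80/open/tcp//http///\n"
)
# Assumption: the ports the change request authorised for the cloud service.
APPROVED_NEW = {"192.0.2.1": {(8443, "tcp")}}

# One port entry looks like port/state/protocol/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"(\d+)/([a-z|]+)/([a-z]+)/")


def parse_gnmap(text):
    """Return {host_ip: set of (port, proto)} for ports Nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = hosts.setdefault(ip, set())
        for port, state, proto in PORT_ENTRY.findall(ports_field):
            if state == "open":
                open_ports.add((int(port), proto))
    return hosts


def review_rescan(baseline, rescan, approved):
    """Compare a rescan with the baseline; return findings as sorted lists."""
    unapproved, lost = [], []
    for host, open_now in rescan.items():
        allowed = baseline.get(host, set()) | approved.get(host, set())
        unapproved += [(host, p, proto) for p, proto in open_now - allowed]
    for host, open_before in baseline.items():
        gone = open_before - rescan.get(host, set())
        lost += [(host, p, proto) for p, proto in gone]
    pending = [(host, p, proto) for host, ports in approved.items()
               for p, proto in ports - rescan.get(host, set())]
    return {
        "unapproved_open": sorted(unapproved),   # violates policy: investigate
        "no_longer_open": sorted(lost),          # possible availability impact
        "approved_not_open": sorted(pending),    # change not yet effective
        "new_hosts": sorted(set(rescan) - set(baseline)),
        "accept_as_baseline": not unapproved,    # only then replace the baseline
    }


if __name__ == "__main__":
    report = review_rescan(parse_gnmap(BASELINE_GNMAP),
                           parse_gnmap(RESCAN_GNMAP), APPROVED_NEW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The rescan only becomes the new baseline when `unapproved_open` is empty; a host that appears for the first time has every open port reported, since none of them were in the baseline.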

Whenever a new service is added to the network, ensure that there is sufficient separation of duties and access permissions so that nobody is inadvertently given the ability to maliciously or accidentally damage the company’s data. Reviews of accounts and privileges against HR employment registers will be essential to ensure permissions remain appropriate and that unused accounts are terminated. If, as part of a move to the cloud, you open up network access to third parties, such as suppliers and clients, then any network access control (NAC) system configurations should be reviewed too. Be sure the current NAC product can handle a dramatic increase in users. Many organizations are actually looking at SaaS-based NAC solutions to ensure scalability and interoperability.

Because a cloud computing implementation somewhat blurs the distinction between data at rest, in motion and in use, data encryption becomes one of the most important defenses. Encrypted data is intrinsically protected so all data and communications will need to be encrypted, even if other services protect them. Furthermore, encryption renders data unreadable, alleviating some of the concerns over destroying data stored in the cloud. It also allows the separation of roles and data as encryption keys control access to the data. I would run routine checks on the network using an analysis program such as Wireshark to ensure communication channels are being encrypted.
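A first-pass version of that routine check, as an added example that is not part of the original guide: it classifies each flow by the first bytes the client sent rather than by port number, so cleartext on port 443 is caught and an encrypted session on an unusual port is not misreported. The rows stand in for a payload export from a capture tool; every address, port and payload below is constructed.

```python
# Constructed rows standing in for a capture export, in capture order:
# source, destination, destination port, client-to-server TCP payload as hex.
CAPTURE_ROWS = [
    # TLS handshake record carrying a ClientHello (real framing, filler body)
    ("10.0.0.21", "198.51.100.7", 443, "16030100c8010000c40303" + "ab" * 32),
    ("10.0.0.21", "198.51.100.7", 443, "1703030020" + "cd" * 32),
    ("10.0.0.34", "198.51.100.9", 80,
     b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n".hex()),
    ("10.0.0.40", "198.51.100.9", 443, b"GET /status HTTP/1.1\r\n".hex()),
    ("10.0.0.52", "198.51.100.12", 21, b"USER backup\r\n".hex()),
    ("10.0.0.55", "198.51.100.12", 22, b"SSH-2.0-client\r\n".hex()),
    ("10.0.0.60", "198.51.100.15", 8443, "0001000a5a5a5a5a"),
]

CLEARTEXT_MARKERS = [
    (b"GET ", "HTTP"), (b"POST ", "HTTP"), (b"PUT ", "HTTP"),
    (b"HEAD ", "HTTP"), (b"USER ", "FTP/POP3"),
    (b"EHLO ", "SMTP"), (b"HELO ", "SMTP"),
]
ENCRYPTED = {"tls", "ssh"}
MAX_TLS_RECORD = 16384  # largest plaintext fragment a TLS record may carry


def classify_first_payload(payload):
    """Classify a flow by the first bytes the client sent, not by port."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        length = int.from_bytes(payload[3:5], "big")
        # 0x16 = handshake record, 0x03 0x0N = SSL 3.0/TLS, 0x01 = ClientHello
        if payload[2] <= 0x04 and 0 < length <= MAX_TLS_RECORD and payload[5] == 0x01:
            return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"  # version banner is readable, the session after it is not
    for marker, protocol in CLEARTEXT_MARKERS:
        if payload.startswith(marker):
            return "cleartext:" + protocol
    return "unknown"


def audit_flows(rows):
    """Return {(src, dst, dport): verdict} from each flow's first payload."""
    verdicts = {}
    for src, dst, dport, payload_hex in rows:
        flow = (src, dst, dport)
        if flow in verdicts or not payload_hex:
            continue  # skip later packets and empty ACK-only segments
        verdicts[flow] = classify_first_payload(bytes.fromhex(payload_hex))
    return verdicts


def flows_to_investigate(verdicts):
    """Flows that are readable on the wire or could not be identified."""
    return sorted((flow, v) for flow, v in verdicts.items() if v not in ENCRYPTED)


if __name__ == "__main__":
    for flow, verdict in flows_to_investigate(audit_flows(CAPTURE_ROWS)):
        print(flow, verdict)
```

Flows reported as `unknown` are the ones to open in Wireshark by hand: they may be another encrypted protocol, or a cleartext protocol the marker list does not cover.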

Finally, don’t be afraid to test network security by first developing and experimenting with internal or hybrid clouds. This can include offering an application service in the same way a cloud computing provider would, but doing so entirely within the network perimeter, or experimenting by testing a cloud provider’s capabilities with a limited, non-mission-critical function. I would also recommend reading the Cloud Security Alliance’s guide, which will help you understand the main areas of concern for organizations adopting cloud computing.

However, preparing your network for cloud computing is only a first step. To make your move to cloud computing truly successful, you will need to ensure that your baseline security is sustained once you turn on your cloud services. You will also need to adapt and evolve your defenses and security controls to handle new threats. We will look at some of these challenges in our next tip.

Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

The Web’s best information resource for security pros in the financial sector.

Now there’s an online resource tailored specifically to the distinct challenges faced by security pros in the financial sector. Information Security magazine’s sister site is the Web’s most targeted information resource to feature FREE access to unbiased product reviews, webcasts, white papers, breaking industry news updated daily, targeted search engine powered by Google, and so much more.

Activate your FREE membership today and benefit from security-specific financial expertise focused on:

• Regulations and compliance

• Management strategies

• Business process security

• Security-financial technologies

• And more

www.SearchFinancialSecurity.com

Maintaining Security After a Cloud Computing Implementation

The real security job begins after you’ve migrated your data and applications to the cloud. BY MICHAEL COBB

YOU’VE SUCCESSFULLY migrated your organization’s selected applications and data into the cloud, and everyone has said what a great job you’ve done. But you and I both know the task of maintaining the security of these apps and data has only just begun. In this tip, I’ll review which technologies and processes must be initiated, monitored and secured after a cloud computing implementation or initiative is up and running.

IAM

Cloud computing turns us all into remote workers, which makes identity and access management (IAM) one of the key challenges after a cloud computing move. It is important to have robust lifecycle management regarding users and user access so that user accounts, credentials and access rights are always relevant and up to date, including disabling an account when an employee leaves. Also look to initiate an IAM strategy that can make full use of federated identity management, which enables users to securely access data or systems across autonomous security domains.
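The account lifecycle check described here, and the review of accounts against HR employment registers recommended in the preceding article, can be run as one reconciliation. The following is an added example, not part of the original guide; the HR register, the account export, the group names, the 90-day dormancy threshold and the review date are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data; names, IDs and group names are illustrative only.
HR_REGISTER_CSV = """employee_id,name,status,end_date
E100,A. Rivera,active,
E101,B. Chen,terminated,2011-01-14
E102,C. Okafor,active,
E104,D. Novak,active,
"""
ACCOUNTS_CSV = """username,employee_id,enabled,last_login,groups
arivera,E100,true,2011-02-01,cloud-admins
bchen,E101,true,2011-01-10,finance-users
cokafor,E102,true,2010-09-03,finance-users
dnovak,E104,true,2011-02-02,payments-create;payments-approve
svc-sync,,true,2011-02-03,cloud-admins
tmp-migrate,E102,true,,cloud-admins
bchen-old,E101,false,2010-06-01,finance-users
"""
# Assumption: group pairs one person must not hold together (separation of duties).
CONFLICTING_GROUPS = [("payments-create", "payments-approve")]
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
REVIEW_DATE = date(2011, 2, 7)       # constructed "today" for the sample


def review_accounts(hr_csv, accounts_csv, today):
    """Return {username: [reasons]} for enabled accounts that need action."""
    staff = {row["employee_id"]: row
             for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # already disabled, nothing left to revoke
        reasons = []
        owner = staff.get(acct["employee_id"])
        if owner is None:
            reasons.append("no HR owner")  # service, supplier or orphan account
        elif owner["status"] != "active":
            reasons.append("owner left " + owner["end_date"])
        if not acct["last_login"]:
            reasons.append("never used")
        elif today - date.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
            reasons.append("unused since " + acct["last_login"])
        groups = set(acct["groups"].split(";"))
        for first, second in CONFLICTING_GROUPS:
            if first in groups and second in groups:
                reasons.append(f"holds both {first} and {second}")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review_accounts(HR_REGISTER_CSV, ACCOUNTS_CSV,
                                         REVIEW_DATE).items():
        print(f"{user}: {'; '.join(reasons)}")
```

An account with no HR owner is not automatically wrong, but it needs a named sponsor on record before it is left enabled, which matters once suppliers and clients are given access as part of the cloud move.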

More specifically, consider introducing single sign-on (SSO) for enterprise applications and leveraging this architecture to simplify cloud provider implementations. A move to the cloud will appear far more seamless to your users if they are already used to SSO, and it’ll make managing trust across different types of cloud services less onerous. You will also have logged baseline data to help you monitor and gauge changes due to cloud activity.

An SSO product should use one of the common standards for implementing federation, such as Security Assertion Markup Language (SAML) and Liberty Alliance ID-FF. These standards extend existing access and identity policies from the internal network beyond the firewall and out to the cloud, while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies.

Bandwidth

The increased Internet usage that cloud computing brings also increases the risk of network congestion bottlenecks. Web-based applications are extremely latency-sensitive, many barely functioning if the network is too busy. Downtime or slow processing frustrates employees and can lead to breaches in policy. Slow file or data transfers, for example, can lead workers to use alternative methods that may be far less secure and break security policy rules.

One answer to this problem is to deploy a WAN optimization product, which is designed to ease enterprise application traffic on the network by improving application traffic management and eliminating redundant transmissions. Products such as the Citrix NetScaler from Citrix Systems Inc. offer a Web application firewall and combine traffic management through Layer 4-7 load balancing. Other WAN optimization vendors include Riverbed Technology Inc. and Blue Coat Systems Inc.

Firewalls

Connections between the internal network and the cloud should certainly be encrypted; sending any sensitive or mission-critical data back and forth in the clear over the Internet is like offering attackers an invitation to steal the data. As a network engineer, ensure network devices can handle the processor-intensive, public-key encryption algorithms involved in SSL-encrypted communications. SSL accelerator cards or proxies that handle all SSL operations may need to be added to the infrastructure. However, encryption alone won’t stop malware and other network attacks. It’s important, therefore, to upgrade the firewalls protecting your internal network so that they can inspect SSL traffic. Encryption should ideally work in union with data loss prevention (DLP) products, which will classify and monitor data while enforcing policies.

Audit

Another important task after a cloud computing implementation will be to conduct an audit of all security policies to ensure they remain relevant. Also review, update and test disaster recovery and business continuity plans and procedures. Processes, and more importantly, people’s roles, will have changed now that cloud computing infrastructure is a part of day-to-day systems management. The internal IT team will certainly need to work closely with the cloud provider so each understands the other’s responsibilities within the context of the continuity plan, including which aspects of any recovery will be handled by whom. Being prepared for service disruptions will reduce the severity of any event.

Finally, don’t take statements in your provider’s SLA for granted. Check that it does perform backups and patch systems within the agreed timeframes. You should certainly request a copy of the findings of its own audits and ensure that any recommendations have been implemented. Engaging in constructive dialogue will make addressing both parties’ security issues a lot easier, so make sure you are in regular contact, particularly during any application or system upgrades. This communication will help prevent changes from adversely affecting your compliance with relevant industry or government regulations.

Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

TECHTARGET SECURITY MEDIA GROUP

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Nick Dowd

SALES DIRECTOR Tom Click

CIRCULATION MANAGER Kate Sullivan

PROJECT MANAGER Elizabeth Lareau

PRODUCT MANAGEMENT & MARKETING Corey Strader, Andrew McHugh, Karina Rousseau

SALES REPRESENTATIVES

Eric Belcher

Patrick

Leah Paikin

Jeff Tonello

Nikki Wise

TECHTARGET INC.

CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

“Technical Guide on Data Security and the Cloud” is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or SearchCloudSecurity.com.

EDITORIAL DIRECTOR Michael S. Mimoso

SEARCHCLOUDSECURITY.COM

SENIOR SITE EDITOR Eric Parizo

NEWS DIRECTOR Robert Westervelt

SITE EDITOR Jane Wright

ASSISTANT EDITOR Maggie Sullivan

ASSOCIATE EDITOR Carolyn Gibney

ASSISTANT EDITOR Greg Smith

ART & DESIGN

CREATIVE DIRECTOR Maureen Joyce

SPONSOR RESOURCES

See ad page 2

• First Annual Cost of Cyber Crime Study - Benchmark Study of U.S. Companies

• Combating Modern Threats with the ArcSight Enterprise Threat and Risk Management Platform

• Integrate Enterprise and Cloud Security for a 360-degree View of User Activity

See ad page 4

• Digital Locksmiths - Corporate Overview

• Penetration Testing - Solution Brief

• Terry Cutler - The Ethical Hacker Guy

• GeoTrust SSL Solutions

• GeoTrust SSL Products

• Free 30-Day SSL Trial

See ad page 18

• IBM Point of View: Security and Cloud Computing

• Successfully implementing a private storage cloud to help reduce total cost of ownership

• Dispelling the vapor around cloud computing: Drivers, barriers and considerations for public and private cloud adoption

See ad page 7

• NSS Labs

• I am Worry-Free because…

• Enterprise Security for Endpoints