Enterprise conversations on cloud adoption have reached a stage where a number of questions are raised about the ‘what’ and ‘how’ of cloud computing rather than the ‘why’. Make no mistake, security still remains the main topic of the cloud, but the tone of the discussion is more focused on ‘how can the cloud work for us?’ Security services in the cloud have matured over the past few years and there are now enough of proof points almost in all industry segments where cloud has been successfully adopted with measurable success. Enterprises are increasingly loathed to dismissing the compelling business case offered by cloud adoption, provided security aspects of the cloud are adequately assessed and addressed.
A review of enterprise security architecture in the context of cloud is an absolute necessity in defining, monitoring and managing enterprise cloud deployments. This includes understanding the current security posture of IT assets, audit and compliance. This should form the basis of drawing up security and compliance requirements for mainstream cloud adoption. The following are the key business and technology considerations to be factored while embarking on a cloud adoption journey:
1. Business considerations
- Data residency requirements. Clearly classify transactional and operational data residency requirements. Evaluate and evolve a cloud strategy which meets these requirements. Part of a thorough consideration has to be around cloud provider(s) capability to ensure compliance to data residency needs.
- Compliance requirements to government / industry regulations. Industry standards such as HIPAA, EU Data Protection 2.0 regulations for cloud computing, PCI compliance and others require companies to adhere to strict standards when it comes to handling of ‘sensitive’ data such as patient health records, user data to reside with-in a country of residence etc. Strict governance with respect to sharing of personal information apart from other requirements such as maintaining a detailed transactional audit log has to be followed. Depending on the profile of the applications being considered to move to cloud, a detailed checklist of compliance needs will need to be maintained to comply with law of the land and industry governing regulations.
- Review security posture of IT landscape. A thorough vulnerability assessment of cloud deployed applications has to be undertaken periodically followed by a remediation effort to fix the vulnerabilities. Tool based evaluation of security posture of IT assets spanning across business processes, applications and infrastructure has to be undertaken periodically to assess the risk profile an enterprise is exposed at any given point of time. Tools that monitor the web app for vulnerability such as ‘Sql Injections’ and remediation from such threats through tools like Web Application Firewalls (WAF) can be leveraged to auto scan and assess the current security profile of an IT landscape.
- Cloud service provider SLAs and accountability. Clearly defined roles, responsibility and accountability matrix of all parties involved is a basic requirement for managing cloud deployment. Most public cloud providers offer best effort guarantee but no guaranteed SLAs. There is clearly a need for a Cloud Services Broker (CSB), typically a Systems Integrator (SI) who would stitch together specialized services into an integrated service providing a single point of accountability. Without this arrangement, cloud deployments with multiple niche technology vendors could end up becoming complex maze of services to manage. For example consider a dealer management cloud application that an automobile OEM rolls out to its dealers in an emerging market like India. Typical roll out of such as solution would involve multiple technology partners including the cloud platform provider, application development partner, security component providers, mobile device management provider and many others. The automobile OEM will need to develop a mechanism of tight coordination and clear definition of roles and responsibilities between all participating vendors to streamline the entire process with clear ownership and accountability. With the cloud deployments, complexity of managing the ecosystem becomes very high and therefore a need for tight governance and accountability is paramount.
2. Technology considerations
- Understanding implications of multi-tenant deployments. In a typical multi-tenant public cloud environment, VMs (Virtual Machines) of an application of a tenant can co-exist side-by-side with a VM hosting another application of same or a different client. There could be a potential threat of unintended intra VM exposure. Security solutions should be designed to ensure data protection by encryption at rest and at transit to ensure no breach.
- Understanding network configurations and potential vulnerability threats. Since cloud services are consumed out of the internet (private / public networks) it is important to understand the network configuration and security configuration profiles of VMs including the network traffic ports. Network configurations should be periodically reviewed for exposure and vulnerability to attacks. Many organizations are and will move to IPv6 implementations shortly. Software driven security configurations to manage network security is recommended to keep a close watch on network traffic for malware and threats.
- Consistent user management and access controls. Compliance to Cloud Data Center Security Standards ISO 27001 will ensure consistency of processes followed in the cloud DC by vendors / partners / employees. User management still remains a top concern in managing cloud deployments. Human interactions with systems happen at multiple levels despite increased automation. In both private clouds and public, administrators have privileges which can potentially provide them access to systems and user data. User management systems should typically include establishing identity and access controls. Biometric based user identification and authorization will ensure proper tracking of user activity. User and system activity audit logs are a key requirement to ensure traceability. Over the past few years, emergence of cloud monitoring and automation technology like Chef and Puppet should be increasingly used for automated management of VM profiles for consistency, compliance to corporate standards and management.
- Cloud systems integration and API management. Cloud solutions are typically integrated with other applications / processes to form a composite solution. Most enterprises are actively considering cloud along with mobility and data analytics as a part of their digital solutions strategy. Integration with systems, devices and data sources is managed increasingly through Application Programming Interface (API). This means API governance and management becomes an important touch point for managing security of cloud based systems because malware and security threats can be posed through uncontrolled access to APIs. Systems integration through API based integrations will involve tightly managing API access and maintaining an audit log of API access from different applications. There are tools and technologies available today which specialize in API management and delivery which should be leveraged for effective management of APIs and systems integration touch points.
This article was originally published on IT Business Edge on September 11, 2014, and is re-posted here by permission.