BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Articles Seven Steps for Improving Cloud Security with Business Integration

Seven Steps for Improving Cloud Security with Business Integration

Bookmarks

Key Takeaways

  • Why Cloud computing, why now? Adhering IaaS security and compliance means that cloud providers must meet certain legal and industry standards when it comes to security and uptime.
  • The case for the cloud. Even the most reliable data centers - in terms of uptime and redundancy - don’t hold a candle to the major cloud platforms. It’s time to make the move.
  • Planning your architecture. Start by auditing your cloud computing stack, and consider where and how to integrate different business systems.
  • Configuring an Integrated System. Check the contracts with your cloud providers to see what failsafes are in place should an attack occur. Configure IAM - assign level access to all users.
  • Test your workflow integration. The best laid plans still fall apart. Users make mistakes (eg, upload private keys, fail to use a VPN, etc.). Regularly testing your integration is key to ensuring that your infrastructure is secure.

For business owners and information technology professionals, cloud computing has represented a significant advancement in terms of efficiency and supportability.

But like with any major shift in the IT industry, the cloud brings a host of new security risks. Let’s take a look at the most common risks associated with integrating cloud-based business systems and how to manage them appropriately.

Why Cloud Computing

In the early days of the internet, companies either hosted their hardware in a local office or they bought space in a nearby data center. The last decade has completely flipped that architecture, as cloud computing has led to a rise in Infrastructure as a Service (IaaS) through providers like Amazon Web Services or Microsoft Azure. Now your business must trust all of their systems and data in a third-party environment without having any local (re: physical) access.

Cloud providers must meet certain legal and industry standards when it comes to security and uptime, but that doesn't mean a company can completely outsource all security responsibilities. Instead, IT security has actually become more nuanced and complex in the age of cloud computing.

Today, tight integration is the key to maintaining secure digital systems. If systems are not correctly talking between one another, then there is a higher risk of a security gap that could lead to a data breach or cyberattack.

Move to the Cloud

When the U.S. federal government included a cloud strategy as a main pillar in its IT modernization plan, it was a sign that cloud computing and storage is now the new norm. Unsurprisingly, private organizations beat them to the punch, many of whom have been migrating existing applications (or developing new cloud-ready ones) to the cloud for years.

Keep in mind, a cloud move is not as simple as downloading new software. It’s an entirely new and different ecosystem, one that involves a list of risks: legal, financial, commercial, and compliance, to name a few. To make such a move without stopping long enough to become informed of the dangers is not a good idea.

It’s also not as simple as learning which vulnerabilities and threats are sitting out there at any particular moment in time. Threats evolve over time. Old ones become less effective or fall out of favor with hackers and new ones emerge.

The following steps should help you successful integrate business software and processes in the cloud in a way that improves the security of your organization, rather than compromises it.

1. Protect Yourself Against Common Cloud Security Risks

In one sense, cloud environments face similar threats as traditional data centers because it runs on software. Software always runs the risk of code vulnerabilities, and there will always be people who spend an inordinate amount of time trying to locate and exploit those vulnerabilities.

The major difference between a traditional data center and a cloud computing platform lies in which party, cloud service provider (CSP) or consumer, is responsible for mitigating which risk and which responsibility falls to the consumer. It’s obviously a big deal that consumers know and rely on the CSP to hold up its end of the bargain.

When creating a security plan for your infrastructure, pay attention to these three cloud-centric vulnerabilities:

#1 Decreased Visibility and Control.

When shifting assets and operations to the cloud, your organization will lose some measure of visibility and control as compared to in-house operations. With external cloud services, the responsibility for securing the infrastructure shifts to the CSP. Further division of responsibilities varies among providers.

Before you get too deep into a cloud migration, it’s critical to know which cloud service model you’re signing on for. The options are:

  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Software as a service (SaaS)
  • Container as a Service (CaaS)

With each, you’ll give up varying levels of control over your data and ability to see specifically how it is handled once it reaches the cloud. Amazon Web Services (AWS) describes the symbiotic relationship as one in which the CSP handles security “of the cloud” while the customer is charged with security “in the cloud.”

The former refers to securing the physical infrastructure that runs the services - hardware, software, networking, and facilities - while the latter’s scope depends upon the specific services purchased.

Understanding the division of responsibility in the fine print is a big deal. Customers of cloud provider Nirvanix, which went bankrupt in 2013 after five CEOs in the same number of years apparently squandered $70 million in venture capital. Customers were given two weeks to retrieve their data from the servers before the system would be shut down and everything lost.

Many of Nirvanix’s SME customers had so much stored that it was a near impossibility to retrieve it all before the deadline. Though Nirvanix established an arrangement to shift data to IBM servers via high-speed connection, that was the only option. If a customer wanted to go to with Google, Microsoft, Amazon, or another alternative, they were on their own to complete the transfer. This is loss of control at its most frustrating.

#2 How “Deleted” is Deleted Data?

When you delete data from a local system, you can make sure that it is actually gone - FBI demands and cybersleuthing notwithstanding - but the same can’t be said of data stored in the cloud.

The problem is that you don’t have direct access to see where your data is stored and verify that deleted data has actually been deleted. To a large extent, you have to take it on faith that your CSP does what it says.

Consider the structure of the cloud. There’s a good chance your data is spread over several different devices and in different physical locations for redundancy. Further, the actual deletion process is not the same among providers.

The bottom line is that you won’t be able to definitively verify your data is gone as requested, and thus you cannot be certain of its security. The more CSP services you use, the greater the threat risk. You can mitigate that risk by utilizing a Single Sign-On Solution, implementing end-to-end encryption, and updating your in-house software often.

Many public figures have learned the hard way that deleting photos from the cloud doesn’t mean they’re actually gone. In recent years, hundreds of photos have been retrieved and released publicly by hackers to the embarrassment of those who trusted that deleting photos would do just that.

#3 Failure of Due Diligence Before a Cloud Migration

If ever there was a good time to slow down and do a proper amount of vendor research, it’s before you toss all your critical data up into the cloud. While cloud storage is the obvious present and foreseeable future of the internet, a ‘send it up now and we’ll figure it out later’ approach is a bad idea times two.

As mentioned, the CSP is only responsible for a certain amount of data security and the consumer the rest. Don’t make a decision about your data repository without understanding exactly how the service works. Just because everyone’s doing it is not a good reason to follow suit immediately.

One example of a migration gone bad was the fiasco involving UK bank TSB in early 2018. In retrospect, IT experts said they pushed the process too fast and ended up, when the switch was thrown to go live, with customer data showing in the wrong accounts, login issues, and technical error messages no one could decipher. A massive failure of due diligence.

Key Points

  1. There will be security risks, no matter what the platform (i.e. localized networks, cloud networks)
  2. Understand the level of security that you'll be required to manage in comparison to the level of security that will be managed for you.
  3. If the data you host is confidential, consider using encryption services in conjunction with your cloud provider.
  4. Take the time to research service providers before making a commitment.

2. Create Your Migration Plan

Before your migration, it’s important to understand how identity management (IdM) will be handled in your cloud setup. Most servers allow more than one connection to a single file stream from any client IP address that requests the file. The difference is the IdM can first check whether multiple connections to the file is a possibility. Then, it can download the file in parts instead of doing it linearly where the download cannot get paused.

  1. Before the migration, you should also examine the difference between encryption at rest and encryption in transit.
  2. The encryption of data at rest should implement strong encryption methods like AES or RSA. This allows for added security when usernames and passwords are breached. During this phase, cryptography can also be implemented on the database as well as the physical hardware where the database is stored.
  3. For encryption in transit for businesses, opt for HTTPS, SSL, TLS, or FTPS.
  4. Your enterprise should also set up multi-tenancy. There are different methods to set up the application that enables sign in and consent by users, including tenants other than the one where the client is registered. You may prefer native client applications because they are multi-tenant by default, whereas web client and web resource (API) are single and multi-tenant.

There are also different ways to audit access and data usage before making the migration. Working closely with an IT team can help you examine the best methods to move forward.

3. Plan Your Architecture

In a best-case scenario, you would take the time to plan a distributed architecture before ever deploying any servers, applications, or services to the cloud. That's not always the case, however, especially for businesses that must manage legacy hardware and software.

Before beginning with any security integrations, conduct a thorough audit to understand the full scope of your organization's cloud-hosted infrastructure at every level of the cloud computing stack. You must know, with complete accuracy, all hardware elements used in the infrastructure. Without this information, you won’t be able to make informed decisions or keep security as a top priority.

Once you’ve fully mapped out your cloud environment, the next task is to decide whether to invest in an all-in-one security solution or to manage separate services that can be manually integrated together. There is no single right answer, as it depends on the company's needs and outlook.

When evaluating different cloud security solutions - cost, of course, cannot be ignored. If a company can procure a number of distributed systems for considerably less upfront money than an all-in-one solution, then the decision is easy.

On the other hand, centralized systems are often easier to support and maintain, which could bring about cost savings in the long run.

The architecture of your systems needs a specific security approach. After you settle on a type of security solution than you also need to build a team. Are you looking to create one internally, or source it out to a third-party?

There are advantages to both, but when dealing with cloud security you want to approach the subject delicately and with great care. The cloud is fantastic in a number of ways but it does have some added security elements, so finding the right team is essential to the architecture of your systems.

Key Points:

  1. Conduct a full audit of your company (i.e. software, hardware, storage, accessibility).
  2. Determine your company needs based on the organization audit (i.e. all-in-one security, managed separate services).
  3. Compare solution costs between service providers (i.e. will you handle the solutions/security in-house or source it out).

4. Take Advantage of Security Improvements in the Cloud

IT teams considering a move to the cloud often ask, “how is the cloud more secure?” To answer that question, compare your current data center against the uptime and redundancy of your would-be cloud provider by doing the following:

1. Streamline Identity and Access Credentials Management (IAM)

There are a number of different cloud-based software companies depending on individual needs and goals you would like to achieve. Salesforce is known for being an all-around, high-quality provider. The CRM is effective with a number of strategies. Box provides cloud content management while AWS is a cloud service from the massive corporation Amazon.

Before anything, you should control the risk of unauthorized logins.

This means that, despite the linked, global coverage that exists, one set of login credentials still only allows one person access to all the cloud applications they are authorized to use. As with a traditional data center, each person uses only their own login information (no sharing) and there should be a full audit trail that allows the IT staff to figure out (computer forensics) what went wrong in the event of a malicious or accidental data breach.

The ability to quickly give or take away access to programs and data should be as easy as an administrator clicking a few buttons. When an employee leaves or is fired, their access to the cloud resources should be shut down fast. If an outside IT team needs access to critical systems for maintenance, the access should be time-limited and expire automatically.

2. Take Advantage of Better Uptime & Redundancy

Data centers are often ranked in tiers, with each tier corresponding to specific physical, cooling and power infrastructure, levels of redundancy, and a hosting provider’s promised uptime.

Rankings start at Tier 1 with little redundancy and non-exemplary uptime and go up to Tier 4, which represents a data center that has the infrastructure, capacity, and processes in place to provide a truly maximum level of uptime. In 2018, data center uptime for the best-shared hosts reached a maximum of 99.991%, which qualifies as a Tier 3 data center.

In contrast, AWS, Google Cloud Platform, and Microsoft Azure do not follow the same tiered ranking standards. If you consider the full suite of services offered by each provider, the wide selection of availability zones, and globally distributed data centers, exceeding that of Tier 4 uptime and having better redundancy.[1][2]

3. Use Cloud Automation

As your company grows, so does the need for more automation, which just so happens to be one of the things the cloud does well. For a large company, cloud computing allows for the efficient setup of satellite offices through automatic processes.

The bottom line is that the more automation you can implement the better. The more you can take the human element out of the network infrastructure mix (Skynet in Terminator 2 notwithstanding), the fewer mistakes and incidents of malicious harm should occur. If you haven’t pondered the idea before, people pose the biggest risk factor in cybersecurity. Limit human interference and error and you automatically make your network more secure.  

According to Forbes, using automation helps to reduce network and communication breakdowns (i.e. downtime), lost data, and hacking attempts. Automation, once perfected, never deviates from the rules that have been defined; therefore, they never miss a step or leave a door open.

Moving your business operations to the cloud is probably the single biggest security enhancement you can make, even now, in the early days of its evolution. If cybersecurity and cloud computing seems impressive now, wait a few years. We’ve only scraped the surface of the mind-boggling possibilities that surely lurk just over the horizon.

Not to let verbal hyperbole overshadow the basic here-and-now benefits. Operating in the cloud already offers network resilience, the ability to increase or decrease resources on demand, lower hardware and software costs, improved uptime, and the portability of work to name a few.

In short, in regard to security, cloud computing is safe and is constantly being improved upon.

Key Points

  1. Remove the fear of moving your data into the cloud.
  2. Recognize that major companies (i.e. Salesforce, Amazon, and Box) have a lot invested in cloud-hosted solutions and maintain a high-level security team.
  3. Remember that security is only as strong as the weakest link (i.e. your administrator, your users).
  4. Able to assign/delete access to certain programs in moments, without having to directly touch a user’s physical machine through cloud permissions/security.
  5. Reduce the risk of losing data from hardware failures, power outages, and dangerous weather.
  6. Reduce setup time for new users, new departments, and even new offices through automated services.

5. Configure an Integrated System

Contracts with your cloud provider should dictate certain security protocols and failsafes. In most cases, the provider will take responsibility for the facilities and data centers where the infrastructure is located. This includes the security of physical hardware and network equipment, as well as the virtualization tools used to distribute computing power.

This does not mean that security breaches will never occur within the facility or at the physical layer, but as a cloud customer, your liability will be limited.

As a cloud customer, you can expect to be responsible for all software and services that run on the data center infrastructure as well as the integration of those various systems. Security must be monitored and maintained at the operating system level, as well as between all applications and databases.

The configuration of any enterprise security system must begin with identity and access management (IAM), which controls user permission to cloud resources. As a basic rule, access should be limited to only individuals or departments that have a need for backend access. Certain IT administrators who are responsible for cloud integration will need to have high-level access across all networks involved in the integrations.

Key Points

  1. Most cloud providers will manage the bulk of your security and hardware.
  2. You will be required to manage the software installs, user assignments, and storage locations for your systems.
  3. Whatever you manage, you need to remember to secure it (see # 1). The cloud provider is required to keep your network and hardware safe, not your software.

6. Test Your Workflow for Integration

Intrusion detection is one of the most critical security functions that your enterprise must invest in and work to maintain. Hackers are inventing new forms of cyberattacks on a regular basis and searching for vulnerabilities within cloud platforms that could lead to a data breach.

In a worst-case scenario, a hacker would infiltrate your corporate systems without your knowledge and wreak havoc before you can detect the attack. Such was the case when a DXC programmer inadvertently uploaded the company’s private AWS keys to Github, costing the company more than $64,000 before the breach was fixed.

Intrusion detection systems (IDS) need to be closely integrated with all backend servers that are connected to the open internet. One piece must be a firewall, which monitors all incoming traffic and blocks unknown or suspicious requests. If a potential intrusion is detected, the system should alert IT management and take automated steps to protect databases.

If you are just learning how to integrate your business into cloud security without compromising it, you can probably learn a thing or two from others that have successfully handled it in the past. Don’t be afraid to reach out in-person, instant messenger, chat, and take crucial lessons from others.

Chances are they will have instructions on the good, the bad, and ugly and hopefully enable you to avoid some of the critical mistakes they made by trial and error. You can never get enough knowledge from word of mouth. There are a number of highly regarded workflow testing for integration providers including BP Logix Process Director, Wrike, TrackVia, HighGear, and Integrity.

7. Pen Test Your Setup

In order to verify the security of your integrated cloud infrastructure, regular testing should be scheduled and executed. Your organization should partner with third parties firms who are qualified to run penetration tests, which simulate different types of cyber attacks and help you uncover vulnerabilities within your digital systems.

The popularity of the cloud has forced security developers to get creative. Though cloud apps need pen testing as much as on-premise systems, the nature of the design adds technical and legal complexities that must be addressed through the idea of cloud governance.

Cloud governance refers to the reality that the cloud becomes so hysterically complicated after the second or third deployment that a team usually runs smack into a wall related to the number of services and amount of resources they can manually control. What then?

That’s when you will wish you had already implemented a governance scheme that uses a cloud management program to apply policies and principles on an abstraction layer between the actual services and those who manage them. It’s the only way to manage a growing cloud operation.

For companies of all sizes, cloud infrastructure can be used to deliver services to employees and customers distributed across the globe. This includes virtual private network (VPN) support, which allows users to connect to the cloud through an encrypted tunnel.

To increase security, a web filter or proxy service should be integrated with all desktop deployments with the purpose of blocking dangerous websites that could compromise the security of software or hardware in a user’s on-premises network. When using major public cloud providers such as AWS, admins should regularly update their client Certificate Revocation Lists (CRLs) to blacklist specific bad actors.

Key Points

  1. Recognize that no system is impenetrable, including Amazon.
  2. Find an external, third-party IDS provider and use them frequently.
  3. Make sure that you are protecting sensitive information using good encryption practices.
  4. Keep all your communications safe by using a paid VPN solution.
  5. Incorporate safety features at a local level with firewalls, proxies, VPN’s, and/or web and email filters.

Looking Ahead

Regardless of your company’s size, it should have a dedicated security team in place. DevOps teams should now be considered DevSecOps, according to the latest annual Deloitte Tech Trends report:

“Organizations [should] embed security, privacy, policy, and controls into their DevOps processes and culture, enabling the entire IT organization to share responsibility for security.”

This is especially true in a distributed environment where hardware and software is integrated and constantly changing.

One of the key advantages of cloud computing is that it allows for convenient scaling with IaaS products. For example, if your company's web traffic doubles in size over the course of a single month, your cloud provider will boost memory and computing power to keep performance steady.

But that comes with added security implications, which must be monitored to ensure the health of all integrated systems.

About the Author

Sam Bocetta is a former security analyst, having spent the bulk of his career testing network security for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of Sam’s work involved penetration testing ballistic systems. He analyzed our networks looking for entry points, then created security-vulnerability assessments based on my findings. Further, he helped plan, manage, and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems used by the Navy (both on land and at sea). The bulk of his work focused on identifying and preventing application and network threats, lowering attack vector areas, removing vulnerabilities and general reporting. He was able to identify weak points and create new strategies which bolstered our networks against a range of cyber threats.

Rate this Article

Adoption
Style

BT