Securing Data in the Cloud
The reality is that cloud computing presents a spectrum of choices. At one extreme is limited outsourcing, in which the company retains responsibility for most computer security, including configuring server operating systems and the data center firewall—but not the physical security of the cloud data center itself. In this scenario, your IT department must secure all applications and databases, oversee security patch management, and be prepared for all forms of cyberattack and incident responses.
At the other extreme, the cloud provider supplies virtually all of the servers, applications and security.
In any corporate network, IT will likely be working with a mix of environments, some behind the firewall and not in the cloud at all, and others at various points along the spectrum. Since rules for managing computer security risks vary for each situation, it’s critical for managers to have an up-to-date matrix showing which environments are in the cloud and which are not—and, for the latter, to delineate which security functions must be handled by the provider, and which by the company.
Provider contracts must clearly state provider security obligations and responsibilities. That said, be forewarned that many recent hacking exploits relate to systems and processes normally retained by the company. See the following examples:
· Phishing attacks—whereby an attacker sends an infected email to employees—bypass most forms of perimeter security. The best way to thwart such attacks is via user education and good incident-response escalation policies.
· SQL injection attacks—whereby an attacker attempts to gain rights to a server by injecting code into an application running on that server—can be prevented by writing good application code and testing its security, which is not normally part of a cloud provider contract.
As a result, granularly defining responsibility for each risk, environment by environment, is the cornerstone for safeguarding the whole, as is defining the security measures that need to be taken for each risk.
Here’s a further complication: Cloud providers often can reduce cost in part by transferring data to the most efficient location in the stack: an array of their own and subcontractors’ global data centers. Therefore, pay close attention to contract clauses that allow the use of subcontractors and far-flung locations.
Unless your company knows which specific entities will be storing your data and where it will be stored, it will be difficult to understand and assess provider security staff, skills and functions. Giving providers free rein to transfer data can also lead to violations of European Union guidelines and other data privacy issues.
Technically, cloud providers may slice and dice a company’s data pertaining to a single application, sending different data to different locations. Clearly, such practices can greatly complicate business-continuity measures. Closely scrutinize cloud provider service-level agreements to understand how the provider intends to ensure computing and data availability if data are distributed across the stack.
Quality and Response
Quality and speed of response are key components of any security system. Incident response components include the ability to:
· image affected servers;
· interview IT staff ;
· dump server memory;
· copy off and analyze security logs;
· increase the robustness of logging during an attack;
· restore backup tapes;
· monitor traffic during an attack through placement of sniffers; and
· insert “honey pot” servers into the network to ensnare the attacker, as well as other intrusive techniques.
During a denial of service attack—in which attackers flood the network with irrelevant data or requests—great coordination is needed among the cloud provider, upstream Internet service provider and the affected company to try to divert or filter out irrelevant traffic. Whether the cloud provider will or can do some or all of these things quickly—and even whether its staff is qualified to assist—must be explored in advance.
Data distribution across the global stack can complicate incident response, especially if the provider has contractual rights to change the locations of data storage based purely on its own efficiency.
In summary, cloud computing is not a security silver bullet. Instead, it introduces many complexities and fluidity into the mix. Managing the risks demands careful thought, clearly defined lines of responsibility and much parsing of legal fine print.
Eric Friedberg is co-president of Stroz Friedberg, a global digital risk-management and investigations firmed headquartered in New York. An expert in cybercrime response, computer forensic investigations and electronic discovery, Friedberg is a former assistant U.S attorney in the U.S. Attorney’s Office for the Eastern District of New York. He can be reached at firstname.lastname@example.org.