Building Security Into the Cloud
By Samuel Greengard
Over the past few years, businesses have steadily marched into the cloud in pursuit of greater productivity and IT efficiency. Many have discovered that cloud computing unlocks gains that wouldn't have been imaginable only a few years ago.
Yet, for all the progress—nearly 97 percent of organizations use some form of cloud, according to the Open Data Center Alliance (ODCA)—huge questions and concerns about securing this data remain.
"Cloud computing and software as a service are rapidly emerging as mission-critical functions," states Jack Sepple, global managing director of cloud computing for consulting firm Accenture. "The technology and tools provide new opportunities for businesses, but also create new concerns and risks related to security."
Although clouds require many of the same protections that IT departments have used over the years—patching, encryption, malware protection, endpoint security and data loss prevention, to name a few—they also need a more "comprehensive and overarching approach," he notes.
Navigating this new cloudscape isn't optional. ODCA predicts that half of all its member firms (mostly larger companies such as BMW, China Unicom, Deutsche Bank and Lockheed Martin) will have 40 percent or more of their IT operations in private clouds by 2015, and a quarter will run more than 40 percent of their operations in public clouds.
Gary Loveland, principal at PwC, says that companies must move beyond a fear of clouds. "We have moved into a new era of computing and the cloud is an important part of the picture," he points out.
Into the Clouds
One thing that makes cloud security so challenging is how rapidly the technology and overall cloud environment are evolving. An infrastructure that's state of the art today may be obsolete several months down the line.
What's more, cloud technology may force an organization to re-examine long-existing policies and strategies. Although much of the fear of clouds is rooted in the fact that the data often resides outside the four walls of the enterprise, there are real-world risks associated with cloud computing.
In reality, cloud security, like all enterprise security, involves more than technology and technical acumen. It encompasses legal issues, regulatory and compliance requirements, and internal training, as well as addressing the persistent threat of outside attack.
As businesses move into clouds, including software as a service and infrastructure as a service, it's crucial to build a broad security framework that unleashes the potential of clouds, while protecting against intrusions, data leakage and other risks.
It's a concept that Clayton Holdings has made a core part of its business and IT practices. The company, which has about 650 employees located in five U.S. offices, provides consulting, loan review and credit risk management services for banks, mortgage lenders, investors and insurers.
"The cloud was a very scary concept to a lot of people working at Clayton Holdings," notes John Cowles, vice president of intelligent business operations. Nevertheless, in September 2008, the company migrated to an Appian business process management (BPM) system running in the cloud. This approach helped the firm gain key functionality quickly, while decreasing its capital investment.
The project was the company's first major foray into cloud computing and, with highly sensitive data such as names, street addresses, loan balances, social security numbers and other details residing in its IT systems, "we had to make sure we didn't wind up in the news," Cowles acknowledges.
In addition to using conventional security tools such as authentication, malware protection and data loss prevention (DLP), Clayton decided not to store any personally identifiable information (PII) in the cloud. Instead, he built a system that could connect any or all data on an on-demand basis once a user is authenticated through the internal network. A system separates PII about customers from their records using an internal ID. Clayton also relies on a VPN to ensure that all communication remains encrypted.
Employees use a special form that retrieves the cloud-based data and generates a full record from the BPM system. "We conducted a detailed analysis up front, and included input from our security and legal teams, so we knew that we had a high comfort level with the cloud," Cowles says.
"It's critical to put the right controls, as well as checks and balances, in place. Yet, it's also important to get past the notion that you don't have control if the data doesn't reside within the systems in your enterprise."
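The Clayton Holdings design described above (PII kept off the cloud, cloud records tied to it by an internal ID, and the full record rebuilt only for an authenticated internal user) looks like this in Python. This is an added example, not Clayton's or Appian's code; the field names, the `InternalPiiStore` class and the boolean `user_authenticated` flag are assumptions standing in for the real internal store and network login.

```python
import secrets

# Assumption: which fields count as PII (the article names these kinds of data)
PII_FIELDS = frozenset({"name", "street_address", "ssn"})


class InternalPiiStore:
    """Stands in for the store reachable only from the internal network."""

    def __init__(self):
        self._pii = {}

    def put(self, pii):
        # Random ID: it carries no information derived from the PII itself
        internal_id = secrets.token_hex(16)
        self._pii[internal_id] = dict(pii)
        return internal_id

    def get(self, internal_id, user_authenticated):
        if not user_authenticated:
            raise PermissionError("PII lookup requires an authenticated internal user")
        return dict(self._pii[internal_id])


def split_record(record, pii_store):
    """Return the cloud-bound part of a record, keyed by an opaque internal ID."""
    pii = {k: v for k, v in record.items() if k in PII_FIELDS}
    cloud_part = {k: v for k, v in record.items() if k not in PII_FIELDS}
    cloud_part["internal_id"] = pii_store.put(pii)
    return cloud_part


def full_record(cloud_part, pii_store, user_authenticated):
    """Rebuild the full record on demand, as the retrieval form would."""
    pii = pii_store.get(cloud_part["internal_id"], user_authenticated)
    merged = {k: v for k, v in cloud_part.items() if k != "internal_id"}
    merged.update(pii)
    return merged


def leaks_pii(cloud_part, record):
    """True if any PII field name or value appears in the cloud-bound data."""
    pii_values = {str(record[k]) for k in PII_FIELDS if k in record}
    return any(k in PII_FIELDS or str(v) in pii_values for k, v in cloud_part.items())


# Constructed sample record (not real data)
SAMPLE = {"name": "Jane Example", "street_address": "1 Sample St",
          "ssn": "000-00-0000", "loan_balance": 182500, "review_status": "pending"}
```

Running `leaks_pii` on every outbound record before upload gives a cheap regression check that a schema change has not started sending a PII field to the cloud side.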
PwC's Loveland says that clouds are just another tool or avenue of IT that must be addressed. "Organizations must dive in with their eyes wide open, take a proactive approach, and understand where data is stored, how it's stored and how it all relates to security and privacy issues," he advises. "It's about knowing what protections the cloud provider offers and what you need to do internally, and then building an infrastructure that minimizes risks."
A basic but often overlooked reality is that all data is not created or valued equally. Consequently, as organizations migrate to the cloud, they must address data classification issues.
According to Accenture, it's crucial to invest time and effort classifying data up front and distinguishing between security and data privacy. Only then can a business fully understand the value of data and how to handle each class. For example, non-regulated and low-sensitivity data can be safely stored in a public cloud without modification, while highly sensitive data may be better stored in private clouds or may require much tighter controls.
A Mix of Public and Private Clouds
Sorting through the dizzying array of issues related to cloud computing is something that Avatar New York has placed on a front burner. The marketing and e-business provider -- which claims clients such as Bergdorf Goodman, Sapporo and Yamaha -- has moved into a mix of public and private clouds to manage complex client projects.
Avatar uses Rackspace to ramp up the number of servers and computing resources as needed and relies on Puppet Labs to handle IT administration in the cloud. "Since we are managing valuable customer information, we have rigorous security requirements," explains Patrick Tully, chief technology officer.
The company also turned to CloudPassage and its Halo cloud protection software to secure its public cloud servers.
"Public clouds are extremely dynamic in nature, with IP addresses and other configuration settings subject to change if the server instance is rebooted," Tully says. "This causes all sorts of problems relating to host-security controls that rely on a static environment to operate."
To be sure, the software makes it easier to add servers and computing bandwidth within minutes, while also ensuring that all are airtight and adhere to compliance requirements before they are exposed to the Internet. The entire process is automated using Puppet scripts. Altogether, Avatar now operates more than 50 servers in the cloud.
Accenture's Sepple says that a cloud environment can actually be safer than servers residing in an enterprise data center. In the end, it's largely about taking a step back and examining best practices involving the cloud.
Once an organization understands its privacy and security risks, classifies data and establishes clearly defined roles surrounding security, other pieces fall into place. At that point, it's essential to find a cloud provider that offers a high level of transparency—including who it might subcontract with and what chain of controls exists—and then put the proper identity and access management pieces in place.
PwC's Loveland says that it's vital to determine the optimal mix of public, private and hybrid clouds, and examine how all types of technology (including mobile technology and social media) affect the cloud. Mobile device management solutions and other technology management tools become more important in this new order of technology. It's also crucial to educate and train employees.
"Cloud computing is rapidly moving into the mainstream of the enterprise," Loveland points out, "so building the right protections is critical."