www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 April 2010  

Securing the Cloud

Securing cloud computing

For secure cloud computing, companies must adopt next-generation technologies that are both effective and cost-efficient to prevent unauthorized access to critical data and applications, writes Nivedan Prakash

The prevailing consensus in the industry is that cloud computing is emerging as a disruptive technology that can potentially turn enterprise computing on its head. In fact, it will change the way that enterprises compute since it will enable businesses to leave their aging, inflexible, and costly IT infrastructure behind and move to a new ‘pay as you go’ world characterized by choice and agility.

However, with data privacy and other concerns, it could open up a potential Pandora’s Box of security threats. Hence, one of the biggest business requirements that enterprises need to evaluate while looking at cloud-based solutions is security.

Security has always been seen as the biggest barrier to putting applications in the cloud. Trusting a supplier with business-critical data has been a step too far for many large companies. Businesses have been rightly afraid that their data might fall into the wrong hands in such a scenario.

Data security issues such as encryption and authentication are real concerns when it comes to adopting cloud computing. When we talk about data security, issues such as data breach liability and data privacy are bound to arise.

“Encryption is a concern while opting for the cloud. For starters, many providers may not offer encryption, or even if they do, the challenge remains as to who holds the key to the encryption. Further, decryption may be required if the data is processed in the cloud. Simultaneously, issues like malware and Trojans bring to light the challenges involved in having strong authentication options in place,” said Vishal Dhupar, MD - Symantec India.

Richard Jacobs, CTO at Sophos, believed that with the growing interest in cloud-based applications, there had been a rapid increase in the quantum of both security threats and regulations that mandated data protection. Moving to cloud-based applications does not absolve companies of their responsibilities in these areas, but the lack of transparency in many cloud-based systems has made security assessment a difficult task.

Security ramifications

"Data in the cloud shares compute resources and, if not secured properly, it can be accessed by cyber criminals who are experts at accessing and taking control of information stored remotely"

- Yogi Mistry
Senior VP at Narus

"Moving to cloud-based applications does not absolve companies of their responsibilities, but the lack of transparency in many cloud-based systems has made security assessment a difficult task"

- Richard Jacobs
CTO at Sophos

"Security, privacy and compliance issues are all top-of-mind concerns, especially as organizations consider public cloud-based services to support strategic business functions"

- Michael Barnes
VP - Software and Asia Pacific Research, Springboard Research

In cloud computing, the data and applications are hosted across various servers that together constitute the cloud. For the user to access these programs or data, they need to be transmitted from server to server and finally to the user. While this transmission happens, it is possible for an intruder to gain unauthorized access. Also, in cloud computing, unlike in a secure network where access from outside the network can be completely prohibited, anybody with access to the credentials can log in from anywhere over the Web.

“Enterprises moving to the cloud need to evaluate the provider’s data protection, access and identity management, application security management and vulnerability management practices to ensure that they meet the security, compliance and regulatory needs of the enterprise. A multi-tenant environment where the data can co-exist with other tenants’ data on the same physical hardware increases the risk of data theft and segregation becomes an important issue,” highlighted Ratnesh Sharma, Director - Global Product Management and Marketing, Citrix Systems.

Surjit Lahiri, VP and Head of Product Engineering Practice at Mindteck India, said that moving data and applications in the cloud can lead to multi-tenancy. In a public cloud environment, multi-tenancy means that data/applications from multiple corporations can co-exist on the same physical server. This necessitates security controls such as strict governance processes, administration access control and authentication frameworks, and vigilant patching of virtual infrastructure, for example to prevent cross-guest virtual machine breaches.

There are certain security ramifications of moving data and applications in the cloud. Due to the lack of clear ownership of security in the cloud, enterprises need to weigh the business risks and then decide which applications they want to move to the cloud. An attack on one application on the SaaS platform could easily bring down other applications. Enterprises running design simulation or crunching code on an IaaS platform face the possibility of their intellectual property and proprietary information being stolen.

According to Michael Barnes, VP - Software and Asia Pacific Research, Springboard Research, security, privacy and compliance issues are all top-of-mind concerns, especially as organizations consider public cloud-based services to support strategic business functions. As always, security concerns over unauthorized access remain an issue for anyone considering public cloud-based services.

“Security is one of the major concerns with respect to moving data and applications in the cloud. When data is stored in the cloud, it is not on a physical server or computer that stays locked in the data centre. Data in the cloud shares compute resources and if not secured properly, it can be accessed by cyber criminals who are experts at accessing and taking control of information stored remotely,” asserted Yogi Mistry, Senior VP at Narus.

Cyber criminals can also unleash Distributed Denial of Service (DDoS) attacks, threatening to cut off the incomes of cloud computing providers by making their services unavailable and extorting payments to prevent the launch of an attack. Hence, with new technologies in the IT market, we need new and advanced software with which we can see the network traffic clearly and mitigate cyber threats early on, before the damage is done.

Abhinav Karnwal, Product Marketing Manager, APEC, Trend Micro, pointed out that some possible security ramifications included abuse and the nefarious use of cloud computing, insecure application programming interfaces, malicious insiders, shared technology vulnerabilities, data loss/leakage, account, service and traffic hijacking and unknown risk profile. It is extremely critical for cloud users to be aware of vulnerabilities in shared technologies, such as virtual machines, communications systems or key management technologies. It is also important for organizations to be aware of their service providers' risk profile.

Adoption of robust security technologies

"Customers have to necessarily adopt robust security technologies to avoid financial loss and other consequences of opportunistic and targeted online attacks to survive and flourish"

- Vikas Arora
Group Director – Cloud Services,
Microsoft India

In today’s scenario, it is imperative for enterprises and consumers to adopt robust security technologies to combat potential cloud computing threats. Since the applications are being hosted away from the consumer’s premises and the customer data stored with the service provider, it is absolutely necessary for the service provider to ensure that they are not tampered with.

If enterprises have outsourced to a cloud vendor, it does not mean that they do not need to worry about security issues. In fact, data breach fears including fear about data being transmitted and stored by a cloud services provider, keeping data safe, and preventing it from being lost or stolen are on the rise. Users often wonder about unproven cloud vendor security practices and the virtual separation between infrastructure and clients.

Vikas Arora, Group Director - Cloud Services, Microsoft India, explained that customers have to necessarily adopt robust security technologies to avoid financial loss and other consequences of opportunistic and targeted online attacks to survive and flourish in today’s cut-throat competitive scenario. Enterprises need to ensure that their privacy and security needs are met, including secure access when connecting to cloud services—such as authentication or authorization, endpoint security validation, and security in the data center—for their own well-being and data safety to obviate any kind of financial/productivity losses that might arise from organized online attack on their databases.

“While the advent of cloud infrastructures built on a measured chain of trust is not a cure-all for cloud security and compliance, it does mark an important milestone. The hardware and virtualization layers, formerly a ‘black box’ within the cloud, can now be inspected, analyzed and reported on for compliance just as easily as the cloud’s top-most application services layer. With this previously unimagined level of visibility, cloud providers can develop the infrastructure-level policy controls and end-to-end security attestations to handle the most demanding security requirements,” said Vikas Desai, Lead Technology Consultant - India and SAARC, RSA.

Jatin Sachdeva, Information Security Specialist at Cisco, was also of the view that since the cloud service was exposed to the outside world, the cloud infrastructure should support security functions such as intrusion detection and prevention, firewalling to prevent disallowed traffic, and DoS prevention. “The cloud service is vulnerable to DDoS attacks and in order to address this problem holistically, we need security tools that will allow our customers to embrace these changes. And in order to do that, we have to be able to leverage the power of the network,” he added.

Coming of new security mechanisms

For cloud computing to work, there is a need to understand how security in the cloud works and to clearly define where the responsibility lies. Customers may need to assess the ratio of business risks to returns before moving high risk data into the cloud. They may decide not to move all the applications into the cloud.

Sanjay Singh, MD of Akamai India and VP for Global Services and Support, stated, “At present, a cloud based Web Application Firewall (WAF) offers an innovative approach to helping organizations address some of the cloud security concerns by adding a globally distributed layer of defense. It provides a distributed layer of defense against global attacks and is available 24x7 to protect applications. This cloud based WAF offers unmatched scalability (DDoS protection), flexibility and adaptability, cost efficiency and superior redundancy.”

“Cloud services need to be offered over a secure layer ensuring that the transactions are secure. The SSL certificates issued by leading certifying authorities such as VeriSign provide trust to end users or applications that services are secure. The access to cloud services needs to be protected by a strong authentication mechanism which ensures that only authorized users and applications are accessing these services. The cloud mechanism needs to support role based access controls for administrators. Access to the administration console needs to be protected using a strong authentication mechanism using either digital certificates or by one time password technologies. The cloud services also require adequate audit mechanisms for the enterprise administrators to verify the services,” said Rajiv Chaddha, VP of VeriSign India.

To address concerns regarding security and privacy, companies are also looking at next generation technologies that can facilitate the move to the cloud. One example is access technology which helps provide seamless access to ‘enterprise assets’ such as the directory that cannot move out of the enterprise data center. Another example is that technologies available in traditional firewalls are now being made available on the cloud such as URL filtering, Web proxies, bi-directional deep packet inspection to mitigate zero-day threats, anti-virus gateways, etc.

Another way to get better security in the cloud is to use private clouds where the data is more secure and is not shared with other users on the same physical hardware. The application deployment is also done in a closely hosted environment, which makes it difficult for other users to access any application or data in a private cloud.

According to Surendra Singh, Regional Director, SAARC and India, Websense, SaaS Web security and e-mail security customers automatically and continuously receive real-time threat updates from the Websense ThreatSeeker Network. Additionally, the scale and elasticity of cloud computing resources delivers multilayered threat protection without any performance impact. “As a result, our customers achieve protection against dynamic, zero-day threats without the overhead associated with on-premise security updates or capacity monitoring,” he said.

“Mostly data privacy technologies such as encrypted volumes, point-to-point secure communication and secure database transactions are the new security mechanisms that would secure cloud data platforms. Other security mechanisms like network security and safety against virus/malware attack are already available to most cloud providers,” added Ram Krishna G., Technical Head at Sanvei Overseas.

In the coming days, technologies like tokenization and fraud detection could easily change the way that we define cloud security. Customers could model user behavior and everything could be managed and measured in real time in the cloud. Vulnerability assessment tools could continuously look for new vulnerabilities which can be fixed before zero day attacks. Heuristics can be used to model behaviors and build new rule sets in real time to stop new attacks. All this can theoretically be performed by a security service in the cloud.

According to Jeremy Cooper, VP - Marketing, APJ of Salesforce.com, enterprise cloud computing reduces the major IT security risks of misconfiguration, informal or uncoordinated tools and procedures, and errors or abuse by in-house staff. Cloud-based IT actually offers, in most cases, superior visibility and management of users’ privileges, combined with higher standards of system audit and operator training/certification.

Scrutinizing vendor credentials

It is crucial for customers to know the credentials of the vendors and the extent to which their security offerings are safe. Customers should insist on ISO 27001 certification and read the SLAs carefully. Global infrastructure and references are also important.

It is critical for organizations to fully assess vendors' security systems, as the most critical element of their businesses, i.e. information, is in the hands of the service providers. It is also important for them to avoid cloud lock-in, which will help them to switch providers and to retain control over the company's IT processes.

Seema Ambastha, Director - Technology, VMware India and SAARC, said, “Organizations need to learn as much as possible about their cloud providers’ security policies, procedures, systems and controls, some of which may be different from or incompatible with their own. The general idea behind these detailed assessments is that although an organization may have little visibility into the cloud provider’s operations and to the actual status within the cloud, it can take assurance from verifying the cloud provider’s business practices.”

“Information, data, and application availabilities are lifelines for any enterprise and hence evaluation of various cloud service providers along with their SLAs is a must. Enterprises need to thoroughly evaluate the credentials of the cloud service provider. It’s also advisable to visit the cloud provider’s infrastructure to check the physical security controls, infrastructure, SLAs, redundancy levels, BCP plans, etc. before signing the dotted line. It would be wise to migrate in phases rather than do a 100% shift from on premise to cloud starting with relatively less critical applications,” concluded Sriram S, CEO of iValue InfoSolutions.

nivedan.prakash@expressindia.com

 




© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.