Aside from being a hot topic (at least as a buzzword), cloud computing doesn't really contain anything new. It is simply a natural evolution of IT operations, enabled by technologies that have matured sufficiently, such as virtualization.
It is not simply about doing things at a lower cost: cloud computing allows you to do things more efficiently and, in several cases, also more securely (true, that is not easy to believe).
Why the resistance to adopting cloud computing?
Because although it is not something new, its adoption forces us to reflect on situations that we considered resolved in traditional schemes of local IT services, such as the issues of ownership, privacy and integrity of information. Many of these issues are based on real concerns:
But there are also other not so well-founded concerns, based on prejudice and a congenital and deficient perception of risks by human beings (see this article by B. Schneier for example, or this graph on probabilities of death... you will see that what we fear most is not what kills us most often.) Based on the facts, it turns out that situations like the following have an equal or greater impact on the local environment than on a remote/cloud environment:
Perception that there are better levels of security within the company itself. It is simply impossible for most companies to keep the best specialists and a proper architecture in-house. By economies of scale, a supplier dedicated to offering these services can often do a better job.
Perception that handing confidential data to a third party for safekeeping, outside the company, carries a greater risk. In reality, the penalties in most privacy laws are just as severe whether the information is leaked by a poorly supervised third party or by an intern. Do we really have the ability to properly control all of our internal staff? Who has the greatest capacity to do harm, to take better advantage of confidential information, to collude with those who protect it and to know how to evade the security measures in place? What do the statistics say about leaks by insiders vs. outsiders? Here's a tip: the Ponemon Institute and Accenture study titled "How Global Organizations Approach the Challenge of Protecting Personal Data, February 2010."
Fear that cloud security measures are not effective enough. Traditional security measures are just as effective in a local environment as in a remote environment not controlled by us. If we are concerned that a stack of firewalls, intrusion prevention systems, anti-malware, etc. will inadequately protect our information at cloud providers, we should be equally concerned today about the level of protection they offer in local environments.
Cloud computing therefore does not generate new risks; it simply makes them more evident, given our way of perceiving them. There are reasons to be worried, but cloud computing shouldn't be the main one.
Effective controls
We can list the following risks as the most relevant from the point of view of information protection:
Principle 1: "A control is more effective the closer it is to the object it protects." This can be easily corroborated by analyzing the decisions you have to make based on your environment. All control consists of 3 fundamental elements (whether explicit or implicit in its way of operating):
Let's look for example at the difference between a network firewall and a host-based firewall. The first has visibility over the network but not into what happens inside the machines it protects. It can filter certain connections that are clearly not allowed, but it cannot make decisions about illicit activity carried over permitted network services (e.g. it cannot tell whether a web session comes from a browser and was initiated by the computer's user, or comes from a malicious program installed on the computer that emulates the activity of a legitimate user).
The host firewall is closer to the source of the session, and has more elements to determine whether the connection is legitimate (whether it was initiated by a valid user or not). Ultimately there is no better control in this case than to ask the user directly, authenticating them to see whether the session was initiated by them; for example, asking them for a password, although this scheme has its shortcomings, since the credentials can be intercepted. But how about controlling access with a dynamic-key token that the user owns, used along with a password that only he/she knows?
Principle 2: "A control is most effective when it covers all the exposure points of the object to be protected." It is obvious that if there are 10 doors through which someone can enter the house, the more of those doors are protected, the better chance we have of keeping an undesirable person out. Here I am always asked what happens with unidentified vulnerabilities; it is simply a statistical matter and does not change the above at all. The probability that there are n undiscovered vulnerabilities is the same in both cases, if it is the same house and the same doors.
Let's look at some examples with traditional controls. How about a peer-to-peer encrypted channel? Protection starts only when the information enters the channel and ends as soon as it leaves at the other end. Assuming the sender is one person and the receiver is someone else, a traditional encrypted channel (say an SSH tunnel, SSL, or some virtual private network) leaves unprotected areas on the computers (and perhaps networks) at both ends.
These gaps are huge, as they allow countless attacks at both ends (man-in-the-middle, interception/modification by malware, etc.). How about a slightly simpler control: the first person encrypts the document by hand with a one-time pad and sends the ciphertext to the other person, and the pad used to encrypt is handed over to the other person. If the scheme is well applied, no malware or "man in the middle" attack will be effective. Basically you would have to force/induce one of the people to reveal the content of the message, physically spy on them, or use some other scheme that directly involves the participants.
Principle 3: "A control is most effective when its operation involves independent entities, and all actions are recorded in systems that are beyond the scope of the person responsible for control." This is better known as the principle of segregation of duties. The idea is that a single person cannot abuse his power to perform improper acts.
Example: the activation of a payment function can be done by a user once he has authenticated (password, token, biometric, whatever they like...). In this case we depend on the person not abusing this privilege.
Even better would be for this functionality to require, in an automated way, the authentication of two people with different roles, and additionally to record all the activity carried out by each participant, and by the system itself, in a system not controlled by them.
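As an added illustration of principle 3 (this is example code written for this article, not something from the original post), the following Python sketch releases a payment only when two distinct users with distinct roles approve it, and writes every attempt to a hash-chained, append-only log. The user directory, role names and sample events are constructed; in a real deployment the log would live in a system outside the control of the people it records.

```python
"""Two-person control with an independent, tamper-evident audit log.
Added example; users, roles and events are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class AuditLog:
    """Append-only record where each entry commits to the previous one.
    Editing or removing any entry breaks the chain on verification."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the whole chain from the first entry."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expected:
                return False
            prev = e["digest"]
        return True


# Constructed directory: user -> role. Roles, not just user names, must differ.
ROLES = {"alice": "treasury", "bob": "finance-control", "carol": "treasury"}


def release_payment(payment_id: str, amount: int, approvers: list, log: AuditLog) -> bool:
    """Approve only with two distinct users holding two distinct roles.
    Every attempt, approved or rejected, is logged before the decision returns."""
    users = set(approvers)
    roles = {ROLES[u] for u in users if u in ROLES}
    approved = len(users) >= 2 and len(roles) >= 2
    log.append({
        "op": "release_payment",
        "payment": payment_id,
        "amount": amount,
        "approvers": sorted(users),
        "decision": "approved" if approved else "rejected",
    })
    return approved


if __name__ == "__main__":
    log = AuditLog()
    print(release_payment("P-1", 5000, ["alice", "bob"], log))    # two roles -> True
    print(release_payment("P-2", 5000, ["alice", "carol"], log))  # same role -> False
    print(log.verify())                                           # intact chain -> True
```

The chain only makes tampering detectable; the separation comes from storing the log where neither approver has write access, which is the point of the principle.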
Principle 4: "A control is most effective when its operation considers several instances to ensure its continuous operation and the access/operation of the object it protects." A firewall like any software or hardware control can have some operational problem; electronic backup media are also likely to have some failure. Including two or more instances of these control elements reduces that probability.
Having a synchronization scheme also reduces recovery time, and using a high availability scheme even increases the capacity available to perform operations with the protected object (e.g. firewall clusters in high availability, groups of cryptographic cards to accelerate encryption for websites, multiple backups stored in different places, etc.).
Principle 5: "A control is most effective when its implementation, configuration and operation considers information specific to the environment where it will operate." This involves acting on the specific risks of each environment. Obviously, those who know best the risks and specific security needs of each environment are the personnel of each company; not providers of security products and services who consider general situations to approximate something that works as well as possible "for most cases."
A traditional antivirus is based on blacklists of malicious code or general patterns that have a sufficiently high incidence globally (or locally depending on the provider); it will never be as effective as a whitelist of software certified to operate in a given company. The latter control also effectively protects against unknown threats in the same field, while the former has to assume things for lack of contextual information. These assumptions may or may not be suitable for the specific environment (generating higher false positives and negatives).
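To make the blacklist/whitelist contrast of principle 5 concrete, here is an added Python example (not from the original post) that compares a vendor-style denylist plus a generic heuristic against a company-specific allowlist of certified executables, both keyed by SHA-256. The "binaries", hashes and the heuristic pattern are all constructed stand-ins.

```python
"""Denylist (global knowledge) vs. allowlist (environment-specific knowledge).
Added example; file contents, hashes and the heuristic are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables.
APPROVED_TOOL = b"approved internal tool v1.0"
PACKED_INTERNAL_TOOL = b"packed: approved internal deployment tool"  # legitimately packed
KNOWN_MALWARE = b"widely reported malware family sample"
UNKNOWN_MALWARE = b"new malware no vendor has seen yet"

# Vendor view: only what has been reported globally, plus a generic heuristic
# ("packed binaries are often malicious") that does not know this environment.
DENYLIST = {sha256(KNOWN_MALWARE)}
HEURISTIC_PATTERNS = [b"packed:"]

# Company view: the set of software certified to run here.
ALLOWLIST = {sha256(APPROVED_TOOL), sha256(PACKED_INTERNAL_TOOL)}


def denylist_allows(data: bytes) -> bool:
    """Traditional antivirus logic: run unless known bad or heuristically suspicious."""
    if sha256(data) in DENYLIST:
        return False
    return not any(p in data for p in HEURISTIC_PATTERNS)


def allowlist_allows(data: bytes) -> bool:
    """Whitelist logic: run only if this exact binary is certified for this environment."""
    return sha256(data) in ALLOWLIST


def compare(data: bytes) -> dict:
    """Decision of each control for one binary."""
    return {"denylist": denylist_allows(data), "allowlist": allowlist_allows(data)}


if __name__ == "__main__":
    for name, blob in [("approved", APPROVED_TOOL), ("packed-internal", PACKED_INTERNAL_TOOL),
                       ("known-malware", KNOWN_MALWARE), ("unknown-malware", UNKNOWN_MALWARE)]:
        print(name, compare(blob))
```

Run it and the two failure modes from the paragraph appear side by side: the denylist lets the unknown sample run (false negative) and blocks the legitimately packed internal tool (false positive), while the allowlist gets both right because it encodes what this environment actually uses; it also rejects a modified copy of an approved binary, since the hash no longer matches.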
What about security measures for cloud computing?
Same risks do not necessarily mean same controls. There are some variables that have changed.
Changes in regulations have been reflected in changes in the impact of an incident. How much has the impact changed? Well, just remember that less than 10 years ago a malware author could gain fame and a good contract for his actions; today he can get several years in jail without any glory.
Also, a company less than 10 years ago that lost personal information could go virtually unnoticed, with minimal or no consequences. Nowadays a similar incident could cause the disappearance of the company or a strong impact on its reputation, depending on the sector to which it belongs.
What is clear is that traditional controls (or a traditional implementation of such controls) never achieved an adequate degree of effectiveness in local environments (this was always known). Companies and security professionals simply tolerated it, or in other words, accepted these risks (because of a false sense of security to a large extent).
The methods and technologies needed to implement such controls are not new. Many were in fact conceived before most of the traditional controls we know today were created and mass-marketed. However, their correct application does require a deep knowledge of security architectures and IT risk management (as they say out there, the devil is in the details).
Having presented 5 principles of effective security and without entering into an endless discussion about the characteristics of each possible control, below I include a simple recipe to choose controls that can be applied in the cloud, in an architecture that in my opinion can be more effective even than what can be found locally in many companies today:
1. Consider primarily security controls oriented to the object we want to protect: the data (or the information, where possible).
Access and role control
Cryptography to ensure confidentiality
Splitting of sensitive information and/or information necessary for operation
High availability schemes
Operation logs
3. Leverage the nature of cloud operations to apply segregation of duties, keeping records of operations on both sides (customer and provider). This limits the possibility of corrupting all operation records at both locations and facilitates compliance reviews.
4. Leverage the strengths of cloud services, such as increased availability of infrastructure and specialized personnel. Implementing high availability architectures for IT services and various access channels across several locations in the world was once a luxury that only the largest companies could afford. Today these schemes are accessible in the cloud at a very affordable cost (sometimes less than what is paid for on-premises infrastructure).
5. Maintain control of the data from the source, whenever possible (encryption, tokenization, data slicing, shuffling, etc.). While you can leverage cloud infrastructure to take advantage of its availability, encrypting data at the source saves us from even having to think about whether an outsider might see it. There's no need to move everything to the cloud. Even in cases where you must operate on the data (beware, not all data is required for all operations), it is worth objectively analyzing where the greater risks lie: operating with internal staff under current trust control schemes, vs. operating with external staff in company facilities covered by current contracts, vs. operating with external staff in external locations covered by a contract that typically limits liability. (You will find that in many cases there is no difference in the level of actual protection you get, except for the extra advantage of segregation.) Always involve attorneys when privacy law issues are involved.
Conclusions, a good one and a bad one
The bad news is that today most companies have a much lower level of real security than they would get if they migrate to the cloud and force themselves to implement more effective security measures.
Let's think about it, just because today everyone has firewall and antivirus as a base security level, is this really what gives us the level of security we require (in the cloud or locally)? Not that we should get rid of these kinds of controls, but perhaps we are ignoring more basic and effective controls.
The good news is that we don't have to worry too much about adopting cloud IT operations. Nor should we stop worrying altogether, since that is precisely what has produced the false sense of security that many companies maintain today.
After several discussions with lawyers, technologists and security specialists in the Cloud Security Alliance (CSA) and living experiences of cloud services, I can say with confidence that many risks are overestimated and that many others that are relevant, are ignored.
In one of these discussions I ended up asking the European governing body directly about the feasibility of implementing measures to transform personal data (encryption, tokenization, "slicing", etc.). It being one of the first and strictest privacy regulations, I expected a negative answer, but his answer was clear and consistent with what is established in the European Directive: "The data can be exported as long as it is in a form that does not allow the identification of the individual to whom it belongs".
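Step 5 of the recipe above and the answer quoted here both come down to the same mechanism: transform the identifying fields before the record leaves the company. The following Python example is added for this article (it is not code from the original post or from any regulator) and shows tokenization at the source: a local vault keeps the mapping, the exported record carries only random tokens, and a pre-export check confirms no original value survives. The field names, sample record and token format are constructed assumptions; a real vault would itself need encrypted storage and access control.

```python
"""Tokenize identifying fields at the source; export only tokens to the provider.
Added example; vault design, field names and sample data are constructed."""
import secrets


class TokenVault:
    """Local mapping between random tokens and original values.
    Tokens are random, so they reveal nothing about the value. The reverse map
    makes the same value always yield the same token, which lets the provider
    group or join records without ever seeing the underlying data."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


# Constructed: which fields identify a person in this record layout.
PII_FIELDS = ("name", "email", "national_id")


def export_record(record: dict, vault: TokenVault) -> dict:
    """Record as sent to the cloud provider: PII replaced, other fields untouched."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def restore_record(exported: dict, vault: TokenVault) -> dict:
    """Re-identify a record that came back from the provider (only possible on-site)."""
    return {k: (vault.detokenize(v) if k in PII_FIELDS else v) for k, v in exported.items()}


def leaks_pii(exported: dict, original: dict) -> bool:
    """Pre-export check: does any original identifying value appear in the output?"""
    sensitive = {original[k] for k in PII_FIELDS if k in original}
    return any(v in sensitive for v in exported.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = {"name": "Ada Example", "email": "ada@example.invalid",
           "national_id": "000-00-0000", "amount": 120}  # constructed sample
    out = export_record(rec, vault)
    print(out)                      # tokens plus the untouched amount
    print(leaks_pii(out, rec))      # False
    print(restore_record(out, vault) == rec)  # True
```

Consistent tokens are a deliberate trade-off: they allow operations such as counting transactions per customer at the provider, but they also let the provider link records of the same person, so use per-record random tokens where no such linkage is needed.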
Thus, the debate continues in the technical forums, but the main concern derives from the interpretation of the laws by those of us who are not experts in that activity (for a change, we all consider ourselves experts in everything).
Let the law people interpret the laws, and let's do our thing: implement security architectures that are actually effective. If along the way we can help the business to be more efficient then what better.
Finally, I would like to mention a couple of reflections: several analysts (Gartner, Forrester, IDC) predicted the death of IT departments with the emergence of Cloud services. While that perception seems exaggerated to me, the experience in this last year tells me that there is some truth in the background.
Most of the time the IT areas, due to various circumstances (not all of them a matter of attitude), focus on explaining to the business why it cannot do X or Y, and the business ends up doing what it can with what IT offers. What I've seen in cloud services is radically the opposite: people focus on explaining to the business how it can do what it requires. In that sense, some companies have managed to get the resources they need to achieve the objectives they set, using these Cloud IT services as a true enabler of the business.
My expectation in matters of information security is the same: we will have to professionalize and fulfill our promises or be displaced. After the euphoria of the Cloud passes and we realize what it really is, when companies see its true value beyond the "buzzword", then there will also be a radical change in our sector.
Those security professionals and companies that understand risk management well, that listen to the business first and act accordingly, that rely on solid principles rather than "checklists" and that are not afraid to adopt more effective security measures, however unorthodox they may seem, will experience a significant boom. The rest... well, we'll see what happens in a couple of years :-).
Source: Digital Padlock

