Cloud Security Questions?
Here are some answers

For companies considering a transition to cloud computing (CC), one of the major concerns is (or should be) security. If addressed properly while selecting a cloud computing provider or cloud provider (CP), security can actually improve for many companies. For many firms, a cloud computing provider can provide better security than their in-house facilities. This is because the CPs are devoting huge resources to making security a non-issue for customers and, in fact, a selling point versus other CPs. With billions of dollars of potential business at stake, CPs are going to do their best to secure their environment. However, there are many new risks with CPs that should concern potential users.

Before trusting a particular provider, potential customers must perform adequate due diligence to make sure that the CP has the proper controls in place to protect their data and applications so they can obtain the required security and reliability. Fortunately, the competitive environment in which CPs operate provides selection options and, in many cases, more control than customers had with their own IT organization. Savvy cloud shoppers can play one provider against another to their advantage - if they know what to look for.

Customers must start by determining their overall system requirements including security. Then they can go to CPs and query them to make sure the customer's requirements are met. Asking the right questions and knowing what to look for in answers is the key to getting the expected level of security.

Who's On Your Side?
One organization specifically championing cloud security is the Cloud Security Alliance (CSA) (see Sidebar). CSA has compiled and recently updated a 76-page security guide that lays out hundreds of issues and recommendations that must be considered when examining security needs in the cloud. Since the CSA guidelines are quite long, we have distilled the most critical CSA recommendations into a series of questions that you should ask CPs along with answers that you should be looking for. Reading the CSA guidance document is still a good idea but this article will give you an overview of many key points.

Another organization working on cloud security is the Trusted Computing Group (TCG) (see Sidebar). TCG has developed several standards that apply to cloud security and are in widespread use today, including Trusted Storage, Trusted Network Connect (TNC) and the Trusted Platform Module (TPM). See the TCG web site for more detailed information on these standards.

Cloud Computing Q&As
The questions below are key ones to ask as you consider cloud security. These questions are divided into six specific areas, as shown in Figure 1. The numbers in the figure correspond to the headings below.

Figure 1: Security areas to investigate in cloud computing

One question applies to every area below: should you accept a standards-based or a home-brewed security solution? Home-brewed solutions are generally less secure than standards-based ones, because they have not had the public scrutiny that standards receive; this has been widely recognized in government and industry. That is why standard encryption algorithms such as the Advanced Encryption Standard (AES) and protocols such as Transport Layer Security (TLS) are used: they have received years of thorough analysis and review. Furthermore, a standards-based security system gives customers the flexibility to move to a different provider if they choose, since they are not locked in to one provider's proprietary scheme. This article identifies relevant standards where appropriate.

Another issue with cloud security is "How can I ensure that the CP fulfills its promises?" Make sure that the CP documents its promises in a Service Level Agreement (SLA), contract, or other written document; a promise that exists only in a sales deck cannot be audited or enforced.

1. Securing data at rest. How does the CP secure data at rest (on storage devices)?
The best practice for securing data at rest is encryption. The CP should encrypt all data on storage devices (e.g., hard drives and backups) to limit the damage from lost, stolen, or improperly decommissioned media. Ask who holds the keys: encryption the CP can undo with keys it controls protects against a lost disk, but not against the CP's own administrators or anyone who can compel the CP; customer-held keys protect against both. The CP should also ensure that data is destroyed when no longer needed. With encrypted data that is straightforward: destroy the encryption key, and every copy of the ciphertext, including backups, becomes unrecoverable. This only works if the key was never backed up or escrowed somewhere the CP forgot about, so ask how keys are stored and how their destruction is verified.
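The "delete the key" approach above is usually implemented as envelope encryption: each object gets its own random data key, the data key is wrapped under a key-encryption key (KEK), and destroying the wrapped key is what makes the ciphertext unrecoverable. The following is an added example written for this article, not code from the authors or from any provider; it uses Go's standard-library AES-GCM and a hypothetical in-memory object record. The object ID is bound into the ciphertext as associated data, so a record swapped into another object's slot fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what the provider's storage layer would persist
// (hypothetical layout for this example): the ciphertext plus the per-object
// data key wrapped under the KEK. Only WrappedKey has to be destroyed to make
// Ciphertext, and every backup of it, unrecoverable.
type EncryptedObject struct {
	Ciphertext []byte // AES-GCM(dataKey, plaintext); nonce prepended
	WrappedKey []byte // AES-GCM(kek, dataKey); nonce prepended; nil once shredded
}

var ErrShredded = errors.New("data key destroyed: object is unrecoverable")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and returns nonce||ciphertext.
// aad is authenticated but not encrypted; we use it to bind the object ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to ciphertext, nonce or aad fails the tag check.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt generates a random 256-bit data key for this object, encrypts the
// plaintext under it, then wraps the data key under the KEK. The KEK itself
// never touches customer data, so it can live in an HSM or a customer-held KMS.
func Encrypt(kek, plaintext []byte, objectID string) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the data key with the KEK, then decrypts the object.
func Decrypt(kek []byte, obj *EncryptedObject, objectID string) ([]byte, error) {
	if obj.WrappedKey == nil {
		return nil, ErrShredded
	}
	dataKey, err := unseal(kek, obj.WrappedKey, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, obj.Ciphertext, []byte(objectID))
}

// Shred implements "delete the key": the ciphertext may stay on disk and in
// backups, but without the wrapped data key nobody, KEK holder included, can
// decrypt it. Zero the bytes before dropping the reference.
func Shred(obj *EncryptedObject) {
	for i := range obj.WrappedKey {
		obj.WrappedKey[i] = 0
	}
	obj.WrappedKey = nil
}

func main() {
	kek := make([]byte, 32)
	io.ReadFull(rand.Reader, kek) // in practice: fetched from an HSM/KMS, never stored beside the data
	obj, _ := Encrypt(kek, []byte("customer record 42 (constructed sample)"), "bucket/obj-42")
	pt, _ := Decrypt(kek, obj, "bucket/obj-42")
	fmt.Printf("before shred: %q\n", pt)
	Shred(obj)
	_, err := Decrypt(kek, obj, "bucket/obj-42")
	fmt.Println("after shred:", err)
}
```

The due-diligence question this turns into: where does the CP keep the wrapped keys and the KEK, and is there any path (backups, snapshots, key escrow) by which a "shredded" key could come back?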

2. Securing data in transit. How does the CP secure data in transit (within the cloud and on its way to and from the cloud)?
Data in transit should always be encrypted, authenticated, and integrity protected: encrypted so nobody can read it, authenticated so you know you are talking to the CP and not an impostor, and integrity protected so nobody can modify it as it passes through the potentially dangerous byways of the network. Thousands of person-years of experience have gone into creating reliable standard protocols (e.g., TLS and IPsec) and algorithms (e.g., AES) for this purpose. CPs should use these protocols, not invent their own; that gives both security and interoperability. Also ask whether traffic inside the CP's own data center (between its front-end and its storage or database tiers) is protected, or only the leg between you and the CP.
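The authentication half of "encrypted, authenticated, and integrity protected" is the one most often quietly switched off: a client that skips certificate verification still gets ciphertext on the wire, but it will happily encrypt to whoever answers. The following is an added example for this article, not code from the authors or any CP; it uses Go's standard crypto/x509 and crypto/tls packages, builds a throwaway CA and server certificate in memory (the names "Example CP Root" and "cp.example" are constructed), and shows both the check a client must perform on the CP's certificate and an audit of the two tls.Config settings that most often weaken transport security.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple counter so each constructed certificate gets a distinct serial

// issue creates a certificate for name, signed by parent (or self-signed when
// parent is nil). CA certificates get the CertSign key usage; leaf certificates
// get a DNS SAN and the serverAuth extended key usage, as a real CP cert would.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer is the check a client owes the CP's certificate before sending a
// byte of data: it must chain to a root we trust, carry the host name we meant
// to reach, and be issued for server authentication. Skipping any of the three
// leaves the connection encrypted but not authenticated.
func VerifyPeer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// AuditTLSConfig flags the settings that most often turn "we use TLS" into
// unauthenticated or downgradable transport.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: the peer certificate is never checked, so anyone on the path can impersonate the CP")
	}
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion is unset: the floor depends on the toolchain default; pin it to tls.VersionTLS12 or higher")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion allows TLS 1.0/1.1, which RFC 8996 deprecates")
	}
	return findings
}

func main() {
	ca, caKey, _ := issue("Example CP Root", true, nil, nil)
	leaf, _, _ := issue("cp.example", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("right host:", VerifyPeer(leaf, roots, "cp.example"))
	fmt.Println("wrong host:", VerifyPeer(leaf, roots, "evil.example"))
	fmt.Println("weak config:", AuditTLSConfig(&tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}))
	fmt.Println("hardened config:", AuditTLSConfig(&tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots}))
}
```

When reviewing a CP's client libraries or your own integration code, grep for the equivalent of InsecureSkipVerify in whatever language is in use; it is the single most common way "TLS everywhere" ends up providing no authentication at all.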

3. Authentication. How does the CP authenticate users?
Passwords are the most common form of authentication, but CPs that are committed to security should support stronger forms such as certificates and hardware tokens. Just as important as strong authentication is federation: the CP should be able to use standards such as LDAP and SAML to consult the customer's identity management system when authenticating users and determining their permissions. This ensures that the CP always has up-to-date information on authorized users. A much worse alternative is for the customer to hand the CP a list of authorized users. This inevitably leads to disconnects where someone has been fired or reassigned but not removed from the list at the CP. Can you say disgruntled former employee? That's bad news!

4. Separation between the customers. How are one customer's data and applications separated from other customers (who may be hackers or competitors)?
The best answer is that each customer uses a separate virtual machine (VM) and virtual network. A hypervisor enforces separation between VMs and therefore between customers, so ask how the CP keeps the hypervisor patched: a hypervisor escape would defeat this separation for every tenant on the host. Virtual networks are implemented using standard techniques such as VLANs (Virtual Local Area Networks), VPLS (Virtual Private LAN Service), or VPNs (Virtual Private Networks).

Some CPs place all of their customers' programs and data in one big application instance and rely on custom-built code to prevent customers from seeing each other's data. This approach is fragile and ill-advised. First, a malicious party may find a bug in the custom code that lets them view data they should not be able to access. Second, a bug in the code can accidentally expose one customer's data to another. Both of these problems have occurred at CPs in the recent past. Therefore, VMs and virtual networks are the preferred form of customer separation; where a CP does use application-level multi-tenancy, ask how the separation logic is tested and reviewed.

5. Cloud legal and regulatory issues. How does the CP address legal and regulatory issues related to CC?
Laws and regulations vary from one jurisdiction to another. They may restrict data export, require particular security measures, or enforce compliance and auditing requirements. They may even provide for a government or litigant's right to inspect data. Careless CP actions can expose customers to costly legal consequences.

The CP must provide strong policies and practices that address legal and regulatory issues such as data security and export, compliance, auditing, data retention and destruction, and legal discovery (especially considering that one physical server may contain several customers' data). Each customer must have its legal and regulatory experts inspect CP policies and practices to make sure that they are adequate for the customer's needs.

6. Incident response. How does the CP respond to incidents and how are customers involved?
Things can and do go wrong. CPs must have a well-documented incident response process that includes customers. At the very least, CPs should detect incidents, minimize their effects, and inform customers of status. Ideally, CPs should provide confidential, real-time information to each customer about that customer's resources and users. Customers should consider and plan for the possibility of CP security breaches. How will you respond to incidents in the cloud? Can you conduct forensic investigations to determine what caused an incident?

The Future of Cloud Security
With all of the techniques and tools in place to provide better security than ever before, there is still more work to be done. In some cases, problems have been identified and the technology has been developed but not yet brought to market. Some of the cutting-edge technologies for cloud security are self-protecting data, trusted monitors, and searchable encryption.

With self-protecting data, policy enforcement travels with the encrypted data. Data protected this way consults a policy when it is accessed and reveals its content only if the accessing environment can be verified as trustworthy (for example, by attesting its software state with a TPM). A trusted monitor is software installed on the CP's server that observes CP operations and provides proof of compliance to the customer, so the customer can verify adherence to established policies rather than take the CP's word for it. Finally, searchable encryption lets a server search and index data without decrypting it, so the data stays encrypted while being searched; fully general computation on encrypted data is a harder, separate problem.
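To make the searchable-encryption idea concrete, here is an added example for this article (not code from the authors or from any product) of the simplest construction in that family: the customer builds an index whose keys are HMAC tokens of keywords rather than the keywords themselves, and searches by sending the CP a token ("trapdoor") instead of the word. The CP can match tokens but cannot recover the words, and never needs the key. It uses Go's standard crypto/hmac; the documents and key are constructed for the example, and document bodies are assumed to be encrypted separately before upload (not shown). Note the known weakness of this simple scheme, which real searchable-encryption designs work to reduce: the CP learns which documents share a keyword and how often each token is queried.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Index is what the CP stores: one HMAC-derived token per keyword, mapping to
// the IDs of documents containing it. Tokens are one-way, so the CP can match
// a query token against them but cannot learn the keywords.
type Index map[string][]string

// token derives the searchable token for a keyword under the customer's key.
// It is deterministic on purpose: equal words must yield equal tokens so that
// the CP can match them, which is also exactly what leaks equality patterns.
func token(key []byte, word string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(m.Sum(nil))
}

// normalize is the tokenizer shared by indexing and querying; both sides must
// agree on it or a query for "Invoice," will not hit a document indexed as "invoice".
func normalize(w string) string {
	return strings.Trim(strings.ToLower(w), ".,;:!?\"'()")
}

// BuildIndex runs on the customer side, where the key lives. docs maps a
// document ID to its plaintext body; only the token index is sent to the CP.
func BuildIndex(key []byte, docs map[string]string) Index {
	idx := Index{}
	for id, body := range docs {
		seen := map[string]bool{}
		for _, raw := range strings.Fields(body) {
			w := normalize(raw)
			if w == "" || seen[w] {
				continue
			}
			seen[w] = true
			t := token(key, w)
			idx[t] = append(idx[t], id)
		}
	}
	for t := range idx {
		sort.Strings(idx[t]) // deterministic posting lists
	}
	return idx
}

// Trapdoor is what the customer sends to the CP in place of the plaintext keyword.
func Trapdoor(key []byte, word string) string {
	return token(key, normalize(word))
}

// Search runs on the CP side: it sees only trapdoors and tokens, never words.
func (idx Index) Search(trapdoor string) []string {
	return idx[trapdoor]
}

func main() {
	key := []byte("customer-held index key (constructed for this example)")
	docs := map[string]string{ // constructed sample documents
		"d1": "Q3 invoice for Acme, paid.",
		"d2": "Meeting notes: roadmap and hiring.",
		"d3": "Unpaid invoice reminder sent to Acme",
	}
	idx := BuildIndex(key, docs)
	fmt.Println("documents matching 'invoice':", idx.Search(Trapdoor(key, "Invoice")))
	fmt.Println("index entries (tokens, not words):", len(idx))
}
```

The point for due diligence is not that you should build this yourself, but that a CP claiming to offer search over encrypted data should be able to tell you which construction it uses and what it leaks.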

When the research and development to make these approaches practical for cloud computing are completed, the next step will be cloud provider implementation. With the integration of these technologies into their solutions, customers will have even more trust in their cloud provider.

Resources:

  1. Cloud Security Alliance (CSA)
  2. Trusted Computing Group (TCG)
  3. Controlling Data in the Cloud:  Outsourcing Computation without Outsourcing Control
  4. A Security Analysis of Cloud Computing

Organizations Addressing Cloud Security
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a non-profit organization specifically established to promote best practices for security assurance within cloud computing. Formed on November 20, 2008, the group consists of industry experts from several companies with partnerships from other not-for-profit associations and industry groups. As part of its efforts to promote improved cloud security and educate cloud computing users, CSA has developed Security Guidance for Critical Areas of Focus in Cloud Computing. The most recent version, v2.1, was completed in December 2009.

Trusted Computing Group
Increased enterprise security, risk assessment, and solutions through open specifications have been the focus of the not-for-profit open standards consortium known as the Trusted Computing Group (TCG) for over a decade. To guide its work, TCG's committee members identified specific enterprise aspects that need to have improved security. Developed by experts from leading and innovative technology companies, TCG's open standards allow scalability for successful implementation both now and in the future and provide open-market dynamics to reduce cost.

Made up of more than 100 major companies that cover the enterprise with connectivity and computing technology, TCG has addressed the security issues that confront cloud computing even though its specifications were not originally developed for this purpose. TCG specifications for the Trusted Platform Module (TPM), Trusted Network Connect (TNC) and Trusted Storage provide a starting point for enterprise-wide security that directly applies to cloud computing.

Note: information on Trusted Computing Group and various specifications, free to download, is at www.trustedcomputinggroup.org

About Steve Hanna
Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

About Jesus Molina
Jesus Molina is a security researcher at Fujitsu Laboratories of America and co-chairs the Authentication Working Group at the Trusted Computing Group (TCG), where he has been contributing since 2002. In addition, he is the instructor of a graduate course on trustworthy computing at the University of Maryland. Prior to that, he was the maintainer of the open source emulator for the Trusted Platform Module, and contributed to other projects related to trustworthy computing. He has published and presented his work at several conferences, including IEEE Security and USENIX Security. His current research interests include hardware security, authentication, trustworthy computing and virtualization.
