Even before “cloud” became a buzzword on the lips of every IT manager, developer and CIO between Karachi and Kansas City, experts had concerns about how the emerging technology would impact organizational and individual security.
“Once you move your core applications into a cloud-type scenario, all you really have as an interface is a Web browser, which makes access control and password management and identity management incredibly important,” Phil Hochmuth, an analyst with Yankee Group, wrote in an IBM-sponsored report on cloud computing all the way back in 2009.
It’s advice that could still hold true a few years later—but securing a cloud, public or private, is more than securing the end user and access to the network. It involves an organization’s ranking IT person asking the right questions about everything from tenancy to security monitoring. The following are some tips for making private clouds (defined as clouds with restricted access, with a client possessing some amount of implementation control) a little bit more ironclad:
1. Single-Tenant Cloud
“Make sure the service provider is actually providing you with a single-tenant private cloud, where the resources aren’t being shared by anyone else,” Marcus Carey, Enterprise Security Community Manager for security-solutions vendor Rapid7, said in an interview.
For most organizations, a private cloud deployment is roughly analogous to a traditional network deployment, with all the traditional-network concerns that come with that: for example, making sure the private cloud is secure. That will require the IT administrator to engage in practices like vulnerability management.
2. Configuration Management
“Make sure you have configuration management in place,” Carey also advised. “If you’re hosting in a third-party private cloud, make sure they have firewalls and so on; and you want to [penetrate test] your solutions.” That means setting granular policies for those with access to the cloud, including whether they can use certain tools.
Penetration testing is something recommended by many security specialists. “If you want to pen test your cloud network meticulously, you should perform internal and external pen tests,” Aaron Bryson, a senior information security engineer and risk management specialist for Cisco, wrote in an August 2011 corporate blog posting. “This will provide you with two dissimilar points of view, and likely a different set of vulnerability results.”
Internal pen tests require full access to servers and hosts in the cloud, along with control credentials and network infrastructure. Multi-tenancy (see Number One, above) could affect a pen test by denying your organization the ability to perform authenticated tests. “You will have to work with your CSP to determine what is allowed, and what is not,” Bryson wrote, “which should be documented in your contractual agreement and SLA.”
An external pen test, he added, should take into account the “more realistic viewpoint of the average hacker,” and “be performed as any typical black box remote penetration test.”
3. Security Login and Monitoring
“Even if you’re doing it in a private environment, you still need to get all the logs just in case something happens,” Carey added. “Providers sometimes don’t have logs and monitoring. They don’t capture, and they don’t monitor.”
“You want to make sure your virtual solution is scalable,” Carey said. “You can then move private clouds to a different provider in the event of a disaster or getting breached—take what you have and move it to a different place.”
Switching vendors can spark a whole new round of concerns, including the possibility of lock-in due to costs and complexities. Before embarking on a private-cloud adventure, consider the worst-case scenarios and how to solve for them, no matter how outlandish.
5. Incident Response, Forensics and E-Discovery
An organization needs the ability to recover from disasters and respond to penetration. The January 2012 revision of the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide offers a variety of tips related to incident response, forensics and e-discovery procedures. The document is absurdly detailed and really should be read by any IT pro participating in some fashion in their company’s cyber-security, but here are the top-level points for establishing an incident response capability:
- Create an incident response policy and plan (which should go without saying, but sometimes these things fall through the cracks).
- Develop procedures for performing incident handling and reporting.
- Establish guidelines for communicating with outside parties about a breach.
- Select what NIST calls a “team structure and staffing model.”
- Establish relationships between the incident response team and a variety of other groups, including law enforcement and legal entities.
- Determine the services provided by the incident response team.
- Staff and train the incident response team.
Building a private cloud is necessarily a complex process, more than capable of swallowing enormous amounts of time and resources. Enforcing stringent security processes can help ensure all that hard work doesn’t end in total disaster.
Image: Slavoljub Pantelic/Shutterstock.com