30 Jun Security Must Lead The Cloud Migration Conversation
Recent attacks within US Government personnel systems have brought to light how securing electronic devices, networks, proprietary data and information from incursions by hackers and spies is of paramount concern to organizations public or private. Attacks on these systems should have been prevented by limiting contractor direct access to data systems by foreign nationals and securing systems behind government firewalls as a logical practice. While many are slow to the game, firms like Google Cloud Platform, Amazon Web Services, and Microsoft Azure are earning the trust of several government agencies to host aspects of their organizational information. Although these companies are not hosting / managing critical data outside of public non-secure information, they are engaging with government agencies and will eventually become a strident partner for national security.
(Source: Christopher R. Wilder)
Even as government agencies slowly move to the cloud, most end users’ organizations are enjoying many benefits of moving to the cloud. To be successful, each must understand the security controls deployed at each cloud provider. They also need to understand what dedicated security devices are defending, data and applications, and each unique architecture (and potential loopholes). Below are just a few factors cloud and applications vendors should consider when helping end users or government agencies when moving to the cloud:
- Not all applications need to go to the cloud. When architecting a customer’s cloud solution, it is important to understand where value resides based on each unique situation. Many companies have on premise client server applications that simply will not work in a cloud environment. Large organizations are much more hesitant to move mission critical, ERP or CRM solutions to the cloud because they believe it is too risky to let other organizations handle their business critical and personally identifiable information (PII). Based on major intrusions within enterprise IT organizations at large enterprises has become an even bigger issue. Smaller and mid-sized firms, however, appear to be more willing to turn to service providers, because they cannot find (and in some cases can’t afford) top security talent to run their own IT organizations.
- Bring Your Own Device (BYOD) and the Internet of Things (IoT) brings additional complexities. BYOD and IoT have been forced onto network administrators, and they have struggled to stay on top. New architecture, provisioning and especially security considerations have forced companies to invest heavily in network automation and provisioning tools. Considerable complexity and security vulnerabilities are causing companies to design their networks to accommodate “corporate” and “personal” modes each having separate data access requirements. Cloud providers can help their clients adapt to these new forces by using virtual machines, hypervisors or containers to manage access and relevant data apart from the corporate network.
- The cloud does not offer many of the same security features as on premise servers. Because many cloud apps leverage virtualization, they do have the same advantages as on premise servers and systems. Specifically, with hardware performance, location, encryption and entropy. Because of this, many organizations are hesitant to move mission critical applications and move to a hybrid model of cloud workloads combined with on premise bare-metal servers to protect data and applications. Cloud service providers should help their customer’s roadmap multiple scenarios for successful cloud migration.
- Virtualization vs. Entropy. Virtualization makes it difficult to achieve entropy from an encryption perspective. Further, accidental key sharing amongst Virtual Machines (VM) templates makes it difficult to ensure encryption. Side channel attacks have targeted virtual machines and could pose a threat to cloud environments. Side channel is an attack that creates data leaks that expose memory and data caches within virtual machines. Beyond VMs, container operators are finding themselves victims of these attacks by carelessly putting encryption keys into their containers making them easy targets for unscrupulous hackers. These leakages enable hackers to steal data and cryptographic keys. Cloud providers need to ensure they are transparent with their security specs at all levels of the stack—from software, firewalls, user rights and even physical security.
- Transparency with Service Level Agreements (SLAs). Network, Application and Security guarantees are impossible to prove. BYOD and IoT are making it even harder to assure performance and security. While SLAs have traditionally been a contract between a service provider and its customers, the expanding use of third parties to augment functionality and the emergence of cloud brokers have made relationships between providers more complex. While it is impossible to provide guarantees, cloud providers need to establish performance metrics to ensure the highest availability and performance. Finally, cloud providers need to manage service failure, remedies and liability limitations. Each of these pieces need to be integrated into the threat management plan to determine how to react to unexpected incidents. Further, when choosing a cloud provider, it is important to understand the limitations of third-party auditability and which certifications they hold. In addition to data integrity, it is important to know the various laws and regulations around data placement or sovereignty such as the EU General Data Protection Regulation (GDPR).
There is no doubt that cloud is driving business strategy and business value. However, there are still many security concerns with cloud migration. I still contend security is an afterthought with many cloud providers. Big Data, IoT, and BYOD create opportunities for those looking to exploit security weaknesses, so vendors wishing to exploit this opportunity need to consider multiple fascists of security practices. There is no doubt that criminals will find and exploit weakness in the future, but as cloud becomes more pervasive and attackers become more resourceful, we need to find smarter ways to defend against attacks. It is important for organizations to understand the risks, choose a deployment model that suits their needs, be consistent in security policies and practices, and above all, choose the right cloud provider.