Is your castle wall thick enough to protect your inhabitants? When it comes to Cloud, a thick “castle” wall is not enough. Much ado is made about security in cloud computing. Advocates highlight that enterprise class providers deliver the services that many organisations need. Either they don’t have the resources or investment to provide them or they simply don’t provide these services.
Detractors of using service providers point out the additional risks of these systems. They caution against the dangers of sharing with other organisations and of operating in a datacentre you no longer control. Then they reference public failures.
As with many polarising subjects, the truth lies somewhere in the middle. Or more accurately, the truth is contextual, based on your business, your IT investments and the specific IT workload delivered. Just remember to evaluate every situation individually.
How has security changed over time?
In one sense, there is nothing new under the sun. IT security has been around since we first connected two computers together on a network. Security should be a part of every IT strategy. Whether you’re considering cloud computing or traditional delivery architectures, you have to integrate security measures into every aspect.
However, there are a number of areas where shifting from a client/server architecture or internally managed SOA to a cloud computing model does change the nature of IT security. I want to highlight five areas that change with Cloud:
- Perimeter security
- Privacy and Compliance
- Data Sovereignty
- Opportunities for Improved IT Security
- Labour Sovereignty
Today let’s tackle the topic of perimeter security.
The Castle is Empty
One of the chief (purported) benefits of cloud computing is the ability to deliver IT services to people anywhere. As long as they’re connected to the Internet, they can access the IT systems needed to execute their work. For example, I save files on Dropbox at work and can access them on my computer at home, or even my iPad when travelling.
This extends to collaboration with colleagues, partners and customers as well. Because these systems are in the cloud, and all of these individuals have Internet connectivity, you can collaborate seamlessly. I save an advertising campaign wire diagram on Skydrive at work, and the advertising agency can access it from their office. Or I save my latest sale activity on Salesforce.com in the field, and my manager can run a report on that information from the airport lounge.
All this is possible without needing to:
- Physically travel to a corporate office to use a computer that has access to the information
- Use corporate controlled authentication credentials via a Virtual Private Network (VPN) to the corporate network
- Save the data to physical media and transport it to the recipient
In the past this was not the case. Corporate networks are protected at the network layer by firewalls. These devices essentially separated all of the corporate information (confidential or otherwise) and systems from the Internet.
The metaphor I am using is that the corporation is like a castle. To access the information (initially) you needed to be inside the castle. As people started using laptops in the field, we first had dial-up connections, and later VPNs. The concept is that you are (virtually) allowed inside the castle as long as you have the credentials. Everyone and everything inside is trusted; everyone outside is challenged and/or blocked. Period.
The other metaphor is that of an egg: a hard shell outside protecting a soft gooey inside. Don’t you dare crack that egg.
Cloud doesn’t fit into a shell or behind a stone wall
Once you shift the IT system to the cloud, you no longer have—or at least control—the perimeter. By definition, information now lives outside the corporate firewall. Much like a fleet of submarines, it is out there in the deep ocean.
Enterprise Class Cloud Datacentres
First I must correct a common misperception. Cloud datacentres, even the large public ones, do implement perimeter security. I can tell you first hand that we here at HP have a significant focus on information security, and that we implement it at multiple layers.
Recently, Werner Vogels, CTO of AWS, delivered an impressive presentation on the steps Amazon takes to ensure security.
So there is still a perimeter. It is like submarines swimming in a cage.
My point, however, is that this perimeter secures all of the clients within the cloud datacentre. This isn’t your personal perimeter. To get the benefits of cloud, at least the anywhere/any device, and collaboration benefits of cloud, your IT systems now reside outside the castle.
If we consider each IT system that we move into a cloud (whether private, virtual private or public) as a submarine, we can consider a different security approach.
In other words, think of securing the information rather than the system. Assume the information resides in an insecure environment, and secure for that.
An example to consider is your entire customer list. This also includes all of your sales opportunities that reside in your CRM system. How would you protect the data as it traverses and resides in the Internet? Behind a firewall you may have authentication systems, but they would most likely still store, and transmit the information in clear text. Cloud requires us to think differently about every aspect of security.
Just as Secure
The cloud can be as secure, or as insecure, as any other form of IT delivery mechanism. However, when considering a strategy to move a workload into the cloud, you should consider perimeter loss.
When moving to Cloud, architect and design to protect your information in a hostile, or at least, insecure environment. Consider authentication, and encryption, both at rest and in transit. Also consider the availability of the information. Unlike behind your firewall, the systems supporting your applications are most likely shared, at some layer, with other organisations. There is a greater risk of failure caused by an organisation whose policies you can’t control.
Questions to ask your vendor
While it’s important for your vendor to be independently audited and to comply with industry security standards (e.g. ISO 2000 & 2001, BS7799, PCI, APRA etc.), there are key questions you should ask them:
- How do you secure data at rest?
- How do you secure data in transit? Between the corporate network and the cloud? How about between users in the field and the cloud?
- At which layer do you multi-tenant? Physical, Virtual, at the Application Layer?
- How do you enforce data separation from other clients? On virtual hosts? On networks?
- Can we implement our own information security on your infrastructure?
- How do you patch systems, and protect against zero-day vulnerabilities?
- Is there a way to provide Disaster Recovery, and with what RPOs and RTOs? What about High Availability?
These are just some questions to consider with your cloud provider, even if internal, when you lose the perimeter.
Truth be told, we should always think about IT security. Reframing the conversation as a risk mitigation strategy, and protecting the information rather than specific systems is a dangerous strategy. If that is your security strategy it doesn’t matter whether or not you deliver these from the cloud, you are in danger.
Going back to the submarine example: make sure the contents inside the submarine are secure and make sure you are only swimming in secure waters.