Integrated Security in Cloud

Guest written by Raj Samani, CTO, EMEA, Intel Security Group

According to Cisco’s 6th Global Cloud Index (GCI) Forecast, cloud data center traffic in the Middle East & Africa will grow at a CAGR of 34% between 2015 and 2020 and represent 67% of total data center traffic by 2020.

Whatever the specific configuration of your cloud, be it public, private, or a mix of both, there are security risks that aren’t immediately apparent, ranging from technical and organizational risks to issues of governance.

 

Here are five things enterprises need to know about integrating security across multiple cloud deployments.

Know where your data is
Keeping your eye on where your data is located can be more difficult than you think, especially because of shadow IT. The cloud makes it easy for individual departments to have their own cloud-based applications and data storage. But you can’t protect what you don’t know exists—and even if you do know it exists, there are still unique issues to solve for. If you think there is no shadow IT in your organization, think again: In a Frost and Sullivan study, more than 80% of respondents admit to using non-approved SaaS applications in their enterprises.

Here’s the issue: shadow IT makes it possible for data to be stored and processed in the cloud without adhering to corporate security policies. And when users and departments store and share sensitive data in the cloud or run applications in the cloud without IT’s knowledge, the enterprise can be exposed in many ways.

The answer: make sure you track and implement controls to manage the risk to such assets. Likewise, undertaking security and compliance reviews for any SaaS contracts and services is imperative. There should also be regular campaigns to educate department managers about the governance and security issues that go along with SaaS applications and the cloud.

Secure your east-west traffic
Enterprises are moving to virtualized data centers, including private and public clouds, and beyond that to software-defined data centers. This has created a new pattern of east-west traffic from server to server or workload to workload. North-south traffic (between client and server) has also changed, because servers no longer sit on a dedicated appliance in a data center but are virtualized, generally in some kind of cloud configuration. In addition, the number and variety of clients have grown to encompass tablets, mobile devices, wearables, and IoT sensors.

This creates a new set of security challenges, particularly for east-west traffic. Relying on firewalls placed at the edge of a data center, or of its virtual clone, can compromise the security of east-west traffic: protecting that traffic either depends on static routes and known entities or requires IT to manually configure and direct it to the security appliance.

One way to solve this is with software-defined security, which virtualizes an enterprise’s security infrastructure. In this approach, a controller automatically provisions security wherever and whenever it’s needed. The system can connect to multiple data centers of different types, and works with many security solutions—meaning it works with multiple types of cloud configurations. Intrusion protection systems for virtual environments are key tools as well, and work in concert with software-defined security.

Protection from malware
Many enterprises move to the cloud after having virtualized servers and applications in their data center, and may not be used to the unique security issues posed by a cloud configuration. Here’s an example. As some enterprises move to a private cloud, they run traditional anti-virus products in virtualized machines to fight malware. But in doing so they bring those virtualized machines to their knees, dramatically slowing performance.

To avoid those kinds of problems, look for security and data solutions specifically designed for the hybrid cloud. For anti-malware protection, that means special techniques such as avoiding scanning inside virtual machines and using a scan appliance instead, or using scan avoidance, which tracks which files have already been scanned and prevents re-scanning if they haven’t changed.
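The scan-avoidance idea described above, sketched as an added example that is not part of the original article or any vendor's product. It assumes files are tracked by the SHA-256 of their content (the article does not say how changes are detected), that one verdict cache is shared by all guest VMs, and that verdicts are discarded when signatures are updated; `ScanCache` and the toy scanner are hypothetical names.

```python
import hashlib


class ScanCache:
    """Verdict cache shared by all guest VMs, keyed by file content hash."""

    def __init__(self, scanner, signature_version):
        self.scanner = scanner              # callable: bytes -> True if malicious
        self.signature_version = signature_version
        self.verdicts = {}                  # sha256 hex digest -> verdict
        self.scans_performed = 0

    def update_signatures(self, new_version):
        # Verdicts produced by older definitions are stale: a file judged
        # clean earlier may match a signature that was added since.
        if new_version != self.signature_version:
            self.signature_version = new_version
            self.verdicts.clear()

    def check(self, content):
        digest = hashlib.sha256(content).hexdigest()
        if digest not in self.verdicts:     # unseen or changed content
            self.verdicts[digest] = self.scanner(content)
            self.scans_performed += 1
        return self.verdicts[digest]


def make_toy_scanner(signatures):
    """Constructed stand-in for a real engine: flags any known byte marker."""
    return lambda content: any(sig in content for sig in signatures)


def demo():
    signatures = {b"EVIL-MARKER-1"}         # constructed sample signatures
    cache = ScanCache(make_toy_scanner(signatures), signature_version=1)
    shared_file = b"library bytes present in every cloned VM"
    dormant = b"payload carrying EVIL-MARKER-2"

    # Three VMs cloned from one image open the same file: one scan in total.
    clones = [cache.check(shared_file) for _ in range(3)]
    before_update = cache.check(dormant)    # unknown to version 1 signatures
    # Changed content hashes differently, so it is scanned again.
    tampered = cache.check(shared_file + b"EVIL-MARKER-1")

    signatures.add(b"EVIL-MARKER-2")
    cache.update_signatures(2)              # clears every cached verdict
    after_update = cache.check(dormant)
    return clones, before_update, tampered, after_update, cache.scans_performed
```

Without the invalidation in `update_signatures`, the dormant file would keep its cached clean verdict after the definitions that detect it arrive.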

The difficulties with compliance
Compliance within the cloud can be particularly thorny: The issue is significant enough that 38% of companies in a survey by the Cloud Security Alliance said that a major barrier to cloud adoption is their concern about regulatory compliance.

As a starting point, centralize all governance related to cloud deployments, so that consistent compliance policies and monitoring are applied across all assets.

While the work can be outsourced, the risk remains with the end user organization; therefore any compliance requirements should be addressed with providers before any contracts are signed. Any prospective cloud providers should detail exactly how they handle those and other compliance issues, and show that their practices match the enterprise’s rules and approach.

Finally, delve into the ways your public and private clouds communicate, and ensure they meet privacy, security, and other governance regulations.

Take care with your SLA
Crafting SLAs for the cloud can be extremely complex. You’ll need to make sure that your public-cloud SLAs spell out specific data protection and security features and guarantees. But that’s just a first step. You’ll also need to ensure that your SLAs are in line with your business needs.

Closely review all the terms and conditions; don’t breeze by the legalese and fine print. This is particularly important because there are few standards and benchmarks for SLAs in the cloud, according to a study from Nova Southeastern University. In addition, consider the penalties that apply if the SLAs are not met, and consider cyber insurance as a potential option to cover the delta between compensation and cost of impact.

Pay attention to security clauses, such as who has access to your data, whether the provider outsources data storage, how data is deleted, and whether certifications and third-party audits will be performed. Also important is how privacy is handled: what data will be collected about your organization, and what steps will be taken to keep it private. Find out how the data will be used, and how long it will be retained. And look for operational details such as backup frequency, recovery time from failure, and the provider’s database and storage architecture redundancy model.

Cloud service providers are building trust and gaining customers. Increasing amounts of sensitive data and business-critical processes are shifting to public and hybrid clouds. Attackers will adapt to this shift, continuing to look for the easiest ways to monetize their efforts or achieve their objectives. If you follow all five of these steps, you’ll be well on your way to making sure that your cloud is as secure as your organization and budget allow.