Hybrid cloud or private cloud within a public cloud is an attractive proposition for any business looking to harness the benefits of cloud computing, while acknowledging the need for adequate security layering on differing types of information.
Different information, and different sub-sets of it, have differing security needs. These will vary by organisation and should be established through a comprehensive information triage process.
The challenges arise when security is factored in, for many reasons. As we know, there are some very cheap solutions on offer from brokers, so if the priority is simply cheapness then we may as well stop talking about security. This article is instead addressed to the businesses that want to use cloud, have properly identified their organisational risk appetite and want to build a strategy to do it securely.
Coming back to that information triage: confidentiality, integrity and availability all need to be factored in for each class of information as you go through this process.
HR information, for instance, will need to be housed in a secure area of the cloud and be available only to certain individuals, whereas marketing collateral may need to be available to everyone and, as it contains no personal or sensitive information, may be appropriately housed in the public part. This shows how important it is to engage with information asset owners at the outset.
Once this key process has been completed, you can go on to consider the areas of service level and acceptable risk in terms of where you go with your cloud solution.
Public cloud services offered by providers have a serious underlying complication – subscribing organisations typically share components and resources with other subscribers that are unknown to them.
Threats to network and computing infrastructures continue to increase each year and have become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and requires a high level of assurance for the strength of the security mechanisms used for logical separation.
While not unique to cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of cloud computing. An attacker could also pose as a subscriber to exploit vulnerabilities from within the cloud environment to gain unauthorised access.
Applications and data that were previously accessed from the confines of an organisation’s network, but moved to the cloud, must now face increased risk from network threats that were previously defended against at the perimeter of the organisation’s network and from new threats that target the exposed end points.
When information crosses borders, the governing legal, privacy and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations.
Among the concerns to be addressed are whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits.
Loss of control
Remote administrative access as the single means of managing the assets of the organisation held in the cloud also increases risk, compared with a traditional datacentre, where administrative access to platforms can be restricted to direct or internal connections.
With cloud computing, a task that would take five days to run on a single computer takes only 20 minutes to accomplish on a cluster of 400 virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, the ready availability of cloud services that can be turned to cryptographic key cracking weakens, in effect, all of those mechanisms.
This is not just a cloud-based threat – traditional types of system are also possible targets.
Data processed or stored outside the confines of an organisation, its firewall, and its other security controls brings with it an inherent level of risk. The insider security threat is a well-known issue for most organisations and, despite the name, applies equally to outsourced cloud services.
With the cloud, insider threats go beyond those posed by current or former employees to include contractors, organisational affiliates, and other parties that have received access to an organisation’s networks, systems and data to carry out or facilitate operations.
Incidents may involve various types of fraud, sabotage of information resources, and theft of confidential information. Incidents may also be caused unintentionally – for instance, a bank employee sending out sensitive customer information to the wrong Google mail account.
The organisation’s ownership rights over the data must be firmly established in the service contract to enable a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved.
Ideally, the contract should state clearly that the organisation retains ownership over all its data; that the cloud provider acquires no rights or licences through the agreement to use the data for its own purposes, including intellectual property rights or licences, and that the cloud provider does not acquire and may not claim any ownership interest in the data.
The data sanitisation practices that a cloud provider implements have obvious implications for security. Sanitisation is the removal of sensitive data from a storage device, including servers, in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitisation also applies to backup copies made for recovery and restoration of service, and also residual data remaining upon termination of service.
In a cloud computing environment, data from one subscriber is physically combined with the data of other subscribers, which can complicate matters. For instance, many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them.
Mike Gillespie is director of cyber research and security at the Security Institute.
This was first published in February 2014