Security think tank: Value added cloud security services

What can be done better in the cloud and can it really be safer than hosting on-site?

Properly configured clouds are as safe as houses

Peter Wood, member of the ISACA conference committee and CEO at First Base Technologies

With organisations of every size, from small and medium-sized enterprises (SMEs) to global companies, moving to cloud-based services, there has been understandable concern about security. The potential in the cloud for exposure of sensitive and valuable information is at odds with legislation requiring organisations to know where information is stored and to demonstrate how it is protected.

However, there is possibly a silver lining. Cloud service providers that respond to these concerns intelligently can deliver additional security controls rather than undermining the status quo. This is particularly true for SME cloud users. Where smaller organisations may have inadequate or insecure back-ups, for example, a cloud-based back-up service which incorporates strong encryption can ensure regular back-ups and provide assurance of confidentiality. Firms which outsource their e-mail service can also benefit from a cloud provider's anti-spam and anti-virus facilities with little effort.

In addition, my experience (and that of many security experts) is that the majority of security breaches and data losses occur because of weaknesses in internal networks. Properly configured cloud services can reduce the risk of accidental exposure on corporate networks, but the emphasis must be on "properly configured". It remains essential to conduct a thorough review of the provider's security to ensure good governance. This means inspecting their information security policy and procedures against proven standards such as ISO 27001, and ensuring that the relevant controls are embedded in your contract and service level agreement.

Security providers are also moving to enhance the security of cloud offerings or use the cloud to offer enterprise-quality controls. For example, Sourcefire has a cloud-based intrusion prevention service using the Amazon Web Services cloud platform, which allows users to monitor network activity for malicious behaviour. WatchGuard's Reputation Enabled Defense provides SMEs with protection against malware, botnets and other web-based threats via a cloud-based reputation look-up that scores URLs as either good, bad or unknown.

There is no doubt that cloud computing is still in its infancy and many offerings remain insecure or poorly documented. However, the extensive press coverage of security concerns about the cloud model is resulting in a response from providers who see a way to differentiate their offerings and add value to customers of all shapes and sizes.

Security providers are also seeing a market opportunity to add cloud-based services to their traditional on-premises products, both to enhance the security of cloud services and to reach a new audience via their own cloud-based security solutions.

Benefits of scale with cloud

Lee Newcombe, member (ISC)2

Firstly, I'll have to say that the question would benefit from more precise definition: do you mean public, private, hybrid or community clouds?

That minor gripe aside, I believe that there are a number of security services that can be provided better from the cloud, in particular those services requiring significant storage or compute resource. For example, the UK government has been using a cloud-based solution for e-mail filtering for years - it's just that the service wasn't called "cloud" back when it was implemented.

These cloud-based solutions are better than on-site equivalents because they strip out the malicious content before it can enter your trusted environment and, in addition, due to the scale of the provider's user-base, clients also benefit from a greater accuracy of malware detection (due to increased sample size) and the ability of the provider to recognise an attack (such as a spam run) across multiple client organisations.

Similarly, network security monitoring solutions can also be much more effective if run from a managed security services provider as these providers have greater insight into events across a larger proportion of the internet and are also likely to have more skilled resource with respect to interpretation of network intrusion events than most end user organisations.

Other examples of services that could be provided more efficiently from the cloud include identity and reputation management (especially where interacting or federating with external organisations), vulnerability assessment, audit log storage and analysis and, potentially, e-mail archive and e-discovery services, depending on your regulatory environment.

Cloud security services tend to offer the benefits commonly associated with more generic cloud services, for example flexibility, elasticity and the ability to shift existing employees from mundane tasks on to higher value tasks likely to offer more demonstrable value to both the business and the employees themselves.

Challenge is how to protect against losses

Raj Samani, ISSA, UK

Cloud services is a term that means many things to many people. Judging by the plethora of case studies offered by suppliers, one could argue that they are all correct. Transferring business processes into a commercial cloud environment provides the customer with the opportunity to select a flexible commercial offering in which you only pay for what you use.

From using cloud services to run genetic testing models and simulations to running a vulnerability management platform, it would appear that almost anything is possible.

Challenges to wide-scale adoption usually take the form of one key issue: the ability to protect against losses. The lack of transparency over the transfer of company information to a third party often represents the biggest barrier, and by building strong relationships it is possible to find comfort in software as a service solutions. The fact that there is less visibility with the transfer of information to a third party does not mean that the data is less secure/safe. A major cloud provider whose sole focus is to securely host data for their clients can maintain that security is their core focus, with appropriate investment to match.

The challenge is to translate the investment made by cloud providers into a meaningful articulated summary that clearly provides the customer with the sense of safety they require. For example, booking a five-star hotel provides its customers with the level of assurance that their stay will be in an environment that is clean, and with a degree of luxury greater than a four star. This simple mechanism articulates the standard to customers without the need to consult someone with a degree in hotel management.

Steps are underway to achieve this for cloud providers; the Common Assurance Maturity Model (CAMM) is one such activity that aims to provide the level of granularity and transparency required by customers to feel the service is 'safe'. Ultimately, however, the decision to transfer information to the cloud will be the result of a risk assessment. After all, you can transfer the burden of managing systems, but not always the liability if something goes wrong.

Put your trust in security suppliers

Nick Coleman, BCS Fellow

Cloud offers the possibility of new models for consumption and service delivery. There are many models of cloud computing including private, public and hybrid clouds. Security services can be provided to assess cloud infrastructures to ensure risks are managed during adoption.

Security itself can also be delivered from the cloud. Threat management, e-mail scanning and firewall services, for example, can now be delivered in cloud models. Many organisations have seen real benefits from using third parties in terms of economies of scale in both monitoring and threat research.

Managed firewall services are already offered by third parties. The cloud, however, takes this one step further in security. Cloud firewall services are enabling virtualised firewall services where a shared firewall service can be provided to multiple clients.

Delivering security through the cloud offers the opportunity to deliver savings on licence fees and security operations maintenance costs. This effectively takes the traditional security hardware and software and delivers it through the cloud on demand model.

The key question is perhaps who can you trust to run your security services? Are you gaining better protection by doing it yourself or by getting these services from a cloud security services provider?

Experienced security service providers have robust procedures, sometimes more robust than an end-user organisation can or wants to manage itself. Like all security in the cloud, the fundamentals of security still need to be applied, for example, that administrator access is being controlled. Therefore, in looking at security it is an overall approach which needs to be considered.

Security services can offer the ability to assess cloud infrastructures and applications. In addition security services in the cloud can provide a more cost-effective model for delivering security for organisations large and small. Cloud security services are important to consider in your cloud roadmap. Looking at who you can trust to deliver cloud security services will be essential.

Safety in numbers: check with your peers

Dani Briscoe, services manager, The Corporate IT Forum

Security delivered via the cloud does offer value-added potential for corporates - but will depend entirely on the nature of the business, the structure of the organisation, the IT strategy and architecture, and ultimately the appetite for risk. Not a step change in concept - we're familiar and confident as individual consumers - but something that requires careful treading as a business.

Discussions at the Forum's Cloud Conference (March 2010, London, with more than 75 organisations attending) highlighted security as a top-level barrier to the uptake of cloud services. This gives us a dichotomy: cloud-facilitated security services are potentially a problem as much as a solution. Organisations vary widely in their adoption maturity - whether you are assessing, implementing or are already using a service in some shape or form - and the answers to questions over security (data security and protection, location of the data, reliability of disaster recovery solutions and a lack of standard security for hosted services) are being sought by members from service providers.

As corporate cloud implementations increase, these challenges need addressing to ensure safe, business-ready adoption. There is increasing recognition that the potential cost benefits cloud services offer, through scalability, agility and reduced capital investment (access to expertise, latest products and versions at optimised cost etc), must be balanced with the investment in both time and money that is required to adequately mitigate the associated risks.

One view taken by a few members at a recent Forum discussion (Security in the cloud) was that contracting with a cloud service provider was parallel to that with a 'common or garden' outsource provider. For instance, if an organisation is happy to outsource their development or business process to an external supplier in say, India or China, they are predisposed to have a risk appetite that would welcome investment in the cloud. Once that formula has been accepted by the business then cloud services can be viewed as an outsource agreement with a virtual supplier.

But if you want to travel this road, you do it more safely in the company of your peers. Sharing expertise and knowledge about these challenges is what makes our members stand out from the crowd. They can be confident that the choices they are making are the right choices at the right time for their business strategy and not the supplier. Advantages are leveraged when decisions are made at the right time, and with the wealth of knowledge and experience at their fingertips that the Forum provides members can avoid costly risks and mistakes.

Accountability cannot be passed on

Jay Heiser, Gartner research vice president

First things first: you can't outsource your accountability. An organisation remains accountable to regulators, business partners, customers and employees for anything that happens within a service that it buys. A supplier might well promise that its offering is secure - and it usually will be - but this does not change an organisation's obligations to evaluate the associated risks.

All forms of externally provisioned service raise security questions about privileged user access, segregation between customers and physical security. Cloud computing provides economies of scale through virtualisation mechanisms that distribute processing across multiple hosts, sometimes located in different datacentres.

This model arguably can provide a high level of continuity. But maintaining the appropriate level of data security, while reliably distributing authorisation across the network, represents a challenging set of security problems.

Of further security concern, the concentration of valuable data from thousands of customers represents a highly appealing target for attack from unethical system administrators as well as motivated internet-based attackers. Lack of transparency about technology, organisation and processes can make it difficult to determine the degree to which corporate data is protected when it is stored or processed within an externally provisioned service.

Cloud computing security will be refined over time as early adopters willing to undergo higher levels of risk experiment with the balance between flexibility and control. Cloud providers must develop relationships with clients, standards organisations and regulators to enable a flow of information concerning security assurance. Ultimately, this will encourage the continuing evolution of security practices in a cloud environment.

Part of the challenge for cloud providers will be the near-inevitability of a high-profile failure, something that could lead to an erosion of confidence in customers. By 2015, be it the result of an inadvertent failure or deliberate attack, a public cloud service will experience a cascading failure that results in millions of euros of unrecoverable data loss, affecting thousands of customers. I'll be talking about this prediction further at the Gartner Security & Risk Management Summit in London on 22-23 September.

Simple assurances of "trust us - we know what we're doing" will not reassure cloud computing customers and it is counterproductive toward the improvement of security within cloud environments. As improved forms of security certification are introduced, suppliers will establish a track record with regard to security, and it will become increasingly possible to take greater advantage of new cloud-based products with a much lower customer burden of due diligence and operational tracking.

Cloud providers will need to provide evidence that they have tested their code for application vulnerabilities and, when appropriate, ask for a commitment to meet regulatory standards such as Payment Card Industry Security Standards, the Health Insurance Portability and Accountability Act (in the US) and, in Europe, the EU Data Protection Directive. The SAS70 auditing standard, by the way, is occasionally mistaken as a security certification; it isn't. SAS70 is a review of process, and does not necessarily address technical issues.

Anti-malware is more effective in the cloud

Tim Mather, senior advisor, KPMG's I-4 Team

What can be done better in the cloud? One obvious service is anti-malware protection. There are several reasons for this.

First, let's recognise that the traditional method of providing anti-malware protection has been to do it on the endpoint itself. However, this approach has been growing increasingly ineffective. An August 2010 study from Cyveillance (a QinetiQ North America Company) found that even the most popular anti-virus signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days, the study found.

Those are terrible detection rates and are due largely to two factors. First, endpoint devices can only run a single anti-malware engine at a time because of the need to control the TCP/IP protocol stack. Second is the problem of quickly updating anti-malware signatures on the endpoint device itself. Both of these problems are explicitly addressed by moving protection from the endpoint to the cloud.

With cloud-based anti-malware, multiple engines can be and are run in parallel, to provide far more effective protection. With multiple engines, a 2008 University of Michigan study found that detection rates could be boosted to 98%. Additionally, it is far easier and faster to update anti-malware signatures on a unified group of servers in the cloud, rather than trying to update numerous endpoint devices. Besides, with anti-malware signatures on cloud servers, the size of that signature set effectively becomes a moot issue.

Such is not the case when signatures must be stored and utilised on endpoint devices that are mobile phones with limited storage and processing capabilities. For example, in 2009, Symantec created 2,895,802 new malicious code signatures, which was a 71% increase on 2008, according to the company's annual Global Internet Security Threat Report. And with a total signature set of some 6,000,000 signatures, that simply is not feasible for today's mobile phones to handle effectively. A third reason why operating anti-malware in the cloud is better is the fact that there is far greater visibility of threats and infections. This provides better situational awareness about anti-malware and therefore better protection in itself.

For these reasons, cloud-based anti-malware protection is superior to traditional endpoint-based anti-malware capabilities. However, can such capabilities be provided more securely than traditional enterprise, premises-based solutions? Absolutely: it is far easier to update a group of cloud-based servers and to secure them than it is to try and effectively secure those same capabilities on numerous endpoint devices.