Understanding Cloud Security, Certificates and Compliance
November 1st, 2013 By: Bill Kleyman
Now that we have a better understanding of the cloud and the capabilities it can provide, it’s time to examine the never-ending questions around security that always seem to drive the conversation. Next-generation security models aim to revolutionize the data center and how it facilitates the cloud. We have better scanning engines, improved cloud monitoring options, and even more granular user control features.
But what’s happening inside of the cloud? How have security concerns around core areas been addressed? Remember, there are still organizations out there which are heavily driven by compliance requirements such as SOX, HIPAA, PCI/DSS and even FISMA.
Cloud security, compliance, and the certificates that help support cloud communication have all come a long way. When it comes to compliance and regulatory-driven organizations, it’s important to understand how technologies like cloud and virtualization are now able to create a more robust environment. Furthermore, mobility solutions – when incorporated with your cloud platform – can even further enhance the data center cloud security model.
- Cloud security advancements. Cloud is certainly here and not going anywhere. In fact, organizations are finding ways to deploy even more of their IT environment into a cloud model. Between all of this sits the very real challenge around security. Standard UTM firewalls were simply not enough to stop some of the latest threats and attacks against the modern cloud and data center. This is where next-generation security came in to help. Although it’s a bit of a buzz-term, the idea behind next-gen security is very real. Instead of standard firewall services, we are now seeing direct integration into the application, data and even user layer. Entire applications can be placed behind intelligent, heuristic, learning engines which monitor for anomalous activity. Not only do they protect internal resources, they continuously monitor these applications against signatures based on public vulnerability databases (e.g. Snort, CVE, Bugtraq, etc.). Couple this with systems which are able to operate inside and outside of the network, and you’ve got a pretty robust security platform. Internal security services now include solutions like IPS/IDS as well as data loss prevention.
- Who owns the “keys” to your kingdom? Modern organizations have very new security demands around their data and applications. Data sharing and collaboration – primarily revolving around mobility – has been a very hot topic for IT managers. Many security administrators were asking for a better way to share, control and deliver data on a cloud-ready platform. Solutions which house data directly in the cloud aren’t a great fit for everyone. This is where solutions like ShareFile step in. Organizations bound by compliance regulations (HIPAA for example) must take special precautions around their data sharing environment. With the ShareFile platform, administrators are able to house their data both on-site and in the cloud. Furthermore, they are able to own the encryption keys throughout the entire process. With cloud-based solutions, this is simply not possible since the data resides on a vendor system. This new approach around file sharing and collaboration has allowed organizations which were stuck with compliance challenges to take that cloud leap while retaining complete control of their information.
- The importance of certificate monitoring and control. Security certificates play a big role in the cloud world. There are some key aspects that are necessary to create a solid certificate management platform:
- Monitoring your SSL and security certificates is a must. Why? A single expired SSL certificate can not only affect the system that it’s loaded on – but also other services which have dependencies. Recently, a single SSL certificate caused a major outage taking down or disabling 52 different services. For the Azure cloud, this was a tough lesson to learn.
- Proactively set up alerts. As part of the monitoring process, it’s important to know when certificates are expiring, if there are issues and how they are interacting with other services. Remember, application-based dependencies include certificates deployed on various servers. This means that if a single certificate goes down, it can potentially create a cascading scenario which can negatively impact a number of services.
- Know your certificate origins. Just because a certificate costs less, doesn’t mean it’s as good as other well-known certificate issuing authorities. There are cases where certain certificates simply will not work or will not be accepted by some cloud services. This means understanding who is issuing your certificates and how these certs are compatible with your cloud platform.
- SSL certs can take down your cloud, as happened with Azure. Create monitors and alerts. Ensure compatibility.
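The three points above (expiry monitoring, alerting with service dependencies, and issuer checks) can be combined in one small check. This is an added example, not code from the original article: the host names, issuer names, dependency lists, thresholds and issuer allow-list are all constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS, CRIT_DAYS = 30, 7                 # assumed alert thresholds
APPROVED_ISSUERS = {"Example Public CA"}     # assumed issuer allow-list

# Constructed inventory; not_after uses the format getpeercert() returns.
INVENTORY = [
    {"cn": "storage.example.test", "issuer": "Example Public CA",
     "not_after": "Nov 04 12:00:00 2013 GMT",
     "dependents": ["blob-api", "vm-provisioning", "portal"]},
    {"cn": "portal.example.test", "issuer": "Example Public CA",
     "not_after": "Nov 25 00:00:00 2013 GMT", "dependents": ["billing"]},
    {"cn": "mail.example.test", "issuer": "Example Public CA",
     "not_after": "Oct 30 00:00:00 2013 GMT", "dependents": ["alerts-relay"]},
    {"cn": "api.example.test", "issuer": "Bargain CA",
     "not_after": "Jun 01 00:00:00 2014 GMT", "dependents": ["mobile-app"]},
    {"cn": "docs.example.test", "issuer": "Example Public CA",
     "not_after": "Jun 01 00:00:00 2014 GMT", "dependents": []},
]

def fetch_not_after(host, port=443, timeout=5):
    """Read notAfter from a live endpoint (a failed validation raises instead)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400

def evaluate(inventory, now):
    """Return alerts, most urgent first, each listing the services it would affect."""
    alerts = []
    for cert in inventory:
        remaining = days_left(cert["not_after"], now)
        level = ("EXPIRED" if remaining < 0 else "CRITICAL" if remaining <= CRIT_DAYS
                 else "WARNING" if remaining <= WARN_DAYS else "OK")
        approved = cert["issuer"] in APPROVED_ISSUERS
        if level != "OK" or not approved:
            alerts.append({"cn": cert["cn"], "level": level,
                           "days_left": round(remaining, 1),
                           "issuer_approved": approved,
                           "impacted": cert["dependents"]})
    return sorted(alerts, key=lambda a: a["days_left"])

if __name__ == "__main__":
    for alert in evaluate(INVENTORY, datetime(2013, 11, 1, tzinfo=timezone.utc)):
        print(alert)
```

In a real deployment the inventory would be filled from `fetch_not_after` or a certificate store, and the alerts routed to whatever paging system is already in use.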
- Compliance and regulation in the cloud. Going to the cloud may not be as challenging as it once was, but staying compliant is still a challenge. Even now, there are only a handful of data center providers which can host PCI/DSS systems. Furthermore, creating a cloud platform for a compliance-driven organization creates numerous other security challenges. Where will the data be housed? Are virtual images certified? How are users accessing their workloads? How are you staying proactive to stay compliant? Take a look at PCI/DSS – only a few certified data centers. Aside from PCI/DSS, FISMA has created a new way for government entities to look at their cloud and IT model. Think they didn’t take this seriously? In 2008, federal agencies spent $6.2 billion to secure their infrastructure. The idea was to create a system around cybersecurity which emphasized a risk-based policy for cost-effective security. From a FISMA perspective, there are 7 key elements that an organization must meet:
- Inventory of all systems
- Categorization of those systems based on risk level
- Implementing security controls
- Conducting risk assessment audits
- Security certification and system accreditation
- Continuous infrastructure monitoring
Written in 2002, this act was in dire need of an update and a refresh. With that, came the Cybersecurity Act of 2012. After having key conversations with government, public and private security experts – the concepts of FISMA were further defined in this act. This clarification describes how organizations should:
- Determine the Greatest Cyber Vulnerabilities
- Create a Public-Private Partnership to Combat Cyber Threats
- Incentivize the Adoption of Voluntary Cybersecurity Practices
- Improve Information Sharing While Protecting Privacy and Civil Liberties
- Improve the Security of the Federal Government’s Networks
- Strengthen the Cybersecurity Workforce
- Coordinate Cybersecurity Research and Development
The act further defines roles, responses and some of the new technological platforms currently available in the IT world. Still, some security experts argue that – although this act is set with good intentions – it is still really just a checklist for organizations to examine. Ultimately, it will all come down to how well your organization is able to deploy a secure infrastructure around overall security best practices.
As cloud continues to integrate more closely with the modern business organization, security tactics will need to evolve. Typical UTM appliances are simply not enough to protect against new types of threats to cloud and data center environments. Plus, compliance regulations aren’t going anywhere either. This means that if you want to go to the cloud – and are bound by governing policies – remember that there are options out there.
Because cloud has continued to progress, the security models that support cloud computing are allowing for more granular controls over key security components. This means more control over secure traffic transmission, file/data controls, and the ability to continue to deliver digital content to the end-user. There are a lot of great ways to deliver powerful cloud services – the key will be to do so in an efficient and secure manner.
Thanks for the read.
I would also suggest making sure that issues like insecure credentials do not threaten your system’s privacy and monitor and mitigate the known vulnerabilities.
Bill Kleyman, Posted November 4th, 2013
@Frank – Solid point. Things like credentials and just good internal security policies should not be overlooked.
megan, Posted November 26th, 2013
I think that with the development of clouds in the future, security matters will become hotter and more important, as well as the methods to protect the data in the clouds. Right now, when you choose the cloud company to work with, pay attention to the recommendations and reviews and then select. I chose my monitoring tool Anturis in such a way.