With today’s challenges, technical, economic, political, or otherwise, our brave IT managers stand at the precipice of a new computing architecture that will change how they manage their data, security, and troubleshooting: the Cloud. This doesn’t seem to be another flash in the pan, so we find our IT professional forced to “Man-up” and take on what almost seems to be an impossible mission.
“…Good morning, Mr. Phelps. Your mission, Jim, should you choose to accept it, is to selectively choose an appropriate provider for Cloud Computing that addresses the needs of the company as well as the security required to make it safe…”
So despite all the noise, you’ve decided to sign up with the “cloud”. If you did your homework you already know that the large service providers all have a clause in their contracts that sounds a little like this:
“… We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet…. You acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications…”
So the position of the Cloud providers is that of Sergeant Schultz: “I know nothing, I hear nothing”. In short, when a breach occurs, “tag!” you’re IT.
So, with that looming over your head, where does one start? In a previous blog, I laid out the 30000 ft. level of concerns about the concept; here, let’s get more specific. Let’s look at the current data concerns.
Data is typically stored in plain text.
Your data is not only MIA, but can be moved without your knowledge. Know that in a virtual machine environment, as the provider grows and adds more customers, they are going to make several changes to the location of your data.
What can’t be tracked can’t be controlled. Monitoring your data’s access and whereabouts is limited. This is more a regulatory challenge than anything. “It’s 10 o’clock, do you know where your data is?” may eventually rear its head in an audit.
You share storage with complete strangers. These virtual environments are like tenements: one day your neighbor is quiet, the next, the cops are pounding on his door.
Storage devices contain residual data. The secure deletion of data from storage devices has been an issue of discussion for more than ten years. There have been a number of studies examining disk disposal practices and assessing the volume and type of residual data remaining on disks available on the second-hand market.
So what can you do to move forward and yet feel secure in your decisions? Here are some “low hanging fruit” suggestions that may help your sleepless nights.
Encrypt yourself before you Crypt yourself.
Use encryption on all shared volumes.
Encrypt network traffic to and from the cloud.
Use encrypted file systems; this technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
Make Sure Your Provider is Security Conscious
Verify your vendor’s application security measures. You can see if they are SSAE 16 or SAS 70 audited, and if they have clients that are HIPAA or PCI certified. Managed services can also add a great deal of benefit and expertise to making your applications, data, and business more resilient. Services like managed firewalls, antivirus, and intrusion detection are offered by reputable providers (commercial alert – Affant would be a good choice).
Always ask your cloud provider for client references that require stringent security measures. Financial, healthcare, insurance, or government organizations are a good start. And when given them – actually call them. You would be surprised at the candor some of these references provide…
Remember, if it can be stored, it can be stolen. Vulnerability scanning and assessments are just as important inside the cloud as they are outside the cloud. Chances are that if you can find a way to get unauthorized access to your data, someone else can as well.
Lock It Down
Use digital certificates (asymmetric keys to credentials) to authenticate and decrypt your information.
Do not use password-based authentication for SU or shell access (security 101).
Firewalls – explicitly deny all traffic that is not explicitly allowed (Firewall for dummies).
Segregate sensitive information and community information in separate VMs if possible.
Use a Host Intrusion Detection System. A Host IDS monitors host and server event/sys logs from multiple sources for suspicious activity. Host IDS are best placed to detect computer misuse from trusted insiders and those who have already infiltrated your network.
Use system hardening tools, e.g. anti-malware, worm door cleaners, and Trojan prevention applications.
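One way to check the "no password-based authentication for shell access" item above on a cloud VM, as an added example that is not part of the original post: a small auditor for sshd_config text that applies sshd's first-value-wins rule and flags Match blocks that turn passwords back on. It assumes upstream OpenSSH defaults and does not follow Include files; the function names and the sample config are constructed for illustration.

```python
# Added example, not from the original post. Assumption: upstream OpenSSH
# defaults apply when a keyword is absent; Include files are not followed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PW_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")
# Constructed sample config, not taken from a real host.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Return (global settings, Match-block overrides); first value wins."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # tolerate key=value
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value  # later keywords apply only to this Match block
        elif match is not None:
            overrides.append((match, key, value.lower()))
        elif key in DEFAULTS and key not in settings:
            settings[key] = value.lower()  # sshd ignores later duplicates
    return {**DEFAULTS, **settings}, overrides

def audit(config_text):
    """List findings that leave password-based login reachable."""
    eff, overrides = effective_settings(config_text)
    findings = [f"{k} is '{eff[k]}', expected 'no'" for k in PW_KEYS if eff[k] != "no"]
    if eff["permitrootlogin"] == "yes":
        findings.append("permitrootlogin is 'yes'")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled")
    findings += [f"Match {m} sets {k} {v}" for m, k, v in overrides
                 if k in PW_KEYS and v != "no"]
    return findings
```

Calling `audit(SAMPLE)` reports the keyboard-interactive default, the root login setting and the Match override, while the duplicate `PasswordAuthentication yes` line is correctly ignored.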
Always back up your data.
Often overlooked, and one of the easiest ways to increase the control of your data, is to make sure that whatever happens, you have a secure backup of that data. Make frequent backups to off-world destinations, i.e. back up off the cloud.
Now will this solve everything? No, but it’s a good start.
“…Jim, as always should any member of your Cloud data be breached or destroyed, the CFO will disavow all knowledge of your actions and your job will self-destruct in five seconds. Good luck Jim…”