Using encryption, obfuscation, virtual LANs and virtual data centers, cloud providers can deliver trusted security even from physically shared, multitenant environments, regardless of whether services are delivered in private, public or hybrid form.
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
Understanding Cloud Security Challenges
1. • Cognizant 20-20 Insights
Understanding Cloud Security Challenges
Using encryption, obfuscation, virtual LANs and virtual data centers,
cloud providers can deliver trusted security even from physically
shared, multitenant environments, regardless of whether services are
delivered in private, public or hybrid form.
Executive Summary This means building security and trust architec-
tures that ensure each company’s applications
The need to reduce costs and enable IT respon-
and data are isolated and secure from those of
siveness to business change is driving more
other customers in a multitenant environment.
and more applications, including critical ones,
By adhering to emerging security standards and
to various types of cloud platforms. While cloud
leveraging encryption, obfuscation, virtual LANs
providers can implement many of the same
and virtual data center technologies, service
security measures required of an internal IT
providers can not only provide security services
group, many companies are still wary. This is
that meet or exceed internal SLAs, but also
especially true for less expensive, multitenant
provide trusted security, even from physically
public cloud environments that are inherently less
shared, multitenant environments. Companies
secure than in-house IT environments, assuming
should understand that public cloud providers
that the onsite, internal IT environments follow
must also adhere to the stringent security regula-
proper security procedures and have the right
tions of the countries in which they operate.
technology and standards in place. If not, then
public cloud service providers often provide a Whether adopted in public, private or hybrid form,
more secure IT environment than local IT groups. or delivered as IaaS, PaaS or SaaS, the cloud
imposes unique and stringent security demands.
Providing security for cloud environments that
But with appropriate levels of security, trust and
matches the levels found in internal data centers
governance, service providers can provide a
is essential for helping modern organizations
secure environment for company data and appli-
compete and for allowing service providers to
cations.
meet their customers’ needs. However, to match
the levels of security that customers experience
Cloud Security Concerns
internally, service providers must make the
proper investments in providing, proving and The cloud — especially the public, multiten-
ensuring appropriate levels of security over time. ant cloud — raises new and significant security
cognizant 20-20 insights | november 2012
2. concerns for companies that are accustomed to • Legal and regulatory compliance.
hosting their data and applications within their
own four walls.
• Trusting data to the people and processes
employed by the provider.
Within a traditional internal IT infrastructure, it • The threat of confidential data mingling with
is comparatively easy to ensure proper security that of other customers.
mechanisms, such as authorization, authenti-
cation, privacy, confidentiality and nonrepudia-
• Achieving legal redress in the case of a cloud
security violation.
tion. These mechanisms must be accompanied
by proper security policies and processes that • The viability of the cloud vendor.
are followed by employees. Although some users All of this makes it more challenging to create
(such as customers and partners) are outside the trustworthy controls for the monitoring,
organization’s control, the IT staff has physical governance and auditing of the cloud provider
control over and direct visibility into the IT infra- environment.
structure. It can make changes relatively easily
to the authorization policies determining which Cloud Security Requirements
users can take which actions, deciding on the Before moving mission-critical data to the cloud,
physical locations of servers organizations require not just security but robust
Before moving and databases, and validating security that they can trust and monitor. Security
mission-critical the trustworthiness of their
individuals managing
the is not always a feature offered by cloud providers;
sometimes providers require customers to bring
data to the cloud, systems. their own. Here is a closer look at all three
organizations require Data stored and processed
requirements:
not just security outside the enterprise firewall
• Robust security: Meeting the first require-
but robust security involves an inherent level of ment — providing robust security — means
risk, due to a number of factors.
that they can trust For one, third-party services
moving beyond a traditional perimeter-based
approach to a layered model that ensures the
and monitor. often bypass the physical, proper isolation of data, even in a shared, mul-
logical and personnel controls titenant cloud. This includes content protec-
that IT shops have over their in-house resources. tion at different layers in the cloud infrastruc-
However, according to local and federal laws, the ture, such as at the storage, hypervisor, virtual
end user organization can specify the zone of the machine and database layers. It also requires
data center in which its data will reside. Making mechanisms to provide confidentiality and ac-
changes to the service provider’s authorization or cess control. These may include encryption,
access control policies may require going through obfuscation and key management, as well as
the provider’s systems and processes. In public, isolation and containment, robust log manage-
multitenant environments, companies must trust ment and an audit infrastructure.
the provider to safeguard their data even though
it shares physical hardware with other customers. • Trust and assurance: To meet the second
requirement — providing trust or assurance
And lastly, providers may impose limitations on
— the company needs to have confidence in
the liability they will accept for security lapses,
the integrity of the complete cloud environ-
and there may be a need to work out proper
ment. This includes the physical data centers,
notifications of security- and compliance-related
hardware, software, people and processes em-
events.
ployed by the provider. The service provider
The loss of control in moving applications and needs to establish an evidence-based trust
data out of the enterprise to a cloud provider, architecture and control of the cloud environ-
and the resulting challenges in monitoring and ment, through adequate monitoring and re-
governing those resources, create wider security porting capabilities to ensure the customer of
concerns that service providers must address. transparency around security vulnerabilities
These include: and events. This should include audit trails
that help the customer meet internal and ex-
• The protection and confidentiality of data ternal demands for provable security, as well
as it moves over the Internet to and from the as automated notification and alerts that sup-
cloud. port the customer’s existing problem or inci-
cognizant 20-20 insights 2
3. dent management protocols so it can manage • Isolation: To ensure isolation within a mult-
its total security profile. itenant environment, service providers often
employ multiple virtual data centers, each
Collectively, these capabilities can assure
on its own virtual LAN, to maintain customer
the customer of the operational quality and
data separation. For further security, each
security of the cloud provider. Companies also
virtual data center can be configured into
need to take an active role in governing their
one or more trust clusters (each including, for
cloud implementations and taking action on
example, separate Web servers, application
the information delivered by the provider.
servers and database
• Monitoring and governance: This is where the zones), separated by de- While obfuscation
third requirement — cloud governance — comes militarized zones (DMZs)
in: utilities that allow customers to monitor and virtual firewalls
has traditionally been
the environment for security, as well as en- to ensure multitenancy used as a one-way
sure compliance with other KPIs, such as per-
formance and reliability. Using these utilities,
security. masking technology,
• Confidentiality: Confi- using obfuscation in
customers should be able to perform these
dentiality is provided by
activities almost as well as they could in their
encryption and/or obfus-
the cloud to protect
own data centers. Just as importantly, these
cation based on business data requires the use
utilities allow customers to take appropriate
requirements. Encryp- of new architectures
action based on the security information re-
tion might seem like
ceived from the provider. These actions might
the most complete and
and approaches that
include shutting down an application that ap-
foolproof protection, but enables access to the
pears to be under attack or forcing the provid-
by completely obscuring original non-obfuscated
er to tighten its procedures if critical updates
the characteristics of
or patches are not being applied on time.
the data, it can defeat in-
data as needed under
Governance also includes risk management, dexing and search capa- tight security control.
allowing companies to tailor their security bilities and increase the
spending to both the likelihood and possible expense of filtering, querying or consolidation.
impact of various threats. Doing so requires Obfuscation retains enough properties of the
knowledge of how the service provider monitors data to allow these operations, as well as any
for breaches, how security events are detected that rely on the semantics of the data, while
and reported, and the protection the provider obscuring the data sufficiently to destroy its
offers from a legal and financial perspective. value if compromised.
Well-drafted contracts and a legal framework that While obfuscation has traditionally been
defines liability — including whether the provider used as a one-way (nonreversible) masking
will reimburse the customer for business losses or technology, using obfuscation in the cloud to
just for service interruptions — are all issues the protect data requires the use of new architec-
provider must address. tures and approaches (such as tokenization)
that enables access to the original non-obfus-
Cloud Security Controls cated data as needed under tight security
Cloud security controls can be classified in a control.
tiered model. Front-end security handles authen-
tication and authorization. The middle layer deals • Access control: Identity management and
provisioning platforms ensure that only au-
with VM (virtual machine) security, OS security,
thorized users can see the appropriate appli-
etc. Back-end security handles storage security,
cations and data. This needs to be backed by
data and database security, network security, etc.
compliance and audit and log management, so
Delivering assured and verifiable security in the
that customers have a record of which users
cloud requires separate architectures for security
accessed (or tried to access) which resources,
and trust, as well as a framework for governance.
when. In a cloud environment, access and iden-
Security Architecture tity management (which proves users are who
they claim to be) is often provided through
The security architecture provides the isolation,
federated identity management that allows
confidentiality and access control required to
customers to use their existing IT manage-
protect company data and applications. Here is a
ment systems in the cloud. Authentication, au-
look at these three requirements:
cognizant 20-20 insights 3
4. thorization and validation processes also help concern in cloud security.
ensure access and identity control.
Governance Framework
Providers may also need to ensure the integrity
This record of information will be used in the
of data and messages (whether in transit or
governance and risk control framework, where
resident in the cloud) through strong authen-
customers make use of data from the provider to
tication or other means to make sure data has
ensure ongoing security. This framework should
not been compromised in transit.
provide:
Trust Architecture
The trust architecture demonstrates the cloud
• The monitoring and control of the provider’s
performance against the SLAs (service level
provider’s level of security through a variety of agreements) that govern security perfor-
monitoring, reporting and alert functions. These mance.
include:
• Shared responsibility and accountability
• Continuous monitoring and automated between the company and service provider.
compliance and reporting protocols, such as (The customer, for example, must update the
Security Content Automation Protocol (SCAP). provider about the existence of new data or
applications that require certain levels of
• The Cloud Trust Protocol (CTP), the Security, protection.)
Trust and Assurance Registry (STAR) and
Cloud Trust Authority (CTA), which show • Identification, assessment and agreement
the provider’s commitment to industry best on how to manage ongoing security-related
practices and pave the way for trust to develop functions. These include assessing, monitoring
over time. and reporting of liability and legal risks;
managing disaster recovery and business
• A proven track record of integrity of the
continuity, risks to compliance, IP and business
provider’s cloud environments and processes.
reputation; and providing compliance audits
These range from strong patch management
and centralized, policy-driven log management.
and the use of only digitally signed code, to
automated notification and alerts of security
Raising Cloud Confidence
breaches, attacks and vulnerabilities.
The cost and agility benefits of the cloud will
• A real-time feed of information to an executive continue to drive organizations to migrate
dashboard about the number of breaches more critical applications and services to these
detected, the amount of unauthorized activity platforms. As they do so, they will choose cloud
in the customer’s environment and the actions providers that deliver not only the required
taken to thwart it. Over time, future metrics security but also the assurance of robust security
can be developed based on the initial reports and the governance capabilities to manage
and the historic record used to provide a ongoing security needs in a cost-effective way.
foundation of trust.
Companies that choose to work with service
To further elevate their trust architecture, providers offering robust security, assurance and
companies can turn to organizations such as governance architectures will have powerful first-
the Cloud Security Alliance (CSA) that work to mover advantage as competitors of all sizes move
establish and standardize protocols such as CTP more of their business to the cloud.
and CTA. In addition, Gartner and other industry
analysts have identified and classified areas of
cognizant 20-20 insights 4