At a recent conference, we asked some IT thought leaders what they thought about security in the cloud. The responses from these heavy cloud users and vendors indicate a high level of confidence around cloud security.
We also found in a recent survey that the more enterprises used the cloud, the more comfortable they became with security “in, of, and by” the cloud. In our survey, we broke down cloud users into profiles ranging from cloud beginners to the more experienced cloud-focused. Respondents reported that challenges such as security, governance, and compliance declined as cloud maturity increased. For example, security is reported as a significant challenge by 38 percent of cloud beginners, but only 18 percent of the experienced, cloud-focused, respondents.
Anybody who works with central IT staff at larger enterprises recognizes the common questions around security and compliance from professional InfoSec teams.
We developed our own security program at RightScale to ensure our cloud-based software meets the stringent demands of our enterprise customers. Some of the general guidelines, noted below, are also factors that all InfoSec departments should consider when thinking about cloud deployments.
- Clear organizational policies: Have a clear policy about the security responsibilities of internal executives, including CFO, CISO, CTO, VPs, and other staff.
- Access controls: Know the details around access controls in the cloud. For example, consider using a role-based access control (RBAC) mechanism with a default "deny" policy. You can apply the policy in each of your business logic controllers, so that every request is enforced uniformly by a small number of subroutines in the base application controller.
- Protect data in transit: Ask detailed questions about data in transit. For example, you can use private network connections provided by the cloud providers for all intra-cloud communications between the server instances in that cloud. All daemons will listen on, and communicate over, the private interfaces. In addition, security groups can be configured to restrict public traffic to use only allowed ports.
- Data protection in a database: How does your cloud vendor handle data protection? You can use encryption to ensure the confidentiality and integrity of secrets stored on behalf of your customers. Sensitive data can be encrypted at the application layer with AES, using the PKCS#5 passphrase-based KDF (PBKDF2) for key derivation. You can derive a unique key for every encrypted value, so that keys are never reused.
- System monitoring: Leverage a system that implements full logging, monitoring, archiving, and retention of operational and service data through multiple channels for both system event logs and custom monitoring parameters.
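One way to implement the per-value encryption described in the data protection item, as an added example that is not RightScale's own code: each value gets a fresh random salt, so PBKDF2 (the PKCS#5 KDF) yields a unique key per value. The passphrase, the iteration count, the choice of AES-256-GCM (for the integrity the item asks for) and the salt:iv:tag:ciphertext storage format are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Parameters chosen for this example; the iteration count is an assumption,
# not a value from the original text.
ITERATIONS = 100_000
KEY_LEN = 32   # AES-256 key size in bytes
SALT_LEN = 16  # random salt per encrypted value

# PBKDF2-HMAC-SHA256 (PKCS#5 KDF): same passphrase, different salt -> different key.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, ITERATIONS, KEY_LEN,
                             OpenSSL::Digest.new('SHA256'))
end

# Encrypt one secret under its own derived key with AES-256-GCM.
# Salt, IV and tag are not secret and are stored alongside the ciphertext.
def encrypt_value(passphrase, plaintext)
  salt = SecureRandom.random_bytes(SALT_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  iv = cipher.random_iv          # 12-byte GCM nonce, fresh per value
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  [salt, iv, cipher.auth_tag, ciphertext].map { |b| b.unpack1('H*') }.join(':')
end

# Re-derive the key from the stored salt and verify the GCM tag; any
# tampering or wrong passphrase raises OpenSSL::Cipher::CipherError.
def decrypt_value(passphrase, record)
  salt, iv, tag, ciphertext = record.split(':').map { |h| [h].pack('H*') }
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = derive_key(passphrase, salt)
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.auth_data = ''
  decipher.update(ciphertext) + decipher.final
end
```

Because the salt is random, encrypting the same plaintext twice produces two different records under two different keys, which is the "never reused" property the item describes.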
As our survey shows, and as we see in the enterprise InfoSec community, businesses can manage security in the cloud effectively. It takes some time and effort, but the results enable companies to take full advantage of public, private, and hybrid clouds.
About the Author: Phil Cox is Director of Security and Compliance at RightScale.