Monday, March 21, 2011

Cloud Security: It's No Myth

By Blake Lindsay, CISSP, Bell Canada

There has been a lot of talk about cloud services, but one major concern raised in almost any discussion about the cloud is security, which is natural given that the cloud often relies on the public Internet and that resources are hosted off-site. Whether you are discussing Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), they all carry security risks, but there are things network administrators and architects can do to reduce those risks in the cloud.

Carriers will most likely deploy IaaS-type services, which give the customer some freedom to configure the systems for their own use. IaaS would most likely be deployed on shared infrastructure to achieve cost savings and get the most out of the hardware. This is where the security issues start. Proper planning and proven security practices remain critical to securing cloud infrastructure.

The services being provided are much like the application service provider (ASP) offerings of the past. One key differentiator is that customers can configure and set up the hardware to their own specifications. There are things carriers can and should do to ensure the security of the cloud: performing penetration tests before the service is implemented, using two-factor authentication for login and administration, and proactively monitoring systems for misuse all reduce the level of risk.

Ensuring that maintenance patches are applied in a timely manner and enforcing strong access control are also important for cloud security, as is using only secure protocols (HTTPS, TLS, SSH) and VPN tunnels for customer administration of IaaS.
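The controls above (administration restricted to VPN tunnels, two-factor or key-based login, and proactive monitoring for misuse) only pay off if someone actually looks at the resulting logs. The script below is an added illustration written for this page, not code from the author or Bell Canada: it runs simple detection logic over a few constructed sshd-style log lines and flags the situations a carrier or customer would want to know about on an IaaS node. The VPN range, the failure threshold and the log lines are all assumed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in sshd syslog format (not from any real system).
SAMPLE_LOG = """\
Mar 21 09:01:02 iaas-node1 sshd[2311]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Mar 21 09:01:05 iaas-node1 sshd[2311]: Failed password for admin from 198.51.100.7 port 51023 ssh2
Mar 21 09:01:09 iaas-node1 sshd[2311]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Mar 21 09:01:12 iaas-node1 sshd[2311]: Failed password for admin from 198.51.100.7 port 51025 ssh2
Mar 21 09:01:15 iaas-node1 sshd[2311]: Failed password for admin from 198.51.100.7 port 51026 ssh2
Mar 21 09:02:40 iaas-node1 sshd[2350]: Accepted publickey for admin from 10.8.0.12 port 40110 ssh2
Mar 21 09:03:11 iaas-node1 sshd[2377]: Accepted password for admin from 203.0.113.44 port 40211 ssh2
Mar 21 09:04:00 iaas-node1 sshd[2390]: Failed password for root from 203.0.113.9 port 40300 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and "Failed <method> for <user> from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>[\d.]+)\s+port\s+(?P<port>\d+)"
)

# Assumed policy values (hypothetical): customer administrators may only reach
# IaaS nodes through the VPN, and five failures from one source is worth an alert.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]
FAILED_THRESHOLD = 5


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, vpn_nets=VPN_NETS, threshold=FAILED_THRESHOLD):
    """Run the detections over a log blob and return a list of (alert_type, detail)."""
    failures = defaultdict(int)  # (source ip, user) -> consecutive failure count
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # not an auth event we understand; skip rather than crash
        src = ipaddress.ip_address(ev["src"])
        on_vpn = any(src in net for net in vpn_nets)
        key = (ev["src"], ev["user"])

        if ev["result"] == "Failed":
            failures[key] += 1
            # Alert exactly once when the threshold is reached, not on every later failure.
            if failures[key] == threshold:
                alerts.append(("brute_force",
                               f"{threshold} failed logins for {ev['user']} from {ev['src']}"))
            continue

        # Successful login: check it came through the VPN and not with a bare password.
        if not on_vpn:
            alerts.append(("admin_login_outside_vpn",
                           f"{ev['user']} from {ev['src']} via {ev['method']}"))
        if ev["method"] == "password":
            alerts.append(("password_auth_used",
                           f"{ev['user']} from {ev['src']} logged in with a password, not a key"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against the sample, the script raises three alerts: the fifth failure for `admin` from 198.51.100.7, a successful login from 203.0.113.44 that bypassed the VPN, and that same login having used a password rather than a key. The single failure for `root` stays below the threshold and is not reported, which is the point of counting per source and user rather than alerting on every failed attempt.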

The customer may ask how they can ensure that their data is secure even with all of these measures in place. While the carrier provides the infrastructure for these services, the customer will have some responsibility for the security of the platform, including implementing a token-based system or encrypting sensitive data on the system. Cloud infrastructure is not yet at the point where hosting mission-critical applications, systems holding personally identifiable information (PII) or data subject to Sarbanes-Oxley, or key components of the business makes sense. Of course, this kind of data is always under the scrutiny of auditors and third-party external audits, so carriers will need to work with customers to provide this information.

Audits and security tests will have to be a regular occurrence and will have to be done in such a way that they meet the standards of the carrier, yet still have the ability to share that information with the customer. The customer may have to share that information with a third or fourth party. The carriers and customers, in effect, become partners for the IaaS service that is being provided, with both parties having a responsibility to ensure the security of the overall platform.

Policies and procedures are a key component of cloud security. Carriers must ensure that processes for data breaches are in place; backup and restore policies should be well thought out, as there could be situations where a previous configuration must be restored. There should be policies for data destruction, particularly when it comes to backup media. Application configuration information should be secured for both the carrier and the customer, and data loss prevention should be on everybody's mind. All of this ties together to raise questions in customers' minds. The security risks do not change; they only shift somewhat in responsibility.

The cloud and security are not mutually exclusive. Rather, through a combination of proven security practices, planning and a new paradigm of cooperation between the carriers and customers, security and integrity of the cloud can become a reality.
