One of the biggest benefits of the cloud is offloading a customer’s maintenance and other IT responsibilities to you, the solution provider. Security, however, is a shared responsibility: both the solution provider and the customer have duties and obligations when it comes to the security of the data.
Checking into the Cloud Security Alliance is a good place to start your education. It is the world’s leading organization on security best practices for cloud computing. Their subject matter experts come from a wide variety of industries, with expertise in most cloud disciplines. They have a presence on every continent except Antarctica and offer two cloud security certifications: one for providers and one for users.
Part of the solution provider’s responsibility is to ensure the customer understands what is offered in the way of security and what the customer needs to provide, so everyone is comfortable that the best cloud security for the customer’s needs is being offered. This will vary depending on whether you are providing SaaS, IaaS, or PaaS, since IaaS puts more weight for security in the hands of the customer. This conversation provides a great opportunity for you to ensure that you stand apart from, and above, your competition.
- Physical Data Center – As you would expect, this includes building security, personnel management, and background checks.
- Hypervisor – Though you may not be responsible for the virtual machine, you should ensure the hypervisor is as secure as possible. You should also ensure you are running the most current version of the hypervisor and that the most current security patches have been applied. A breach can cascade down through all the virtual machines associated with that hypervisor.
- Host Machine Operating System – This is the security in place for the host machine operating system and associated virtual machines. Once the host machine operating system is compromised, that opens the door for impacts to the virtual machines hosted on that physical machine. Host machines should have security that includes:
  - Intrusion detection
  - Minimum number of user accounts
  - Administrative access limits for named accounts
  - Strong passwords
  - No publicly accessible network services
  - Running only the necessary programs, services and drivers. The less functionality, the less vulnerable the system is.
- Network – This should be a conversation with your provider and cloud architect. They will set up the policies and procedures that control access to, and modification of, the network. As with most other security, there are levels to network security. They include perimeter controls, network access limitations, and access lists.
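As an added illustration (not part of the original article), two of the host machine items above, a minimum number of user accounts and no publicly accessible network services, can be checked with a short audit. The sample `/etc/passwd` lines, the `ss -Htln` rows, the approved account names and the allowed port are all constructed assumptions.

```python
import ipaddress

# Constructed sample inputs (not from a real host): /etc/passwd lines and `ss -Htln` rows.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
opsadmin:x:1000:1000:Ops:/home/opsadmin:/bin/bash
olduser:x:1001:1001:Former staff:/home/olduser:/bin/sh
admin2:x:0:0::/root:/bin/bash
"""
LISTENERS = """\
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 10.0.0.5:16509 0.0.0.0:*
"""
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit_accounts(passwd_text, approved):
    """Flag extra UID 0 accounts and login-capable accounts outside the approved set."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 outside root")
        elif shell not in NOLOGIN and name not in approved:
            findings.append(f"{name}: interactive shell, not approved")
    return findings

def audit_listeners(ss_text, allowed_ports):
    """Flag listening sockets bound to a non-loopback address on an unapproved port."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if host == "*":
            host = "0.0.0.0"  # some ss versions print * for "all addresses"
        if not ipaddress.ip_address(host).is_loopback and int(port) not in allowed_ports:
            findings.append(f"{host} port {port}")
    return findings

if __name__ == "__main__":
    for f in audit_accounts(PASSWD, {"root", "opsadmin"}) + audit_listeners(LISTENERS, {22}):
        print("FINDING", f)
```

On a real host the two strings would be replaced by the contents of `/etc/passwd` and the output of `ss -Htln`, with the approved accounts and ports taken from the host's documented baseline.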
The CSA has an assessments document that provides more in-depth information on security responsibilities, but, as mentioned earlier, both solution providers and customers have a part to play in securing data in the cloud.
Customer Security Responsibilities
As mentioned earlier, responsibility for the security of data within the cloud does not rest solely on the shoulders of the reseller. The customer should also be aware of, and implement best practices for, a few very important security measures.
- Firewalls – Most know that firewalls are important. They are the protective barrier between the local computer or network and the internet. The purpose is to keep unauthorized users from accessing the local computer, so a strong firewall is necessary. Customers will need to understand both perimeter and host-based firewalls.
  - Perimeter Firewalls – These are usually stand-alone appliances or sometimes firewalls that are built into the broadband router. There are both physical firewalls and virtual firewalls designed to protect different parts or pieces of your environment. For example, you may have a “main” firewall that protects all the traffic in and out, and then you could have a virtual firewall that separates servers from workstations or testing from production. Modern firewalls need careful design and planning for effective deployment. The provider and the customer will need to be familiar with the specifications of their particular firewall to ensure optimum protection.
  - Host-Based Firewalls – These are usually installed on the individual machine and designed to protect only the machine upon which they are installed. The goal is to keep an unauthorized user from taking over the machine, to isolate critical machines, or to prevent a compromised machine from sending data to unauthorized recipients. Typically, these are best suited for protecting virtual machines.
- Patches & Backups – Software suppliers release patches on a frequent basis in response to new security threats. Sometimes the supplier handles this, and sometimes it is the sole responsibility of the customer. A customer’s compliance needs, security posture, and reporting requirements will drive your level of involvement and management of this process. Additionally, many customers will use a third party to back up data, which provides additional comfort and security in the event the supplier’s security is breached. So be sure that backups are also properly protected and secured, whether on-site or off.
- Passwords – We all know about passwords. Often, they are the weak link in the chain. The customer needs to define the configuration of passwords to ensure they are strong and secure. Characteristics that need to be defined include complexity, expiration, differentiation, minimum requirements and history. In other words, passwords should:
  - Contain upper- and lower-case characters, numbers, and special characters
  - Not be repeated across applications or through time
  - Have a minimum character number requirement
  - Use multi-factor authentication where possible – strongly encouraged!
- Virtual Machines – Virtual machines should be treated similarly to physical servers, and the same best practices should apply. In addition to the ones mentioned earlier, file integrity, data encryption, communication encryption and audit logging are paramount.
- Access Control – Controlling access to the actual physical device is paramount, and the customer should take measures to ensure only authorized internal personnel have access. This can include locking down the device, password protecting it, employing role-based access, and managing mobile devices.
- Staff Security – Naturally, any customer employee who has access to devices, networks, systems, data, etc., should be thoroughly vetted by the customer, and occasionally monitored.
Cloud security is a partnership between the solution provider and the customer. Ensuring that each knows their responsibilities and available security options will ensure a longer and more prosperous relationship. Additionally, your ability to address and knowledgeably discuss this area will either set you up as your customer’s trusted adviser or enhance the already existing relationship.
Abstracted from Rackspace’s “The Elephant in the Room.”