Who has Responsibility for Cloud Security?

As more organizations leverage the cloud for critical business applications, they are discovering one of the greatest challenges is combining existing internal controls with cloud protection efforts. Highly regulated business and government organizations in particular must maintain comprehensive security and compliance postures across these hybrid systems.

1 2 Page 2
Page 2 of 2

ROTHMAN: You'll walk around the RSA Conference and everybody will say their tools don't need to change, everything works great and life is wonderful. And then after you're done smoking the RSA hookah you get back to reality and see a lot of fundamental differences of how you manage when you don't have visibility. How do you enforce network policies when you're restricted to security groups and you only have the ability to open up certain protocols? And you have access through APIs that may be gamed to terminate or reconfigure instances on the fly, without requiring administrative access to the cloud instance. You've also got different cryptographical hierarchies that are required to provide access to those instances. If the management tools are not built specifically to provide consistent access to cloud resources, wherever they are, things can go downhill pretty quickly.

So again, the idea of consistency is critical. But it's a management problem before it's a security problem. So now you have the ability to, within minutes, provision all sorts of servers. OK. But that creates an issue in terms of configuration management, in terms of patch management, etc. So on one hand the tools really have to be mature to overcome and instrument your lack of visibility in a cloud type of environment, but there's still a lot of blocking and tackling needed in terms of just the basic operational disciplines.

KINGSBERRY: From our perspective, federal agencies are always going to have something on-prem and then they're going to want to offload workloads. So if you turn it into a network problem, an information assurance problem, and everything is based on NetFlow, you're going to get full visibility. You can control things in a different way. And when it's infrastructure as a service, it's really no different than having a physical server on-prem. In essence, I have full control of all services running on that box, which means I can connect in enterprise management tool sets to ensure I can manage it.

AMMON: Many of the new security options will actually improve your agility and reduce your costs. An example of that would be a typical machine shutdown and forensics if you had an exploit. With the cloud you can copy a suspected server image to your forensic tool kit, fire up a brand-new replacement image and do all this through the click of a mouse as opposed to deploying employees to data centers. With cloud, experience really matters. Customers can greatly benefit by contracting with proven cloud architects who can help them figure out how to take advantage of the power of the cloud while avoiding cloud supplier lock-in or overly complex management of disparate security tool sets. Customers should implement centrally managed security if they want to maximize reduction in expense and complexity. A piecemeal cloud strategy may leave you with a collection of cloud islands operated and controlled through disconnected security tool sets.

That's actually a problem we are just starting to see in the privileged identity management arena, something we call islands of identity, where organizations are using a different tool on each platform -- cloud, virtual, etc. -- to manage privileged identities. We address this with a privileged identity management solution that reduces the risks that privileged users and unprotected credentials pose to systems and data. With Xsuite, customers can implement secure privileged identity management across their entire hybrid cloud. It vaults privileged account credentials, implements role-based access control, and monitors and records privileged user sessions. And our unified policy management enables Xsuite to deliver the seamless administration of security controls across systems, whether they reside in a traditional data center, a private cloud, on public cloud infrastructure, or any combination thereof.

KINGSBERRY: You mentioned using cloud for forensic work ... we had a similar business requirement. If something like that happens, we leverage Amazon to roll those VMs into an enclave that already has all the forensics tools. So we have snapshots of the compromised VM and all the tools ready and it's locked down so no network traffic can take place. So I'm using the cloud for what it's best for.

SUTHERLAND: I think the tools are making progress. We've deployed for customers decentralized protection architectures that allow for the virtual resource instances to protect themselves rather than relying solely on centralized protection architectures. So, for example, utilizing IDPS or intrusion detection/prevention at the instance level, the instance is able to protect itself in-depth against attacks that may originate from inside the perimeter. And then this combined with integrity monitoring at the instance level and in the application layer provides real time reporting on malicious or unexpected changes to configuration system files or data access.

NW: Ammon, you once said identity is becoming the new perimeter. Can you expand on that?

AMMON: All security exploits involve two steps, gaining access and elevating rights/privileges. The combination of both mobility and cloud has resulted in the erosion of the traditional security boundary. Managing risk calls for a more granular approach to the process of granting, controlling and containing access. With identity as the new perimeter, system owners should demand a separation between identification/authentication and authorization. Granting unfettered access to an entire network segment or all features within a cloud management console incurs unnecessary risk. System owners should also take advantage of federating privileged identity to reduce management complexity and improve accountability.

SUTHERLAND: Just to add to that, when you're using shared privileged accounts, being able to separate that authentication authorization in our experience is very important and it is critical to be able to monitor and control and perform forensics. So a privileged [accessible] system can allow this policy to be enforced for each user, even when using shared privilege accounts and provide the full attribution of the user activities on the user level or the privileged user level.

ROTHMAN: Right. This is another thing that I don't think the compliance hierarchies and auditors and assessors have clued in on, in terms of common console access. PCI for the last seven or eight years has had this concept of unique ID and kind of being able to control things down to a specific individual to be able to wrap changes back to. But again, cloud breaks that model for a lot of different reasons. So this gets back to the idea that we just don't know what we don't know quite yet.

If identity is a new perimeter and the perimeter has disappeared, then we'll all be kind of zombies in the future, because again, it's very hard to track privileged access back to a unique user, as required by the compliance mandates. This gets back to why consistency is critical. Whether it's happening within your own data center or it's happening out in the cloud data center, whether you've got resources that go back and forth or burst or a lot of what [Kingsberry] was talking about having a set of policies and a control set that can be leveraged consistently, regardless of where your data happens to be. That's really where stuff has to go and we are in early days, like diaper time. We're not even toddlers yet.

NW: Rothman mentioned visibility as being a problem. How big a problem is it?

ROTHMAN: Oh, it's a terrible problem. There is the option [Kingsberry] described which, from my perspective, is unique, of running all of your traffic through a choke point, but that starts pushing on the balance between the performance you get with cloud computing and the reality of what you need to do in order to control these environments. It creates difficulty. And what that means is you can't do things like capture network traffic with tools like NetWitness in traditional cloud architectures.

But if you're going to route everything to a choke point that kind of breaks the architectural constructs that make cloud computing interesting in the first place. So what you see are folks climbing the stack from the perspective of instrumenting their applications, instrumenting their databases, instrumenting their instances to a much greater degree because they don't have the ability to do that at the network layer.

KINGSBERRY: That's why I say business drives technology. For federal agencies to feel comfortable with the cloud, we had to take that approach. If we were a larger agency it would be architected slightly differently to address performance issues. Right now, however, for our agency, there is no performance hit. We're a small agency and our network pipes are larger than what's really required.

NW: Any closing thoughts?

KINGSBERRY: When you look at where we are today and where we're going, the opportunities are through the roof. There are lots of opportunities today to do all types of things. I can tell you when we migrated to Microsoft 365 we ended up paying roughly 30% less than if we had to do it on-prem. And it enabled us to stand up something that we hadn't stood up ... Microsoft AD FS 2.0, which gave us an added level of security. So cloud gave us some interesting opportunities to do some really cool stuff.

This story, "Who has Responsibility for Cloud Security?" was originally published by Network World.

Copyright © 2013 IDG Communications, Inc.
