Security and Privacy in the Cloud
Hortonworks announced their plan to acquire XA Secure and open source it. XA Secure claims it is a comprehensive approach to Hadoop security. This made me think of the the various aspects of security in the cloud.
Security in the cloud spans across multiple layers that involve people, compute, network and storage. Security in the cloud requires an integrated strategy of process and tools, to allow end users be able to complete their work in an environment that enforces compliance without getting in their way.
Here is how I think of the top 5 areas of focus for security in the cloud.
Focus Area 1: APPLICATION SECURITY
Application security mainly deals with protecting the application resources. This includes a multi-pronged approach to cover the following:
- Enforcing strong authentication and authorization
- Date encryption on the wire: End-to-end encryption using SSL for all connections, both browser and APIs
- Data encryption for data at rest
- Data encryption for data in memory
- Application white listing
- Role based access to application resources
- Session tracking
- Controls for privileged or elevated access
- Enforce context awareness and notifications
Focus Area 2: DATA SECURITY
According to Forrester’s TechRadar report () on Data security, security is the second largest portion of the IT budget. In 2014, the investment is expected to rise by 45%. Data security is no more an IT issue. It is an important business driver since data is now closely tied to the the financial cost of companies and the business damage that it can cause as a result of data breaches.
Data masking and Data Loss Prevention(DLP) offerings are best suited for addressing data security. To enforce security on the data you would want to know:
- Where the data exists (both structured and unstructured) to secure it
- Continuously monitoring access to the data
- Protecting both production and non-production data
- Regular audits for maintaining compliance
Focus Area 3: NETWORK AND STORAGE
Explosive growth in data and digital assets in the cloud , drives the need for high performance reliable network and storage. This calls for sensitive information flowing through the network and storage to be encrypted both in-motion and at rest.
With customers requiring the need to continue to productively use their prior investments on software, the hybrid cloud is pushing needs for cloud security to operate in a hybrid model. In such hybrid environments there is need to support secure links and encryption across on-premise networks and storage units.
Some of the important features to pay attention around Network and Storage Security are
- Confidentiality and Data level protection
- Certifications for compliance with legislative and regulatory mandates
- Privileged user access and separation of duties
- Centralized key management
- Realtime monitoring of traffic across network
Focus Area 4: DATA PRIVACY
In this digital age especially in the cloud where we end up capturing personal identifiable information or other sensitive information is collected and stored, privacy concerns are highly prominent. The challenge of data privacy is to share data while protecting personally identifiable information. Data privacy has become of a very high priority in certain markets like Healthcare, Criminal Justice, Financial, Life Sciences and more. These days the laws for the protection of privacy have been adopted worldwide , but their definitions and objectives vary from one country to another.
It is important that the cloud vendors make sure that their cloud offerings gets certified under EU, US and other Safe Harbor Programs.
Focus Area 5: DATA CENTERS
Primarily due to cost effectiveness, customers are adopting cloud and hybrid services as their business model in various stages of their business cycle. This is driving data centers to adopt virtualization technologies to rapidly expanding their data center infrastructures reliably and effectively into the cloud.
Some of the common challenges around security in the data center are:
The resources belonging to multiple customers reside on the same physical platforms. Proper security measures must be adopted such that customer data cannot be breached or spilled over, even if the multiple customers are leveraging the same resources and platform in the virtual environment.
2. Compliance and Privacy Restrictions
Even though the infrastructure and resources of the data centers are managed by the cloud vendor, they should be prevented from monitoring and auditing any components or data. This includes preventing them from inspecting the network through which customer data will be passing because of compliance and privacy restrictions. The cloud vendors should think through these privacy and compliance challenges so you can clearly isolate these tasks and provide ownership to the customers to manage, monitor and audit on their own. Providers may need to comply with the ISO17799 based policies and procedures and be regularly reviewed as part of the SAS70 Type II audit process.
In summary, security enforcement in data centers involves
- Data Protection at the application, network and storage through access control and encryption
- Protecting systems through hardening, intrusion detection and prevention
- Monitoring and Auditing through certifications to meet compliance regulations, change control around upgrades and patches, proper role and privileged access management.