Locking Down Your Cloud: One Step at a Time
April 3, 2013
A highly secure cloud is not a myth. It’s not even out of reach. In fact, you can lock down your virtual infrastructure as tightly as any Fortune 50 enterprise does, by getting four components right: security, management, performance, and compliance. To master these four ingredients, you must break each one down into its individual details and then piece it all together again – but smarter. For example, it’s not enough to deploy basic perimeter and hypervisor security components such as network firewalls alone. The technologies have to mesh as a formula, and the stakes are high. One false step could leave your cloud insecure and put your company’s data at risk.
In this article, FireHost director of information security Kurt Hagerman delves into the first essential step – security – and discusses how to implement it well for your business.
Get everyone on the same page
Most organizations have at least dipped their toes into the cloud by shifting non-sensitive workloads like training apps and dev testing out of their own datacenters. Increasingly, we’re seeing organizations migrate more sensitive applications and data to the cloud – with huge ramifications for security. Unfortunately, many cloud providers are scaling up fast but leaving security as an afterthought. Instead, their foundational premise may have been scalability, fast adoption by end-users, or cost. As a result, security for the organizations they serve falls short of ideal, which can be especially problematic for those in industries with regulations such as PCI 2.0 or HIPAA.
Ultimately, the security of your business’ data is your responsibility, and that includes making sure the cloud providers you use are secure as well. A truly secure cloud environment requires a variety of security tools and tactics all working together. The old cliché is true: your defenses are only as strong as the weakest link. Make sure your infrastructure vendor selection process addresses:
– Strong multitenant segmentation and isolation
– Comprehensive perimeter security
– Distributed Denial-of-Service (DDoS) mitigation
– Web application firewalls
– IP reputation filtering and IDS
– Secure remote access with multifactor authentication
– A robust set of supporting security services including anti-malware, log management and vulnerability management
Additionally, video surveillance, badged access, and biometric authentication are all baseline precautions for your datacenters, wherever they reside. As you source data center providers, make sure they have all of these on their checklists.
Protecting the cloud from the human element
Unauthorized users are the obvious culprits, but what about authorized users? Let’s face it: sometimes our people do the wrong thing. Maybe they’re disgruntled and want to harm the organization. Or maybe they’re naïve and susceptible to a social engineering scheme. Here are four ways to mitigate the risk of malice brought by authorized users:
– Security Awareness Training. Many companies require employees to undergo diversity training on an annual basis. Security awareness should be treated no differently. Employees should be trained on the latest trends and best practices on a regular, recurring basis. As always, complacency is your enemy here.
– Social Media Policy. For cybercriminals, social media is an easy gateway to personal information and tidbits about the company that can lead to social engineering. Enforceable social media guidelines and regular education around the risks of social media can help protect your people from social engineering schemes.
– Least-Access/Need to Know Methodology. Every use case for access is unique. Grant access to sensitive data and critical applications on a role-based basis, and size each role to the minimum access a user needs for their daily work routine. Less exposure means less risk.
– Secure Administrative Access. And, finally, insist that your vendors lock down access to your virtual servers and your management portal or dashboard. Your vendor should offer multiple methods for gaining administrative access including SSL VPN, L2L VPN, private circuit and MPLS termination. They should also offer multi-factor authentication to aid your compliance with relevant regulatory requirements.
Round-the-clock monitoring
The last piece of the security puzzle is round-the-clock monitoring. You need a clear picture of who’s on your network, what they’re seeing, and what they’re doing. Of course, that’s a massive pile of data – far too much for human eyes to digest in real time.
A good security information and event management (SIEM) system can help by analyzing user interactions with your systems, identifying potential threats, and prioritizing by risk level. Make sure your system accounts for all your security and regulatory compliance needs including: automated log collection and archiving, fraud detection, real-time threat detection, and forensic analysis for cyber security.
And don’t forget the human element. Dashboards, reports and notifications are nice, but data outputs are only as good as the people monitoring them. It’s no small investment to hire a security team and build out processes. Outsourcing this function may be a cost-effective alternative.
Security in the cloud
In surveys of IT decision-makers who’ve yet to integrate the cloud into their environments, security is often the No. 1 reason given for staying on the sidelines. However, security doesn’t have to be a barrier. The right cloud solution process and well-vetted providers will provide technical, physical, and process-based security controls to keep your data safe and your applications running smoothly. A highly secure cloud is in reach for every organization. It’s simply a matter of knowing what the pieces are and how to fit them together.
Kurt Hagerman, Director of Information Security
As the director of information security at FireHost, Kurt Hagerman oversees all compliance-related and security initiatives. Hagerman is responsible for helping FireHost attain ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the compliance their own businesses require. His position further includes merging information security and compliance into one organization, and enacting a strong security program in which levels of compliance are by-products.