ADVENT ONE The Risks and Rewards of Cloud Migration

The migration to cloud computing is one of the major technology trends of this decade. The lure of a fixed monthly cost for constantly up-to-date Infrastructure-as-a-Service is a compelling financial argument. Add to this the rapid go-to-market strategy enabled by on-demand cloud infrastructure and it looks like a no-brainer. But as we all know, there’s no such thing as a free lunch. We always pay a price for progress.

One of the often underestimated costs of the decision to deploy cloud computing involves security. Every organisation contemplating the move to the cloud must realistically assess the security protection offered by the provider, and then calculate the additional protection required to mitigate security and compliance risks generated by migrating to the cloud.

A key point to consider is that your provider’s security concerns may not map completely to your security needs. While cloud solution providers apply the best systems to ensure the security of their service, their focus is on the prevention of breaches into their infrastructure as opposed to breaches that allow unlawful access to your data, as occurs with compromised credentials. As a user of that cloud service, the increased accessibility of your data opens up an entirely new group of security concerns. These risks revolve around the potential leakage of commercially sensitive data, either inadvertent or malicious, including the theft of user or customer credentials. That means you need additional security to protect your data, your people and your customers from targeted attacks.

Throwing light on to Shadow IT

The advent of the cloud upends the traditional security models used by organisations. Until recently, your IT department was able to dictate the software applications used by your employees. This rigid model enabled a security policy that made your on-premises platform very secure from the outside world. Firewalls and other security infrastructure protected your network perimeter while password policies controlled internal access.

That secure environment exists no longer. The convergence of technologies such as the cloud, Software-as-a-Service and ubiquitous powerful mobile devices – that is, the mobile phone in your pocket – has poked countless holes in the network perimeter that traditional security models are unable to defend against. A persistent and perplexing problem is that employees increasingly use multiple devices – from phones and tablets to notebook and desktop computers – to access unauthorised Software-as-a-Service solutions, creating a largely unknown and often unprotected environment of “Shadow IT”.

Rather than try to hold back the river, organisations need to recognise this shift as an opportunity rather than a threat. By identifying and managing the associated security threats, you can equip your employees to increase their productivity by supporting their use of new IT solutions. Your security solution should be transparent, allowing employees to maintain their privacy and not hampering where, when and on what device they want to work, as long as it complies with your security policy.

Understanding the security challenges

The adoption of cloud computing within the delivery platform forces consideration of three key strategic, operational and people challenges:

1. Governance: Cloud computing enables speed, agility and innovation. Is your organisation prepared to adapt and implement cloud services within its overall application mix?

2. Platform: Choose a cloud computing environment that's right for your organisation, whether that’s private cloud, public cloud or a hybrid cloud solution. A key element of your platform involves selecting reliable and dependable vendors and partners.

3. Security: Migrating any part of your IT delivery platform to cloud computing requires increased reliance on an external service provider to maintain a portion of your security solution. It is imperative that you identify the necessary changes to enable your enterprise security policy to incorporate the cloud.

The following list outlines some of the security challenges that arise from migrating identified applications to a cloud computing platform:

Increased attack surface: Whereas hackers previously had to first gain access to your corporate network to launch an attack, cloud-hosted applications enable malicious users to launch that attack from anywhere.

Inconsistent data monitoring: While an organisation can readily identify suspicious activity seeking access to sensitive data on internal applications, this is much more difficult when using third-party SaaS applications, especially when your service provider controls data encryption within their application.

Incomplete application auditing: The inability to monitor all aspects of a cloud-hosted application could lead to incomplete audit trails and compliance.

Limited security control: Organisations using SaaS applications must rely on vendors’ security solutions. While many SaaS vendors undertake quality assurance audits, constant pressure to innovate and support application programming interfaces (APIs) for third-party integration can create unintended security vulnerabilities.

Increased traffic at the network perimeter: Adopting cloud-based services will inevitably increase the load on secure web gateways and perimeter firewalls. Since much of this traffic is encrypted, these security devices must be continually updated.

Entry point threats from Shadow IT

The shared nature of cloud computing increases the risk of new security breaches and requires additional defences if cloud adoption is to deliver a net benefit to your organisation. As cloud services enable users to bypass corporate security policies by establishing their own personal accounts – effectively building “Shadow IT” – you need to employ new controls to manage all cloud activity. Cloud environments face many of the same threats as traditional corporate networks, but offer highly attractive targets due to the combination of large user numbers and a vast amount of stored data. Common threats include:

Data breaches: The severity of potential damage depends on the sensitivity of exposed data, with the most sensitive data including personal financial information, health information, trade secrets, and intellectual property. While cloud providers are responsible for the security of their infrastructure, organisations using the service are responsible for the security of data as it moves across the cloud to and from their users.

Compromised credentials and broken authentication: Data breaches and other attacks frequently result from weak authentication and poor key or certificate management. Managing appropriate user permissions is often poorly maintained within an identity management policy. Cloud service providers need to adopt advanced authentication systems that provide the highest standards of protection to users and their sessions.

Hacked interfaces and APIs: Virtually all cloud service and application providers offer interfaces and APIs that allow supplementary products and services to enhance the overall customer solution. The downside is that weak interfaces and APIs expose organisations to security issues related to availability, confidentiality, integrity, and accountability. Your organisation needs to pay special attention to ensure providers undertake security-focused code reviews and rigorous penetration testing.

Exploited system vulnerabilities: System vulnerabilities can include both exploitable program bugs and platform issues arising from shared resources such as memory, storage and databases within a multi-tenant cloud computing platform. Service providers can largely mitigate attacks on system vulnerabilities by adopting best practices, including regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.

Account hijacking: While phishing, fraud, and other software exploits still occur, a cloud service creates new dimensions that enable attackers to eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks. Authentication protection strategies should monitor transactions carefully to protect account credentials from being stolen.

Malicious insiders: The threat from malicious insiders can include current or former employees, system administrators, contractors, or even business partners. Malicious threats range from minor data theft or damage to large scale infrastructure destruction. Organisations can minimise this threat by implementing security protection beyond that provided by the cloud service, such as logging, monitoring, and auditing all activity.

The APT parasite: Advanced Persistent Threats (APTs) are a form of attack that infiltrates systems, then stealthily exfiltrates data and intellectual property over an extended period of time. APTs are difficult to detect because they typically move laterally through the network and blend in with normal traffic. Major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure. Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks.

Permanent data loss: While data loss due to cloud provider error is extremely rare, malicious users or hackers can cause considerable harm by deleting or damaging data, and cloud data centres are always vulnerable to natural disasters. Many cloud providers offer multiple geographic locations for distributed data-sets as part of business continuity and disaster recovery planning. Data backup and off-site replication and/or storage remain as important for cloud services as for on-premises platforms. If a customer encrypts data as part of the security approach before uploading to the cloud, then the encryption key must be carefully protected as once lost, so is the data.

Inadequate diligence: The rules of due diligence apply to an organisation that embraces cloud computing, whether or not there is a full understanding of associated risks. As in all contract law, a failure to scrutinise a cloud service contract does not mitigate an organisation’s liability in case of data loss or breach. The key is to perform extensive due diligence before entering into any new cloud service.

Cloud service abuses: Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack, launching Distributed Denial of Service (DDoS) attacks, sending spam and phishing emails, and hosting malicious content. While it is largely the cloud service provider’s responsibility to monitor the health of their cloud environments, service availability issues and data loss can impact users of the service.

DDoS attacks: While DDoS attacks are nothing new, they have gained traction recently thanks to the growth of cloud services. System availability is impacted, slowing to a crawl or simply timing out. DDoS attacks consume large amounts of processing power and may incur a large bill for a specific customer.

Shared technology, shared dangers: Vulnerabilities in shared technology pose a threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications. If a vulnerability arises in any of these layers, it can affect everyone.

Managing threats is an ongoing commitment which requires regular activity. Awareness programs should keep users alert to risks that may trick them into allowing a potential threat into the network. IT departments need to stay informed of the latest threats and advanced attacks. Your organisation needs to continually review advanced security controls, process management and incident response plans to ensure they are all up-to-date. Expenditure on security protection needs to be viewed as insurance, much like Backup and Disaster Recovery - a good investment to avoid the potential operational and reputational damage of a major attack.

Data threat protection

Your organisation can employ various security measures to minimise data threats associated with cloud service use. Popular approaches include encrypting data prior to transmission across the network or storage in the cloud, which requires efficient encryption key management and protection. Other approaches include properly isolating Virtual Machines (VMs) to prevent information leakage, implementing proper access controls to prevent unauthorised access, and undertaking a comprehensive risk assessment of the cloud environment to know where sensitive data is stored and how it is transmitted across the network.

A vital activity in data protection for the cloud is maintaining rigorous backups of all data, ensuring it can be accessed and restored in the case of data loss. These backups require a high level of security to protect their integrity and confidentiality. Your organisation can employ various data loss prevention (DLP) mechanisms to prevent data loss within your network, processing, and storage. Many companies including IBM, Actifio and CommVault have also developed solutions to implement data loss prevention across storage systems, networks and end points.

Network threat protection

Diverse security features on the cloud network can avoid account or service hijacking. These include employing intrusion detection systems (IDS) to monitor network traffic and nodes for malicious activities. You can also implement identity and access management to avoid unauthorised access to credentials. Multi-factor authentication, requiring at least two credentials, can be used for remote access to avoid account hijacking threats. Initially, the user is authenticated by the cloud access password and in the next level the service access password is verified. All user activities and security events should be audited effectively to avoid potential threats.

To avoid DDoS attacks, it is important to identify and implement all basic security requirements of the cloud network, applications, databases, and other services. Rigorously test application solutions after development to verify they have no loopholes that attackers can exploit. Typically, prevention and/or management of DDoS threats is the responsibility of the service provider.

Cloud environment protection

Responsibility for protecting the cloud delivery environment from abuse and ensuring it is free from security flaws lies largely with the cloud service provider. Each provider needs to design and implement both interfaces and APIs securely, checking rigorously for possible vulnerabilities. They also need to carefully manage access to cloud infrastructure, with strong auditing of staff and operations to check for any suspicious behaviour.

Organisations choosing cloud services need to fully understand the risks associated with those services before shifting their critical data and operational reliance on to the new platform. This should include a full investigation of the service provider’s infrastructure, to determine the security of applications and data. The service level agreement (SLA) between customer and service provider should contain full policies outlining the protection of data and processing.

Security information and event management (SIEM)

Security information and event management (SIEM) systems, which provide centralised logging capability for an organisation, can extract security analytics from those event logs to quickly detect targeted attacks and data breaches. SIEM technology aggregates event data with contextual information about users, assets, threats and vulnerabilities and analyses for specific purposes, such as incident response, forensics and regulatory compliance. Some SIEM solutions can also be configured to stop certain detected attacks, generally by directing the reconfiguration of other enterprise security controls.

Traditionally, only large organisations with advanced security capabilities tended to deploy SIEM services. This involved duplicating network security logs in a centralised location, so that security administrators and analysts could view all the logs through a single console, correlating events across multiple log sources to detect and respond to potential incidents. Increasingly, SIEMs have become a core security component for nearly every organisation. As the number of sources of security log entries has grown, so has the need to view, analyse and report on the contents of those log entries from a single console. Even small and medium-sized organisations typically need a SIEM today for regulatory purposes, to automatically generate reports that provide evidence of the organisation's adherence to various compliance requirements.

Organisations considering a SIEM product should carefully consider both its deployment and required functionality. As a SIEM solution collects security log data from a wide variety of sources, the transfer and translation of log data may require considerable integration effort. The overall cost of a SIEM project needs to include all required product functions, along with management costs. As many organisations under-estimate the end-point cost of SIEM deployments, the SIEM solution’s value should include the expense of its configuration, monitoring and management.

Cloud access security brokers (CASB)

As part of the move to the cloud, staff can use mobile devices to bypass existing security policies by accessing data within firewall and proxy gateways. While the IT department can ban identified SaaS risks, staff can access lesser-known, potentially riskier cloud services that are not blocked, causing the previously mentioned phenomenon known as “Shadow IT”. One effective way to allow an organisation’s users to approach new cloud services within an integrated organisation security approach is a cloud access security broker (CASB) solution. A CASB acts as a gatekeeper, allowing the organisation to extend the reach of its security policies beyond its own infrastructure.

The downside of Software-as-a-Service (SaaS) offerings that are fully managed by a cloud provider is that you are at the mercy of the provider’s security policy. Worse still, the provider typically has access to your confidential data in the application. A CASB solution delivers better security by giving your organisation control over all facets of security including: protecting data by encryption; visibility of user behaviour and activities across all cloud applications; integrated identity management to enforce password policy across cloud apps; and access control under defined conditions and context.

Gartner, in its 2015 report How to Evaluate and Operate a Cloud Access Security Broker, predicts that by 2020, 85 per cent of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than five per cent in 2015. CASB solutions offer a range of security capabilities depending upon the chosen deployment model. Those offering proxy-based controls, rather than API controls, are well situated for the future especially if they offer both on-premises and cloud-based proxy models.

Although CASB solutions are a promising security component, organisations must still account for the impact and limitations of any solution. The following list outlines procedures to help IT security professionals develop a CASB strategy that is based on a continuous and adaptive approach to cloud security and governance:

Cloud service visibility and risk compliance assessment: Identify cloud services used by your organisation, including “Shadow IT”, the location and sensitivity of data, who accesses it, from what devices and from where.

Appropriate cloud services selection: Enable organisations to understand and verify the compliance and security features of all cloud service providers, including the minimum requirements each provider must meet before being considered for use by your organisation.

Adaptive access: Require the CASB to apply real-time context to the cloud service access decision, that is, restricting access based on the location, time of day or whether the device is enterprise-managed. Context is key to determining whether a cloud service should be accessed. Without context, you are forced to take a binary approach to cloud usage by implementing a policy of allowed vs. blocked.

Encryption and tokenisation of data: CASB solutions enable enterprises to meet their legal and regulatory requirements by supporting the optional encryption and/or tokenisation of data at the field or file content/object level. Implemented properly, this enables the enterprise to maintain control of the key/tokenisation dictionary, providing powerful protection of sensitive data in the cloud and denying visibility to the cloud service provider.

Verify secure and compliant sensitive data usage: Many enterprises have a blind spot when sensitive data is stored in cloud services. The CASB platform should provide for continuous sensitive data monitoring, sometimes referred to as “Cloud DLP” (data loss prevention).

Verify secure usage: In addition to sensitive data monitoring, CASBs should continuously monitor, log and analyse all cloud activities, both actions and transactions. This provides a secure alternative to real-time, cloud service, transactional decision making on a per-user, application, device or transaction basis.

Investigate and respond to exceptions: CASBs should flag exceptions in the access and use of cloud services for investigation. As any enterprise CASB strategy is based on continuous visibility, security analysts should have access to data, including existing tools such as security information and event management (SIEM) to investigate flagged incidents.

Manage usage: As well as managing exceptions, the CASB should allow analysis of the rich seam of cloud services usage data to better manage cloud use.
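The "Adaptive access" item above contrasts a binary allowed vs. blocked policy with a decision that uses location, time of day and whether the device is enterprise-managed. The following Python sketch is an added example, not taken from the original paper or from any CASB product; the policy values, service names, users and decision tiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up authentication"
    READ_ONLY = "read-only session"
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    service: str          # cloud service as identified by the broker
    country: str          # country code resolved from the source address
    local_time: time      # time of day at the user's location
    device_managed: bool  # enrolled in enterprise device management?


@dataclass(frozen=True)
class Policy:
    sanctioned_services: frozenset
    allowed_countries: frozenset
    work_start: time = time(7, 0)
    work_end: time = time(19, 0)


def binary_decision(req, policy):
    """Context-free policy: a service is either allowed or blocked."""
    if req.service in policy.sanctioned_services:
        return Decision.ALLOW
    return Decision.BLOCK


def adaptive_decision(req, policy):
    """Return (decision, reasons); the reasons are kept for the audit log."""
    if req.service not in policy.sanctioned_services:
        return Decision.BLOCK, ["service not sanctioned"]
    reasons = []
    off_location = req.country not in policy.allowed_countries
    off_hours = not (policy.work_start <= req.local_time < policy.work_end)
    if off_location:
        reasons.append("unexpected location " + req.country)
    if off_hours:
        reasons.append("outside working hours")
    if not req.device_managed:
        reasons.append("unmanaged device")
    # Hypothetical tiers: combine signals instead of a single yes/no.
    if off_location and not req.device_managed:
        return Decision.BLOCK, reasons
    if not req.device_managed:
        return Decision.READ_ONLY, reasons
    if off_location or off_hours:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


# Constructed policy and requests, for illustration only.
POLICY = Policy(frozenset({"crm.example", "files.example"}),
                frozenset({"AU", "NZ"}))
SAMPLES = [
    AccessRequest("alice", "files.example", "AU", time(10, 30), True),
    AccessRequest("bob", "files.example", "AU", time(23, 15), True),
    AccessRequest("carol", "files.example", "AU", time(10, 30), False),
    AccessRequest("dave", "files.example", "DE", time(10, 30), False),
    AccessRequest("erin", "paste.example", "AU", time(10, 30), True),
]


def evaluate(samples=SAMPLES, policy=POLICY):
    """Pair each user with the binary and the adaptive outcome."""
    return [(r.user, binary_decision(r, policy), adaptive_decision(r, policy)[0])
            for r in samples]


if __name__ == "__main__":
    for user, binary, adaptive in evaluate():
        print(f"{user:6} binary={binary.value:6} adaptive={adaptive.value}")
```

The binary policy treats the first four requests identically because it only sees the service name; the adaptive policy separates them by context and records why.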

Conclusion: Managing secure migration to the cloud

Businesses around the world are adopting cloud computing. While organisations anticipate improved business growth through the productivity gains of end-users adopting cloud computing solutions, they need to manage effectively the security threats posed by the cloud environment to produce a sustainable business operation. The increased attack surface caused by highly mobile workers using external cloud solution providers requires ever evolving security measures to ensure safety from potential threats.

Each organisation faces unique security issues when cloud services are compared to on-premises networks. To maintain their operational and reputational integrity, organisations need to consider security as an integral part of the cloud. Security threats in cloud computing fall into the categories of: data threats, network threats, and cloud environment specific threats. While these threats are real, organisations that adopt an appropriate security strategy, with associated security solutions, can minimise potential vulnerabilities.

A major source of risk is the rapid rise in cloud service uptake by employees, which has many organisations scrambling to stay in control of service adoption. This encourages organisations to look to cloud access security broker (CASB) solutions to help define what data goes to the cloud and how it’s accessed, shared, and protected. A CASB can create a control point for the cloud, centralising security policies for all services regardless of where users, their devices, or your data reside.

We need to rethink security. Yesterday’s perimeter-based approaches will not work for our borderless enterprises that seek to leverage the cloud with a mobile and outsourced workforce. As security threats seek to compromise identity credentials and attack confidential data, organisations must respond with new security strategies to reduce the risk of breaches and secure the organisation in the new world of mobile and cloud.

At Advent One, we have the expertise and experience of specialist technical teams who have worked with many organisations that face the transition from in-house management to the cloud. We can advise on practical methodologies required to design and implement transformative IT environments unique to every business. Advent One is a trusted and proud Premier IBM Business Partner.