
The Cloud Is not a “Get out of Jail Free” Card

on February 13, 2013

Slowly but surely, many IT professionals have gotten past the initial fear and anger (which was based on the idea that the Cloud would drastically change or even eliminate their jobs). They are not only accepting the move to the cloud, but looking at it as a way to offload some of their responsibilities, especially in the area of security. It’s natural for overworked personnel to embrace the idea that now security is one less thing they need to worry about, but I think that’s a mistake.

Cloud computing is not a panacea for security woes. What Cloud computing will do is delineate separate areas of responsibility and allow corporate IT admins to focus more on securing the clients and mobile devices and remaining on-premises services (and there inevitably will be some) and not spread themselves so thin. Here’s how IT security will look after your move to the Cloud:

Cloud providers will obviously handle physical security related to their servers and network. They will also take charge of securing the software and data on those servers. Their roles (and yours) will differ slightly depending on whether they are providing software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS).

In any event, the cloud providers certainly have an obligation to their customers to ensure that their infrastructures have proper security controls in place to protect the applications and information that reside on their physical and virtual machines. But that doesn’t absolve cloud customers of their own obligations to their users, their companies’ clients, and others who entrust data – sometimes including very personal or confidential information – to them.

If you’re in a regulated industry such as healthcare or financial services, your organization is required by law to protect the privacy of certain client data. Whether you store the electronic forms of that data on your own premises or in the cloud, the liability rests with your organization if the data is compromised. Even if the physical location of the data is not on your premises, you are ultimately responsible for compliance and reporting. It’s up to you to make certain not only that the proper logs and audit trails are maintained, but that they are secured yet still accessible if and when they are needed.

Your security responsibilities begin with the process of choosing a cloud provider. The Federal Risk and Authorization Management Program (FedRAMP) in the U.S. is a government program that brings together cybersecurity and cloud computing experts from agencies such as DOD, NSA, DHS, NIST and more, along with private industry experts, to provide security assessments of cloud service providers.

Some decision makers might assume that because a particular CSP is FedRAMP approved, its services will be just as secure as every other approved CSP. They’re thinking in terms of programs such as the FDIC (Federal Deposit Insurance Corporation), which guarantees that the money you deposit in an FDIC insured financial institution (in certain types of accounts and up to certain limits) is safe even if the bank fails. However, the two are in no way comparable. FedRAMP is not an insurance program; it’s merely a program for certifying that certain standards are met.

Not all CSPs approved by FedRAMP (or any other assessment program) are likely to be equal in terms of the level of security you get, any more than all physicians who meet the minimum standards to obtain a license to practice are equally competent. Approval status should be a starting point only.

On the other hand, not every business needs the same level of security for their cloud-based apps and data. It’s important to do a security needs assessment before you start comparing providers. Consider what types of services you are planning to move to the cloud, how sensitive the data is that you plan to store in the cloud, and what legal mandates (if any) your business falls under.

You should ask plenty of questions of each cloud provider you consider – don’t assume anything. Find out about the physical location and environment of the datacenter(s) and, especially, how much separation there is between different customers’ networks and resources. A multi-tenant environment presents obvious security concerns; you want to know how the provider addresses them. Find out whether the provider hosts everything in its own datacenter or operates in a tiered environment, where the provider gets services from other providers.

Ask specific questions about such matters as identity management, access control technologies and authentication. Certainly two-factor authentication is a minimal requirement, but what types of factors are used, and who is the provider of the certificates or tokens? What type of encryption is used to protect data? Ask about preventative security measures such as patch management and deterrent measures such as firewalls and IDS/IPS. Also ask what incident response measures have been established, and find out what HR practices exist to screen the cloud provider’s personnel who will have access to your data.

Moving some of your IT services to the cloud can save money, lighten the burden on corporate IT, and free up facility resources. The move to the cloud doesn’t have to come at the expense of security – but the cloud is not a “Get out of Jail Free” card that liberates you from ever having to think about security again. Instead of looking to put the security of your data into a CSP’s hands, think about how you can work in partnership with your provider to keep your company’s vital information safe.


About the Author:

DEBRA LITTLEJOHN SHINDER is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and client and server security over the last fourteen years. These include Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress, and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband, Dr. Thomas Shinder, of the best-selling Configuring ISA Server 2000, Configuring ISA Server 2004, and ISA Server and Beyond. Deb has been a tech editor, developmental editor and contributor on over 20 additional books on networking and security subjects, as well as study guides for Microsoft's MCSE exams, CompTIA's Security+ exam and TruSecure’s ICSA certification. She formerly edited the Element K Inside Windows Server Security journal. She authored a weekly column for TechRepublic’s Windows blog, called Microsoft Insights and a monthly column on Cybercrime, and is a regular contributor to their Security blog, Smart Phones blog and other TR blogs. She is the lead author on Windowsecurity.com and ISAServer.org, and her articles have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, webinars and product documentation for Microsoft Corporation, Intel, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. Deb specializes in security issues, cybercrime/computer forensics and Microsoft server products; she has been awarded Microsoft’s Most Valuable Professional (MVP) status in Enterprise Security for eight years in a row. A former police officer and police academy instructor, she has taught many courses at Eastfield College in Mesquite, TX and sits on the board of the Criminal Justice Training Center there. She is a fourth generation Texan and lives and works in the Dallas-Fort Worth area.
