Cloud security: Try these techniques now

For Logiq³ Inc., the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility. A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.

BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says. There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security. Logiq³ is far from alone.

While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown - "which in itself is a risk," says Jay Heiser, an analyst at Gartner Inc. "If I can't figure out how risky something is, I have to assume it isn't secure." So far, there have been few instances of a successful, large-scale data breach on a public cloud.

5 tips for effective cloud security

* Find out as much as you can about a software-as-a-service provider's security measures and infrastructure. If you are an international company, check for European Safe Harbor accreditation as well. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.
* Encrypt data at rest and in transit; otherwise, don't put sensitive information in the cloud.
* Divvy up responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers.
* Check whether a vendor has been accredited as meeting SAS 70 Type 2 and ISO 27001 security standards.
* Go with a high-end service provider with an established security record. "You get what you pay for," says Gartner analyst Jay Heiser.
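Of the tips above, encrypting data at rest before it leaves your control is the one a customer can implement without the provider's cooperation. The following Go program is an added example, not code from the article or from any vendor it names: it seals a record with AES-256-GCM under a key that stays in the customer's own key store (assumed, not shown), so the provider's disks hold only ciphertext. The record ID is bound as associated data, and any tampering, wrong key or attempt to move a ciphertext into another record's slot makes decryption fail instead of returning garbage. The record contents and IDs are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is the only thing that reaches the provider's storage: the nonce
// and the AES-GCM ciphertext (which carries its authentication tag).
// The key stays in the customer's own key store (assumed, not shown here).
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey generates a random 256-bit AES key.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. recordID is passed as associated data: it is
// authenticated but not encrypted, so a ciphertext copied into another
// record's slot will not decrypt there.
func Seal(key []byte, recordID string, plaintext []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Sealed{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a record. Any change to the nonce, the
// ciphertext, the tag, the key or the record ID is reported as an error
// rather than silently yielding corrupted plaintext.
func Open(key []byte, recordID string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record failed authentication: wrong key, wrong record ID or tampered ciphertext")
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record := []byte(`{"ssn":"000-00-0000","policy":"EXAMPLE-1"}`)
	sealed, err := Seal(key, "death-record-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: nonce=%x ct=%x\n", sealed.Nonce, sealed.Ciphertext)

	plain, err := Open(key, "death-record-42", sealed)
	fmt.Printf("decrypted with customer key: %s (err=%v)\n", plain, err)

	// A ciphertext moved into a different record's slot must be rejected.
	_, err = Open(key, "death-record-43", sealed)
	fmt.Println("opened under wrong record ID:", err)
}
```

The design point is that the provider never needs the key: the customer can hand over sealed records, and its own administrators and the provider's administrators can each read the storage without reading the data. Protecting the key store then becomes the control that the rest of the article's due-diligence advice applies to.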

The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated at Web sites like Linkedin.com's Cloud Computing Alliance. Just recently, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com Inc.'s EC2 cloud computing infrastructure by first hacking into a Web site that was hosted on Amazon servers. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out just exactly what the risks are and how to counter them. It is, in other words, early days yet in the cloud computing industry.

Divvy up responsibility

A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who has responsibility for securing and protecting what components of the IT infrastructure, which often spans both companies' systems. Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, at Logiq³, Westgate decided to let BlueLock handle patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies LLC. The division of labor between Logiq³ and BlueLock actually strengthened security, because "no one person, or company, has all the keys to the kingdom," says Westgate. Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."

How much responsibility lies with the cloud-based service provider largely depends on the type of service. With an IaaS setup, for example, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro Inc.'s Data Protection group. The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds. In contrast to IaaS arrangements, a software-as-a-service provider is usually responsible for protecting whatever customer applications and data reside on its cloud.

IBM's LotusLive SaaS offering, for example, which was launched in January 2009, utilizes "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. For example, LotusLive data centers are protected by environmental and biometric controls, including closed-circuit TV. Access control is handled by IBM's enterprise-scale Tivoli software. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.

However, many cloud-based service providers - and SaaS providers in particular - feel that their security practices and technologies give them a competitive advantage, so they don't like to reveal details about how they approach security. This means companies have to take the vendor's word that its systems are indeed secure and compliant. "Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser. "They may have incredibly secure and robust systems, but there's no sensible way to ensure this." Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues, but weak when applied to new forms of technology."

Playing nicely with the cloud

Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs. For example, Pfizer Inc. had outsourced some security services to D3 Security Management Systems Inc. and was interested in using Oracle Corp.'s Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology. Anderson solved the problem by using Symplified Inc.'s SinglePoint Cloud Access Manager, which does not use an agent, but rather interacts with D3's published APIs, he says.

Since IaaS customers technically own their virtualized slice of a vendor's infrastructure, they can install security software and controls. However, only a few vendors provide products that can protect both private and public cloud-based environments. One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity such as file changes for unauthorized activities, Thiemann says. Shavlik, a cloud-based vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers - including its own IaaS provider, says Mark Shavlik, the company's CEO. Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq³'s Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik: I've been using it for patch and configuration management for years," he says.

Access control in the cloud

The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public cloud-based systems, where access control has to be correlated between the customer and the service provider - and often several service providers. Pfizer uses Symplified's SinglePoint Cloud Access Manager to provide single sign-on (SSO) functionality across different SaaS providers and applications.

Symplified and Ping Identity Corp. are two vendors that currently provide SSO systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems. When the end user moves between an Oracle- and a Symplified-managed domain, for example, he still has to log on again but he can use the same set of credentials, Anderson says. However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardized form of access management, so the customer would no longer have to bear that burden.

Another access management concern when dealing with a cloud-based service - or any outsourced service for that matter - is how to ensure that the service provider's system administrators don't abuse their access privileges. IaaS providers, in contrast to SaaS providers, will often allow a customer to install event log monitoring software on their virtualized portion of the infrastructure.
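The check such monitoring software performs on an IaaS guest is simple to state: every login by a provider administrator should correspond to a piece of work the customer has approved. The Go program below is an added example, not a product from the article: it parses constructed authentication-log lines from the customer's virtual machines and flags each provider-administrator login that no approved change ticket covers, including a login by the right administrator outside the ticket's window. The log format, the "bl-" user-name prefix that marks provider accounts, the ticket list and every log line are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ChangeTicket is an approved piece of provider work: who may log on, and when.
// Constructed for this example; a real list would come from the change system.
type ChangeTicket struct {
	ID    string
	Admin string
	Start time.Time
	End   time.Time
}

// Event is one parsed line from the guest's authentication log.
type Event struct {
	When time.Time
	Host string
	User string
	Kind string
}

// ParseEvent parses a constructed "timestamp key=value ..." log line, e.g.
// "2009-12-01T02:14:07Z host=app01 user=bl-admin2 event=login".
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed log line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	kv := make(map[string]string)
	for _, f := range fields[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[parts[0]] = parts[1]
	}
	if kv["user"] == "" || kv["event"] == "" {
		return Event{}, fmt.Errorf("missing user or event in %q", line)
	}
	return Event{When: when, Host: kv["host"], User: kv["user"], Kind: kv["event"]}, nil
}

// approved reports whether the login falls inside a change window that
// names this administrator. Window bounds are inclusive.
func approved(e Event, tickets []ChangeTicket) bool {
	for _, t := range tickets {
		if t.Admin == e.User && !e.When.Before(t.Start) && !e.When.After(t.End) {
			return true
		}
	}
	return false
}

// UnapprovedLogins returns every login by a provider administrator (a user
// name carrying providerPrefix) that no approved change ticket covers.
// The customer's own administrators are out of scope here and are skipped.
func UnapprovedLogins(lines []string, tickets []ChangeTicket, providerPrefix string) ([]Event, error) {
	var alerts []Event
	for _, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			return nil, err // a log we cannot parse is itself worth raising
		}
		if e.Kind != "login" || !strings.HasPrefix(e.User, providerPrefix) {
			continue
		}
		if !approved(e, tickets) {
			alerts = append(alerts, e)
		}
	}
	return alerts, nil
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample data: one approved window and five log lines.
var SampleTickets = []ChangeTicket{
	{ID: "CHG-1001", Admin: "bl-admin2", Start: mustTime("2009-12-01T02:00:00Z"), End: mustTime("2009-12-01T04:00:00Z")},
}

var SampleLog = []string{
	"2009-12-01T02:14:07Z host=app01 user=bl-admin2 event=login",   // inside CHG-1001: fine
	"2009-12-01T09:30:00Z host=app01 user=lq-westgate event=login", // customer's own admin: skipped
	"2009-12-01T05:10:00Z host=app01 user=bl-admin2 event=login",   // after CHG-1001 ended: alert
	"2009-12-02T23:41:55Z host=db01 user=bl-admin7 event=login",    // no ticket at all: alert
	"2009-12-02T23:42:10Z host=db01 user=bl-admin7 event=sudo",     // not a login event: ignored
}

func main() {
	alerts, err := UnapprovedLogins(SampleLog, SampleTickets, "bl-")
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT: provider admin %s logged on to %s at %s with no approved change ticket\n",
			a.User, a.Host, a.When.Format(time.RFC3339))
	}
}
```

Running it prints two alerts, one for the login after the ticket's window closed and one for the administrator with no ticket at all. The important property is that the log is collected from the customer's side of the responsibility line, so the provider's administrators cannot edit the record of their own access.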

Logiq³, for instance, uses Sentry Metrics Inc.'s security event management service, which monitors event logs, does trend analysis and reports on anomalies. So the Sentry Metrics system could, for example, alert Logiq³ when a BlueLock administrator logs on without being given a specific job to do, Westgate says. Again, SaaS customers don't have a lot of control or oversight of how the service provider addresses that issue.

Checking bona fides

Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service. So how do you ensure that sensitive data is adequately secured and protected? Service level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared to the cost of a major security breach. Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Another standard by which to evaluate a service provider is ISO 27001, which defines best practices for designing and implementing secure and compliant IT systems. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds.

While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. Companies still need to match a service provider's specific controls to their specific requirements, he adds. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.

Cautioning users doesn't work

Many companies that want the cost benefits of cloud-based services but still have security concerns tell their end users not to put sensitive data on the cloud. But this is generally an exercise in futility, according to Heiser. "The problem is that users often don't know what's sensitive, and probably won't follow the rules anyway," he says. "You can assume that any application or data service end users can pump with data will get sensitive data eventually." Pfizer is in the process of establishing a SaaS center of excellence to educate users about the correct way to deal with SaaS activities, Anderson says.

In addition, his group is establishing best practices for procurement of SaaS services. Among other things, those best practices forbid applications that involve competitive or personally identifiable information from being included in a SaaS setup.

Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider - adding yet another party to the equation. Take the case of Cloud Compliance Inc., which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers. For example, Cloud Compliance encrypts data in transit and gives customers the option of either encrypting data at rest - on Cloud Compliance's Amazon-hosted servers - or not putting any data in the cloud. The latter option involves a performance hit, since customers have to re-upload data into the cloud every time an application is run, but some customers accept that trade-off in return for a higher level of security, Forkish notes.

Cloud Compliance's external customers do ask about Amazon's security, Forkish says. Cloud Compliance will either address their concerns or, if it can't, pass them on to Amazon. "In some cases, we don't get a response, and we figure this is a real issue, but they're working on it," Forkish says. The concerns they raise change from month to month, depending on what vulnerabilities the press has been writing about, he adds. But the recent Zeus botnet incident on Amazon, he says, "as far as we can tell, was not a threat over and above what we would expect for an Internet service, cloud-based or not."

IBM adding data centers, cloud computing lab in Asia

IBM opened a new data center in South Korea on Thursday and said it is building another one in Auckland, New Zealand, to address a surge in demand for cloud computing and IT services in the Asia-Pacific region. The company also announced the opening of a cloud computing lab in Hong Kong. The total investment by IBM in these three facilities is about US$100 million, said James M. Larkin, a spokesman for IBM Global Services.

The company, which already has over 400 data centers worldwide, will continue to invest in new data centers that offer cloud computing capabilities, while upgrading existing data centers to support cloud computing, Larkin said. IBM is planning to announce by February next year a new data center in Raleigh, North Carolina, he added. IBM will locate the Auckland data center at Highbrook Business Park in East Tamaki. The 56,000 square-foot facility will include a 16,000 square-foot data center, IBM said. The company can add more stages to expand the data center as demand rises, it added. The data center at Auckland will be in operation by 2010, with IBM investing about US$57 million in that center over the next ten years.

The center will support IBM's clients in New Zealand and neighboring countries in the Asia-Pacific region, Larkin said. The center was built using green technology, according to the company. The data center in Seoul will provide IT services including strategic outsourcing, e-business hosting and disaster recovery to more than 20 clients which have entered into outsourcing agreements with the company, IBM said. The Cloud Computing Laboratory in Hong Kong is a development and services center, focusing on LotusLive messaging development, testing, technical support and services delivery, IBM said. The lab, which is IBM's tenth cloud computing lab worldwide, builds on the email technology and expertise of Outblaze, a company in Hong Kong, whose messaging assets were acquired by IBM earlier this year and included in the Lotus brand of collaboration services. LotusLive is IBM's collection of integrated, online collaboration solutions and social networking services for businesses.

The lab is part of the IBM China Development Laboratory which has over 5,000 developers.

Profile of an IT forensics professional

A snapshot look at the IT forensics profession from the perspective of Rob Lee, an IT forensics expert at Mandiant. He is a graduate of the U.S. Air Force Academy and a founding member of the USAF's Information Warfare Squadron, the first U.S. military operational unit focused on information operations.

Name: Rob Lee

Title: Director and IT forensics expert at Mandiant, a Washington-based information security software and services firm

Related work: Curriculum lead for digital forensics training at the SANS Institute.

30-second résumé: Before joining Mandiant, Lee served as the technical lead for a vulnerability discovery and exploit development team that worked for a variety of law enforcement, government and intelligence agencies.

Skills boost: To stay current, Lee does hands-on work in the field and is an avid reader of and contributor to information security journals and blogs.

A passion to learn and to continue learning - rather than a formal computer science degree or security certification - is the top requirement for an IT forensics expert, says Lee, who also teaches SANS certification classes. "If you're just beginning, classes are the way to go," he advises. "After that, you can continue to learn online. The best thing you can do once you attain a certain level [of expertise] is give of yourself back to the community. Always do research and publish it. Choose something you don't think anyone else has [expertise in] and research that."

He also recommends specializing in a particular area of computer forensics. "If you're choosing forensics, be a specialist in firewalls or hacking or mobile devices," Lee says. "Mobile devices alone are extremely complex and constantly changing."

Wall St.: HP-3Com union a real Cisco threat

Financial analysts see HP's pending purchase of 3Com as a threat to Cisco because it means 3Com Ethernet switches that are inexpensive and very popular in China will have better access to U.S. businesses via well-established HP sales channels. "We see HP's acquisition as primarily a response to Cisco's converged network/CPU strategy," writes Catharine Trebnick, an analyst with Avian Securities. "With Cisco owning the bulk of the enterprise Ethernet market, they have the most to lose if HP is successful in integrating the 3Com portfolio." Trebnick says HP's 3Com acquisition is filling a gap in its high-end networking to better compete with Cisco, and that 3Com's success in China will be a boon to HP. "Our conversations indicate that HP is well on its way to successfully maintaining [3Com's] China presence," she writes in a memo reacting to news of the deal. Trebnick is also optimistic that HP can use its established sales channels to expand 3Com's market share in North America where "success has been limited." "This acquisition has negative implications for every other provider of networking equipment," Trebnick says, spelling out some specifics, with Cisco being the main target with the most to lose by the new HP. She says it seems logical that if HP wants to compete with Cisco on all fronts, it needs to make more purchases, possibly Avaya for unified communications and Polycom for telepresence and videoconferencing gear. Nikos Theodosopoulos and Jack Monti of UBS Warburg write that Cisco faces a long-term threat from the beefed-up HP because it could come at Cisco with aggressive pricing. 3Com's plan has been to sell its low-cost H-3C gear that is popular in China in countries around the world, they say.

Still, if HP wants to offer a complete array of network offerings it will have to make other purchases, strike OEM deals or develop its own technology, Theodosopoulos and Monti write in their bulletin about the deal. Analysts were impressed with 3Com's success in China, with Trebnick noting the Chinese government and corporate customers represent 30% of 3Com revenue, and Theodosopoulos and Monti noting its claim to 300 of the top 500 enterprises in China and a low-cost R&D center in that country. The deal is bad news for Brocade, Trebnick says, because HP sells Brocade storage gear under the name StorageWorks and might have hoped to make inroads with its Ethernet gear as well. But she writes that 3Com has been doing R&D on fibre channel over Ethernet, "raising the possibility that HP may build that functionality organically." Juniper is not affected as directly, she says, but if HP becomes stronger with corporate customers, it could blunt Juniper's momentum in enterprise sales. Ittai Kidron and Joseph Park of Oppenheimer write that it is now unlikely that HP will try to buy Brocade, and also call into doubt possible OEM relationships with Brocade and Juniper for data center switching and fibre channel over Ethernet products, because HP will probably try to develop this equipment in-house. Near-term, though, the deal could be good for Cisco as well as Juniper and Brocade because integrating 3Com into HP will be disruptive, Kidron and Park write.

In general, the purchase reduces the probability of other large networking mergers and acquisitions in the near term, they write, and that is likely to put pressure on the price of stocks of other companies they think might be acquisition targets, naming Brocade and F5. They also think that IBM is unlikely to buy networking vendors in the near term because it has OEM deals in the works with Juniper and Brocade that aren't fully up and running yet.