Cloud Security Challenges Include Audit Trails, Preventing Attacks
How to build an effective Security Operations Center to cope with new threats in the era of virtualization and cloud computing will be a major topic at the upcoming Connections Conference in Las Vegas in April.
(click image for larger view)
Slideshow: Top 10 Cloud Stories Of 2010
The brief called for a Security Operations Center with six core attributes, such as knowing the IT infrastructure well and understanding where the crown jewels resided and mapping possible avenues of attack against them. The center would be able to conceive in advance the protections needed against those attacks, and could plot the swift action needed if those defenses are breached.
In this view, virtualization is not a vulnerability, but one of the lines of defense in depth. A virtual machine can isolate a database or other target and its hypervisor can be closely monitored for any sign of intrusion. If such a sign is detected, the virtual machine can be easily shut off from other resources or even shut down, with a clean copy restarted.
Puhlmann said a cloud environment can be made as secure as a data center and, when it comes to PCI transactions, "I don't see why they shouldn't become a commonplace" in the cloud. But the PCI standard will have to "adjust itself to the times" before that will be true, he said.
Puhlmann will try to relate security to the process of innovation that is underway, particularly in cloud computing, "which is moving ahead faster and faster. The cloud is a huge disrupter. It's up to us and others to make sure its security is discussed."
Cloud practices that move data between data centers around the world illustrate how archaic the laws governing data management and security have become, he pointed out. In some cases, data arising in Europe can't leave a nation's borders. Canadian healthcare data can't be stored on U.S. servers.
"We have completely conflicting rules of law enforcement," he said, and until Jan. 1, the PCI council hadn't acknowledged that a PCI compliant process could be established, even if part of it was running on a virtual machine.
"Virtualization is just an enabling technology. What's so different with the cloud is the consuming model," with consumers accessing the cloud from a wide variety of locations. The challenge of managing access is about to expand with the advent of many tablets, smart phones and other mobile devices tapping into the cloud.
Only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place so the initiator of an operation in the cloud is doing things correctly, he said.
Another complexity is lines of responsibility, who's doing what. "Now there are people handling the system and data who are not employed by you. That changes the notion of who works for your company," he noted.
A cloud's APIs need to be secure and only do the things they are designed to do, not leave maneuvering room for interlopers. "It's crucial these interfaces are rock solid," he said.
There's been no publicized breach based on a malformed API but such an event is probably only a matter of time. From Puhlmann's perspective, the cloud isn't inherently insecure, but neither has it matured to the point where users are assured in all cases of its security.
Multicloud Infrastructure & Application ManagementEnterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.