With the adoption of cloud computing continuing to accelerate, the need to adopt and maintain effective security and compliance practices is more important that ever.
"Securing a cloud-based computing environment is key to creating a robust compliance program," said Bart Vansevenant, executive director, global security solutions, Verizon. "The essential elements - planning, design and operations - are the same for traditional and cloud platforms. By applying proven security best practices and paying special attention to the unique characteristics and features of the cloud, enterprises can develop and maintain compliance programs while leveraging the agility, flexibility and improved economics the cloud has to offer."
To help enterprises maintain compliance while using the cloud, and keep their networks, applications and data safe, Verizon is offering the following best practices and tips:
Cloud Infrastructure Security Is at the Heart of the Matter
- Physical Security. Facilities should be hardened with climate control, fire prevention and suppression systems, and uninterruptable power supplies, and have round-the-clock onsite security personnel. Look for a provider that offers biometric capabilities, such as fingerprints or facial recognition, for physical access control, and video cameras for facility monitoring.
- Network Security and Logical Separation. Virtualized versions of firewalls and intrusion prevention systems should be utilized. Portions of the cloud environment containing sensitive systems and data should be isolated. Regularly scheduled audits using industry-recognized methods and standards, such as SAS 70 Type II, the Payment Card Industry Data Security Standard, ISO 27001/27002 and the Cloud Security Alliance Cloud Controls Matrix, should be conducted.
- Inspection. Anti-virus and anti-malware applications, as well as content filtering should be employed at gateways. Data loss prevention capabilities should be considered when dealing with sensitive information, such as financial and personal data, and proprietary intellectual property.
- Administration. Special attention should be paid to cloud hypervisors, the servers that run multiple operating systems, since they provide the ability to manage an entire cloud environment. Many security and compliance requirements mandate different network and cloud administrators to provide a separation of duties and added level of protection. Access to virtual environment management interfaces should be highly restricted, and application programming interfaces, or APIs, should be locked down or disabled.
- Comprehensive Monitoring and Logging. Nearly all security standards require the ability to monitor and control access to networking, systems, applications and data. A cloud environment, whether in-house or outsourced, must offer the same ability.
Cloud Application Security Is a Must
- System Security. Virtual machines, or VMs, should be protected by cloud-specific firewalls, intrusion prevention systems and anti-virus applications, as well as consistent and programmatic patch-management processes.
- Application and Data Security. Applications should utilize dedicated databases wherever possible, and application access to databases should be limited. Many security compliance standards require monitoring and logging of applications and related databases.
- Authentication and Authorization. Two-factor authentication, such as digital authentication, should be used for user names and passwords and are a necessity for remote access and any type of privileged access. Roles of authorized users should be clearly defined and kept to the minimum necessary to complete their assigned tasks. Password encryption is advisable. In addition, authentication, authorization and accounting packages should not be highly customized, as this often leads to weakened security protection.
- Vulnerability Management. Applications should be designed to be invulnerable to common exploits, such as those listed in the Open Web Application Security Project (OWASP) Top 10. Applications deployed in the cloud require regular patching, vulnerability scanning, independent security testing and continuous monitoring.
- Data Storage. Enterprises should know the types of data stored in a cloud environment and segregate data types, as appropriate. Additionally, the physical and logical location of data should be known due to potential security and privacy implications.
- Change Management. It is highly recommended that change-management policies for network, system, application and data administrators be clearly documented and understood to avoid inadvertent issues and potential data loss.
- Encryption. Encryption of data in a cloud environment can be more complex and requires special attention. Many standards contain requirements for both in-transit and at-rest data. For instance, financial data and personal health information should always be encrypted.
Public, Private and Hybrid Clouds: What You Should Know
- Shared Virtualized Environment. Public clouds, many using a shared virtualized environment, offer basic security features. This means proper segmentation and isolation of processing resources should be an area of focus. To meet your enterprise's security and compliance requirements, be prudent in choosing the proper cloud environment.
- Public Cloud Providers. While the economics may be attractive, some public cloud providers may not sufficiently support the types of controls required by enterprises to meet security and compliance requirements. Be sure to ask a lot of questions.
- Prudent Security Measures. No matter what the cloud model, enterprises should employ segmentation, firewalls, intrusion protection systems, monitoring, logging, access controls and data encryption.
- Private Clouds are a Double-Edged Sword. Private clouds can be hosted on premises or at a service provider's facility. As with traditional environments, security design and controls are critical. When using a service provider's offering, it's important to select the right cloud that meets your requirements. Just because it's a private cloud, doesn't mean it's inherently secure.
- Hybrid Clouds. Hybrid clouds can offer enterprises the best of both of worlds, enabling them to meet a wide range of IT and business objectives. Hybrid clouds offer an enterprise the ability to house applications in the most suitable environment while leveraging the benefits and features of shared and on-premises cloud environments and the ability to move applications and data between the two.
Verizon, through its Terremark subsidiary, offers advanced enterprise-class IT, cloud and security services on a global scale. Terremark provides customers with the ability to improve IT infrastructure and boost application performance in today's complex and dynamic business environment. Visit the Verizon IT Solutions & Hosting website for more information.
Verizon is a global leader in driving better business outcomes for enterprises and government agencies. Verizon delivers integrated IT and communications solutions via its high-IQ global IP and mobility networks to enable businesses to securely access information, share content and communicate. Verizon is rapidly transforming to a cloud-based "everything-as-a-service" delivery model that will put the power of enterprise-class solutions within the reach of every business. Find out more at www.verizonbusiness.com.
Verizon Communications Inc. (NYSE, Nasdaq: VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to consumer, business, government and wholesale customers. Verizon Wireless operates America's most reliable wireless network, with more than 107 million total connections nationwide. Verizon also provides converged communications, information and entertainment services over America's most advanced fiber-optic network, and delivers integrated business solutions to customers in more than 150 countries, including all of the Fortune 500. A Dow 30 company with $106.6 billion in 2010 revenues, Verizon employs a diverse workforce of more than 195,000. For more information, visit www.verizon.com.