Five Essential Considerations for Securing IaaS Cloud

The third annual “Future of Cloud Computing” survey by North Bridge Venture Partners and GigaOM Research, with 57 other collaborating organizations, reveals that security is one of the biggest concerns for cloud adoption. According to the survey results, security and compliance concerns remain inhibitors to cloud adoption for a large percentage of respondents (55% in 2012, and 46% in 2013).

When using an Infrastructure as a Service (IaaS) cloud environment, what can you do to alleviate these concerns and improve the security of the cloud environment? The following are my top five recommendations that you should consider as a strategy.

  1. IaaS Cloud Vendor Selection
  2. Application Vulnerability Scanning and Application Integration
  3. Identity and Access Control Management
  4. Log Monitoring and Management
  5. Data Encryption

Following is a short description for each of these considerations.

IaaS Cloud Vendor Selection

Not every cloud is built the same. The first step to a secure IaaS cloud environment is to select a vendor that has built security features into the cloud rather than adding them as an afterthought. When selecting IaaS Cloud vendors, consider the following:

  • Ask Hard Questions – Ask the cloud vendor hard security questions starting with physical security, built-in security features (e.g. firewalls, load balancers, network segmentation), role based access controls, and APIs.
  • Transparency – Demand transparency for data location and cloud infrastructure technologies.
  • Compliance to Standards – Ask which standards (ISO 27000, PCI, SSAE 16, NIST, etc.) the Cloud provider complies with.

Application Vulnerability Scanning and Application Integration

The Verizon Data Breach Investigations Report (DBIR) shows that a large number of data breaches were related to application security. When hosting applications in IaaS Cloud, consider the following:

  • Vulnerability Scanning – Provide ongoing application vulnerability scanning and testing.
  • SDLC Updates – Update the software development lifecycle (SDLC) to take into account the cloud environment.
  • Application Integration – Review application integration interfaces with external systems. When you move applications to the Cloud, some interfaces may no longer be on a trusted network and may need additional security.

Identity and Access Control Management

The Verizon 2013 DBIR shows that 76% of breaches involved some kind of weak or stolen credentials and another 13% involved privilege misuse or abuse. Identity and Access Controls are even more important in the Cloud because, unlike on corporate networks, users may not need a physical network connection to access resources in the Cloud.

  • Multifactor Authentication – Think about multi-factor authentication for the cloud.
  • Integration with Corporate Directory – For effective and timely termination of user accounts, consider integrating the corporate directory with the Cloud.
  • RBAC – Use role-based access controls (RBAC).

Verizon Universal Identity Services is an excellent option for strong authentication, access control, multifactor, and integration with corporate directories.

Log Monitoring and Management

A large majority of data breaches are still discovered by third parties because most organizations don’t have effective log monitoring. When implementing log monitoring and management in the Cloud, consider the following:

  • Integration with Corporate Strategy – Consider integrating log data from the Cloud environment to your corporate log management strategy.
  • Comprehensive Monitoring – Monitor logs for operating systems, applications, and security devices in the Cloud. Check whether your IaaS Cloud vendor provides you with firewall logs for correlation.
  • Log Monitoring Service – If you don’t have an effective log monitoring and management strategy, check whether the IaaS Cloud vendor provides a service for log monitoring.

Data Encryption

As I described in one of my previous blog posts, encryption is the most important control for security of sensitive data. You can consider a number of encryption methods including the following:

  • Full Disk Encryption – Full disk encryption, or policy-based partial encryption of data at rest.
  • Database Encryption – Using database level encryption controls.
  • Network Encryption – Network level encryption controls including but not limited to SSL, IPSec, and encryption gateways.
  • Backup Data – Ensure the Cloud vendor provides encryption for backup data.

There are multiple solutions available depending upon your needs. These solutions include both commercial and open source (free) options.

Conclusions

Information security is a big consideration for cloud adoption. While the basic concepts of information security are the same in private data centers and in the cloud, this blog post identifies five ways to help alleviate security concerns and provide peace of mind while benefiting from IaaS cloud technologies.
