- Physical Security. Facilities should be hardened with climate control, and fire prevention and suppression systems, uninterruptable power supplies, and have round-the-clock onsite security personnel. Look for a provider that offers biometric capabilities, such as fingerprints or facial recognition, for physical access control and video cameras for facility monitoring.
- Network Security and Logical Separation. Virtualised versions of firewalls and intrusion prevention systems should be utilised. Portions of the cloud environment containing sensitive systems and data should be isolated. Regularly scheduled audits using industry-recognised methods and standards, such as SAS 70 Type II, the Payment Card Industry Data Security Standard, ISO 27001/27002 and the Cloud Security Alliance Cloud Controls Matrix, should be conducted.
- Inspection. Anti-virus and anti-malware applications, as well as content filtering should be employed at gateways. Data loss prevention capabilities should be considered when dealing with sensitive information, such as financial and personal data, and proprietary intellectual property.
- Administration. Special attention should be paid to cloud hypervisors, the servers that run multiple operating systems, since they provide the ability to manage an entire cloud environment. Many security and compliance requirements mandate different network and cloud administrators to provide a separation of duties and added level of protection. Access to virtual environment management interfaces should be highly restricted and application programming interfaces, or APIs, should be locked down or disabled.
- Comprehensive Monitoring and Logging. Nearly all security standards require the ability to monitor and control access to networking, systems, applications and data. A cloud environment, whether in-house or outsourced, must offer the same ability.
Cloud application security is a must
- System Security. Virtual machines, or VMs, should be protected by cloud-specific firewalls, intrusion prevention systems and anti-virus applications, as well as consistent and programmatic patch-management processes.
- Application and Data Security. Applications should utilise dedicated databases wherever possible, and application access to databases should be limited. Many security compliance standards require monitoring and logging of applications and related databases.
- Authentication and Authorisation. Two-factor authentication, such as digital authentication, should be used for user names and passwords and are a necessity for remote access and any type of privileged access. Roles of authorised users should be clearly defined and kept to the minimum necessary to complete their assigned tasks. Password encryption is advisable. In addition, authentication, authorisation and accounting packages should not be highly customised, as this often leads to weakened security protection.
- Vulnerability Management. Applications should be designed to be invulnerable to common exploits, such as those listed in the Open Web Application Security Project (OWASP) Top 10. Applications deployed in the cloud require regular patching, vulnerability scanning, independent security testing and continuous monitoring.
- Data Storage. Enterprises should know the types of data stored in a cloud environment and segregate data types, as appropriate. Additionally, the physical and logical location of data should be known due to potential security and privacy implications.
- Change Management. It is highly recommended that change-management policies for network, system, application and data administrators be clearly documented and understood to avoid inadvertent issues and potential data loss.
- Encryption. Encryption of data in a cloud environment can be more complex and requires special attention. Many standards contain requirements for both in-transit and at-rest data. For instance, financial data and personal health information should always be encrypted.
Public, private and hybrid clouds: What you should know
- Shared Virtualised Environment. Public clouds, many using a shared virtualised environment, offer basic security features. This means proper segmentation and isolation of processing resources should be an area of focus. To meet your enterprise’s security and compliance requirements, be prudent in choosing the proper cloud environment.
- Public Cloud Providers. While the economics may be attractive, some public cloud providers may not sufficiently support the types of controls required by enterprises to meet security and compliance requirements. Be sure to ask a lot of questions.
- Prudent Security Measures. No matter what the cloud model, enterprises should employ segmentation, firewalls, intrusion protection systems, monitoring, logging, access controls and data encryption.
- Private Clouds are a Double-Edged Sword. Private clouds can be hosted on premises or at a service provider’s facility. As with traditional environments, security design and controls are critical. When using a service provider’s offering, it’s important to select the right cloud that meets your requirements. Just because it’s a private cloud, doesn’t mean it’s inherently secure.
- Hybrid Clouds. Hybrid clouds can offer enterprises the best of both of worlds, enabling them to meet a wide range of IT and business objectives. Hybrid clouds offer an enterprise the ability to house applications in the most suitable environment while leveraging the benefits and features of shared and on-premises cloud environments and the ability to move applications and data between the two.
Posted by Bart Vansevenant, executive director of global security solutions, Verizon.