
DIGITAL SPOTLIGHT
WINTER 2014

Cloud Security
MODERNIZING ENTERPRISE IT

INSIDE

Introduction

The leap of faith to the cloud
Cloud providers typically have better security defenses than your own data center – yet risks remain. The Cloud Security Alliance flags the nine most likely threats.
BY ERIC KNORR

Identity management meets the cloud
Organizations always wrestle with authentication and access control, but rapid adoption of cloud apps and services is complicating the problem.
BY FAHMIDA Y. RASHID

Hanging on to cloud identity
Organizations are embracing cloud-based apps – and incurring new risks in the bargain. Identity management lowers the liability.
BY PAUL F. ROBERTS

Practical cloud encryption solutions
Encryption has become a huge issue, thanks to the NSA. For cloud customers, this has already led to a wider array of encryption solutions.
BY ROGER A. GRIMES

Staying safe in the cloud
BY ERIC KNORR

THE CLOUD IS fast becoming an underlying assumption of computing, mainly because everyone wants the ability to provision and scale applications with minimal fuss. Often, public cloud services — from SaaS apps such as Salesforce to IaaS offerings such as Rackspace Cloud — present the best options.

The problem for IT is that business managers frequently fire up accounts with public cloud services and fail to think through the security implications. That can lead to increased risk of data loss, industrial spying, compromised customer data, and more. In this Digital Spotlight on cloud security, we dive into the key security issues for organizations that — by accident or design — have moved a substantial portion of their computing workloads to the cloud.

We begin by walking through the nine most pressing cloud security liabilities. Next, we explain identity management, and delve into the ways organizations are using it to extend authentication and authorization to the cloud. Finally, we tackle data encryption and the options cloud providers should offer to ensure your data stays safe.

Today, nearly all businesses have one foot in the cloud whether they realize it or not. We hope this Digital Spotlight helps enable you to assess your own exposure and reap the benefit of public cloud services without creating worry or unnecessary risk.

—Eric Knorr, Editor in Chief

Digital Spotlight | CLOUD SECURITY | WINTER 2014 infoworld.com

The leap of faith to the cloud

Cloud providers have better security defenses than your average enterprise data center – as they should, since any flaw could affect many, many customers. The Cloud Security Alliance identifies the nine most likely threats.
BY ERIC KNORR

NOT LONG AGO, the notion of entrusting vital company data to a public cloud service would have struck most IT managers as mildly insane at best. My data? Out there on some shared platform in a data center I’ve never seen? You’ve got to be kidding me.

That attitude has shifted. The availability and security of cloud providers have continuously improved, to the point where you frequently hear that your own data center is much more likely to experience downtime or a successful malicious attack than the hardened, redundant fortresses of big-name cloud service providers.

True, cloud providers’ reputations were dealt a damaging blow in 2013 when reports surfaced that the NSA demanded and received access to cloud customer data — but even that episode may ultimately work in cloud providers’ favor. In response to the NSA debacle, some providers are already offering strong encryption by default, deployed in such a way that outside, unauthorized parties will have a very hard time cracking it.

The truth is that today, evaluations of cloud risk tend to occur in hindsight. With or without the blessing of IT, many line-of-business and departmental managers have subscribed to cloud services — in part to gain much-needed capabilities that IT departments can’t or won’t deliver, and in part because some key cloud services are simply better than solutions obtainable on premises.

It’s becoming a cloud world, to the point where corporate CIOs are attempting to emulate the hyperefficient clouds of major providers in their own data centers. Nonetheless, subscribing to cloud services without considering the potential security risks is reckless at best. Fortunately, there’s a nonprofit organization solely dedicated to addressing the problem.

The Cloud Security Alliance’s “notorious nine”

Formed in 2008, the Cloud Security Alliance is dedicated to promoting best security practices for the cloud. Membership includes a who’s who of tech companies, from traditional software vendors Microsoft and Oracle to native cloud providers Amazon and Google. In 2013, the Cloud Security Alliance published what it called its Notorious Nine cloud computing threats based on a survey of industry experts. Here are those threats in order of severity, with my own interpretation of the implications of each.

1. Data breaches

No surprise that data breaches are the No. 1 fear, since anxiety over exposing data has always been the chief inhibitor to cloud computing adoption. On one level, the antidote is simple: a full array of strong encryption options. Roger Grimes’ article “Practical encryption solutions” walks you through the options.

But locking down data with encryption is only part of the story. Encryption keys can fall into the wrong hands. You need proper authentication and access control to ensure only those authorized can access data. Plus, you need proper data governance to manage the lifecycle of data — and under which conditions data can be stored in a shared cloud environment or in any other location.

Another issue is data deletion. Over the years, occasional reports have surfaced that customer data that was supposed to have been deleted remained with the cloud provider. Encryption obviously reduces risk should that slipup occur.

2. Data loss

Because cloud services are often adopted without IT’s permission, users may lose company data simply by misplacing it or accidentally deleting it — and when they call on IT to recover data from a cloud service, it may be too late.

Moreover, although top cloud service providers have an excellent record when it comes to accidental data corruption or loss, users sometimes select third-tier providers without making a realistic assessment of their viability. An SLA may be in place, but a subscription refund does not amount to adequate compensation for data lost by a dysfunctional provider. In addition, if either the user or the provider practices lax access control, data could be deleted by vandals, disaffected former employees, or other malicious individuals.

In a 2013 study by the security vendor Symantec, 43 percent of the 3,200 organizations surveyed lost data in the cloud and had to recover from backups. Data in the cloud needs to be protected as you would protect it on any system.

3. Account or service traffic hijacking

Logons stolen through phishing or social engineering can result in compromised financial data, stolen intellectual property, and other dire consequences for any business. But stolen cloud service logons incur a special set of risks.

For one thing, security professionals routinely use a specific set of tools to determine whether an organization has been compromised — and few would be willing or able to use those tools to check cloud services. If a SaaS application is compromised, for example, an intruder might be able to monitor activity and peruse data over a long stretch of time without being detected.

Other risks can be incurred if a malicious hacker steals logon credentials to a business user’s IaaS account. In the past, infrastructure clouds have been used to launch new VMs for botnets, DDoS attacks, and other malicious activity. That’s one reason cloud monitoring is essential.

4. Insecure interfaces and APIs

Cloud interfaces and APIs enable integration with SSO (single sign-on) solutions, as well as data or process integration with other cloud services or on-premises software. But those interfaces and APIs are also potential targets for attack. To secure APIs, providers give users tokens or API keys that are validated in order for a client to connect.

If an API is secured poorly, an attacker could launch a DoS attack and render a cloud service unusable. APIs may provide access to all sorts of cloud functions, including account provisioning; if compromised,

… have now deployed relatively effective, automated defenses against DDoS attacks. Smaller providers may or may not have the wherewithal to mount such a defense.

6. Malicious insiders

In a 2013 survey by Forrester research, 25 percent of respondents said that abuse by a malicious insider was the most common cause of data breaches. The truth, however, is that no one knows.

Second, due to the decentralized pattern of cloud adoption typical of many organizations, IT’s purview

Abuse of cloud services
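The account hijacking section notes that stolen IaaS logons have been used to launch new VMs and calls cloud monitoring essential. The sketch below is an added example, not part of the original article: it scans a constructed audit log for VM launches that come from a source address or region a user has never used before, or that arrive in a burst. The JSON-lines log format, the field names, the thresholds and the function name are all assumptions made for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines audit format (not a real provider's schema).
SAMPLE_LOG = """\
{"ts":"2014-01-06T09:02:11","user":"alice","action":"console_login","src":"198.51.100.7","region":"us-east"}
{"ts":"2014-01-06T09:05:40","user":"alice","action":"launch_instance","src":"198.51.100.7","region":"us-east"}
{"ts":"2014-01-07T14:30:00","user":"bob","action":"launch_instance","src":"203.0.113.20","region":"eu-west"}
{"ts":"2014-01-12T10:00:00","user":"alice","action":"launch_instance","src":"198.51.100.7","region":"us-east"}
{"ts":"2014-01-13T03:11:00","user":"bob","action":"launch_instance","src":"192.0.2.99","region":"ap-south"}
{"ts":"2014-01-13T03:12:00","user":"bob","action":"launch_instance","src":"192.0.2.99","region":"ap-south"}
{"ts":"2014-01-13T03:13:00","user":"bob","action":"launch_instance","src":"192.0.2.99","region":"ap-south"}
{"ts":"2014-01-13T03:14:00","user":"bob","action":"launch_instance","src":"192.0.2.99","region":"ap-south"}
"""

BURST_LIMIT = 3                        # launches tolerated per user inside BURST_WINDOW (assumed)
BURST_WINDOW = timedelta(minutes=10)   # sliding window for burst detection (assumed)

def find_suspicious_launches(lines, baseline_until):
    """Return (ts, user, reasons) for VM launches that deviate from each user's baseline.

    Events before baseline_until only teach the baseline; input must be time-ordered.
    """
    known = defaultdict(set)     # user -> {("src", ip), ("region", name)} seen in the baseline
    recent = defaultdict(deque)  # user -> timestamps of launches inside the burst window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ts < baseline_until:
            known[user].update({("src", ev["src"]), ("region", ev["region"])})
            continue
        if ev["action"] != "launch_instance":
            continue
        reasons = [f"new {k} {ev[k]}" for k in ("src", "region") if (k, ev[k]) not in known[user]]
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # drop launches older than the window
            window.popleft()
        if len(window) > BURST_LIMIT:
            reasons.append(f"{len(window)} launches in {BURST_WINDOW}")
        if reasons:
            alerts.append((ev["ts"], user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_launches(SAMPLE_LOG.splitlines(), datetime(2014, 1, 10)):
        print(alert)
```

In the sample, alice's launch from her usual address and region raises nothing, while every launch under bob's account from the unfamiliar address is flagged and the fourth also trips the burst rule.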