In Part 1 we discussed risk, security and cloud computing at a high level. Having been a part of design teams as a contributor as well as project manager to include security and assessment team management over the last few years, I still find the same security concerns and issues directed at the cloud. Here is my take on a few of them with respect to a private cloud environment. Remember a private cloud can be housed within the infrastructure of a service provider (more cost effective for you) or within your own in-house network. Some of these thoughts can be translated into the public cloud environments, although some additional controls may be in order.

It's a given that security of data is a major concern for any entity considering a move toward a cloud computing environment. How your data will be kept secure from unauthorized access, modification or distribution can be a nagging concern. Data loss, modification, or misplacement will affect the entire organizational structure up to and possibly including shareholder value.

Major cloud providers therefore are going to great lengths these days to ensure that there are essential mitigative controls and response processes in place in the event of a security breach, which in most instances will include their client either actively or passively with updates in a predefined time-frame.

Some of these updates can include alerting, centralized logging, smart monitoring (not just signature-based events), and observing traffic to and from the client location into their private cloud environment. They will typically have processes are in place whereby all these systems are auditable and are aligned to established industry standards and aligned with emergency change management protocols.

One thing that I like to look at is a service provider's security policy (which is typically based off the ISO 27000 series) as well as an independent auditor's SAS 70 report. The SAS 70 report for example will identify and test that controls are in place to secure both the physical and logical environments, test access control privileges, test backup and recovery as well as a data protection at rest to name a few. One thing that is important here is getting clarification as to how data in motion is secured going into the cloud from the client's site as well as how the CSP provisions user rights and manage administrative access.

However, before transferring data to the cloud some things you should ask yourself are: Have you identified classified and defined ownership of your data before considering a move to the cloud?

Once there is some structure and organization with regard to data classification and ownership you have taken a step to securing your data and assigned some control as you move to a private cloud. This combined with the implementation of the CSP's stringent controls can ensure that anyone accessing your data is identified, tracked and most important - auditable.

Always remember your CSP wants your business and in this light will endeavor to make you happy by the manner in which they manage your data as well as with the service they provide within this sphere.

In almost all of my articles I have mentioned service level agreements. As cloud services mature, so will the SLAs implemented to protect your data. This will allow you to move your data without worrying about lock-in, incompatibility between CSPs or data loss; an assurance that will become common showing that CSPs are targeting all major areas of concern to earn your business and ensure the confidentiality, integrity and availability of your data.

In closing I wanted to share one question that I have been asked frequently, the one about hypervisor security and the potential of rootkit injection within this area, an attack that can possibly allow data exfiltration without a timely alert.

While there is always the possibility of a crack occurring in any one system, be assured that researchers and practitioners are constantly looking for ways to ensure the security of data.

With that said, I have seen the successful implementation of the Altor software firewall that for the VMware folks can be integrated via VMsafe application programming interfaces.

According to the manufacturer the firewall can see traffic as it moves through the hypervisor between virtual machines (VM) on the same physical host. This is a good baseline and will allow us to track and create auditable records for any notification of an unauthorized or suspicious event occurring.

For more on this hypervisor firewall and the hypervisor environments it can impact, see the VGW Series by Juniper Networks.

Reference

• http://www.juniper.net/us/en/products-services/software/security/vgw-series/