Inter-networking defined Security, Cloud is redefining it
Deepayan C.
Cybersecurity Strategy, Architecture & Governance | Author | AI ML Advocate for Cybersecurity | Board Advisor | Cybersecurity Startup Mentor | Conference Speaker | Licensed Drone Pilot
As the appetite for interconnectedness has grown over the past few decades, it has given rise to many newer concepts, technologies and solutions. One of them is obviously the “Cloud”. This brings me back to the classic question: what is cloud, and how is it different from what we knew as traditional IT?
Let’s take a brief look. Traditional IT operates mostly as an on-premises model, where the hardware, servers, applications and the processes which manage and store data sit within the boundaries of the organization, or in a data center where the organization has full control of its own infrastructure. Cloud is a little different: the infrastructure (compute, data processing and storage) is reached over the internet and sits somewhere away from the premises, outside the physical reach of the organization.
The proliferation of cloud has solved many of the problems of traditional IT, such as scalability, multi-tenancy, initial ramp-up, uptime and cost of service. But as always, every good thing has a flip side, and cloud is no different: there are many complex challenges today for the overall security of the cloud, be it data, network, geopolitical, multi-tenancy, compliance and a few other aspects.
There is absolutely no doubt that cloud is transforming IT today, but it is also redefining security, as inter-networking did several years back. What I intend to do with this article is to bring up those aspects and hear back from you about the challenges that you as an individual or an organization are already facing, and the major concerns you see while dealing with the transformation from traditional IT to a cloud environment.
What is cloud redefining in terms of security?
- Physical Security to Virtual Security: Security is shifting from the physical layer to the virtual layer. As more services and applications move into the virtual or cloud layer, the effort of securing that layer grows day by day. In the cloud the provider owns and secures the physical layer (buildings, racks, hypervisor hosts), while the customer’s controls are virtual ones: hypervisor-enforced isolation, virtual network rules, identity and access policies. The focus is therefore no longer the physical layer alone, but also the virtual/cloud layer.
- Data Security: With more enterprises adopting cloud over traditional IT, data is no longer in one location where you have full visibility and control. Data now moves from one place to another depending on workload, geo-location and so on, and this is giving rise to a whole new evolution of data-related security. The dynamics of securing data in the cloud differ from traditional IT: the data resides in distant, unseen locations beyond the data owner’s security perimeter; in most cases it sits in a multi-tenant environment where other organizations share the same storage; and access by the vendor’s IT administrators cannot be ruled out completely. With all these scenarios evolving, security for data is being redefined from every aspect: control, compliance and usage.
- Data Control: Given the above, control over your own data is not what it was in a legacy system a few years back, where data was always either on the organization’s premises or in its own tightly controlled and monitored data centers. Today an organization’s data may be in several locations beyond the owner’s control. The vendor’s data centers may also lie across geographical boundaries, and there control over data is critical because the law of the land differs from one jurisdiction to another: which authorities can compel disclosure, and which privacy and data-residency obligations apply. Compliance requirements and policies for controlling data in these scenarios are evolving, and organizations must follow them to keep proper control over their own data.
- Data Encryption: While the above two points evolve, encryption of data in the cloud is becoming a more and more critical aspect of data security. In a traditional IT environment data was encrypted and stored within the organization’s own boundary or data centers, with the encryption keys adequately protected alongside it. Cloud challenges that process, because data is no longer within the enterprise walls or in enterprise-controlled data centers; it is stored in data centers or storage locations provided by the cloud vendor, outside the enterprise’s direct control. There are only two ways data is safe in the cloud today: trust the vendor, or encrypt the data. Encryption is one of the best methods of securing your data in the cloud, but key management in the cloud is equally challenging and complex, and it decides what the encryption is worth: if the provider holds both the ciphertext and the keys, you are back to trusting the vendor, so the keys (or at least the key-encryption keys) need to stay under the customer’s control. A great deal of evolution is happening today to secure the data and the encryption keys for cloud solutions, and this is true for all three states of data: data in motion, data in use (during compute) and data at rest. The proliferation of cloud has truly put data encryption to the test and is pushing us to redefine how we handle encryption and key management.
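As an added example (not code from the original article), here is envelope encryption in Go, the pattern behind client-side encryption tooling and cloud KMS services: each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with the customer, and the provider stores only ciphertext plus the wrapped DEK. The StoredObject layout, the key sizes and the metadata tag are assumptions made for this example; a real deployment would keep the KEK in a customer-controlled HSM or KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what the cloud provider holds (hypothetical layout).
// The provider sees the metadata tag in the clear but can read neither
// the data nor the DEK without the customer-held KEK.
type StoredObject struct {
	WrappedDEK []byte // per-object data key, AES-GCM sealed under the KEK
	Ciphertext []byte // object bytes, AES-GCM sealed under the DEK
	Metadata   string // plaintext tag (e.g. residency), bound as AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends it to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal splits off the nonce and authenticates ciphertext and AAD together.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt runs on the customer side before upload: generate a random
// per-object DEK, seal the object under it, then wrap the DEK under the KEK.
// The metadata is bound as AAD, so a relabelled object refuses to open.
func Encrypt(kek, plaintext []byte, metadata string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(metadata))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(metadata))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct, Metadata: metadata}, nil
}

// Decrypt runs wherever the KEK is available. Anyone without the KEK,
// including the provider's own administrators, fails at the unwrap step.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := unseal(kek, obj.WrappedDEK, []byte(obj.Metadata))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, obj.Ciphertext, []byte(obj.Metadata))
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in practice held in a customer HSM/KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, []byte("customer record 42"), "residency=eu")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
	providerKey := make([]byte, 32) // any key the provider might hold: not the KEK
	_, err = Decrypt(providerKey, obj)
	fmt.Println("without KEK:", err)
	obj.Metadata = "residency=us" // relabelling the stored object
	_, err = Decrypt(kek, obj)
	fmt.Println("relabelled:", err)
}
```

Run stand-alone, it shows a successful decrypt with the KEK, an authentication failure with any other key (the provider's position), and a failure when the stored metadata tag is altered, because the tag is bound as associated data. Data in use is the state this does not cover: the DEK and the plaintext must exist in memory wherever decryption happens.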
- Data Segregation: Unlike legacy IT systems, cloud is highly elastic; it scales up and down as the need arises, and its biggest benefit is sharing the workload with other tenants in that elastic environment, classically known as multi-tenancy. There is no doubt that this is changing some of the core concepts of infrastructure management and the way business works today, efficiently and cost-effectively. It also increases the challenges around data segregation. As storage and compute are shared among cloud tenants, accidental or intentional mingling of data is a possibility that a single-tenant, traditional IT environment never had to consider. In a multi-tenant environment data may also travel across geographies, which adds complexity not only on the technical side but also on the legal side of data usage, according to the geo-location of the data centers where the data finally lands, is stored or is processed. Enterprises that want their data to stay in one geo-location only will have to deal with these separation issues. A few data-related compliance regimes have emerged in the past few years, and enterprises are exploring various technical solutions for logically separating one tenant’s data from another’s: separate partitions in the same store, tagging data with its tenant and region, authenticating and authorizing every access against those tags, encryption with per-tenant keys, and so on.
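The logical-separation controls listed above, as an added Go example that is not part of the original article: a small in-memory stand-in for a shared, multi-tenant object store in which every object is tagged with its tenant and region, reads are checked against the tenant tag (so a guessed or leaked object id from another tenant yields an error rather than data), and both initial writes and replication are checked against a per-tenant residency policy. The store, the tenant names and the regions are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Object is one entry in a hypothetical shared store: a single physical
// namespace serving many tenants, each object carrying tenant and region tags.
type Object struct {
	Tenant string
	Region string
	Data   []byte
}

type Store struct {
	objects   map[string]Object   // opaque object id -> object
	residency map[string][]string // tenant -> regions its data may live in
	nextID    int
}

var (
	ErrResidency = errors.New("region not permitted by tenant residency policy")
	ErrIsolation = errors.New("object belongs to another tenant")
	ErrNotFound  = errors.New("object not found")
)

func NewStore() *Store {
	return &Store{objects: map[string]Object{}, residency: map[string][]string{}}
}

// SetResidency declares where a tenant's data may be stored or replicated.
func (s *Store) SetResidency(tenant string, regions ...string) {
	s.residency[tenant] = regions
}

func (s *Store) regionAllowed(tenant, region string) bool {
	for _, r := range s.residency[tenant] {
		if r == region {
			return true
		}
	}
	return false // deny by default: a tenant with no policy may write nowhere
}

// Put stores data for a tenant and returns an opaque id. A write into a
// region outside the tenant's policy is refused before anything lands there.
func (s *Store) Put(tenant, region string, data []byte) (string, error) {
	if !s.regionAllowed(tenant, region) {
		return "", ErrResidency
	}
	s.nextID++
	id := fmt.Sprintf("obj-%d", s.nextID)
	s.objects[id] = Object{Tenant: tenant, Region: region, Data: data}
	return id, nil
}

// Get checks the caller against the object's tenant tag, so a leaked or
// guessed id belonging to another tenant yields an isolation error, not data.
func (s *Store) Get(caller, id string) ([]byte, error) {
	obj, ok := s.objects[id]
	if !ok {
		return nil, ErrNotFound
	}
	if obj.Tenant != caller {
		return nil, ErrIsolation
	}
	return obj.Data, nil
}

// Replicate models workload movement: the residency policy applies when
// data travels, not only when it is first written.
func (s *Store) Replicate(caller, id, toRegion string) (string, error) {
	obj, ok := s.objects[id]
	if !ok {
		return "", ErrNotFound
	}
	if obj.Tenant != caller {
		return "", ErrIsolation
	}
	return s.Put(caller, toRegion, obj.Data)
}

func main() {
	s := NewStore()
	s.SetResidency("acme", "eu-west") // constructed tenants and regions
	s.SetResidency("globex", "us-east", "eu-west")

	id, err := s.Put("acme", "eu-west", []byte("acme payroll"))
	fmt.Println("acme write to eu-west:", id, err)
	_, err = s.Put("acme", "us-east", []byte("acme payroll"))
	fmt.Println("acme write to us-east:", err)
	_, err = s.Get("globex", id)
	fmt.Println("globex reading acme's object:", err)
	_, err = s.Replicate("acme", id, "us-east")
	fmt.Println("acme replicating to us-east:", err)
}
```

The tag check in Get is the part that matters in a shared store: key prefixes and partitions keep tenants from colliding, but only an authorization check on every access keeps a valid-looking identifier from crossing a tenant boundary.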
- Identity and Access Management: With the rise of cloud computing the IAM picture has changed compared with enterprise and network-based IAM. Because there is a distinct need to securely authenticate, authorize and control access to cloud-based applications, IAM has evolved toward federated access (SAML, OIDC), role-based access control and so on, and cloud computing has also given rise to the concept of Identity-as-a-Service. IDaaS takes the benefits of traditional IAM and delivers them as services such as federated authentication and authorization for the cloud. In hybrid IT, where an organization has a presence both on the enterprise network and in the cloud, the two technologies, IAM and IDaaS, will coexist and must be properly integrated. Another reason cloud is a key factor in the evolution of IAM toward IDaaS is the use of mobile devices alongside the cloud. With enterprise users accessing devices and applications across locations and platforms, on-prem and in the cloud at the same time, they are required to remember different usernames and passwords, which is complex, and when an employee leaves the company it is very important to deactivate access from all devices and for every user ID assigned to that person. A single identity source that all cloud applications federate to turns that offboarding into one operation rather than a hunt across services. Cloud is redefining this very factor, and IAM is being leveraged today to achieve the goals of IDaaS.
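An added Go example, not from the original article, of the federated IAM flow described above: the identity provider issues a short-lived assertion carrying the user's directory groups, the cloud side maps groups to roles and roles to permissions, and authorization is deny-by-default. Offboarding is a single action keyed on the subject, so every assertion the person holds, from every device, is refused afterwards. The Assertion shape, the group and role names are assumptions for this example; a real deployment would also verify the assertion's signature and audience before trusting its claims.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Assertion is what a federated identity provider hands to the cloud
// application after login (a simplification of a SAML/OIDC assertion,
// constructed for this example).
type Assertion struct {
	Subject string    // stable id at the IdP, the same from every device
	Groups  []string  // group claims from the corporate directory
	Expires time.Time // assertions are short-lived; no long-lived app passwords
	Device  string    // which device or session presented it
}

// Authorizer maps directory groups to cloud roles and roles to permissions.
// There is one place to switch a person off: the revoked set keyed by subject.
type Authorizer struct {
	groupRoles map[string][]string // group -> roles
	rolePerms  map[string][]string // role -> permissions such as "storage:read"
	revoked    map[string]bool     // subjects deprovisioned at the identity source
}

var (
	ErrExpired = errors.New("assertion expired")
	ErrRevoked = errors.New("subject deprovisioned")
	ErrDenied  = errors.New("permission not granted by any role")
)

func NewAuthorizer() *Authorizer {
	return &Authorizer{
		groupRoles: map[string][]string{},
		rolePerms:  map[string][]string{},
		revoked:    map[string]bool{},
	}
}

func (a *Authorizer) MapGroup(group string, roles ...string) { a.groupRoles[group] = roles }
func (a *Authorizer) GrantRole(role string, perms ...string) { a.rolePerms[role] = perms }

// Offboard is the single deprovisioning action: after it, every assertion
// for the subject, from every device, is refused regardless of expiry.
func (a *Authorizer) Offboard(subject string) { a.revoked[subject] = true }

// Authorize is deny-by-default: validity, then revocation, then role lookup.
func (a *Authorizer) Authorize(as Assertion, perm string, now time.Time) error {
	if !now.Before(as.Expires) {
		return ErrExpired
	}
	if a.revoked[as.Subject] {
		return ErrRevoked
	}
	for _, g := range as.Groups {
		for _, role := range a.groupRoles[g] {
			for _, p := range a.rolePerms[role] {
				if p == perm {
					return nil
				}
			}
		}
	}
	return ErrDenied
}

func main() {
	az := NewAuthorizer()
	az.MapGroup("engineering", "storage.reader")
	az.GrantRole("storage.reader", "storage:read", "storage:list")
	now := time.Now()
	// Constructed: the same person logged in from two devices.
	laptop := Assertion{Subject: "alice", Groups: []string{"engineering"}, Expires: now.Add(time.Hour), Device: "laptop"}
	phone := laptop
	phone.Device = "phone"

	fmt.Println("read from laptop:", az.Authorize(laptop, "storage:read", now))
	fmt.Println("delete from laptop:", az.Authorize(laptop, "storage:delete", now))
	az.Offboard("alice") // employee leaves: one action at the identity source
	fmt.Println("read from laptop after offboarding:", az.Authorize(laptop, "storage:read", now))
	fmt.Println("read from phone after offboarding:", az.Authorize(phone, "storage:read", now))
}
```

Short expiry and a revocation check at every decision are what make the single offboarding action effective; with long-lived per-application credentials there would be nothing central to revoke.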
- Data Loss Prevention: Traditional DLP solutions work best within the enterprise perimeter, but cloud has changed the whole dynamic. In traditional DLP, protection of data was mainly achieved by having control over the physical servers and the endpoints; now that data is no longer within the enterprise walls or its own controlled data centers, cloud applications create significant blind spots for the available DLP solutions. Moreover, the majority of cloud providers use encrypted channels for communication, so a network DLP sensor sees a TLS session to the provider’s hostname and nothing of the content; it cannot act on data it has no visibility into. Without knowing what is being exported to the cloud, DLP in the traditional sense will not work, which means we need a different solution or model to track and control data in the cloud. A regular DLP solution has direct access to the data while in use, in motion or at rest, and can analyze those files on site for compliance violations; cloud challenges this whole concept, as the data is never directly visible. It lives in a virtual space, the viewing device merely points at the data source, and all that passes on the network is an encrypted session, which does not reveal enough to conduct DLP. So the control also has to move out from the premises to where the plaintext actually is: the endpoint before upload, a proxy that terminates TLS on the way to the provider, or the cloud service’s own API. DLP has evolved for the cloud over the past many years, and in my opinion it will continue to do so.
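As an added Go example (not the article’s own code) of DLP applied where the plaintext exists: a scanner that a CASB-style proxy or an endpoint agent would run on content before it is uploaded, detecting payment card numbers (a loose pattern plus the Luhn check) and US Social Security numbers (format plus the SSA structural rules) and redacting what it reports. The sample documents are constructed; the block-on-any-finding policy is a simplification of what a real deployment would do.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one sensitive-data hit in content about to leave for the cloud.
type Finding struct {
	Detector string // "card" or "ssn"
	Redacted string // enough to triage, never the full value
}

// The patterns are deliberately loose; the validation functions below do
// the real filtering so that ordinary numbers do not block uploads.
var (
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
)

// luhn reports whether a digit string passes the Luhn check-digit test.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// validSSN applies the SSA structural rules: area not 000, 666 or 9xx,
// group not 00, serial not 0000.
func validSSN(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' &&
		group != "00" && serial != "0000"
}

// Scan inspects plaintext. It has to run where plaintext exists: on the
// endpoint, or in a proxy that terminates TLS on the way to the provider.
func Scan(content string) []Finding {
	var out []Finding
	for _, m := range cardRe.FindAllString(content, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhn(digits) {
			out = append(out, Finding{"card", "****" + digits[len(digits)-4:]})
		}
	}
	for _, m := range ssnRe.FindAllStringSubmatch(content, -1) {
		if validSSN(m[1], m[2], m[3]) {
			out = append(out, Finding{"ssn", "***-**-" + m[3]})
		}
	}
	return out
}

// AllowUpload is the policy decision enforced before the bytes are sent:
// block on any finding (a real policy would vary by destination and user).
func AllowUpload(content string) (bool, []Finding) {
	f := Scan(content)
	return len(f) == 0, f
}

func main() {
	// Constructed documents standing in for files headed to a cloud share.
	docs := map[string]string{
		"expenses.txt": "Card used: 4111 1111 1111 1111, approved by finance.",
		"invoice.txt":  "Order ref 4111 1111 1111 1112 shipped on 2023-05-01.",
		"hr-note.txt":  "Employee SSN on file: 123-45-6789.",
		"notes.txt":    "Ticket 0000-000-00 is not an SSN, nor is 000-12-3456.",
	}
	for name, body := range docs {
		ok, findings := AllowUpload(body)
		fmt.Printf("%-13s allow=%v findings=%v\n", name, ok, findings)
	}
}
```

The invoice line shows why validation matters: it looks like a card number but fails Luhn, so it passes, while the expenses line is blocked and reported with only the last four digits. On the wire, after TLS, none of these bytes would be visible to a network sensor.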
- Security Incident Response: Incident response in a traditional network monitors an internal network, on-prem devices and applications, with full control over those devices and applications. Cloud IR is different and challenging: in a public cloud you do not have access to the internal network where the cloud is hosted, or to the physical devices, and in most cases the applications are spread across multiple locations with no direct control or access. In a traditional network, logs are collected directly from the affected systems or the internal network and are easily manageable. In the cloud the scenario is completely different, because the very nature of cloud is elastic and volatile; for example, a VM that may have been breached can be brought down without notice during an automatic scale-down unless the IR policy includes rules that protect suspect instances from scale-in and snapshot their disks and ship their logs before termination. Otherwise valuable forensic data is lost. The response process is more direct in traditional IT than in the cloud, where many external participants are involved. A breach in a usual network has a direct impact and can be addressed quickly, but because cloud is a multi-tenant environment, a breach in a neighboring tenant may also affect your environment, and how to perform IR in those scenarios will be very different; it needs tighter SLAs between the cloud vendor and the enterprise. As a matter of fact, the forensic process during IR is completely different for a VM running on a shared pool of resources: memory acquisition, for instance, requires access at the hypervisor layer, which a public-cloud tenant does not have, so the provider’s cooperation becomes part of the process. In other words, IR is seeing many changes in its methodologies and processes because of cloud.
Comments

Join our 6th of June Global B2B Conference | Up to 50 Exhibitors | 10 plus sponsor | 200+ Attendees (1 year ago)
Deepayan, thanks for sharing!

Threat Detection and Research | Threat Intelligence | Threat Hunting (9 years ago)
Very informative, and thanks for sharing valuable thoughts. Great article, Deepayan.

Director of Global Cloud Security, Office of the Chief Security Officer, NetApp (9 years ago)
Great post.

CEO at SURF Security | Former CISO, Chromium Geek | Let's connect to talk about Zero Trust Browser (9 years ago)
Great article, Deepayan C.! Did you try SecuriGo? It gives an answer to DLP, data security and other aspects you mentioned, free.