|By Denis Martin||
|July 6, 2010 10:15 AM EDT||
Cloud Infrastructure as a Service (IaaS) provides compelling cost and strategic benefits. These include scalability with reduced capital expenditure, more efficient use of IT resources, and the ability for an organization to focus on their enterprise's core competency. Despite fears to the contrary, many well-established security technologies and procedures can be applied cloud computing and provide enterprise-class security. In many cases the cloud vendor may even provide better security in a virtualized environment than the individual enterprise can achieve in a purely physical architecture.
The most effective security is a comprehensive, layered defense based on a framework. A cloud platform can leverage specialized tools to protect the integrity of virtual machines and Internet communications. Virtualization creates logical abstraction layers that allow for multi-tier security policies in order to provide true defense in depth. Enterprises with limited IT resources may not be able to afford the same security measures as a cloud provider and remain competitive. Deploying cloud-based IaaS represents an opportunity for the enterprise to build in security from the ground up.
Increasing Demands on IT Require Security Frameworks
IT must become more responsive to business drivers originating beyond IT, such as a greater role in meeting compliance requirements. Compliance legislation for different business types, even departments within the enterprise, will dictate some security requirements: FISMA/NIST guidelines for US Federal agencies, Sarbanes-Oxley reporting for publicly held companies, PCI DSS or HIPAA for those dealing with Personally Identifiable Information (PII) - the list goes on.
The better way to approach security is working within a comprehensive framework. Though virtualization does present some unique threat surfaces, defensive layers using new tools must be organized within these frameworks.
Hypervisors provide a consolidated, logical view of multiple virtual machines (VMs). VMs running on the same physical machines must be guaranteed to remain isolated from one another, through omission, mis-configuration, or intentional breach.
The Center for Internet Security and the Defense Information Systems Agency (DISA), as well as hypervisor vendors, publish "hardening" guidelines. Hardening examples include how to correctly protect memory segmentation using container rings, and familiar steps like best-practice configurations, deploying the latest patches, and proper cleaning up of de-provisioned virtual machines and resources.
A virtual network switch can provide further layers of platform defense to the same level as a physical switch. An "intelligent" switch can "lock down" Machine Access Codes (MAC), and perform dynamic inspections of the Address Resolution Protocols (ARP). Used with other authentication protocols, they mitigate man-in-the-middle attacks and ARP cache poisoning.
Hardening helps guarantee virtual machine isolation and challenges penetration from without. Properly hardened hypervisor layers prevent IaaS end users from inadvertently mapping IP addresses across virtual machines, IP spoofing, or intentionally leveraging Network Address Table (NAT) mapping to hijack communications. Hardening makes it difficult to install "eavesdropping programs" to monitor virtual machine memory space.
The hypervisor can also rapidly propagate new configurations, patches, or layered security policies across the infrastructure. Employed correctly, this level of abstraction can strengthen IaaS security.
Identity Management and Administrative Access Control
Identity management takes on increased urgency in the virtual environment; administrative access control is crucial. Best practices include multi-factor authentication and role-based access management. Role-based access instantiates existing written policies, and provides an additional layer of user discrimination - and detection - in system access.
Segregation of duties for the server, network, and security administration is required. Strict employee screening and qualification is key. It's critical to manage access of privileged third parties; best practices have all third-party activity monitored by your staff.
Ideally you should deploy Privileged Identity Management (PIM) software. A PIM application can enforce administrative access rules throughout a virtual environment - greatly mitigating the risk of undocumented or malicious access.
PIM software can also support Information Technology Infrastructure Library (ITIL) best practices, such as audit trails required for compliance regulations SOX, FISMA, PCI-DSS and HIPAA. The more advanced packages can perform continuous discovery across new hardware and software applications, and can rapidly and comprehensively propagate changed passwords after third-party access or staff turnover.
Network Segmentation and Traffic Protection
It is critical to segregate and protect the data flowing through virtual or private virtual LANs (VLANs or PVLANs). The hardening process secures machine access code (MAC) assignments and Network Address Translation (NAT) mapping. Further inter-VLAN protection comes from firewalls between VLANs (over and above port-forwarding within a VLAN).
Application firewalls should be placed monitoring web application traffic. Application firewall functions such as cookie consistency, buffer overflow protection, and HTML checks permit only defined application behavior (at least in regards to web traffic). Besides critical application protection, they provide fundamental IaaS defense against distributed denial of service (DDoS) attacks.
Security can be configured into a virtual IaaS by using application firewalls to "lock down" data entry by web users. An example would be monitoring credit card number entries on a shopping cart payment page. The application firewall can be "trained" to recognize a set number of numeric characters only - any other data is prevented from reaching the web server. Locking down data entry prevents "cross-sight scripts" from penetrating the IaaS.
Proactive System Management
The biggest risks to enterprise security come not from virtualized architecture but are operational, usually involve mis-configuration (or configuration not aligned with the security framework), and poor change management resulting in out of date patches.
Systematically mitigating such vulnerabilities is another benefit of working within a time-tested security framework. Where vulnerability due to error or omission can proliferate rapidly across VMs, strong change management is crucial. Leverage guidelines provided by a service management framework such as ITIL.
The compulsory entry of change data should be part of the user interface wherever possible. Logging change data - not just patches, but to firewalls, provisioning of machines, IP addresses, NAT mapping, administrative access, etc., is imperative for the tracking of incidents, errors and process improvement. More and more compliance requirements require the ability to audit system changes.
The strongest defense is proactive system management. A strong security posture has never been a static endeavor. You must continue to invest in ongoing system and security training. A proactive security posture includes a documented, standards-based (like ITIL) incident escalation and notification procedure. Regular automated vulnerability scans and third-party penetration testing, file-integrity software, and anti-virus software - all provide preemptive layers of security - and not just in virtual environments.
The cost benefits of virtual IaaS continue to drive enterprises to cloud deployments. Mid-size and large enterprises can enjoy the business advantages of elasticity and leverage the security investment and expertise of the vendor.
The most effective security is still a layered defense based on a framework. Security technology and procedures are augmenting security frameworks to accommodate virtual architectures. There is the opportunity for the enterprise to build in security from the ground up. Properly configured and managed, security in the cloud from an experienced vendor will be better than what could be achieved in-house.
- See "Security Compliance in a Virtual World: Best Practices to Build a Solid Foundation", RSA Security Brief, 2009.
- See "Privileged Identity Management in the Cloud", Steve Staso, pgs 19-20, April, 2010.
- For an overview of IT security and current compliance regulations see Information Security Standards and Certifications in Contracting, May 26, 2010 by W. Scott Blackmer.
- COBIT standards are published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA): http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
- "Top Threats to Cloud Computing V1.0": the Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
- "Cloud Computing Information Assurance Framework", The European Network and Information Security Agency (ENISA): http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
- "Security Compliance in a Virtual World: Best Practices to Build a Solid Foundation", RSA Security Brief, August, 2009.
- "Privileged Identity Management in the Cloud", Steve Staso, April, 2010.
- The ITIL Best Practices website including Change Management: http://www.best-management-practice.com/
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
Mar. 29, 2015 10:00 PM EDT Reads: 1,805
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
Mar. 29, 2015 07:00 PM EDT Reads: 5,223
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.
Mar. 29, 2015 06:00 PM EDT Reads: 1,849
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
Mar. 29, 2015 06:00 PM EDT Reads: 1,484
The WebRTC Summit 2014 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
Mar. 29, 2015 06:00 PM EDT Reads: 1,594
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
Mar. 29, 2015 04:15 PM EDT Reads: 2,437
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
Mar. 29, 2015 04:00 PM EDT Reads: 1,420
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
Mar. 29, 2015 03:30 PM EDT Reads: 2,171
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional Social, Mobile and Cloud user experiences, our solutions help large and medium-sized organizations dr...
Mar. 29, 2015 03:00 PM EDT Reads: 2,852
SYS-CON Events announced today that Liaison Technologies, a leading provider of data management and integration cloud services and solutions, has been named "Silver Sponsor" of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York, NY. Liaison Technologies is a recognized market leader in providing cloud-enabled data integration and data management solutions to break down complex information barriers, enabling enterprises to make smarter decisions, faster.
Mar. 29, 2015 03:00 PM EDT Reads: 3,458
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the M2M space. This really allows some room for influential individuals to create more high value inter...
Mar. 29, 2015 01:45 PM EDT Reads: 4,665
After making a doctor’s appointment via your mobile device, you receive a calendar invite. The day of your appointment, you get a reminder with the doctor’s location and contact information. As you enter the doctor’s exam room, the medical team is equipped with the latest tablet containing your medical history – he or she makes real time updates to your medical file. At the end of your visit, you receive an electronic prescription to your preferred pharmacy and can schedule your next appointment.
Mar. 29, 2015 12:00 PM EDT Reads: 790
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
Mar. 29, 2015 12:00 PM EDT Reads: 1,455
The list of ‘new paradigm’ technologies that now surrounds us appears to be at an all time high. From cloud computing and Big Data analytics to Bring Your Own Device (BYOD) and the Internet of Things (IoT), today we have to deal with what the industry likes to call ‘paradigm shifts’ at every level of IT. This is disruption; of course, we understand that – change is almost always disruptive.
Mar. 29, 2015 11:45 AM EDT Reads: 1,115
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
Mar. 29, 2015 11:00 AM EDT Reads: 2,096
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
Mar. 29, 2015 11:00 AM EDT Reads: 1,419
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microservices, and more.
Mar. 29, 2015 08:30 AM EDT Reads: 2,053
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...
Mar. 29, 2015 01:00 AM EDT Reads: 1,464
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Things. Akana enables enterprises to share data as APIs, connect and integrate applications, drive part...
Mar. 28, 2015 04:15 PM EDT Reads: 1,546
Cloud is not a commodity. And no matter what you call it, computing doesn’t come out of the sky. It comes from physical hardware inside brick and mortar facilities connected by hundreds of miles of networking cable. And no two clouds are built the same way. SoftLayer gives you the highest performing cloud infrastructure available. One platform that takes data centers around the world that are full of the widest range of cloud computing options, and then integrates and automates everything. Join SoftLayer on June 9 at 16th Cloud Expo to learn about IBM Cloud's SoftLayer platform, explore se...
Mar. 28, 2015 02:00 PM EDT Reads: 1,637