The senior IT manager of a manufacturing firm is convinced about the benefits of cloud - but losing sleep over security
Is Kunal Joshi in a position to secure all applications on-premise and on cloud via closer relationships with his cloud provider?
Joshi and his business group do not deny the benefits of cloud computing which include cost savings, elasticity and agility. However, for Joshi, a senior IT manager with a large manufacturing company, these benefits are not enough to move entirely to the cloud.
While cloud computing frees him from day-to-day core IT activities and lets him focus on business strategies, he has nightmares about securing the applications he has moved to the cloud. Joshi's recent decision to move his HR, ERP, CRM, design and production related applications to the cloud also has him worried about their security.
The cloud model makes a case compelling enough that he is even thinking of integrating applications, both on-premise and in the cloud, but Joshi is apprehensive about how secure these would be on the cloud. He has been hearing a lot about cloud security (referred to here in the context of securing the applications on cloud and not security as a service), but is concerned about how he can ensure that the entire infrastructure is secure on a cloud model.
Joshi is clued-in to the protocols and techniques to secure the links between applications, but his challenge lies in being vigilant over all the connections. And much depends on how well the cloud service providers are equipped to secure the entire infrastructure.
Naturally, Joshi's challenge also lies in putting a cloud security strategy in place to secure all their assets; this includes addressing governance, security and reliability. How much of the security aspect should be attributed to the cloud service provider and how much should be under his control? Another challenge lies in understanding the various dimensions of security within the framework.
Against this backdrop, Joshi expects to find answers to two questions from the experts around his cloud security strategy.
THE BIG QUESTIONS
1) What are the key security areas of concern in a cloud model? And what kind of cloud security strategy should Joshi adopt?
2) How much can he rely on the cloud service provider and what broad set of policies, technologies, and controls should he look at deploying to protect data, applications, and the associated infrastructure?
Here are the answers...
Suresh A Shanmugam, Head Business Information Technology Solutions (BI TS), M&M Financial Services Limited
Since Kunal Joshi has to secure all the applications on-premise and on cloud via closer relationships with his cloud service provider, he and his business group must realise the benefits of cloud computing that include cost savings, elasticity and agility. The key applications he should secure are HR, ERP, CRM, design and production, both on-premise and in the cloud, as part of the cloud security initiative. He seems to be looking for a smart, secure and IaaS (Infrastructure as a Service) designed solution as per the manufacturer's expectations to provide faster access to build a security-rich platform for a class enterprise, multi-tasking, virtual server environment; the same can be used for development and test activities and other dynamic workloads.
If he wants his team to have greater control over the accounts with more visibility, he has to deploy effective monitoring and efficient management capabilities. He should make sure to create methods to manage and monitor every instance by providing clearly defined permissions to modify user information and with controlled access. Manage multiple keys, more passwords and specific encrypted connections, and the value proposition of assigning instances to all networks, gain assistance where and when he needs it. Enhance production-level responsiveness and reduce costs by delivering services through a flexible and self-configurable cloud infrastructure owned and managed by the defined tools. Provide multiple levels of isolation and 99.9 per cent availability, which means that he can deploy critical workloads with more confidence.
Joshi needs to be specific about his business demands and the dynamics of the business expectations, to fix the industry-leading expertise and to grant more options to have better security processes, procedures and policies which will suit his environment and quality-proven deliverables from the vendor.
The service provider should have a global network of experts and have the necessary expertise, premium and add-on support solution services which can help and guide Joshi to enhance the availability of information and security of the virtual environment.
Complimentary technical support for all the business solutions and technical services should be made available through the cloud web portal besides having effective online cloud monitoring and management of the cloud infrastructure tools.
The premium support services must extend to complimentary support solutions with round-the-clock telephone support and a web-based ticketing system online to submit and review the service requests on a defined timeframe basis.
Mukund Sathe, VP - Technology, Core Education & Technologies Ltd
It would be difficult for Joshi to have physical control over sensitive data related to human resources, production processes, client information and financials and applications, and the chances of the data being compromised by the cloud vendor are high.
The infrastructure being used by the vendor may be vulnerable to virus or malware attacks. The attacker may take control of the virtualisation layer making all hosted workloads accessible.
Sensitive data could remain on a private cloud and the rest of the data could be moved to a public cloud. With the private cloud, he could rely on the various security features provided by the virtualisation environment.
Joshi also needs to define the vendor selection criteria based on various parameters, to ascertain the cloud service provider's credentials. These parameters include access governance, data encryption, customer list, certifications, external audit process, DR implementations, among others.
The improvement in cloud security technologies is ongoing. Security vendors have established standards and APIs to effectively integrate with the cloud and provide better security services than in the physical environment. The solutions around policy management, monitoring and reporting are specifically built around the cloud services. Technologies such as vMotion also help create a backup of specific VM images at the desired frequency and at a much faster rate. The size of hypervisors is reduced from GBs to MBs over a period, which helps manage security easily.
Joshi should break down the security aspects into three categories: data in the database at any given time, data in transit and network security. Many cloud providers have SAS 70 certified data centres showing that they have been through stringent audits. Joshi should verify if similar certifications are obtained by the service provider. He should look into the HR policies of the service provider in terms of recruitment standards, background checks, working environment and controls implemented.
Harsha E, IT Consultant, HK Group
First establish a point-to-point encrypted tunnel link from the service provider to Joshi's office. Also adopt cryptographic solutions, IP security policies, strong data encryption methodology, the vendor's security token system for two-way authentication and tool searches to destroy malicious code in the cloud.
Strong DLP policies and automated notification need to be in place. All applications should be audited for weak coding and open ports. It is critical to have super admin control of the cloud-based server and Joshi's team needs to log in to every activity. Security updates and patches must be done on a daily basis with a regular security audit, while educating the users about security vulnerabilities.
Background checks of all, especially those who handle back-up and restoration of data, are crucial. Also vital is a right to pursue permissible legal action for any supplier employee/contractor wrong-doing, if found by the cloud supplier or Joshi's audit team. Send a notification, within the context of applicable law, from the company's legal department for any confirmed breach into your data. The supplier must maintain security monitoring logs of all access to your data and documents as routine, random or suspicious audit, leveraging their prescribed scripts and operational procedures as the basis for all audits, for no less than seven years. Offsite back-up for disaster recovery and/or business continuity must be encrypted and all vendors must subscribe to these security measures, without exception.