Cloud Security

Well, it’s been a while since I’ve posted… Security work is always in demand! I will cover Android and PCI Assessments in future blogs, but I would like to start a short series on a hot [and hyped] topic: Cloud Computing Security…

First, let's define the terms: Cloud Computing is a SERVICE provided by an internal IT shop [private cloud] or outsourced to a provider [public cloud]. Occasionally organizations, like non-government organizations (NGOs) or universities, work together to build a cloud they share among themselves; that is called a "community cloud." If you mix any of the three types of clouds, you get a hybrid cloud! So far so good?

Alright, let's go a little deeper… remember, all we are trying to do is get our client computer to connect to a remote server to perform some work… As I mentioned earlier, cloud computing is a service and it comes in 3 flavors:

Infrastructure – just as you have been able to rent rack space or gigabytes galore in the past, Infrastructure as a Service (IaaS) is the service of providing infrastructure on demand. You provide the OS and everything above it… as close to bare metal as you can get. You also keep good control of the security of the remote infrastructure: the provider secures the physical hosts and the network underneath, and everything from the OS up is yours to patch and harden.

Platform – sometimes you just don't have the IT resources and you need another database or application server for testing, or for when you know demand will be high. You may need debugging or programming tools as well, whether it is Java, .Net or PHP. And dealing with many software vendors' licensing is a pain. Well, that's where Platform as a Service (PaaS) comes in. You rely on the vendor to maintain and secure the platform; you provide the data and the applications.

Software as a Service or SaaS is a perfect fit for a small company [but not limited by size] that does not even have an IT department and needs an email service, a content management system (CMS) or a customer relationship management (CRM) system; basically: on-demand software.

So the companies get to save money… and the former hosting companies sell more “space and bandwidth.” Wait! What about security? I’m glad you asked! We’ll cover that exact topic tomorrow!

=====

What about Cloud Security?

Let's think of the process for a second: you used to have servers in house (if you had an IT department), then you moved them to a hosting environment under tight control, and now you have finally moved your main servers to another layer on the internet where your trusted employees and partners can get access… any security issues here?

When an organization goes to the cloud, it gains a number of advantages (especially cost savings) at the cost of losing at least some degree of control over its computing and networking environment. If an organization contracts for Software-as-a-Service (SaaS), its users will obtain access to a variety of applications and the databases that support them. The cloud applications run somewhere outside of the organization's network, so the hop count for traffic from users' workstations to the servers on which the applications run will grow, adding latency to every interaction with the applications.

Another important integration consideration is authentication and authorization. In some ways, the worst possible cloud integration scenario is when an organization that has designed and implemented an identity management solution based on certain services and protocols migrates to cloud services that perform authentication and authorization in a different way. Suppose, for example, that an organization uses an identity management system with LDAP-based authentication and authorization. Suppose, too, that a large proportion of internal applications interface with the identity management system through LDAP. If this organization signs on for SaaS with a cloud provider that does not use LDAP-based authentication and authorization, the organization’s transition is likely to be very difficult.
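As an added example (this is not code from the original post), here is the way that mismatch is usually bridged: an identity broker keeps the LDAP bind on the inside and hands the SaaS application a signed assertion it can verify on its own, so neither side has to speak the other's protocol. Everything in it is an assumption for illustration: the corporate directory is an in-memory stand-in for an LDAP bind, the token is a simplified HMAC-signed stand-in for a SAML or OIDC assertion, and the user names, secret and group names are made up.

```python
"""Added example, not from the original post: a minimal identity broker
between an LDAP-style directory and a SaaS app that expects a signed token.

Assumptions (none come from the post):
- DIRECTORY stands in for the corporate directory; a real broker would do
  an LDAP simple bind against it instead of a dict lookup.
- The SaaS side accepts an HMAC-signed, JWT-like token carrying the user's
  groups; real deployments would use SAML or OIDC for the same job.
"""
import base64
import hashlib
import hmac
import json
import time

_SALT = b"constructed-salt"  # constructed; a real directory stores per-user salts


def _hash(password, salt):
    # Iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000).hex()


# Constructed stand-in for the LDAP directory: uid -> password hash + groups.
DIRECTORY = {
    "alice": {"pw": _hash("correct horse", _SALT), "groups": ["crm-users", "staff"]},
    "bob": {"pw": _hash("battery staple", _SALT), "groups": ["staff"]},
}


def ldap_bind(uid, password):
    """Stand-in for an LDAP simple bind: True only if the credentials match."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pw"], _hash(password, _SALT))


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(uid, password, key, now=None, ttl=300):
    """Broker side: bind against the directory, then mint a signed assertion.

    Returns None when the bind fails, so the SaaS side never sees a token.
    """
    if not ldap_bind(uid, password):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": uid, "groups": DIRECTORY[uid]["groups"],
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, key, now=None):
    """SaaS side: accept the assertion only if signature and expiry check out.

    The SaaS app needs the shared key, not LDAP access; that is the point.
    """
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    key = b"shared-secret"  # constructed; provisioned out of band in practice
    tok = issue_token("alice", "correct horse", key)
    print("claims accepted by SaaS side:", verify_token(tok, key))
    print("bad password yields token:", issue_token("alice", "nope", key))
```

The internal applications keep binding to the directory exactly as before; only the broker learns the SaaS provider's token format, which is what makes the migration tractable.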

Still another integration issue is auditability. When an organization's IT functions are entirely in-house, it is easy to obtain log output from servers, workstations and devices to build a thorough picture of what kinds of events and conditions are occurring. Additionally, IT staff can launch vulnerability scans at will (in the cloud, even scanning your own hosts usually has to follow the provider's scanning policy). When the organization moves its IT functions to the cloud, however, it is generally more difficult to obtain the same amount of information. Some cloud service providers (CSPs) allow customers to query at will for information such as the status of patches on critical hosts, but many do not. Organizations that are making the transition between in-house and cloud services need to determine how to keep getting the log and status output they need in the interim, while at the same time exploring long-term solutions.
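As an added example (not code from the original post), here is the kind of check a team would run over whatever log feed the provider does hand over, to notice when the visibility described above quietly degrades: which expected hosts have stopped reporting, which report a patch level below the required one, and which hosts are talking that nobody expected. The log format, host names, timestamps and patch levels are all constructed for the example; a real feed would need its own parser.

```python
"""Added example, not from the original post: a log-coverage check for a
cloud-side log feed.

Assumption (not from the post): each line looks like
  <ISO timestamp> host=<name> event=<type> [patch_level=<n>]
Anything else is counted as malformed rather than silently dropped, since
an unparseable feed is itself a loss of visibility.
"""
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"
    r"(?: patch_level=(?P<patch>\d+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    rec["patch"] = int(rec["patch"]) if rec["patch"] else None
    return rec


def coverage_report(lines, expected_hosts, now, max_silence, required_patch):
    """Summarise what the feed says about the hosts we are supposed to see."""
    last_seen = {}
    patch_level = {}
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        host = rec["host"]
        if host not in last_seen or rec["ts"] > last_seen[host]:
            last_seen[host] = rec["ts"]
        if rec["patch"] is not None:
            patch_level[host] = rec["patch"]  # latest reported level wins
    silent = sorted(h for h in expected_hosts
                    if h not in last_seen or now - last_seen[h] > max_silence)
    behind = sorted(h for h in expected_hosts
                    if patch_level.get(h, -1) < required_patch)
    unexpected = sorted(set(last_seen) - set(expected_hosts))
    return {"silent": silent, "behind": behind,
            "unexpected": unexpected, "malformed": malformed}


# Constructed sample feed: db1 goes quiet, app1 never appears, shadow9 is a
# host nobody provisioned, and the collector emits one junk line.
SAMPLE_LOG = """\
2012-03-01T09:00:00 host=web1 event=heartbeat patch_level=42
2012-03-01T09:05:00 host=db1 event=heartbeat patch_level=41
2012-03-01T11:55:00 host=web1 event=heartbeat
2012-03-01T11:58:00 host=shadow9 event=heartbeat patch_level=42
garbage line from the collector
"""


def run_sample():
    return coverage_report(
        SAMPLE_LOG.splitlines(),
        expected_hosts=["web1", "db1", "app1"],
        now=datetime(2012, 3, 1, 12, 0, 0),
        max_silence=timedelta(hours=1),
        required_patch=42,
    )


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The "silent" list is the one to alarm on first: a host that stops appearing in the provider's feed may be down, may have been rebuilt, or may simply have fallen out of the export, and from the customer's side those look identical until someone asks.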

Next we’ll get really technical: Encryption!

=============================