In their report, “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,”* Gartner addresses the need for security and risk management leaders to embrace a new mindset when moving to the cloud. In the playbook, Gartner highlights a number of main recommendations across identity and access management, encryption, demonstrating governance and compliance and measuring cloud service provider SLAs. I’ll cover how iland helps customers address each of these areas in this blog.
With over a decade of experience helping customers adopt cloud computing across IaaS, DRaaS and cloud backup use cases, we have witnessed the evolution of customer concerns about cloud security first-hand. In response, we’ve adapted our cloud platform and services to meet these ever-changing customer priorities.
Who takes responsibility for cloud security?
IT teams are all too familiar with managing the resources that make up their IT infrastructures, from the buildings they are housed in, to the electricity and cooling supply, through to the servers, all the way down to the storage and networking infrastructure. Gartner makes the analogy that moving to the cloud is a bit like being flown somewhere in a plane, compared to driving your own car on a journey. You are relinquishing control of the maintenance and driving to the flight crew of the plane. Whereas you might check the oil, tires and windshield washer fluid on your car once in a blue moon, the plane will be checked rigorously, every flight.
Much like the flight crew on a plane, iland has included all the security features that on-premises environments have built up over time in our cloud console – this includes best-of-breed edge firewalling, load balancing and VPN capabilities, as well as anti-virus/anti-malware, intrusion detection, vulnerability scanning, log inspection, file integrity monitoring and suggested remediation for security issues.
Another observation Gartner makes in the report is that, with the advent of distributed systems networking, we are no longer responsible for (or concerned with) the physical aspects of wide-area networking. We believe this is where the first concept of a ‘cloud’ came from, in the field of networking. You are no longer concerned with how traffic gets from A to B from a physical networking and cabling perspective; you are just concerned about the fact that it does, and in a suitable period of time.
This idea extends nicely to cloud computing, where you no longer have to worry about physical infrastructure lifecycles: servers, storage, local area networking, power, UPS, cooling, rack space – you are just consuming resources.
This then brings us onto the concepts of the shared responsibility model of cloud computing. Where is the demarcation line between different layers of cloud infrastructure? In the on-premises world, IT departments are responsible for the entire IT stack. In the ‘as a service’ world, service providers become responsible for different aspects of the stack as you move from IaaS, to PaaS, to SaaS – leaving the customers with SLAs covering the various service offerings.
Identity and Access Management
With the new shared responsibilities in the cloud, it is extremely important, as Gartner recommends in the report, to instill an effective Identity and Access Management (IAM) strategy. The iland experience is that, in cloud environments, it is all too easy for everyone to simply log in as ‘root’ or ‘administrator’ and have access to all aspects of the platform. We’ve found that this can be dangerous for a number of reasons:
- While everyone can create stuff, they can also change or delete it
- There is no real audit capability when everything is done by the same user name
- If the password falls into the wrong hands, bad things will happen
It is fine if someone wants to do some short-term testing of a cloud platform and needs to be unhindered in their capabilities. However, it is far better (and safer) to start with a ‘least privilege’ methodology. In this way, individual users are created with just enough privileges or capabilities appropriate for their role. If they need additional capabilities, these can be added for a short time, and then removed again, unless it can be shown that they need to keep those additional privileges. Everything they do will be audited with their user name. Clearly, this strategy will apply to the different capabilities or functionality provided by the cloud platform.
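As an added illustration (not iland's code and not part of the original post), the sketch below models the least-privilege approach described above: named users get role-based privileges, extra privileges are granted only for a limited time, and every decision is recorded under the individual's user name. The role names, privilege names and timestamps are hypothetical.

```python
from datetime import datetime, timedelta, timezone

SHARED_ACCOUNTS = {"root", "administrator"}  # shared logins the post warns against
# Hypothetical roles and privilege names, chosen for this example only.
ROLES = {
    "operator": {"vm.read", "vm.restart"},
    "admin": {"vm.read", "vm.restart", "vm.delete", "iam.grant"},
}

class AccessManager:
    """Named users, role-based privileges, time-boxed extras, per-user audit."""

    def __init__(self, roles):
        self.roles = roles
        self.user_role = {}   # user name -> role
        self.temp = {}        # (user, privilege) -> expiry time
        self.audit = []       # (time, user, action, allowed)

    def add_user(self, user, role):
        if user.lower() in SHARED_ACCOUNTS:
            raise ValueError(f"shared account name not allowed: {user}")
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.user_role[user] = role

    def is_allowed(self, user, privilege, now):
        base = self.roles.get(self.user_role.get(user), set())
        expiry = self.temp.get((user, privilege))
        allowed = privilege in base or (expiry is not None and now < expiry)
        self.audit.append((now, user, privilege, allowed))  # denials are logged too
        return allowed

    def grant_temporary(self, approver, user, privilege, now, minutes):
        # The approver must hold iam.grant; that check is itself audited.
        if not self.is_allowed(approver, "iam.grant", now):
            raise PermissionError(f"{approver} may not grant privileges")
        self.temp[(user, privilege)] = now + timedelta(minutes=minutes)
        return self.temp[(user, privilege)]

    def actions_by(self, user):
        """Audit view: what this named user attempted and whether it was allowed."""
        return [(action, ok) for _, who, action, ok in self.audit if who == user]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    am = AccessManager(ROLES)
    am.add_user("alice", "operator")
    am.add_user("bob", "admin")
    print(am.is_allowed("alice", "vm.delete", t0))
    am.grant_temporary("bob", "alice", "vm.delete", t0, minutes=30)
    print(am.is_allowed("alice", "vm.delete", t0 + timedelta(minutes=10)))
    print(am.is_allowed("alice", "vm.delete", t0 + timedelta(minutes=45)))
    print(am.actions_by("alice"))
```

The temporary grant lapses without anyone having to remember to revoke it, and the audit view answers "who did what, and when" per named user rather than per shared login.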
It is also important to apply the IAM strategy not only on the cloud platform but also the applications and services that the cloud platform is presenting to the outside world. A simple example might be email.
- The email server might be running within a virtual machine on the cloud platform, its storage and its networking might be administered by a cloud platform administrator with a particular set of permissions. Additionally, the email application might be accessed over the Internet, so the edge firewall settings to allow access to the email application will also need to be administered.
- The email application itself, running inside the virtual machine, will be managed using another set of permissions. This might also include a database.
- At the highest level, users will be accessing the email server from their email client on desktop or phone using their own credentials.
Aside from identity and access management, the topic of encryption of data at rest and in transit is often seen as yet another way to secure, segregate and isolate data on a public cloud platform. It is highly unlikely that anyone would be able to break into a public cloud data center and physically steal a disk drive containing your data, even if they could find the actual drives that your data resides on.
However, it is highly recommended to consider using encryption in the following areas:
- Data at rest – is the storage encrypted at rest to mitigate against physical data theft?
- If using virtual machines, can the virtual disks be encrypted? Who holds the private keys?
- Encrypt data in transit between application and user at a minimum, perhaps using HTTPS/TLS.
- Site-to-site VPNs should use strong encryption.
- Consider the use of encryption in database applications.
Monitoring and Instrumentation
As discussed earlier, as well as implementing a strong IAM strategy, it is equally important to enable logging for auditing purposes. Who did what to what, and when?
In a global cloud strategy, the question of location can also come in. Particular users might only be allowed access to certain locations for data sovereignty control purposes.
Monitoring of the cloud infrastructure is also important to quickly alert and be able to diagnose issues including:
- Monitoring performance statistics within the VMs or PaaS applications running
- Monitoring of network components such as firewalls, routers and load balancers
- Logging of user logins, failed attempts, firewall issues, intrusion detection
To enable this, iland has taken advantage of the rich APIs offered by our technology partners including VMware, TrendMicro, Tenable, Zerto and Veeam, to surface relevant monitoring information into the iland console, via a market-leading Cassandra database. Not only is real-time information available, but data can be retrieved and viewed for up to a year. A higher level API makes this information available to authenticated and authorized external users.
Adherence to Compliance Regulations:
Here at iland, we have always focused on delivering secure and compliant cloud services to our customers. As well as providing all the security features that businesses have been used to in their on-premises environments, we have also led the way in terms of compliance and certification to relevant industry best practices and emerging standards, which include:
Additionally, as customers continue to face an increasingly regulated environment, iland has established an in-house certified compliance team to work with customers to provide documentation and expert compliance assistance to fulfill audit requirements across the US, EMEA and APAC.
Contracts and Service Level Agreements (SLAs)
The final impact and recommendation is around cloud service provider contracts and SLAs. As with any commercial agreement, there will be contracts, master service agreements and the SLAs within them to understand and contract to.
Many CSPs, especially the hyperscale providers, can be extremely rigid with their SLAs, and can be very inflexible when asked to change them. Where do they stand on different aspects of compliance? Are they able to share their certifications and attestations? How flexible are they with their SLAs on subjects such as availability? Will they pay out service credits if service is not available according to the SLA?
In a previous blog article, we’ve discussed how iland delivers a 100 percent availability guarantee backed by service credits, and how we use the features of a VMware-based cloud platform to achieve this, with cloud-to-cloud DR for additional resiliency.
To summarize, with security risks and compliance regulations only increasing, along with the adoption of cloud services, it’s important to understand shared responsibility with regards to cloud security. Striking the right balance between relinquishing and maintaining control in the cloud will enable your business to securely leverage the many benefits of cloud services.
*Gartner, “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,” Steve Riley, 21 March 2017.