The Notorious 9: Is Your Data Secure in the Cloud?
http://www.bcsprosoft.com
• Cloud Recap
• What’s keeping you up at night (aka “The Notorious Nine”)
• How Cloud publishers are securing your data
• With security in mind, why would you move to the cloud?
• Questions to ask Cloud publishers
• Q&A
• 27+ Years Experience
• 1,500 Clients across all 50 States, Canada, and Mexico
• Offices in San Antonio, Houston, Denver, Honolulu
• Award-winning partners with
• Cloud computing…
– The word "cloud" is used as a metaphor for "the Internet".
– Cloud computing is the process of outsourcing IT services, such as servers, storage and applications, to a shared platform accessed via the Internet.
– End users access cloud-based applications through a web browser or a lightweight desktop or mobile app, while the business software and data are stored on servers at a remote location.
– Services are provided as a utility, most often on a subscription basis.
– Saves money and energy, because the vendor, rather than the organization, maintains the infrastructure and applications that run in the cloud environment.
[Figure: service-model diagram with columns On Premise, IaaS, PaaS and SaaS; each column stacks the layers Storage, Servers, Networking, O/S, Middleware, Virtualization, Runtime, Data and Applications, each marked "You manage" or "Managed by vendor".]
• All resources managed by the end-user organization.
• Everything is private and controlled.
[Figure: On Premise column of the service-model diagram; every layer from Storage through Applications is marked "You manage".]
[Figure: On Premise and IaaS columns of the service-model diagram; layers are marked "You manage" or "Managed by vendor".]
• Virtual infrastructure
• Virtual desktop
• Backup and recovery
• Managed cloud security
[Figure: On Premise, IaaS and PaaS columns of the service-model diagram; layers are marked "You manage" or "Managed by vendor".]
[Figure: On Premise, IaaS, PaaS and SaaS columns of the service-model diagram; in the SaaS column every layer is "Managed by vendor".]
• Multi-Tenant – A single instance of the software runs on a server, serving multiple client organizations (tenants).
• Single Tenant – A physical or virtual machine is exclusively dedicated to a single client, i.e. the software is not shared with multiple customers. This is more expensive for a vendor to set up and maintain.
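In a multi-tenant system, all customers' rows share one database and are separated only by a tenant column, so the data-access layer has to enforce that separation on every query. The block below is an added example, not code from this presentation or from BCS ProSoft: it builds a constructed SQLite table holding two tenants' invoices (table and column names are assumptions) and a tenant-scoped repository that stamps the authenticated tenant onto every statement, shown beside the weak unscoped lookup that leaks across tenants.

```python
import sqlite3

# Constructed sample schema: invoices for several tenants live in ONE table,
# separated only by the tenant_id column (the multi-tenant model above).
SCHEMA = """
CREATE TABLE invoices (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    customer  TEXT    NOT NULL,
    amount    REAL    NOT NULL
);
"""

# Constructed data: two tenants sharing the same table.
SAMPLE_ROWS = [
    ("acme", "Wile E.", 120.0),
    ("acme", "Road Runner", 75.5),
    ("globex", "Hank Scorpio", 9000.0),
]


class TenantScope:
    """Data-access layer that never runs a query without a tenant filter.

    The tenant comes from the authenticated session, never from a request
    parameter, and every statement carries `tenant_id = ?`.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self.conn = conn
        self.tenant_id = tenant_id

    def list_invoices(self):
        cur = self.conn.execute(
            "SELECT id, customer, amount FROM invoices "
            "WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        )
        return cur.fetchall()

    def get_invoice(self, invoice_id: int):
        # The tenant filter is ANDed with the id: an id guessed from another
        # tenant yields no row instead of leaking it.
        cur = self.conn.execute(
            "SELECT id, customer, amount FROM invoices "
            "WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        )
        return cur.fetchone()

    def update_amount(self, invoice_id: int, amount: float) -> int:
        cur = self.conn.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount  # 0 means nothing matched: wrong tenant or bad id


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def unscoped_lookup(conn: sqlite3.Connection, invoice_id: int):
    """The weak pattern: the id alone is trusted, so any caller reads any row."""
    return conn.execute(
        "SELECT id, customer, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def demo() -> dict:
    """Run the scoped and unscoped access paths as tenant 'acme'."""
    conn = build_db()
    acme = TenantScope(conn, "acme")
    results = {
        "acme_rows": len(acme.list_invoices()),                        # 2
        "acme_reads_globex_scoped": acme.get_invoice(3),               # None
        "acme_reads_globex_unscoped": unscoped_lookup(conn, 3) is not None,
        "acme_updates_globex": acme.update_amount(3, 1.0),             # 0 rows
    }
    # Confirm globex's row survived the blocked cross-tenant update.
    results["globex_amount"] = TenantScope(conn, "globex").get_invoice(3)[2]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```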
Cloud Computing Threats in 2013
Source: Cloud Security Alliance, "Cloud Computing Top Threats in 2013"
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
1. An organization's sensitive internal data falls into the hands of competitors.
2. The Problem: Permanent loss of data due to malicious attack or accidental deletion.
3. Unauthorized access gained through phishing, fraud, and exploitation of software vulnerabilities.
4. Cloud computing providers expose a set of software interfaces (APIs) that customers use to manage and interact with cloud services. Lack of (or inadequate) security on these interfaces opens the possibility of unauthorized access.
5. Denial-of-Service attacks are meant to prevent users of a cloud service from being able to access their data and/or applications by forcing the victim cloud service to consume inordinate amounts of finite system resources.
6. A current or former employee, contractor, etc. with authorized access misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of company data.
7. Using the power of distributed cloud services to perform compute-intensive tasks that were formerly not feasible from a single computer.
8. Organizations are adopting cloud applications without understanding the risks and/or the readiness of the cloud vendor to provide adequate security.
9. Poorly designed cloud applications can introduce cross-entity vulnerabilities, where a flaw in the shared platform exposes more than one tenant.
• Perhaps not!
– Is your staff properly trained?
– Are your servers really secure?
– Do you have adequate backups?
– What about natural disasters?
• Your data security is only as good as your system manager and your weakest user!
• American Institute of Certified Public Accountants (AICPA)
– SSAE 16 (supersedes SAS 70)
• International Federation of Accountants (IFAC)
– ISAE 3402 (Type 1 or Type 2)
• PCI Security Standards Council
– PCI DSS
• US Department of Commerce
– US-EU Safe Harbor
• 24/7-365 Monitoring
• Continuous Monitoring with Intrusion Detection Systems (IDS)
• Separation of Duties
• Strong Management of Physical Access
• Fully Guarded Premises
• Continuous Data Center Performance Audits
Data center tiers (Tier 1 through Tier 4; each higher tier builds on the one below it):
• Tier 1: Non-redundant capacity components
• Tier 2: Redundant capacity components
• Tier 3: Dual-powered equipment and multiple uplinks
• Tier 4: All components are fully fault-tolerant, including uplinks, storage, chillers, HVAC systems, servers, etc. Everything is dual-powered.
• Tier 1: Guaranteeing 99.671% availability
• Tier 2: Guaranteeing 99.741% availability
• Tier 3: Guaranteeing 99.982% availability
• Tier 4: Guaranteeing 99.995% availability
• Reduced internal IT infrastructure
• Backup & redundancy in the Cloud
• Predictable monthly costs
• Low/no cost upgrades – always running the latest version
• Anywhere, anytime access, on ANY device, i.e. everything through a browser
• No/limited install of local files & programs
Ongoing Costs – On-Premises Software
• Apply fixes, patches, upgrades
• Downtime
• Performance tuning
• Rewrite customizations
• Rewrite integrations
• Upgrade dependent applications
• Ongoing burden on IT
• Maintain/upgrade hardware
• Maintain/upgrade network
• Maintain/upgrade security
• Maintain/upgrade database
• Training

Ongoing Costs – Cloud Computing
• Subscription fee
• Training
• Configuration
Typical IT Budget Allocation
[Chart: 91% Maintenance (current), 66% on old versions, 9% Innovation]
The Result? VERSION-LOCK
1. Improved Business Agility
2. Generate an Attractive ROI
3. Accelerate Time to Value
4. Jump Start Innovation Programs
5. Elasticity and Scale
• What encryption mechanisms do you use for customers’ data?
• In how many locations do you store customer data?
• What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
• How is your data center physically protected?
• Which of your employees have access to customers’ data?
• How do you authenticate users?
• How precisely can you specify the degree of access that individual users have to data?
• How many and what types of security breaches have you experienced in the last 12 months? If you had any, what were they? What new protections have you put into place?
• What disaster recovery protections do you have in place?
• What are your security scenarios? Why should I trust you?
• What tracking, reporting, and auditing capabilities do you offer?
• Do you comply with all relevant government and industry laws and regulations?
• What Security Certifications do you hold? Can you provide me with copies?
• What happens to data when you “delete” it? Is it actually wiped out?
• What happens if we decide we want to discontinue using your services?
• Who owns the rights to the data?
• Complete the Questionnaire
• I’ll send you more detail:
– The Notorious Nine from the Cloud Security Alliance
– What to Look for in a Service Level Agreement (SLA)
Contact Information
Email: Clark.Haley@bcsprosoft.com
Phone: (800) 882-6705
LinkedIn: www.linkedin.com/in/clarkhaley
Editor's Notes

  • #2: Course Synopsis:
  • #3: In a moment, I’m going to ask you to introduce yourself and I’m going to ask you to tell me what you are hoping to get from attending this meeting. Before we get into Security in the cloud, I thought it would be useful to do a little review of some of the terms associated with Cloud Computing today. Next we’ll talk about the “Notorious Nine” security issues and what you SHOULD be worried about. Don’t panic! There is hope, and once we understand the concerns, we’ll discuss how top publishers are addressing these security issues. Once you understand the good and the bad of cloud computing, we’ll provide you with some tools to decide who you can trust to partner with in the cloud. Finally, we’ll end this session with Q&A. Before we begin, let’s do a bit of housekeeping. This is a “No Spin Zone.” There isn’t any blue or red in the room, which means that I’m going to present the facts without a slant one way or the other – and you’ll decide how you feel about the cloud. Restrooms. Time check. Questions before we begin?
  • #4: Ha! I was doing this presentation a few days ago in San Antonio and one of the attendees stopped me and said, “What decade was THAT picture taken in?” And I had to admit, it wasn’t even taken in this CENTURY! We all have different visions of ourselves and the people around us. This is how my kids see me. And this is how my wife sees me. And this is how our staff sees me. And, well, this is how I see me.
  • #5: As the founder of BCS ProSoft, I wear many hats and fill different roles – and I always STRIVE to be the best at what I do, which is to help businesses meet their potential through the intelligent use of technology. I’m here before you today because I believe the Cloud offers you as business owners and managers a set of tools that has the potential to revolutionize your business. My job today is to help you understand what is possible in the cloud and to give you confidence that your business can be run securely and efficiently in the cloud. So enough about me… now it’s your turn…
  • #6: Please provide your name, company, and what you’re HOPING to get from your time here today.
  • #7: BCS ProSoft is a leading ERP software reseller with offices in Texas, Colorado, and Hawaii. We have well over 1,500 clients throughout the US and Canada and we’ve been successful through the last 27+ years because we work hard for our customers and while we may make a mistake or two along the way, we do what we say we’re going to do – we deliver as promised. Our customers are the reason for our success. We represent several different accounting/business management products – some are in the cloud and others are not. We believe there is no one single product that is perfect for all.
  • #8: So let’s take a few minutes to define some of the terms that are thrown around today with regard to the internet. Cloud Computing – a metaphor for “The Internet”, but it’s really more than that. Think of Cloud Computing as a process of outsourcing IT services on a subscription (rental) basis.
  • #9: When you move applications to the “Cloud,” they are technically available from any device that has access to the internet, via Wifi or Wireless – tablet, smart phone, PC, or Laptop. I say “Technically Available” because usability issues with some legacy products may preclude them from being accessible on today’s mobile devices. Applications have to be smart enough to understand what device is accessing it and tailor the output for that device.
  • #10: We really need to better define what is pushed to the Cloud and how that correlates to what you are currently doing today. We classify the outsourcing to the cloud three ways: IaaS – Infrastructure as a Service; PaaS – Platform as a Service; SaaS – Software as a Service. Let’s talk about each of these in a bit more detail.
  • #11: Most likely, you are currently accessing your critical business systems in an “On Premise” model. In other words, you have one or more servers located at your office that store all your programs and data. These servers are networked to the PCs in the office so that everyone has access. You are totally responsible for the care and maintenance of the servers as well as for securing and backing up your data. In most organizations, this is the most vulnerable method of business systems delivery.
  • #12: Infrastructure as a Service is the most basic of services. Think of this as having your server hosted by a 3rd-party service. Vendors gain ECONOMIES OF SCALE by employing virtualization to lower the cost of maintaining multiple servers. In San Antonio, we have Rackspace.
  • #13: Platform as a Service takes on more responsibility for the infrastructure in that the database is also managed by the vendor. Think of this as a set of building blocks provided by a 3rd party, and you are responsible for building what you want IN THEIR SANDBOX. MS Azure, Google App Engine, etc.
  • #14: So finally we come to Software as a Service, in which the vendor manages all aspects of your business management systems. Servers, data, backup, and applications are all managed by the vendor.
  • #15: This brings us to how the data is stored in the cloud. You have probably heard the term “Multi-Tenant” when talking about SaaS software. Multi-Tenant is a single database that serves multiple organizations. Single Tenant is when a vendor sets up a physical or virtual machine for every client. The results are generally the same, but the Multi-Tenant solution is much less expensive for the vendor to maintain because: updates only have to be performed once on the single database; maintenance is performed on a single database. Multi-Tenant offers a potential security issue, however, because data from multiple companies resides in a single, large database. Database design and security are critical factors in providing highly secure systems.
  • #16: I’m going to spend the next 30 minutes or so scaring the cloud out of you – but don’t worry, I’ll bring you back off the ledge before we’re done today, I promise! Any time you expose your business or personal data via a cloud application, you are potentially opening yourself up to loss of data or loss of access to your data. It is wise for you to understand your areas of vulnerability so that you can plan to overcome them.
  • #17: According to the Cloud Security Alliance, a recent study (February 2013) indicates that the unprecedented pace of cloud computing adoption in business and government has created new security challenges. Recognizing both the promise of cloud computing and the risks associated with it is good business. Ultimately, you are still responsible for the security of your systems and data – whether on premise or in the cloud.
  • #18: To identify top threats, the Cloud Security Alliance has conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. According to the survey, the top security threats are: Data Breaches, Data Loss, Account Hijacking, Insecure APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, and Shared Technology Issues. It is important to remember that this list is compiled from the responses to a 2013 CSA survey and does not represent every possible vulnerability. (Lawyer disclaimer…)
  • #19: Data falling into the wrong hands has been an executive nightmare since the beginning of commerce. The advent of networked computers has amplified the danger. There are multiple ways for data breaches to occur, including the extraction of private cryptographic keys, and in a poorly designed multitenant cloud service database, if one account is breached, all accounts are vulnerable. Today, data breaches are achieved through sophisticated operations and, depending on the nature of the data, certain organizations may be targeted directly by foreign governments and/or nefarious organizations. Sound familiar?
  • #20: For both consumers and businesses, the prospect of permanently losing one’s data is terrifying. Malicious attack is a real threat in which someone gains access to your data and performs a data wipe. Malicious attackers are not the only cause of data loss. Accidental deletion by your cloud service provider or catastrophic loss by tornado, flood, etc. are real possibilities.
  • #21: Account or Service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. The most common causes of hijacking: (1) using the same password across multiple systems, (2) using passwords that are too simple (e.g. 1234 or password), and (3) responding to phishing emails that look like “official” requests for information. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities/transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
  • #22: In order to provide good integration between multiple, disparate systems, cloud developers provide access to their data using a set of software interfaces, generally called APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. But it gets worse. Many cloud publishers rely heavily on multiple third party vendors to fill the gaps in the base software by providing add-on applications that interface via these APIs. This policy introduces a new level of complexity in a layered API. As more vendors become involved, risk increases because the cloud publisher must relinquish control of their credentials to multiple third party vendors.
  • #23: Denial of Service is like being caught in rush-hour traffic with no way to get to your destination and nothing you can do about it except sit and wait. Most of us have dealt with slow network connections from time to time, but Denial of Service (DoS) is caused by malicious programs that force the victim cloud service to consume system resources beyond what the service can supply.
  • #24: A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive data, and a disgruntled employee with malicious intent can wreak havoc on a company's business system before anyone even realizes it. In the old Unix days, we used to kid about performing a command line function, “rm -r”, which, if executed, wipes the disk of all files and folders, including the boot sector of the drive. 5 key strokes and you’re down for the count!!
BTW, this is an even greater risk in an on-premise implementation because the system is more easily accessed and most firms don’t have multi-day backups.
  • #25: It might take an attacker years to crack an encryption key using his own limited hardware, but using an array of cloud servers, he might be able to crack it in minutes. Alternately, he might use that array of cloud servers to stage a DDoS (distributed denial of service) attack, serve malware, or distribute pirated software. This is really more of an issue for cloud service providers than cloud consumers, but it does raise a number of serious implications for those providers. How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again?
  • #26: An organization that rushes to adopt cloud technologies subjects itself to a number of issues. Contractual issues arise over obligations of liability, response, or transparency by creating mismatched expectations between the cloud provider and the customer. In addition, pushing applications that are dependent on “internal” network level security controls to the cloud is dangerous when those controls disappear or do not match the customer’s expectation. Finally, unknown operational and architectural issues arise when designers and architects unfamiliar with cloud technologies are designing applications being pushed to the cloud.
  • #27: Improperly designed applications (whether in IaaS, PaaS, or SaaS models) can expose customers to possible data loss or data breaches. This vulnerability is dangerous because it can potentially affect an entire cloud at once, taking everyone down with it.
  • #28: Some organizations probably have the resources to build out and maintain a security plan that covers all contingencies, but I doubt most small businesses have the expertise or money to provide the level of security provided by the established cloud software providers. Your employees pose the largest threat to your data: Betty clicks on a cat video and brings your network to a crawl. Todd is a disgruntled employee and when he’s leaving he wipes out your ERP data. Samantha brings a thumb drive to the office with pictures of her grandbaby and you end up with a crippling virus that brings you down for days while a hired expert works to remove the virus from your servers and workstations.
Most companies don’t have adequate backups of their programs and data. At least once each year we get a call from a customer that needs to restore data, only to discover that their backup software hasn’t been working for months. And what about natural disasters? Last year, we had a customer in NJ that lost their data, even though they thought they were being smart. They had multiple, off-site backups – but the office where the server was located AND the homes where the backup tapes were stored all flooded. They lost everything!
  • #29: The Notorious 9 is not a new concept. It is well known to the most prominent cloud publishers and they have designed their software, built server farms, and implemented security procedures to overcome these and dozens of other potential security risks. Does it mean that your data is secure in the cloud? Not really, but in almost all cases, your data would be more secure in the cloud than sitting on your servers in your office.
  • #30: There is no LAW that requires that a cloud publisher meet any specific standard when it comes to security and infrastructure, but the players want to make sure they are following the best practices set out by various independent organizations like the AICPA, IFAC, and the US Department of Commerce. These organizations provide auditing services and certification designed to help publishers ensure they are doing everything they possibly can in order to secure your data.
SSAE 16 – ensures that the service provider meets a set of standards that ensures the ability to fully audit their capabilities. It DOES NOT set any standards of compliance for security; it just ensures that they have the controls in place to perform a full audit.
ISAE 3402 Type 1 – the auditor will express an opinion on whether the service organization's description of controls is suitably designed to achieve control objectives.
ISAE 3402 Type 2 – the auditor has performed tests and the controls were found to be operating with sufficient effectiveness to reasonably assure that control objectives were achieved.
PCI DSS – Security related to credit card security via computer-based information systems. Vendors that have passed PCI DSS scrutiny have allowed their software to be tested by a third-party participant.
US-EU Safe Harbor – Privacy standard set by the EU for non-EU countries. Self-regulation/enforcement with backing of rules/regulations provided by the Dept. of Commerce.
  • #31: 24/7-365 – You would think this would go without saying, but we had a client recently that needed to restore a file and the cloud vendor didn’t have anyone available to assist. The employees were all at a company retreat (the bar?)!
Intrusion Detection Monitoring is a science unto itself. A cloud provider must continuously monitor for malicious attempts to access data and/or inappropriately use system resources. The folks that are managing the servers shouldn’t be the same people that are monitoring the security systems. They must be independent of each other and answer to different authorities. This precludes any one person from having full access to the system.
Management of the physical facilities is critical as well. A strong security policy includes a hardened facility with strict rules for entry to the facility. For example, using sophisticated bio-security systems, single-person portals, perimeter monitoring by armed guards and cameras, etc.
Continuous performance auditing is imperative. A cloud vendor should be able to provide current industry certifications and describe how they continuously monitor for compliance.
  • #32: When someone tells you they are a Tier 1 data center, it is important to understand what they’re talking about. The difference between a Tier 1 and a Tier 4 data center is the amount of redundancy that is built into the physical systems. Tier 1 may be adequate, but it’s certainly not the best! A Tier 4 data center will be the most secure and provide the best up-time guarantee.
  • #33: You may think that anything over 99% is good enough – and that may be true. Redundancy also means your data is less likely to be damaged or lost.
  • #35: There are some great reasons that business is moving to the cloud: reliability, security, and scalability.
  • #37: But there’s another, more sinister cost associated with on-premise implementations. It’s called “Version Lock.”
91% of all IT budgets are focused on maintaining the status quo and only 9% is allocated towards innovation. The result? 66% of all customers running on-premise business management systems are on OLD VERSIONS of the software. Why is this important? Because companies that don’t stay current on their software will get locked into the “OLD WAY” of doing business and won’t innovate. But it gets worse – after 4-6 years of being locked into an old version of the software, the cost of upgrading is as much as or more than the cost of changing systems entirely, so many business owners/managers opt to change entire systems. Businesses running on cloud products are automatically updated as new versions become available – it’s part of the fee. Plus, since vendors need to keep you on the current version, they have to make training available so that you’ll know what’s new in the software.
  • #38: Here are the top 5 reasons business owners are turning to the cloud to solve their business issues.
Improved Business Agility – Create, deploy, and manage business-critical applications quickly. Let’s say, for example, that you get a new contract that requires you to hire an additional 20 employees. If your business systems are deployed on premise, you will have to upgrade or possibly replace your current hardware/software systems. This is time consuming and expensive. If you are implemented in the cloud, it is a simple phone call to add the additional users. Plus, when the project is over, the money spent upgrading the on-premise systems is a sunk cost that cannot be recovered or reduced.
Generate an Attractive ROI – When comparing the cost of on-premise vs. cloud, you have to consider the cost of purchasing, maintaining, and upgrading hardware over time. You must also calculate the potential cost of downtime due to various hardware failures (virus, drive failures, natural disasters, etc.). There are also various labor costs that must be included in the analysis, such as the cost of managing upgrades, backups, etc.
Accelerate Time to Value – Time is money and putting your business systems on the cloud is FAST. On-premise implementations require the creation of infrastructure, and that takes time and money.
Jump Start Innovation Programs – Once your business systems are implemented in the cloud, it is easy to provision a “Sandbox” to test new processes before going live.
Elasticity and Scale – One of the key promises of cloud computing is limitless capacity. This elasticity and scalability are key factors in allowing small businesses to compete against the big boys. As your business expands, you don’t have to rely on IT staff and DBAs to give you the tools you need to grow.
  • #40: There are a host of security and licensing issues to think about when considering a partnership with a Cloud provider. As a lay user, you may not understand the significance of each of these questions and you may not be able to determine if the answer provided is totally adequate, but if they CAN’T answer these questions, or WON’T answer your questions, you know you have a problem.
  • #42: In most cases, a vendor should be willing/able to provide copies of Security Certifications – and those certs deal with most of the questions on the previous slide; however, you need to ask a couple of questions, specifically: What happens to data when you “Delete” it? Is it actually wiped out? – It should be gone and non-retrievable within a backup cycle. You don’t want your data living out there to be discovered and misused in the future. Who Owns the Rights to Your Data? – You own your data and, should you choose to quit working with a cloud vendor, you should be allowed to take your data – in a form that can be imported elsewhere – with you. If they cannot provide you with that, then you shouldn’t be considering the vendor as a possible partner.
  • #43: Service Summary or Description
The service summary section usually appears in the introductory section of the SLA. It should always state the name of the provider and the name of the customer. This summary will enumerate the obligations that you, the customer, must fulfill in order to satisfy the SLA. For example, you may be asked to provide up-to-date contacts, network topologies and customer escalation paths. This section will usually list the support level (e.g., gold or platinum) you have purchased. The support level determines how fast the service provider will respond to your service requests, how many service requests you’re allowed per week or month, how often you will be notified during emergencies, and most important, what your general service availability guarantee is.
Hardware
Service providers host security services in a variety of ways. Some will install dedicated hardware at your site. Some will provide you with dedicated hardware, but it will sit in the provider’s own network operations center. And others will provide the security service through virtual domains that share, with other customers, the same physical hardware located (again) at the service provider's site. Regardless of the method used, the service provider should state clearly in the SLA how the service is to be provided. Once you’re sure of the hardware in use, you will be able to ask intelligent questions about hardware specification, performance, throughput, size, upgrades and so forth.
Software
Most service providers use products from name-brand companies such as Check Point, ISS, Cisco, and others. Other service providers will use open-source software such as Snort for IDS. It’s important to know what software will be used for the service you have purchased. Your company may have specific requirements, such as avoiding unsupported open-source software on any of your IT infrastructure. In that case, software such as Snort may be out and the service provider must use vendor-supported products. Knowing what software is used also allows you to better understand the relationship between the service provider and the software vendor. For instance, if your service provider is using Cisco PIX as the firewall software but there’s no CCIE on staff, that would certainly be a cause for concern.
Service Availability
The service availability section may be the section you're most familiar with. This section describes exactly what service level guarantee you will receive. One of the most critical service-level guarantees is uptime percentage. For example, 99.5% uptime means that your site can potentially be down for 216 minutes per month without any penalty for the service provider. If the service is down more than the guaranteed level, the service provider will compensate you for that period of time. It is critical to understand what the service provider considers to be downtime. For example, most service providers will not consider upgrades to constitute service downtime; therefore, you will not be compensated for those periods of unavailability. Other service-level guarantees the agreement may specify include how fast the service provider will respond to your service requests, how long upgrades will take, how fast service providers will detect and report problems, and so forth. Another critical consideration is how the service provider will be penalized if the service-level guarantee is not met. In most cases it simply means the service provider won’t bill you for that period of time.
Service Requests
SLAs generally provide for a number of standard service requests per month and a number of emergency service requests per month. Understanding when the service call will be considered an emergency request will allow you to properly plan for changes. For example, if the service provider considers any requests you want performed outside of standard business hours (8 a.m. to 5 p.m., Monday through Friday) to be emergency, and most of the changes you want fall outside of that time frame, you may have a problem. There are other things to consider when negotiating your service-request needs. Some service providers may limit the number of IT personnel from your company allowed to open service requests. Others may consider certain service requests to count as two requests. Some service providers may charge extra for certain service requests. Naturally, the list goes on.
Monitoring and Reporting
Network administrators can find it extremely frustrating if they’re unable to quickly perform troubleshooting when the network is unexpectedly down, or if they don't have the resources to quickly do forensic analysis when an incident is detected. These days, service providers are doing a much better job of providing reports to customers on bandwidth utilization, uptime analysis and log management. However, there’s still quite a bit of difference among service providers, and you'll need to ask a number of questions. For example, does your service provider offer the most up-to-date configuration online for your review? Will you receive daily, weekly or monthly reports based on your firewall, IDS or VPN logs? What about ad hoc or custom reports so you can perform troubleshooting or forensic analysis? And will you be assured of backups of all configurations?
Availability, responsiveness, quality and communication are important elements to consider for any service provider SLA. In the next four articles in this series, we will discuss each of the above sections in detail, including the specific considerations for each topic, why it matters, what you should expect and what the norms are among service providers.
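The uptime arithmetic in the Service Availability notes above, turned into a check a customer can run against their own outage records. This is an added example, not code from the presentation or any vendor; the outage records, the "unplanned"/"upgrade" categories and the 30-day billing month (which yields the 216-minute figure for 99.5%) are assumptions made for illustration.

```python
# Added example: SLA downtime-budget check. Not code from the presentation or
# any vendor; the outage records and SLA terms below are constructed.
from dataclasses import dataclass
from datetime import datetime

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 minutes in an assumed 30-day billing month


def allowed_downtime_minutes(uptime_pct: float,
                             minutes_in_month: int = MINUTES_PER_MONTH) -> float:
    """Downtime the guarantee tolerates per month: 99.5% of 30 days = 216 min."""
    if not 0.0 < uptime_pct <= 100.0:
        raise ValueError("uptime percentage must be in (0, 100]")
    return minutes_in_month * (100.0 - uptime_pct) / 100.0


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    kind: str  # "unplanned" or "upgrade" (constructed categories)

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0


def countable_downtime(outages, excluded_kinds=("upgrade",)) -> float:
    """Sum outage minutes, skipping kinds the SLA does not define as downtime
    (most providers exclude scheduled upgrades, so they earn no credit)."""
    return sum(o.minutes() for o in outages if o.kind not in excluded_kinds)


def excess_downtime(outages, uptime_pct,
                    minutes_in_month=MINUTES_PER_MONTH,
                    excluded_kinds=("upgrade",)) -> float:
    """Minutes beyond the budget; positive means the guarantee was missed and
    the provider should not bill for that period."""
    used = countable_downtime(outages, excluded_kinds)
    return max(0.0, used - allowed_downtime_minutes(uptime_pct, minutes_in_month))


def sla_breached(outages, uptime_pct, **kwargs) -> bool:
    return excess_downtime(outages, uptime_pct, **kwargs) > 0.0


# Constructed outage records for one month (not real incidents).
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 2, 1, 0), datetime(2024, 3, 2, 2, 30), "unplanned"),     # 90 min
    Outage(datetime(2024, 3, 10, 22, 0), datetime(2024, 3, 11, 1, 0), "upgrade"),     # 180 min
    Outage(datetime(2024, 3, 20, 14, 0), datetime(2024, 3, 20, 16, 30), "unplanned"),  # 150 min
]

if __name__ == "__main__":
    budget = allowed_downtime_minutes(99.5)
    print(f"budget {budget:.0f} min, counted {countable_downtime(SAMPLE_OUTAGES):.0f} min,"
          f" breached={sla_breached(SAMPLE_OUTAGES, 99.5)}")
    # Counting the upgrade window too gives 420 min: the SLA's definition of
    # downtime changes the answer, which is why the notes say to read it closely.
    print("all outages:", countable_downtime(SAMPLE_OUTAGES, excluded_kinds=()))
```

Against these records a 99.5% guarantee is missed by 24 minutes once only unplanned outages count, while a 99.0% guarantee (432 minutes) is not.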