Report ID: S7431013

Next

Monitoring Security In Cloud EnvironmentsThe use of cloud technology is booming, often offering the only way to

meet customers’, employees’ and partners’ rapidly rising requirements.

But IT pros are rightly nervous about a lack of visibility into the security of

data in the cloud. In this Dark Reading report, we put the risk in context

and offer recommendations for products and practices that can increase

insight — and enterprise security.

By Michael Cobb

R e p o r t s . I n f o r m a t i o nWe e k . c om M a r c h 2 0 1 5 $ 9 9

reports

Sponsored by:

Previous Next

reports.informationweek.com March 2015 2

CONT

ENTS

TABLE OF

3 Author’s Bio

4 Executive Summary

5 Monitoring Security in Cloud Environments

5 Figure 1: Biggest Cloud Concern: Security

6 Regaining Insight

6 Figure 2: Security Responsibilities in Cloud

Computing Environments

7 Monitoring a Dynamic Cloud Environment

8 Figure 3 : Data Security Life Cycle

9 Maximum Visibility, Maximum Security

9 Figure 4: Most Important Cloud Service

Capabilities

10 The Privilege Is All Mine

11 Cloud Data Will Be Unavailable

11 Don’t Lose Your Data in the Small Print

12 A Hybrid Cloud Strategy

12 Bring Your Own Cloud

13 A More Secure Environment

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s

reports.informationweek.com

Visit Dark Reading's website atdarkreading.com.

Find all of our reports at

reports

March 2015 3

Previous Next

© 2013 InformationWeek, Reproduction Prohibitedreports.informationweek.com

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s

Michael Cobb, CISSP-ISSAP, is 20-year veteran of IT security with a passion for making industry best practices easier to understand and implement. As an advisor on security controls and information-handling practices to companies and government agencies largeand small, Cobb has helped numerous organizations achieve ISO 27001 certification andsuccessfully migrate data and services to the cloud. Cobb has also worked with CESG, the information security arm of the United Kingdom’s GCHQ (Government CommunicationsHeadquarters), to promote security best practices in government. A renowned author and presenter, Cobb has written numerous technical articles and webcasts for leading ITpublications, as well as a book on IIS security. He also has been a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).

Michael CobbInformationWeek Reports

Table of Contents

FollowFollowFollowFollow

Want More?

Never Miss a Report!

reports

Follow

March 2015 4

Previous Next

One of the major reasons enterprises have been hesitant to embrace cloud computingtechnologies is a lack of visibility. Enterprises need ways to track their data as it travelsback and forth to the cloud, as well as a way to ensure that their data is safe in a sharedinfrastructure.

To benefit from cloud computing and minimize risks to your organization’s data, severalkey components are required: visibility across infrastructures and applications, isolationof critical services, and regularly audited automated processes for threat detection andmitigation. Working closely with cloud providers, administrators can deliver accountabil-ity and audit trails for data events in and out of the cloud so enterprises know exactlywhat is happening with their data. Cloud providers will have their own monitoring toolsto track the performance, continuity and security of all of the components that supportservice delivery, but organizations must invest in their own systems to monitor physical,virtual and cloud environments. Responsibility for security and monitoring of data criticalto daily business operations is ultimately your responsibility, not the provider’s.

In this Dark Reading report, we examine tools and practices that enterprises can use tomonitor the security of cloud environments and receive notifications when their datamight be at risk.

reports.informationweek.com

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s

EXECUTIVE

SUM

MAR

Y

Table of Contents

reports

March 2015 5

The cloud is no longer outlying technology.Indeed, any organization that isn’t using cloudcomputing technology is probably consider-ing it. The benefits can be enormous: flexible,on-demand access to superior resources —but only when and where needed — usuallywith lower unit costs and reduced complexity.But concerns over the security of data held inthe cloud remain a barrier to adoption.

According to research firm Forrester, recentrevelations about the National SecurityAgency’s PRISM surveillance program have in-creased cloud paranoia and fears about dataprivacy. An Insight Enterprises’ study of IT lead-ers carried out at the end of 2014 revealed thatmany businesses and organizations want toleverage the cloud, but most still lack trust incloud security. In addition, 53% of respondentsto KPMG’s 2014 Cloud Survey Report cited dataloss and privacy risk as the cloud’s most signifi-cant challenge (see Figure 1).

Security has lagged behind advances in othercloud features, even though numerous lawsand industry standards mandate the safeguard-

ing of information. Issues such as reliability, up-time and disaster recovery have seen significantimprovement, but initiatives to address moni-toring, auditing and corporate governance

have been less noticeable. For example, securitymonitoring is far less developed than opera-tional performance monitoring.

The perceived loss of visibility into events is

Previous Next

Data loss and privacy risks are the most challenging areas when adopting cloud.Biggest Cloud Concern: Security

Data loss and privacy risks

Risk of intellectual property theft

Impact on IT organization

Measuring on ROI

High cost of implementation

Legal and regulatory compliance

Integration with existing architecture

Lack of clarity of total cost of ownership

Data: 2014 KPMG Cloud Survey Report

S

53%

50%

49%

48%

48%

46%

46%

46%

reports.informationweek.com

Monitoring Security in Cloud Environments

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

Figure 1

reports

a resistance point for many administrators be-cause they can’t see what’s happening orwhether safeguards are working. Understand-ably, many administrators question how theycan achieve an adequate level of securitymonitoring for data in the cloud comparableto that of data stored on-premises when athird party owns the hardware and network.

Regaining InsightDespite these reservations, the pressure to

adopt some form of cloud computing tech-nology often becomes overwhelming. Giventhe exponential increase in data and thenumber and variety of connected users anddevices in use today, often the only way tomeet customers’, employees’ and partners’ ex-pectations of personalization and access toreal-time information is by harnessing cloudservices. A first step is to decide which type ofcloud environment best suits the organiza-tion’s security requirements and capabilities.To ensure that data is correctly protected incloud environments, organizations need tounderstand what data is going to be cloud-

based, how access to it can be monitored,what types of vulnerabilities exist and how todemonstrate that controls are in place tomeet regulatory obligations (see Figure 2).

Cloud computing can ease certain security is-sues while increasing others, but it will nevereliminate the need to follow traditional securityprinciples — data in the cloud still needs thesame treatment as that located on-premises(see Figure 3).

Classifying data assets is essential to know-

ing what level of security is required in thecloud, so it’s worth revisiting and updating se-curity policies so that they reflect changesmade to the existing infrastructure to incor-porate cloud technologies. For example, poli-cies that cover the following ISO 27001clauses should all be reviewed:

>> A.6.2.1: Identification of risks relatedto external parties

>> A.6.2.3: Addressing security inthird-party agreements

Previous Next

Security Responsibilities in Cloud Computing EnvironmentsMoving applications and data to a cloud environment can move some day-to-day security activities to the cloud vendor, but this requires a robust third-party management policy to define who is responsible for what.

Software-as-a-service (SaaS) Managed application/service where customers consume Basic security provided by cloud vendor. application resources as needed.

Platform-as-a-service (PaaS) Organization builds and manages its own custom Application and data security managed by applications on top of a platform provided by the cloud cloud customer. vendor.

Infrastructure-as-a-service (IaaS) Cloud vendor provides storage, network and other basic Cloud vendor protects infrastructure, but computing resources, while customers can deploy and operating system, applications and data are run software and the operating system of their choice. managed and secured by cloud customer.

Data: InformationWeek Reports S7431013/2

reports.informationweek.com

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

Figure 2

March 2015 6

reports

March 2015 7

Previous Next

>> A.7.2.1: Classification guidelines>> A.7.2.2: Information labeling and

handling>> A.8.1.1: Roles and responsibilities>> A.8.1.2: Screening>> A.8.3.3: Removal of access rights>> A.9.2.6: Secure disposal or reuse

of equipment>> A.10.1.3: Segregation of duties>> A.10.2.1: Service delivery>> A.10.2.2: Monitoring and review

of third-party services>> A.10.2.3: Managing changes to

third-party services>> A.10.10.1: Audit logging>> A.10.10.2: Monitoring system use>> A.10.10.3: Protection of log information>> A.10.10.4: Administrator and

operator logs>> A.10.10.5: Fault logging>> A.12.3.2: Key management>> A.14.1.13: Developing and

implementing continuity plans

Security fundamentals may not change

when data is moved to the cloud, but visibilityinto the network does. Monitoring will prob-ably represent the biggest challenge: adjust-ing to the changes in the boundaries of con-trol and the need to modify existing practices.The lack of security monitoring of assets thatthe enterprise has placed in the cloud iswhere most problems arise. Many organiza-tions believe that the loss of control that oc-curs when moving data assets to the cloudjust has to be accepted — that the benefitsand security provided by on-premises intru-sion-prevention systems, data loss prevention(DLP) tools, and security information andevent management (SIEM) tools have to stopat the corporate perimeter.

Monitoring a Dynamic CloudEnvironment

The outsourced nature of the cloud and theinherent loss of control that goes along withit means that extra efforts have to be made tocontinuously monitor access to both struc-tured and unstructured data to ensure pri-vacy and integrity. By security monitoring we

mean collecting and analyzing logs, as well assending alerts about security-related systemand application events so administratorsknow when something unexpected has hap-pened and can look back at past events — inshort, forensics. So how do you achieve thiswhen a server’s underlying hardware canchange over the course of the day?

Software-as-a-service (SaaS) vendors usuallyoffer monitoring as a fully managed serviceoption. FireHost, for example, provides real-time action-oriented reports every time a vul-nerability is detected. The service provideralso offers certified cloud infrastructure pack-ages that meet specific compliance require-ments, such as the Health Insurance Portabil-ity and Accountability Act (HIPAA) andPayment Card Industry Data Security Stan-dard (PCI DSS). Some cloud service providersmake SIEM data available for self-analysis.With Amazon Web Services, for example, it’spossible to collect logs and copy them backto an on-premises SIEM. This can provide aunified view of both cloud and on-premisesenvironments using tools familiar to network

Building a SecurityAnalytics Initiative

To identify sophisticated attacks,infosec teams must correlate ahuge range of data — from internal systems, threat intelli-gence services, cloud and net-work service providers, digitalforensics and attribution services, and others. One way to cope: big data tools and practices.

DownloadDownload

reports.informationweek.com

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

reports

administrators. Check first that your SIEM sys-tem is cloud-ready and can handle data thatmay be in different formats.

Some SIEM tools are able to make use of spe-cific SaaS APIs to collect logs from public cloudservices. Tools from IBM and HP ArcSight, for ex-ample, can collect and monitor logs and datafrom a wide range of sources to provide univer-sal log management. Events across multipleplatforms can be correlated to produce dash-board views and audit reports that combine in-ternal and cloud-based applications.

In platform-as-a-service (PaaS) environ-ments, customers have the option of in-stalling monitoring agents locally to pushtraffic and logs to an in-house server for pro-cessing. Be aware that in a multitenant envi-ronment, it may not be possible to rebootwhenever agents need installing or updating,and that there may be limitations on the in-stallation of software requiring certain privi-leges. In either case, network bandwidth, la-tency and data transfer costs can makesending every transaction to a remote serverfor analysis inefficient and may prevent timely

interruption of malicious activity. With thatsaid, performance can be improved using var-ious compression techniques.

An option for security monitoring assets in an

infrastructure-as-a-service (IaaS) environmentis to load a SIEM tool directly into the IaaS usinga distributed monitoring system where each in-stance in the cloud has a sensor or agent run-

Previous Next

When evaluating data security in the context of the cloud, the problems are far more similar to those with on-premises systems than they are different. There are differences, though, which necessitates a review of data security practices.

Data Security Life Cycle

Data: InformationWeek Reports S7431013/3

S

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

Figure 3

March 2015 8

reports

reports.informationweek.com

ning locally. There’s no high-bandwidth require-ment, and tools of choice can be deployed.However, the log storage costs in the cloud maybe substantial, and there’s no unified view ofon-premises and on-IaaS monitoring.

This type of system must have the ability tobe provisioned automatically on new serverswithout requiring time-consuming adminis-trator involvement. It should encrypt all trafficbetween the management console and sen-sors to limit exposure of sensitive data. Offer-ings such as CloudPassage’s Halo can providecontinuous security monitoring for any cloudenvironment using an agent that attaches tovirtual machines in a cloud or virtual infra-structure. Automated provisioning ensuresthat critical security controls are deployedacross all environments, while a REST API en-ables integration with tools such as vCloud.

Maximum Visibility, Maximum SecurityUnderstandably, business owners are as

concerned about the performance of theircloud-based applications as they are abouttheir security.

To assess and monitor pre- and post-cloudmigration business transaction service levels,the AppDynamics Cloud Application Manage-ment product graphs application dependen-cies to aid in planning communication and ar-

chitecture for cloud migration. Comprehensivetransaction volume, service level and through-put monitoring can pinpoint bottlenecks astransactions progress across distributed tiersand services. Code diagnostics can identify

Previous Next

Data security and privacy top the list of sought-after attributes when it comes to cloud adoption.Most Important Cloud Service Capabilities

Security

Data privacy

Cost/price

Functionality

Cost of ownership

Ease of integration into existing environment

Configurability

Additional services offered by provider

Data: 2014 KPMG Cloud Survey Report

82%

81%

78%

76%

74%

74%

74%

67%

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

Figure 4

March 2015 9

reports

reports.informationweek.com

March 2015 10

holdups in code execution, and the Agile Re-lease Comparison feature helps developers un-derstand the business impact of each release.

To optimize visibility, look for a monitoringsystem that centrally logs all activity and flagssuspicious events across all servers whereverthey reside. Also look for a product that hasthe ability to keep track of business transac-tions as they’re happening. A transaction in avirtualized environment can span multiple

physical servers as vir-tual machines spin upand down, so individ-ual server metrics aren’tas relevant as those fora transaction when itcomes to security. Busi-nesses developing theirown applications that

are to be hosted in the cloud should ensurethat their developers code key events to gen-erate log entries, particularly data-relatedevents, as required by auditors.

For organizations using third-party onlineservices, CipherCloud offers various informa-

tion-protection products tailored for particularindustries and cloud-based services, includingSalesforce, Chatter, Amazon Web Services,Gmail and Office 365. Security can be set on afield-by-field basis for structured and unstruc-tured data, and encryption keys always remainon-premises. This offers some protection fromunauthorized users trying to access data oncein the cloud or government agencies obtain-ing keys without the knowledge of the dataowners. Another so-called cloud-access secu-rity broker is Perspecsys. Its AppProtex CloudData Protection Gateway Server secures datain SaaS and PaaS provider applications by in-tercepting sensitive data while it is still on-premises and replacing it with a random tok-enized or encrypted value. This renders thedata meaningless should anyone outside ofthe company access it while it is beingprocessed or stored in the cloud.

Enterprises running big data environmentssuch as Hadoop or other hybrid variants ofphysical, virtual and cloud infrastructures willneed tools such as IBM’s Info Sphere Guardiumor Solutionary’s cloud-based ActiveGuard Se-

curity and Compliance platform. Both systemscan collect logs from virtually any device or ap-plication capable of producing log files in IaaS,PaaS and SaaS environments. Solutionary’sclients can also choose from service levels rang-ing from self-service to SIEM in the cloud, tofull-service, depending on individual customerneeds. Guardium not only provides virtualizeddatabase activity-monitoring capabilities, butalso database vulnerability assessments, dataredaction and data encryption. It also featuresautomatic discovery and classification of datain the cloud, an essential tool for ensuring thatany data that makes its way into the cloud iskept within compliance requirements.

The Privilege Is All MineMonitoring the activities of database and sys-

tem administrators is crucial in any environmentgiven the high-level privileges they’re grantedto carry out their duties. In a cloud environment,role-based monitoring takes on greater impor-tance because unknown personnel at unknownsites will have privileged access rights. Ensurethat your own staff monitors third-party activi-

Previous Next

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

Monitoring the activities of database

and system administrators is crucial

in any environment given the high-

level privileges they’re granted to

carry out their duties.

reports

reports.informationweek.com

March 2015 11

ties, particularly attempts to access high-valuedata assets such as credit card tables. Triggersthat can detect inappropriate database accesswithout relying solely on query analytics shouldbe in place. This is important because privilegedusers can create new views or insert stored pro-cedures that compromise information withoutthe SQL command necessarily looking suspi-cious. Separation of duties is another crucialcontrol that needs to be in place to preventabuse of privileges.

Vendors like Okta offer identity-and-access-management-as-a-service (IDaaS) solutionsthat can make authenticating and managingusers in the cloud a lot simpler and less proneto oversight by integrating with existing HRsystems. Look for services that offer identitygovernance and administration, single sign-on and authorization enforcement, with goodaudit capabilities.

Cloud Data Will Be UnavailableSooner or later, your cloud provider’s system

will go down. This is true when it comes tosmall cloud providers, and it’s true when

you’re dealing with big guys such as Google,Amazon and Microsoft. Data and applicationswon’t be accessible, and in some instancesdata may disappear for good. In 2014, high-profile services like Adobe’s Creative Cloudand Google’s Talk, Hangouts and Voice all suf-fered outages or slowed to a crawl as did Mi-crosoft’s Azure, Amazon Web Services andAOL’s email service.

Business continuity planning is always bestdone prior to a security event occurring. Stalepolicies and unprepared staff will undoubt-edly increase the severity of any securityevent. Check that the cloud provider’s owndisaster recovery and business continuityplans meet your requirements, and take intoaccount how its plans may affect your owncontinuity of operations and access to data.

Don’t Lose Your Data in the Small PrintConfusion over roles and responsibilities,

particularly if a crisis hits, will only make mat-ters worse. This is why a provider’s service-level agreement (SLA) needs to be examinedclosely. Roles and responsibility matrices are

an important part of your relationship. Lookto contractually specify which party is respon-sible for ensuring compliance with any rele-vant policies or standards so there are no sur-prises or misunderstandings about what’scovered. Post-contract monitoring and aright-to-audit clause are also important.

Don’t make the mistake of having the legalor procurement teams carry out pre-contractdue diligence without guidance from the ITteam, which will better appreciate the impli-cations of certain conditions and provisos. Inaddition to checking the business continuityand disaster recovery plans of any provideryou will be working with, examine and assessthe provider’s supply chain relationships anddependencies. Check also its security prac-tices and procedures, such as encryption ofdata at rest and in motion.

In addition, to avoid running afoul of dataprotection laws, you must know where yourdata will be located geographically. It may benecessary to segment data geographically byusing providers with a choice of internationalhosting facilities to keep sensitive data within

Previous Next

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

LikeLike TweetTweetTweet

ShareShare

Like This Report?

Share it!

reports

reports.informationweek.com

March 2015 12

specific jurisdictions and then move process-ing functions to the data (and not the otherway around).

Reviewing the provider’s security controls isas important as understanding the securitypackages that are available for your own pro-tection and monitoring. Many cloud vendorsrely on tools and systems from third-party part-ners to deliver best-of-breed security capabili-ties. Certainly check that clients and servers areconfigured to use cipher suites that providePerfect Forward Secrecy (PFS) so if a server’s pri-vate key is compromised, it can’t be used to de-crypt past communications.

The Cloud Security Alliance Security, Trust &Assurance Registry is a free, publicly accessi-ble registry of self-assessment reports submit-ted by various cloud providers that documentcompliance with CSA-published best prac-tices. Providers should be compliant withother important certifications, assessmentsand security frameworks, such as ISO 27001,Statement on Standards for Attestation En-gagements 16 (SSAE 16) and HITRUST.

Finally, your SLA should address what levels

of support are available. You need to makesure that the provider offers not only supportfor tackling critical issues, but also accessibleadvice you can tap into when building, man-aging and monitoring your infrastructure. Agood relationship with a provider that under-stands your data is invaluable.

A Hybrid Cloud StrategyEnterprises that aren’t yet ready to move all

their applications and data to a public cloudshould consider establishing a hybrid cloudstrategy. This will enable them to take advan-tage of cloud benefits where possible. Data se-curity requirements will determine where spe-cific processes and data types are best located:

>> Public cloud for maximum flexibility andefficiency

>> Private cloud for maximum control>> On-premises for compliance and privacy

Data in each environment can be syncedand monitored using tools such as Informat-ica’s Cloud, which features prebuilt connec-tors to on-premises and cloud-based applica-

tions, databases, flat files, file feeds and socialnetworks. Compliant with SSAE 16, ISO 27001,PCI DSS and Salesforce.com AppExchangecertifications, Informatica Cloud gives admin-istrators fine-grained access controls to deter-mine user and group-level permissions.RightScale provides a dashboard to manageaccess to and usage of public, private and hy-brid cloud resources, and server logs can bepushed to your own compliance systems if re-quired. Companies such as Software AG andMuleSoft also offer integration and connec-tion systems for hybrid infrastructures.

Bring Your Own CloudEnterprises aren’t the only ones making use

of cloud services, of course. Project teams willoften share documents using Google Docs,and many employees have their own Drop-box or Google Drive accounts and will happilyuse them to shift work files and documents tohome PCs or mobile devices. While mostly setup and used with good intentions, these per-sonal clouds represent a real threat to datacontrol and security, not to mention the

Previous Next

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

reports

reports.informationweek.com

March 2015 13

added risk of third-party monitoring and ac-cess. Although services like Google CloudStorage, SkyDrive, Dropbox and WindowsAzure have introduced or plan to introduceautomatic encryption for all data at rest andin transit, they still hold the encryption keys,so it's still possible that they can access dataor provide the keys to government agencieswho request them.

Acceptable-use policies for social media andother cloud services have to be in place, list-ing banned or restricted services and proce-dures for using those that are approved. Com-panies must ensure that such policies areactually being adhered to — monitoring em-ployee access and activity, with disciplinaryaction for noncompliance, is essential. DLPsystems will also be required to catch unin-tentional lapses. But beyond looking for andpunishing lapses, companies can deal withthe issue of personal clouds by offering em-ployees secure in-house alternatives. The ex-posure of PRISM teaches us that in-house en-cryption is far more preferable than usingunauthorized third-party services located

outside the company firewall.

A More Secure EnvironmentCloud computing does have the potential

to be more secure than traditional environ-ments, since delivering resilience and security24/7 is a provider’s main business. For exam-ple, most cloud providers are better placed tokeep services online while mitigating anddealing with denial-of-service attacks thatwould take out most enterprise defenses. Bestpractices for delivering reliability, accounta-bility, transparency and confidentiality incloud computing are still a work in progress,but progress is being made.

About the SponsorCloudPassage Halo is an agile security andcompliance platform that works in any cloudinfrastructure: public, private, hybrid or virtual-ized data center. We’re unique because theplatform moves comprehensive security to theworkload itself and is delivered as a service, soit’s on-demand, fast to deploy, fully automatedand works at any scale.

Previous

M o n i t o r i n g S e c u r i t y i n C l o u d E n v i r o n m e n t s Table of Contents

reports

reports.informationweek.com