There’s lots of confusion about the security of using public cloud computing. I hear questions about data security at rest, security in transit, and how secret a provider must keep stored data whenever I speak at a conference or teach a class.
The US government also hears these questions, both from inside and outside the government. The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, is typically responsible for issuing security guidance and has helped to create and publish guidelines on operating system hardening and secure data processing.
NIST answers many of the public cloud security questions with Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing. Published in December 2011, this 80 page report is comprehensive in both defining cloud computing and providing guidelines for using it in a secure and private manner.
80 pages is a bit of a long read. What you need to know about SP 800-144 is best thought of in five areas of general concern. I summarize those areas as policies and practices, weak security technologies, weak availability technologies, different security expectations, and my personal favorite, attenuation of expertise. These topics will each be the focus of future articles, but an initial summary shows you where NIST’s concerns are.
As you read these, you might notice that NIST has broken the concerns down into my three favorite categories for security topics: people, process, and technology. This is intentional, as you can use the same categories for virtually any security analysis or countermeasure plan.
As any IT professional who has been through an audit can tell you, process documentation and adherence are often the weak point of IT. Most IT organizations are at least moderately weak in this area. Public cloud providers are, at their core, IT organizations who should document and conform to policies and practices. When these policies fail to meet or exceed your existing IT policies, they become the weak point in your security infrastructure.
As an example, your IT group probably has a policy that administrators use a non-administrator login credential when checking email and surfing the web. (Note: If you don’t have this policy, stop reading and create it!) If the public cloud provider doesn’t have such a policy, or has it but does not conform to it, the provider is introducing an exploitable weakness to your assets.
The use of insufficient technical security controls (NIST uses the term sureties) by public cloud providers is another concern. This includes security technologies in every aspect of cloud computing, including networking, data storage, and data processing. Poor encryption algorithms used to secure VPN access and low-strength cryptographic keys used to secure SSL communications are good examples – both technologies provide great security when properly implemented, but are very easy to implement improperly. Because most public cloud service providers are not security-centric companies, the likelihood of this happening is high enough to warrant concern.
An attack that blocks your access to data and services can be devastating. Public cloud service providers are generally good about core availability services such as regular backups and redundant drive arrays. But many cannot prevent unexpected downtime due to denial of service attacks or natural disasters.
Many public cloud providers state that their services are secure. They claim their data centers meet various standards for physical security, that their operating systems and services are regularly updated, etc. Those are great things, but only if they meet your minimum security requirements. For example, your group might apply critical security patches within 48 hours, but the public cloud provider restricts all patches to the monthly maintenance window.
It may seem obvious that your IT staff no longer needs to have expertise in services and technologies that are outsourced to cloud service providers. That results in a huge personnel cost saving for the organization. It also results in a less skilled IT staff. Fewer skills required for jobs and less training means you must place more trust on the expertise of the cloud service provider. And, with few exceptions, the provider is not required to maintain expertise. So they may also reduce expert-level staff over time. This “race to the bottom” eventually results in the inability to understand and implement new security technologies, to respond to zero-day threats, and other vulnerabilities.
Not all of these are concerns for every cloud computing deployment, and some overlap depending on the service and technology. But you should remain aware that these areas of concern exist and are common across organizations, and consider each whenever examining a public cloud service provider.
To view the complete 80 page Guidelines on Security and Privacy in Public Cloud Computing, click here: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
If you have comments on this article please join Mike on twitter @mikedancissp.