SafeNet

Home » The Art of Data Protection » Securing Private Clouds: Security Controls for Each Stage of the Cloud Evolution

As discussed before, private clouds do offer better control over your data, but there are still security risks that need to be addressed. Depending on which stage or type of private cloud you are using, these security controls can look a lot like public cloud controls, or more like a traditional datacenter. The following are some thoughts on making some incremental security changes along the cloud evolutionary path.

New Security Issues Incremental Security Controls Comments
Virtualized Data Center Beyond the issues of scalability and consistency of host security, patch management, and configuration management, hypervisor security should be considered and is often overlooked. The integrity and security of the hypervisor itself and the possible use of it as a breach vector need to be considered. Most organizations are probably using the security APIs built in VMware for host security. Organizations should ensure there is a patch management process for the hypervisor. Hypervisor’s should be configured with best practices and with guidance coming out of standards bodies like NIST. While not completely solved, most organizations are well down the path of doing this well. Larger organizations will deploy some of the security controls of the next models to mitigate their larger risks.
On-Site Private Clouds The amount of automation requires that cloud management platforms be secured. These deployments tend to be larger in the first place, and hypervisor security must be considered more critically given the larger scope of a potential breach. Internal hypervisor administrator control with respect to rogue/disgruntled employees and admin spearphishing as a results of APT attacks should be considered. Organizations should segment their networks and hypervisors according to PCI Virtualization Guidelines (V.G.). It’s easier to do it at this stage and is a simple way to mitigate risk when everything around the hypervisor is being automated. Organizations should implementvirtual instance encryptionconsistent with PCI V.G. to prevent risk of dormant images.Multi-Factor Authenticationshould be added for cloud administrators to reduce risks posed by rogue administrators and spearphishing. Most of the security concerns revolve around shoring up your hypervisors and reducing risks should they be breached. There are additional monitoring you may want to consider giving the amount of automation that happens here and should be built into the cloud management platform you’re building.
Virtual Private Cloud Hypervisors will typically be deployed by the cloud provider and stringent controls should be in place to ensure security. Organizations should look for the cloud provider to deploy controls consistent with those listed in the model above. Additional data isolation techniques should be deployed in case your “private container” within the cloud provider should be breached. Contracts with cloud providers should include definition of controls, some liability responsibility to keep the provider motivated, and security and process certifications to ensure proper handling of your data. Virtual storage encryption should be added with instance encryption to secure stored cloud data.Data encryption at the workflow level (application, database, etc.) should be considered as a risk mitigation technique, consistent with PCI V.G. Data isolation and data leakage issues become more of a focus at this stage. Ensuring your cloud provider is doing the right thing and minimizing the impact if they don’t are of primary importance.
Public Cloud Everything is on the table here. Beyond what we’ve covered here, additional authentication requirements and monitor should be considered given the public nature of this deployment. Multi-Factor Authenticationat the end user level should be considered given the recent spearphishing incidents. To some degree this is easiest model as it is the worst case scenario and the one just about everyone is trying to solve. Stick with the pack- follow the guidelines as they emerge (CSA, PCI, NIST, etc.) and best practices of your peer organizations.

While this is not an exhaustive list, it at least gives some food for thought about some decisions you can make along the way to securing a public cloud via the private cloud.

This entry was posted in Cloud and tagged , , , by SafeNet. Bookmark the permalink.

Recent Tweets