Reaching for the Cloud: A Contemporary Infosec Perspective

Wednesday, March 21, 2012

Hani Banayoti


Reaching for the Cloud: A Contemporary Information Security Perspective


Whether we like it or not Cloud technology will significantly touch every aspect of business and personal information technology over the next 5 years.

A study conducted by IBM Institute for Business Value predicts that Cloud adoption shall double between 2012 and 2015 (ref: “The power of cloud” ). The question is no longer about if but when.

Accordingly all businesses or organisations that crucially rely on information technology and processing would be well advised if they begun their forward reformation of their security mission sooner rather than later.

Cloud computing brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, personal digital assistant (PDA) or other device. It is likely that, at some point, any device that can access the Internet will be able to run a cloud-based application.

Application services are available independent of the user’s devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. Users will not have to worry about storage capacity, compatibility or other similar concerns.

From a technical standpoint, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client.

The commoditisation of the overall infrastructure and related services allows organisations to focus time and resources on mission critical tasks. More importantly, cloud computing provides flexible sourcing; should business environments change, organisations can adapt their infrastructure accordingly. This flexibility can also be used for testing new services or running low priority business applications such as collaboration applications for employees, consultants and suppliers.

Whilst one of the significant challenges facing cloud computing is security, the cloud computing paradigm provides positive advantages in offering security services that hold the prospect of improving the overall security of some organizations. The biggest beneficiaries are likely to be organizations that have limited numbers of information technology and security specialists, and ones where the key business focus is not directly related to technology or cultivating technology expertise.

Also, data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur. Many organizations have already made the transition to support access to organizational data from mobile devices to improve workflow management and gain other operational efficiencies.

Bite-size pointers about a modern security approach for surviving the Cloud transformation.

  1. Know your information assets landscape; This will help you with optimising the investment the information architecture technology as well as apply balanced security controls.

  2. Profile your information assets; Depending on the business culture you are dealing with, you should categorise information assets according to their sensitivity and value. Don't follow complex, unworkable, manual approaches often witnessed in govermental agencies. That does not work for everyone nor is it a pragmatic way of managing information through its lifecycle. The ability to consistently classify information at all points in its life cycle and across the entire IT infrastructure is critical. If the information cannot be classified correctly then it will not be able to be managed appropriately. Static classification of information by the information owner is not workable in today’s global environment and so consistent automation is also required.

  3. Navigate through the legal and regulatory challenges; Identify the legal requirements/challenges that may constrain cloud adoption. For example, in some cases certain jurisidctions will have specific legal requirements about the transfer and exchange of personal information which may preclude some information being ported onto certain Cloud providers, ie ones that do not allow you to determine the physical and logical locations of their data hosting facilities.

  4. Have a sober and balanced view of security risks; Identify the business risks associated with information security breaches. Not in itself a new concept but you should review it in the new light of a Cloud hosting model. The threat landscape is bound to be quite different.

  5. Start with the right foundations; Do any spring cleaning necessary before embarking on any IT transformation endeavour. e.g. consolidate identity directories, review and augment relevant IT aspects where required, such as help-desk, support, user management porcesses, access-control-policies/models, etc.

  6. Plan for success; Lay a security approach that invokes the engagement and support of key stake holders and takes account of:

  • Business objectives and Business-Decision-Makers;

  • Business risk appetite;

  • Security culture;

  • Enterprise technology architecture;

  • IT service management processes.

You won't succeed without closely integrating with all the above business aspects/functions.

  1. Set a lasting and strategic security architecture; Develop a technical security architecture that will serve the business and security objectives. Consider the following:

  2. "Use universal open technical standards wherever possible to avoid, product/vendor lock-in and dependability."
  3. "Get the technical framework as flexible and as forward looking as possible."
  4. "Perhpas contrary to traditional thinking, it is advisable to innovate and develop your own simple point solutions where necessary. It is important to be able to fill in any gaps, in the overall solution, in situations where there are no commercial products. It will be cheaper and far more effective. Enterprise technology product vendors will continue to play catch up for some time still until they are able to come up with new products that are “Cloud ready”."
  5. "Get the Identity and Access Management (IAM) and provisioning solution as appropriate as possible for your organisation. It will serve you well later, save you money and enable better scalability, security and interoperability later on."
    • "At the centre of this, is the need to establish and formalise an appropriate access control model. Start at the conceptual level by understanding your current access requirements and business objectives and then build a conceptual skeleton access model before beginning to consider the underlying technical infrastructure and detail."
    • "All current indicators would suggest that a classic, simple and static access control model will no longer be sufficient. Requirements are rapidly changing where existing Identity and Access Management (IAM) technologies and procedures focus on abilities to restrict access, organisations are more challenged with the need to share information and to collaborate across organisational borders in a secure manner. Where existing IAM infrastructures offer a static and coarse-grained set of access configurations, business processes demand a more dynamic and fine-grained approach. Organisations need to adopt dynamic atribute-based-access-control models which take account of the user context, the end-point context and the information sensitivity context. Access should be provided dynamically dependent on those three parameters and not just be a static policy. This will ultimately enable a far more powerful capability to share and collaborate internally as well as business partners and 3rd parties."
  6. "Conduct some prior testing and proof-of-concept studies with technology vendors and service providers to ascertain technical capabilities that meet the requirements. This is important because many products are emerging in this field with little track record or proof of interoperability. Not only will it save you money and pain it will enable you to understand the limits of the current technology, potential future trends, and enable forward planning and well placed investments."
  7. Harmonise with the business; Forget the old formulas about following specific 'best practice' or security old school which dictates blocking everything and show-stopping the business aspirations.

    • "Operate much closer with the Business Decision Makers, IT Leads and Enterprise Architects and share their vision and aspirations to drive and innovate things in a positive directions - otherwise you have no hope in fulfilling the security promise."
  8. Be mindful of technology consumerisation concepts; Take account of Bring-Your-Own-Device considerations from a personal privacy, legal jurisdiction, robust acceptable-use-policies as well as operational service management.

  9. Take human factors into account; Engage Human-Factors studies to analyse and forecast how the transformation may affect the business and the user experience in order to identify any security weaknesses that may arise due to unexpected user behaviours.

  10. Move at a comfortable and calculated pace; Begin the transformation with small chunks and avoid big bang change where possible. This will enable gradual and manageable change projects as well as user acclimatization and lesson learning along the journey.

  11. Be innovative with security awareness; Find new approaches to delivering ongoing security awareness. Relying on internal overstreched and in-experienced staff may not be the best way. It may be more effective to adopt awareness capability from external, open and credible sources via the web. The aim is not to suffocate and cram the end-user with information and then assume they will retain the knowledge going forwards. They have to be constantly reminded with simple messages and topical issues which they can relate to without being patronised. External credible sources of security awareness can deliver just that with hugely informative and relevant material that is constantly being updated and refreshed. You want your user communities to autonomously reach out for security awareness because of their own sense of responsibility.

Final Thoughts

Insight, creativity and ability to positively interact with a broad cross-section of the business are the new precious tools required in the modern security professionals' tool box. No more one-size fits all and dated “best-practice”.

Much needed also is a re-education of the legal and regulatory bodies to help them meaningfully adjust and update their standards and good practice frameworks to match the modern IT landscape.

Go as far as challenge existing legal and regulatory precepts if they seem nonsensical or short-sighted. It is likely that legal and regulatory landscape out of pace with the latest technology landscape.

Security based on an inspector mentality is no longer useful nor value adding to any business or organisation. Each environment is likely to have its own idiosyncrasies and it is not useful to measure or found each one with the same security stick.

We need to entrust organisational information security to professionals who not only know about the fundamental security principles and technologies but to those that are able to understand, empathise and support the business vision and goals in order to influence and contribute positively to the business and its ongoing information security challenge.

Table 1: Summary of the changing perspective

  • Limiting and restricting access according to dated policing and need-to-know principles
  • Fostering collaboration and sharing to drive better agility, innovation, economics and efficiencies in business activities.
  • Tactical data/information management; Or totally unmanaged.
  • Coherent enterprise-wide strategy to data management based on simple workable models incorporating more automation techniques.
  • Localised attention to legal/regulatory, risk and governance of information-life-cycle.
  • Continually evolving Global perspective on legal/regulatory, risk and governance of information life-cycle with direct influence on the information management strategy and underlying technology choices.
  • Information Security as a silo discipline out of synergy with the business.
  • Information Security as a discipline that is predominantly driven by innovative professionals engaged across the enterprise with an insightful and vibrant business spirit; Less policy and compliance mentality.
  • One-dimensional, static Identity & Access Management models
  • Multi-dimensional Identity & Access Management models with control dynamically based on resource and user context and multiplicity of attributes.
  • Corporate controlled and provisioned end-user devices.
  • Bring-your-own-device that can be subjected to adequate control without violating personal privacy.
  • Technology-centric security design
  • Human/Technology-centric security design
  • Teacher/student security awareness approach.
  • Motivating the end-user to embrace secure practices.
  • Perception that information security is best provided within the organisation's perimeter or through restricted information exchange channels.
  • Realisation that an external IT landscape that is profoundly interconnected and founded on robust open standards can still afford adequate security to information and foster secure information sharing without moving or losing control of data.

Author: Hani Banayoti

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Risk Management Web Application Security Cloud Computing Outsourcing Vendor Management Managed Services Information Security Risk Appetite
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.