Security considerations in a Hybrid Cloud environment
The past few years the use of cloud has taken a flight: not only do we use cloud backup for our personal phones and email accounts, but business applications are part of the atmosphere as well. And with great reason: users are now used to the model that you can have a fully fletched CRM or ERP system within the timespan of minutes after registering your credit card details (instead of a implementation process that involves system integrators and therefore takes months).
But the most heard argument against moving towards cloud models in the enterprise are security and privacy. The idea that another organization might be in control of information and computing power can be a big doomsday scenario for organizations. And those scary thoughts are often enough to kill cloud proposals altogether.
There are various considerations to take into account when it comes to security in a cloud environment. Let’s explore those.
Various models of clouds
Before we begin we must define the various models of clouds. Therefore we need to look at the Cloud Service and Cloud Deployment models that are most often used. In this article we will not look at how you deploy cloud, but we will introduce the semantics a bit.
Roughly said there are three Cloud Service Models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). For example: in the Oracle Public Cloud proposition (cloud.oracle.com) there are IaaS solutions for Storage and Computing, PaaS solutions for Database, Java and Big Data (amongst others) and SaaS solutions for Customer Experience, Human Capital Management and Enterprise Resource Planning (amongst others).
In general there are four types of Cloud Deployment models: Private, Public, Community and Hybrid. A Private Cloud is cloud infrastructure operated solely for a single organization. A cloud is considered ‘Public’ when the services can be used by multiple organizations (this does not have to mean that the services are free). A Community Cloud is when a specific community with common concerns shares the cloud infrastructure. And then there are all kinds of various combination of the above which we call the Hybrid Cloud.
All cloud models – being either SaaS, PaaS or IaaS and either Private, Public, Community or Hybrid – are built along the notion of multi-tenancy. Consider the cloud environment as an apartment building where multiple tenants reside. All of these tenants consider their own apartment as their own private home, yet they share essential parts of the building: the foundation, plumbing and electric wiring. There’s even a shared superintendent to do the maintenance. In this way the rent can stay low, while having all of the necessary services that you need for your home.
Most cloud models are also aligned with the ‘pay-per-use’ model: you only pay what you use. This, combined with the flexibility of the technology laying underneath, gives organizations the ability to expand (or scale down) the services that they need as they go.
- Parts of the business are supported by SaaS. For example: an organization is using a SaaS CRM application for Costumer Management and want to integrate this information with its on premise ERP systems.
- Parts of business applications are supported by PaaS. For example: an organization uses a Database as a Service for the information of its main back office system.
- Parts of a business’ deployment are supported in the cloud. For example: when starting a project, a PaaS environment is configured so the project can take a very quick start.
Security Challenges in a Multi-Tenant Environment
The multi-tenancy aspect of all cloud models creates some security challenges of its own. Let’s keep in the metaphor of the apartment building. When you are a tenant of an apartment, you share common front door and all keys of all tenants will fits the front door lock. Yet you won’t want that your neighbors key fits your apartment doors lock. That should be obvious. Of course this also counts for multi-tenancy in the cloud and therefore you will need some sort of key-management.
And when the other tenants, or their house guests, (intentionally or unintentionally) find their way into your home, you don’t want them to find anything they can benefit from. In the cloud you have to make sure your information is encrypted, so uninvited guests cannot use or misuse your information.
Another thing is (although maybe not so technical in nature) is that, as a tenant, you don’t want that your neighbors know exactly what you do: you want your privacy. There’s a threat in that: you don’t know what your neighbors are doing either. When they are bootlegging alcohol in their kitchen their might be a great risk of fire that will threat the entire building. So your home might be at risk. This is the same for multi-tenancy in the cloud; you want your privacy, but you don’t want another organization to jeopardize the continuance of your services.
Not knowing your neighbors and what they do in their apartment also implicates another challenge: think about the legal and marketing consequences if your Cloud Service Provider also (unintentionally) hosts various illegal activities. What if your cloud storage provider gets associated with illegal activities; what will your costumers think of your company?
The Top Cloud Security Threats
A 2013 study by the Cloud Security Alliance shows the Top 9 in Cloud Security Threads. The study (which can be found here) shows what threats are generally found to have the largest severity for organizations working (wholly or partly) in the cloud.
1. Data Breaches
Think about it: your organizations’ information falling into the hands of your competitors. Not knowing exactly who is managing the infrastructure of your cloud provider, and not knowing exactly who your co-tenants are, imposes a larger threat in the cloud than in usual infrastructures. If a multi-tenant cloud solution isn’t designed properly, an attack on one of your co-tenants not only threatens their data, but yours as well.
2. Data Loss
The complete loss of data is a terrifying idea. Think about it: you run a CRM application in the cloud, and from one moment to another all information on your customers, ongoing sales cycles and all invoices are lost. This can mean bankruptcy for your organization. When all your information is encrypted, so secure data breaches, and you lose your encryption key, all your data can be considered lost as well.
3. Account or Service Traffic Hijacking
Eavesdropping on your account in a SaaS application, or even on the traffic between your on-premise applications and a SaaS solution can be very profitable for criminals or professional competitors. If your IaaS environment credentials get compromised they can be used to run malicious software such as botnets. Compromising your information in the process, or simply do harm in your name.
4. Insecure Interfaces and API’s
In the past security of cloud interfaces and API’s wasn’t key. Either the Cloud Service Provider didn’t think about it, or customers of those services didn’t implement the security options as they were supposed to. Either way: not securing the interfaces between your on-premise landscape and your Cloud Services can have enormous consequences.
5. Denial of Service
When your organization is relying on Cloud Services for their critical business processes, the service has to be available. Therefore one of the most realistic ways to compromise your business is for ill intenders to attack the Cloud Services that you rely on. Distributed Denial of Service (DDoS) attacks are more and more common, but not the only way to create a Denial of Service attack. Even an attack on an attractive co-tenant can create a situation where your business goes into shutdown.
6. Malicious Insiders
While we know our own personnel, we don’t know the administrators (and others) working at our Cloud Service Providers. Getting to your information or making sure that the services that you rely on don’t work can be much easier trough personnel of the Cloud Service Provider.
7. Abuse of Cloud Services
In this article I mentioned it before: what if one of your co-tenants does something that doesn’t affect you directly, but does implicate wrongdoing on your behalf. IaaS services are more than once rented to carry out attacks. Relying on Cloud Services that are associated malicious activities can have a heavy impact on your image to the outside world and therefore your clientele. Cloud Services can become contagious in this way.
8. Insufficient Due Diligence
Jumping to the cloud to reduce costs and implementation time can be a very attractive sight for most managers. But don’t be too hasty: new risks occur and your organization cannot always scale these risks for the organization properly. Good insight can be provided using Risk Analyses and Auditing.
9. Shared Technology
One of the reasons for cost reduction and the scalability of Cloud Services, is shared technology. But this also imposes new threats: a single vulnerability or misconfiguration of one of those technological components immediately affects all tenants of the service
Security Considerations in a Cloud Environment
Within a Cloud Environment there are various controls to be considered. We grouped them in Organizational (or Procedural) Considerations and Architectural (or Technical) Considerations.
Organizational or Procedural Considerations can be seen as controls that you can take in agreements with your Cloud Service Provider. The basis is that you need to select the Cloud Service Provider that suits your needs, not just the cheapest.
How trivial this may sound, geographical locations can be essential to consider. And not (only) because of technical and performance requirements. Due to the great variety in legislation around the globe, you really need to look into this. For example: due to the (renewed) European privacy legislation it might not be a great idea to place privacy sensitive information with a Cloud Service Provider that places the information in an infrastructure outside the European Union. Especially for this purpose Oracle created an European datacenter in Amsterdam to host its European clientele.
2. Contractual agreements
When heavily depending on someone else’s services for the continuance of your own organization isn’t a small step. Therefore you need to define essentials in a contractual agreement. This is to legally bind your Cloud Service Provider to the requirements that you have. Think about two things in particular:
Who has which responsibility in a particular situation? In an agreement you can define the role of your organization and your Cloud Service Provider in case of emergencies and other situations.
Define who has ownership of the information and the services surrounding them. Especially with free or cheap Cloud Services this is often a debatable situation. Many of those Cloud Service Providers use the ownership of your information for marketing or sales purposes.
3. Security Certification
Make sure your Cloud Service Provider has the appropriate Security Certification. The provider must be able to show their tenants that they take security serious.
4. Independent Auditing & Risk Assessment
In addition to the security certification, make sure that auditing on these certifications is done by an independent auditing organization. Some cloud providers use their own consulting firm to do the auditing (NB: this is not the case with the Oracle Cloud). Also: make sure that you reserve the right to audit when relying heavily on a Cloud Service Provider. In this way you can always make sure the provider matches the requirements taken in the contractual agreements. You don’t necessarily have to plan these audits, but keep the possibility open when in doubt.
5. Screening of personnel
Make sure that screening of personnel is part of the security certification of the Cloud Service Provider. There are cases known where Cloud Service Providers outsourced parts of the maintenance to subcontractors. Not necessarily a bad thing, but it can be when they contract to mal intended personnel.
Architectural or Technological considerations are the technical controls that we can take in a Cloud Environment to create a safer and more controlled solution. Most professional Cloud Service Providers offer these architectural controls, but you need to utilize them yourself.
1. Identity Management : When living in an apartment building you want all tenants to be known and identified. Same is in a Cloud Environment. It is key that all tenants have their own identity and that the life cycle of those identities is well managed.
2. Authentication and Authorization: In addition to Identity Management Authentication and Authorization is key. Preferably in a more complex way that simply with a username and password. Especially system-to-system connections it is key that strong authentication is used.
3. Segmentation: All Cloud Services need some form of segmentation: a way to keep tenants apart from each other. Look into the ways this is done with your provider and make sure you follow these guidelines.
4. Encryption and Encryption Key Management: Your data is yours. So make sure it stays that way. Therefore you need to make sure the information that is stored with your Cloud Service Provider is encrypted properly. One of the most important aspects of this is the ownership and management of the Encryption Keys – when you live in an apartment building you don’t leave the keys to your apartment lying around.
5. Monitoring: Monitoring activity, traffic and usage can be done by your Cloud Service Provider. Make sure you have clear agreement on actions taken when noticing strange behavior; this can be added to the agreements you concur on. You want pro-active monitoring so the Cloud Service Provider can anticipate earlier on (foreseeable) events, not only react when things already go wrong.
6. Hardening: Make sure your Cloud Service Provider has a clear hardening process and explains what they need you to do. These processes are probably part of the information security certifications that your Cloud Service Provider has, but please make sure that it is.
The most used argument against moving towards a Cloud Environment, even (or especially) a hybrid cloud, is security. But when you understand the considerations that need to be taken into account, you can create a great environment with added flexibility for your organization.
The most important notion here is that you need to do Risk Analysis to know where the risks for your organization are. But there are definitely measures to be taken.
Cloud Service Providers are getting more and more mature. The Oracle Cloud is – at least in security considerations – a very mature and advanced proposition. Oracle has taken extremely deep measures to make sure they qualify on standardized information security certifications and industry specific guidelines. But how secure the Cloud environment is, is completely up to your own organization. You still have to utilize all the possibilities the proposition offers.
** The original article was posted by Oracle Ace Douwe Pieter Van Den Bos in one of his blog. All views expressed in above article are Douwe person opinion.
BrightStar is an Oracle Consulting house specializing in Oracle Fusion Apps, Oracle EBS R12 & EPM/BI. Kindly visit http://www.bslion.in to know more about us.