- Evelyn de Souza, Senior Data Center Security Strategist, CISCO SYSTEMS, INC, says:
The National Institute of Standards and Technology (NIST)
has defined cloud computing as: “[a] model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources (for
example, networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or service
provider interaction.”
This shared pool of computing resources allows an
organization to use cloud services on an as-needed basis. Rather than having
internal servers capable of meeting peaks in demand, which then run at 20-30
percent capacity at other times, an organization can use cloud services at peak
times and/or when it needs extra computing capacity.
Ultimately, economics will compel a company to turn to cloud
services. At this point, however, many organizations share concerns about the
security of the cloud.
Society depends on a growing diversity of complex networks for its very
existence. As our global society continues to evolve, we create complex, networked
technologies – such as the cloud – to meet changing needs. Yet with the success
of cloud technologies, network security is challenged by threats such as
piracy, the malicious modification or substitution of technology, misuse of
intellectual property, and counterfeiting.
In the face of these threats, some organizations have
hesitated to move toward the cloud. By storing data in the cloud, key
components of the IT infrastructure are moved beyond the reach of internal IT
personnel. In addition, organizations with regulatory compliance issues, such
as those in the Payment Card Industry, may lose needed oversight of regulated data. Finally, many IT teams hold concerns that the
cloud infrastructure, to the extent that it is not monitored or maintained by
internal IT personnel, may be at greater risk of unavailability (e.g.,
downtime) and/or nefarious actors accessing and harming the infrastructure.
Building Trust into the Cloud
The very nature of cloud computing means that an IT
department – and by extension, the organization and end users – must trust that
the cloud service provider has secured the entire supply chain, from the
organization’s own vendors to the finished product. Without that level of
trust, IT administrators often fear that with computing systems no longer under
their control, they can’t attest that the infrastructure is running within
certain geographic bounds, or even that the hardware is running as it is
expected to.
These concerns can be satisfied by having trustworthy systems in
place. First, trustworthy systems can provide attestation or assurance that
workloads, services, and servers are running within certain geographic bounds.
Second, because malware is increasingly moving into the hardware layer and
tampering with routers, there is otherwise no way of assuring security when
services are running in the cloud; trustworthy systems principles can be used
to provide assurance, and not just point-in-time assurance, but continual
assurance or real-time attestation that services are operating securely.
The cloud development community must have comprehensive and
secure design principles and an understanding of secure coding practices. It
must perform vulnerability testing and threat modeling and ensure that extensive
product security requirements are met. These requirements create a framework
from which competing cloud developers can build trustworthy systems.
The Right Reputation
Trusting a system means trusting the technologies on which it
is built and the people who build those technologies. Due to past practices,
limited resources, government requirements, experience, or business
philosophies, not all vendors are qualified, willing, or able to develop
trustworthy systems.
Vendors with proven track records, innovative security
development, and the structure to support international security efforts in a
transparent manner are often the best qualified to build trustworthy systems.
When we choose a vendor for security and critical infrastructure, we often buy
based on its technical qualifications and reputation. Lately, the vendor’s
process and evolving security approach have become increasingly important
factors.
Trustworthy Cloud Provider Considerations
An organization should carefully vet prospective cloud
service providers to ensure that best security practices are being
followed. Elements to validate include:
- The cloud provider’s reputation regarding trustworthiness
- The degree of visibility and control
- The extent to which real-time assurance regarding security can be provided
Looking to the Future
Fundamentally, a lack of trust has been holding back
organizations from moving operations to the cloud more broadly. Thus, going
forward, cloud security must have a system to alleviate a potential customer’s
concerns regarding the lack of control over infrastructure and data. Simply
put, a customer needs the same level of trust in the cloud infrastructure as it
has behind the firewalls in its own enterprise.
For many,
cloud adoption offers far too many benefits to be put off forever. An organization interested in the cost
savings to be gained through cloud computing can employ the best practices
outlined above to vet the trustworthiness of a potential cloud partner.

This is a very encouraging article. Especially for those people who are planning to have and try cloud services.