Cloud Security: An Oxymoron?

Written by Torsten George, Vice President of Worldwide Marketing at Agiliance


Cloud computing represents today’s big innovation trend in the information technology (IT) space. Because it allows organizations to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at organizations of all sizes.


However, the 2012 Global State of Information Security Survey, which was conducted by PwC US in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that uncertainty about the ability of cloud service providers’ security policies is still a major inhibitor to cloud computing. More than 30 percent of respondents identified their company’s uncertain ability to enforce their cloud providers’ security policies as the greatest security threat from cloud computing. With this in mind, is cloud security even achievable or just an oxymoron?


In their eagerness to adopt cloud platforms and applications, organizations are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud – a credit card and a few keystrokes is all that is required – combined with service level agreements provides a false sense of security.


However, shortcomings in the cloud providers’ security strategy can trickle down to the organizations that leverage their services. Damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.


Cloud Computing Vs. Cloud Security


A naturally risk-adverse group, IT professionals are facing a strong executive push to harness the obvious advantages of the cloud (greater mobility, flexibility, and savings), while continuing to protect their organization against new threats that appear as a result.


For organizations planning to transition their IT environment to the cloud, it is imperative to be cognizant of often overlooked issues such as loss of control and lack of transparency. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well-defined. This leaves organizations in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.


Whether organizations plan usage of public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own – especially if it potentially impacts your performance and valuation?


Most recent cyber attacks and associated data breaches of Google and Epsilon (a leading marketing services firm) are prime examples of why organizations need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.


Enabling Cloud Security


With most organizations beyond debating whether or not to embrace the cloud model, IT professionals should now re-focus their resources on managing the move to the cloud so that the risks are mitigated appropriately.


When transitioning your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.


As part of a Cloud Readiness Assessment, organizations should evaluate potential cloud service models and providers. Organizations should insist that the cloud service providers grant visibility into security processes and controls to ensure confidentiality, integrity, and availability of data. It is important not only to rely on certifications (e.g., SAS 70), but more importantly document security practices (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan), compliance posture, and ability to generate dynamic and detailed compliance reports that can be used by the provider, auditors, and an organization’s internal resources.


Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option.


Following the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, organizations should not stop with the initial Cloud Risk Assessment, but continuously monitor the cloud operations to evaluate the associated risks.


A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization’s cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.


If at all possible and accepted by the cloud service provider, organizations should consider leveraging monitoring services or security risk management software that achieves


  • Continuous compliance monitoring.
  • Segregation and virtualization provisioning management.
  • Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM.
  • Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus.


Automated technology, which allows a risk-based approach and continuous monitoring for compliance would be suitable for organizations seeking to protect and manage their data in the cloud.


Many cloud service providers might be opposed to such measures, but the increasing number of cyber security attacks and associated data breaches are offering great incentives to offer these capabilities to their clients not only as a sign of establishing trust, but also as a competitive advantage.

Cloud Security Considerations

Can a cloud be as secure as a traditional network?  In a word, yes!  I agree that some may find this statement surprising.  Depending on the network, that may be a low bar, but good security principles and approaches are just as applicable to cloud environments as they are to traditional network environments.  However, the key is to know how to extend a multi-layered defense into the cloud/virtualization layer.


One of the cloud security benefits frequently mentioned is standardization and hardening of VM images.  This can help reduce complexity and ensure that all systems start from a good security posture.  Also, it helps enable a rapid response to fix identified issues.  Some people claim that complexity, or the diversity, of different systems in a traditional network environment is a security benefit because a single vulnerability is not capable of compromising all systems. However, the reality is it is usually more difficult to manage the disparate systems because of the tools and expert resources required to maintain them.


Hardening is not only for VMs.  It has to be extended throughout the cloud environment to include the hypervisor, management interfaces, and all other virtual components, such as network devices.  This requires some time and expertise in understanding how to control functionality without losing productivity.  If you ask your service provider or internal team about hardening the virtualization layer and you get blank stares back, you may have a problem.  Also, you should not accept the default statement that “the hypervisor is essentially a hardened O/S” as a complete answer.  Securing the virtualization layer is one of the new and key areas to providing protection for cloud environments.


Strong authentication and authorization methods are critical to address, since this is an often neglected area in traditional networks.  It is important to do it right.  It is worth noting that the Verizon 2011 Data Breach Investigative Report cites “exploitation of default or guessable credentials” and “use of stolen login credentials” as some of the most used hacking attacks.  Whether a private or public cloud environment, there needs to be a solid layer of protection from unauthorized access.  Two-factor authentication is a must for remote and administrative access; it is a best practice to require two-factor authentication throughout the virtualized environment, wherever it is practicable.


Encryption should be utilized for both data in-transit, as well as data–at-rest.  In addition to providing confidentiality and integrity, encryption plays a critical role in protecting data that is in environment where it may not be able to be destroyed by normal methods.  Once encrypted data is no longer needed, the encryption key for that data set can be destroyed. However, this requires that the organization retain and manage the encryption keys and not the service provider.


Encryption is also being used in innovative ways to create an isolated environment within a cloud.  This can be used to extend security and compliance controls from an organization’s traditional network into a cloud.  This can help overcome barriers to cloud security by enabling enterprises to run selected applications and maintain data in the cloud with the same protection and control available internally.



Clouds, like a traditional network environments, require careful security planning, design, and operations.  The various types our clouds and delivery models will have varying degrees of security and flexibility, some with the ability to layer in additional levels of security controls.  This is why it is important to have a firm understanding of security and compliance requirements prior to moving to the cloud.


It is fortunate that good security practices are applicable to the cloud.  However, the virtualization layer is a new area – one that requires specialized attention understanding and proficient when it comes to implementing security controls.  Hardening, access control, and encryption are three primary areas of focus in building a multi-layered defense in cloud environments.  Clouds can meet security and compliance requirements, but only if essential security practices are applied throughout them.


About the Author

Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.

Leveraging Managed Cloud Services to Meet Cloud Compliance Challenges

By Allen Allison


Regardless of your industry, customer base, or product, it is highly likely that you face regulatory compliance requirements.  If you handle Protected Health Information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) – along with the HITECH enhancements – are a primary concern for your organization.  If you work with government agencies, you may need to be compliant with the Federal Information Security Management Act (FISMA) or National Institute of Science and Technology (NIST) requirements.  In addition, most states have privacy laws protecting Personally Identifiable Information for residents.

It is a common misunderstanding that these regulatory compliance requirements preclude many organizations from being able to leverage outsourced, managed cloud services.  Depending on the cloud services provider you choose, you may not only be able to meet your existing compliance concerns, but the cloud provider is likely to have controls and processes that improve your compliance program.

When HIPAA was enhanced by the Health Information Technology for Economic and Clinical Health (HITECH) Act, companies with PHI began to panic.  Not only were they expected to protect patient health information, but they had the added requirement of ensuring that third-party providers enabled the same stringent controls on the systems they support.  Furthermore, these organizations had the added responsibility of providing breach notification in the event of a loss of confidentiality.

If nothing else, HITECH gives us two things.  First, the heightened awareness of the sensitivity of each individual’s health information provides more enhanced security programs and assurance to the public that privacy is being protected.  Second, because no organization wants to be in the headlines for a security breach, HITECH spurs organizations to improve their information security, enhance their response services, and enable a platform to notify affected individuals if their information has been compromised.  I can, with all honesty, say that I do feel a bit more secure with my Protected Health Information.

I use HIPAA and HITECH as an example, not because it is the model information security regulation (it is not), but because it is a topic that everyone can relate to.  Similar security requirements stretch across most industries.  What HITECH has done for cloud service providers is enable them to build a common control platform, implement technologies that may be too expensive for some organizations to implement themselves, and leverage a world class security and compliance platform to ensure that the PHI, which is vital to the ongoing management of health care, remains secure, protected, and confidential.

When searching for a cloud provider, it is important to understand which controls the provider has built into the underlying platform are applicable to your compliance.  I recommend asking these three questions:

  1. How many customers in my industry do you have as a customer in your cloud platform?
  2. May I see your most recent SSAE 16 SOC report or other applicable audit?
  3. What is the development lifecycle process your team undergoes to build cloud services and the underlying platform?

With a complete understanding of how ingrained security is in a cloud service provider’s technology and processes, you can begin to understand how it will deal with your sensitive data.

I would like to point out one pitfall.  Not all compliance programs apply to a cloud service provider’s customers.  For example, the SSAE 16 program is of great benefit to customers of cloud service providers.  And customers to whom SSAE 16 extends can rely on the SOC report as part of their own internal controls and compliance.  On the other hand, a provider’s compliance with, for example, Safe Harbor does not extend to the customer; the customer must pursue Safe Harbor, separately.

You must remember, working with a reputable cloud service provider may be an excellent way to leverage expertise and processes you may not otherwise have in-house, and mitigate some risk by assigning responsibility to a 3rd party you can hold accountable to protect your data.  The cloud is rapidly becoming the hosting platform of choice for highly regulated industries because more organizations are leveraging the expertise of these pure information-centric service providers.


Allen Allison, Chief Security Officer at NaviSite (

During his 20+ year career in information security, Allen Allison has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform, chief engineer and developer for a market-leading managed security operations center; lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in systems programming, network infrastructure design/deployment, and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California, Irvine, Allison has lectured at universities and spoken at industry shows such as Interop, RSA Conference, Cloud Computing Expo, MIT Sloan CIO Symposium, and Citrix Synergy.


Cloud Security: Confident, Fearful, or Surprised

By Ken Biery


This two-part guest blog series explores the topic of cloud security.  Part one of the series focuses on the questions enterprise IT decision makers should ask when considering moving business applications to a cloud-based computing environment.



There is no shortage of information about cloud security. There are those that say cloud security is inherently more secure because of its ability to create and maintain a more hardened centralized environment.  Others claim, because of multi-tenancy, virtual systems and data will never be even modestly secure.


The big surprise about cloud security may be that there are not really any big surprises.  The good security practices that work in a traditional network also work for cloud-based IT.  The key is understanding how to apply security practices to a cloud environment and to develop a security strategy that uses known and sound security foundations to address various cloud environments.


A more secure cloud is the product of careful planning, design, and operations.  This begins with understanding the type of cloud (public, private, hybrid) that is being used and then its model, whether it be software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS.) These two factors will determine the type and amount of security controls needed and who is responsible for them.


Public and Private Clouds

Public clouds typically tend to have a limited number of security measures, providing a more open and flexible computing environment.  These clouds usually have a lower cost since their security features are basic.  While this may be perfectly acceptable for some circumstances, such as non-critical or non-sensitive environments, it will not usually meet the requirements of most enterprise users.


Public clouds also generate the most concern about using a shared virtualized environment.  These are mainly centered on how to properly segment systems and isolate processing resources.  Segmentation and isolation can be challenging to accomplish and measure, especially for an auditor or assessor looking at these primary security control areas.  Another factor is that many public cloud providers do not, or cannot, sufficiently support the types of controls required by enterprises to meet security and compliance requirements.


When considering a public cloud, it is important to ask the provider about their security measures, such as segmentation, firewalls/intrusion protection systems, monitoring, logging, access controls, and encryption.  Their responses and transparency about the details of their environment’s security measures speak volumes of what to expect.  Also, you may want to do some searches on the provider as they may have a reputation for harboring “bad neighborhoods”, which tend to host botnets or malware sites.


Private clouds can be internally hosted or located at a service providers’ facility.  For internally hosted clouds, just like traditional environments, the security design and controls can be highly customized and controlled by the organization.  If hosted at a service provider, the number of controls can vary considerably depending on the model selected.  This is not to say that a service provider cannot provide a good set of default and optional security controls.  Obviously, this is why having a good understanding of the provider’s cloud design and its features, as well as your own requirements, is crucial.


Multi-tenancy, Segmentation, and Isolation

Multi-tenancy is one of the major issues when it comes to security and compliance in the cloud.  In some cases, multi-tenancy may require that an environment’s controls be set to the lowest level to support the broadest set of requirements for the largest number of potential users.  One of the main concerns around multi-tenancy is that, due to the use of a shared resource pool of computing resources, one entity’s virtual machine (VM) could compromise another entity’s VM.  A lack of proper segmentation between the two entities’ environments could make this possible.


This lack of separation can also create compliance challenges for multi-tenancy environments.  Assessors and auditors are looking for sufficient controls to help prevent information leakage between virtual environment components.  Improperly configured hypervisors, management interfaces, and VMs have the potential to become a leading cause for non compliance and risk exposure.  In a traditional network, if a system is misconfigured, it can be compromised.  If a virtual environment is misconfigured, it can compromise all of the systems within it.


It is important to note that there has not been any major publically disclosed compromise of hypervisors.  However, it is only a matter of time.  The virtualization layer is too tantalizing of a target for hackers not to pursue aggressively.


One of the cleanest ways to show separation within a virtualized environment is to have VMs with compliance or higher security requirements run on dedicated physical hardware.  Yes, this is contrary to one of the benefits of cloud computing until the effort and cost of compliance and robust security is considered.  This approach can be easier to establish and maintain since only a smaller number of systems may need to have advanced protection.


Isolation needs to be performed at the operating system (O/S) layer and no two VM operating systems should be shared. Specifically, the rapid-access memory (RAM), processor and storage area network (SAN) resources should be logically separated, with no visibility to other client instances. From a network perspective, each entity is separated from the next by use of a private virtual local area network (VLAN.)


The second part of this blog series will explore the cloud security best practices that can be employed to create a multi-layered defense for cloud-based computing environments.


About the Author

Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.