Andrew Wild, CSO at Qualys, discusses how security postures and attitudes need to change as more and more IT functionality moves to the cloud
It’s clear there are many compelling reasons, both financial and productivity-related, for enterprises to move IT functionality into the cloud, so it’s not surprising that they’re moving quickly to adopt popular collaboration services like Box.net, Yammer, Jive, and the like. According to a recent study by business technology service provider Avanade, 74 percent of enterprises are using cloud computing, a 25 percent increase over results for the same survey in September 2009. Of those organizations yet to adopt cloud services, three-quarters say cloud is in their future plans. The migration of IT functionality into the cloud magnifies the importance of ensuring users understand how to use these services most productively and securely. This is especially true because security for cloud services is typically implemented by the cloud service provider: the enterprise has limited control over that security, yet it retains legal responsibility for regulatory compliance.
The use of cloud services brings many advantages to the enterprise, but it’s vital that everyone involved understand how the differences between cloud and traditional enterprise IT services impact information security. Most organizations have defined security policies that provide administrative guidance for users about how to use IT services securely, as well as about the responsibility of all users to safeguard privileged information. In addition to these administrative security controls, enterprises typically implement technical controls that detect, or in some cases prevent, violations of those policies. Examples of these technical security controls include data loss prevention (DLP) technologies, firewalls, and email security appliances, among others. These technical controls are often used to prevent disclosure (both malicious and unintentional) of sensitive information.
The effectiveness of these controls is generally acceptable for on-premise security, but for cloud-based IT they bring little or no benefit, because they’re designed to function inside the enterprise IT infrastructure. Technical security controls for cloud IT services are designed, implemented and managed by the cloud provider. The specific technical security controls implemented by cloud vendors vary by provider, but in general, enterprise IT and security staff have significantly less visibility into, or control over, them than they would over a comparable in-house deployment.
Embracing Constant Change without Sacrificing Security
Cloud-based IT services typically provide a feature-rich, highly interactive experience for end users. Because of the deployment model, cloud service providers can introduce new functionality and service enhancements frequently and rapidly, usually with no involvement from the organization’s IT or security team. This dynamic and rapidly evolving environment is challenging for both end users and organizational IT and security staff. End users may find it difficult to keep up with all of the new functionality, and may not be able to make full use of the features, leading to less than optimal productivity, while IT and security staff will not usually have sufficient time to assess the possible impact of the new functionality on the security of the organization.
Security Awareness and End User Training: More Important than Ever
These factors combined require an altered approach to end-user education across the enterprise. Now more than ever, every person who accesses company information must play an active role in ensuring the security of an organization’s information. Enterprises must fully educate their employees about those responsibilities to ensure the security of the organization’s information, as well as about how to use cloud IT services securely. This is particularly true now that many employees are accessing corporate networks from personal devices such as smartphones and tablet computers; a recent study by Cisco Systems found that a majority of individuals believe they are not responsible for protecting information accessed through devices
Here are some ideas to begin implementing security awareness and IT training programs that ensure security in the face of the disruptive nature of cloud-based IT:
- Establish clear IT objectives for each cloud-based IT service that you select.
Understanding how you expect the particular cloud-based IT service to be used is essential in order to evaluate the possible risks the service may pose to your organization. You can’t always avoid the risk, but educating your end users about the security risks and the appropriate use of the service will go a long way towards minimizing that risk.
- Ensure end users understand their responsibilities.
Make sure that end users fully understand their role in securing the organization’s information. Far too often, employees believe that security is solely the purview of the IT security team, rather than a responsibility of every employee. Your organization’s culture should reflect that global responsibility, so all employees understand the critical role they play, and IT security staff are seen as shepherds and helpers rather than guards and enforcers.
- Ensure that your information security program encourages end user participation.
In the rapidly changing world of cloud-based IT services, it is very likely that end users will learn of new features and capabilities before your IT and security staff do. You can take advantage of this – involved end users are more likely to provide feedback to the organization about how new features may introduce risk. This kind of feedback from end users is critical to the participatory process, enabling IT security staff to adapt awareness training and security controls as appropriate to minimize the risks.
A Plea to Cloud IT Service Providers
Enterprise IT security staff understands the differences between cloud and on-premise IT services. So it’s very clear to them that most cloud IT service providers do not provide the enterprise sufficient transparency in the implementation and ongoing management of security controls.
Cloud service providers must continue to work to improve the visibility they provide to their enterprise customers to ensure the proper implementation of technical security controls. While the responsibility for implementing the technical security controls shifts to the cloud provider in a cloud-based IT service model, the responsibility for securing the enterprise’s data still belongs to the enterprise security team. Cloud providers must enable the enterprise to integrate the security of cloud-based IT services with enterprise managed IT services. The ability to integrate with existing enterprise processes is critical for the enterprise to meet compliance requirements by leveraging existing security resources while adopting cloud-based IT services.
A few examples of the ways in which transparency can be improved include:
- Federated identity services, allowing the enterprise to own the management of its user identities. Giving the enterprise the ability to manage its own identities allows it to leverage its existing user account provisioning and de-provisioning processes and controls.
- Access to event logging for the purpose of auditing user activity. Providing the enterprise with detailed event logging information, especially in regard to user activity, allows the enterprise to leverage existing event management processes and controls.
- Configurable options at the organization level to manage the sharing of information. Allowing the enterprise to configure how information is shared on the cloud-based IT service enables the enterprise to ensure consistency with its enterprise information classification and handling processes.
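The three items above only pay off if the enterprise actually wires them into its existing processes. As an added illustration (not code from the article or from Qualys), the following Python script shows what that integration looks like on the enterprise side: it reconciles user activity in a cloud service’s audit log against the enterprise directory (catching accounts that were de-provisioned in-house but remain active in the cloud), and checks each share event against an organization-level sharing policy keyed on the enterprise’s own classification labels. The audit log format, directory contents, classification labels and sharing scopes are all constructed assumptions; no real provider’s event schema is implied.

```python
import json
from datetime import datetime

# Constructed sample: active identities from the enterprise directory. With
# federated identity the cloud service trusts this directory instead of keeping
# its own user list; "dana" has been de-provisioned and is therefore absent.
ENTERPRISE_DIRECTORY = {"alice", "bob", "carol"}

# Constructed sample: organization-level sharing policy. Keys are the
# enterprise's information classification labels, values are the widest
# sharing scope that classification permits on the cloud service.
SHARING_POLICY = {
    "public": "anyone_with_link",
    "internal": "organization",
    "confidential": "named_users",
}
# Ordering of sharing scopes from narrowest to widest (assumed scope names).
SCOPE_RANK = {"named_users": 0, "organization": 1, "anyone_with_link": 2}

# Constructed sample audit feed as JSON lines; the field names are an assumed
# shape for a cloud collaboration service's event export, not a vendor format.
SAMPLE_AUDIT_LOG = """\
{"ts": "2012-02-01T09:12:03Z", "user": "alice", "action": "share", "object": "q1-roadmap.pdf", "classification": "confidential", "scope": "named_users"}
{"ts": "2012-02-01T09:40:11Z", "user": "dana", "action": "download", "object": "payroll.xlsx", "classification": "confidential", "scope": null}
{"ts": "2012-02-01T10:02:45Z", "user": "bob", "action": "share", "object": "payroll.xlsx", "classification": "confidential", "scope": "anyone_with_link"}
{"ts": "2012-02-01T10:15:00Z", "user": "carol", "action": "share", "object": "lunch-menu.txt", "classification": "public", "scope": "anyone_with_link"}
{"ts": "2012-02-01T11:30:27Z", "user": "bob", "action": "share", "object": "org-chart.pptx", "classification": "internal", "scope": "anyone_with_link"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # one bad line should not abort the whole audit run
        events.append(event)
    return events


def orphaned_accounts(events, directory):
    """Users with cloud activity who no longer exist in the enterprise directory.

    Any hit means in-house de-provisioning did not reach the cloud service,
    which is exactly the gap federated identity is meant to close.
    """
    return sorted({e["user"] for e in events} - directory)


def sharing_violations(events, policy):
    """Share events whose scope is wider than the object's classification allows."""
    widest = max(SCOPE_RANK.values())
    violations = []
    for e in events:
        if e.get("action") != "share" or e.get("scope") is None:
            continue
        # Unlabelled objects are treated as the most restrictive class.
        allowed = policy.get(e.get("classification"), "named_users")
        # An unknown scope name is treated as the widest possible scope.
        if SCOPE_RANK.get(e["scope"], widest) > SCOPE_RANK[allowed]:
            violations.append((e["user"], e["object"], e["scope"], allowed))
    return violations


def audit(log_text=SAMPLE_AUDIT_LOG, directory=ENTERPRISE_DIRECTORY, policy=SHARING_POLICY):
    """Run both checks over an audit feed and return the findings as a dict."""
    events = parse_events(log_text)
    return {
        "orphaned_accounts": orphaned_accounts(events, directory),
        "sharing_violations": sharing_violations(events, policy),
    }


if __name__ == "__main__":
    report = audit()
    for user in report["orphaned_accounts"]:
        print(f"ORPHANED ACCOUNT: {user} is active in the cloud service but not in the directory")
    for user, obj, scope, allowed in report["sharing_violations"]:
        print(f"SHARING VIOLATION: {user} shared {obj} as {scope}; policy allows at most {allowed}")
```

On the constructed feed the script reports one orphaned account (dana, who downloads a confidential file after being removed from the directory) and two sharing violations (a confidential spreadsheet and an internal org chart both shared via anyone-with-link). In practice the findings would be forwarded to the enterprise’s existing event management tooling rather than printed, which is the point the article makes: the value of provider-supplied logs and settings lies in feeding the controls the enterprise already operates.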
Enterprise security professionals understand that cloud-based IT services are still maturing; cloud IT service providers should not forget that a lack of progress towards improved transparency will eventually impede the adoption of their services.
Second Annual Cisco Connected World Technology Report: http://www.cisco.com/en/US/solutions/ns341/ns525/ns537/ns705/ns1120/2011-CCWTR-Chapter-3-Media-Deck.pdf