Cloud- Based Security Is Here to Stay

Transcription

1 ANALYST BRIEF Cloud- Based Security Is Here to Stay HOSTED SECURITY IS BECOMING A PART OF THE SECURITY INFRASTRUCTURE Author Rob Ayoub Overview As the popularity of cloud- based services has grown, so too have concerns surrounding the security of the data that resides in these cloud- based deployments. These concerns have driven traditional security vendors and start- ups to develop and adapt security solutions that address cloud- based security. Many traditional security vendors have created virtual versions of their products that are designed to run in public cloud infrastructures such as Amazon Web Services (AWS) and Microsoft Azure. Within the AWS Marketplace, customers can find virtual security appliances from established vendors such as Barracuda, Check Point, Fortinet, and Qualys. Other security- as- a- service (SaaS) vendors have emerged that offer services designed to protect organizational data as it moves to cloud- based applications such as Salesforce and DropBox. These new vendors (for example, Bitglass, CipherCloud, Elastica, and Perspecsys) offer an intriguing proposition allow an organization to control its data just as if it were on- premises, while allowing it to safely populate cloud- based applications such as Salesforce. Both approaches offer innovative solutions for organizations desiring to protect data that does not reside on- premises; however, introducing these solutions into an organization has serious implications for its overall security architecture and for compliance. And while the interest in cloud security solutions grows, the complexity of these solutions, and in some cases their lack of interoperability with enterprise applications, is causing many organizations to question their deployment. The decision to rely on virtual security appliances or SaaS products for the protection of enterprise data presents a dilemma for organizations. While there is interest in leveraging cloud services, if security components cannot be seamlessly integrated to the cloud, organizations will experience gaps in their security architecture that could increase risk and expose sensitive data. Vendors must go beyond merely offering cloud- based services; they must prove that they can extend existing on- premises security controls to the cloud while maintaining regulatory compliance and controls. This brief discusses the emerging SaaS solutions designed to manipulate data between the organization and other cloud- based applications. While virtual security appliances are likely to emerge as critical components of cloud- based architectures, the promise of SaaS solutions that can establish control of data before it leaves an organization is intriguing for a number of reasons, including controlling costs, avoiding vendor lock- in, and reducing capital expenditure (capex).

2 NSS Labs Findings A new breed of cloud- based security offerings has emerged that is designed to overlay other cloud solutions (such as Salesforce) or existing infrastructures within organizations. Many of these overlay product offerings are from new vendors rather than established vendors, which significantly complicates integration. Most approaches to cloud security involve the manipulation of data before it is moved to the cloud, but this can require the deployment of new critical assets in the organization, such as servers and databases. Regardless of the technology being implemented, SaaS introduces new processes and potential expenses for the organization. Bridging the gap between security on- premises and security in the cloud is nontrivial, and organizations and vendors alike have yet to deliver an integrated solution. NSS Labs Recommendations Conduct thorough testing of all SaaS tools, either in- house or through a trusted third party, and include mobile platforms in that testing Perform total cost of ownership (TCO) analysis on any SaaS solution, and take into account the cost required to change vendors. Map legacy applications to existing security functions in order to understand dependencies. Do not outsource security related to mission- critical applications or business functions. 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 The Basics of SaaS... 4 Proxy- Based Delivery... 4 Cloud- on- Cloud Delivery... 5 Hybrid Delivery... 5 Cloud Challenges and the Opportunity for SaaS... 5 Market Drivers for SaaS Vendors... 6 Opportunities to Reduce Capital Costs... 6 The Need to Reduce the Complexity of Security... 7 The Ability to Focus on Building Security into Core Competencies... 7 On- Demand Provisioning of Computing Resources... 7 Ability to Quickly Align Information Technology with Business Needs... 7 Regulatory Compliance Requirements... 7 Market Inhibitors for SaaS Vendors... 7 Increased Complexity When Adding External Components... 8 Difficulty in Supporting Legacy Applications and Mobile Users... 8 Concerns Over Uptime and Service Level Agreements... 8 Inconsistent End User Policy Enforcement... 8 Integrating SaaS Within an Organization s Security Infrastructure... 8 The Emerging Cloud SaaS Vendor Landscape... 9 Bitglass... 9 CipherCloud... 9 Elastica... 9 Perspecsys... 9 SkyHigh Networks Reading List Contact Information

4 Analysis A number of new SaaS vendors are offering innovative solutions for organizations looking to move data to the cloud. These new providers range from start- up vendors to established security vendors and managed security service providers (MSSPs). However, introducing any managed solution into an organization has significant implications for the overall security posture of the organization. Aside from the concerns associated with forensics (which are addressed in the Analyst Brief Is Cloud Security Best Fit for Your Organization?), 1 organizations must address a number of challenges when considering SaaS vendors. From integration with existing security products to the realities of backup and disaster recovery, there are many factors to consider beyond the specification sheet when reviewing hosted solutions. Some solutions add critical infrastructure components to the organization through proxies, databases, and other services, which may require extra care or may add additional latency. In spite of these potential challenges, there are benefits to cloud- based security that are not easily achieved with the traditional hardware and software solutions. The Basics of SaaS The SaaS model is a managed services model that leverages the cloud for delivery of services. As with other cloud- based services, there has been considerable growth in the market as customers have come to understand and appreciate its benefits. Less equipment is required for SaaS deployment than for the customer premises equipment (CPE) model. In theory, a customer using a SaaS solution often does not require hardware on- site: security controls are managed and enforced in the cloud, and clean data is provided to the end user. Such transparency makes this model particularly attractive to highly distributed environments. There are additional deployment models through which security services are provided to other cloud- based services (for example, services that are designed to protect data residing in public clouds such as Amazon), and there is the hybrid model whereby a device resides on- premises but relies on cloud- based services to provide back- end processing and intelligence. Proxy- Based Delivery Security delivery traditionally has been proxy- based, whereby there is a gateway in place to manage outbound traffic. For some security technologies, including the majority of and web security products on the market today, hosting security services is not a new method of deployment. In many cases, these products operate directly in the cloud or in a hybrid cloud deployment, which helps to reduce the amount of resources and infrastructure required at the end- user site. However, proxy- based systems typically require time and resources because the client must point the appropriate traffic to the proxy; ensure that all features work properly; and ensure that users cannot bypass the proxy. Depending on the service, these challenges can increase the expense to the customer and, in some cases, can break applications. Proxy- based security solutions typically require additional in- depth testing and tuning to ensure that operations are not interrupted. 1 See Reading List 4

5 Cloud- on- Cloud Delivery The cloud- on- cloud method of delivering security uses a single hosted security product to deliver services to a cloud- based service, or to deliver services within the cloud itself. While some solutions also rely on proxy technology for implementation, there are services (Dome9 and Secure Passage, for example) that reside in the cloud and deliver services to providers such as Amazon, Google, and Microsoft. The advantage to the customer is that these services address specific problems associated with the use of cloud services, without adding client- side infrastructure. Unfortunately, security management for the organization must include these new services, which are not always easily integrated into an organization s existing backup and recovery scheme. Hybrid Delivery The popular hybrid approach for delivery of services bridges the gap between on- premises and cloud- based services. As the name implies, part of the solution resides on- premises (dedicated hardware, server, or even virtualized server), and part of the solution resides in the cloud. Hybrid solutions allow organizations to maintain data locally while leveraging the cloud for additional intelligence and processing, thereby addressing concerns over data location and local storage. Cloud Challenges and the Opportunity for SaaS Security has continued to be a challenge with the cloud. The 2011 (ISC) 2 Global Information Security Workforce Study, 2 which is depicted in figure 1, illustrates the concerns that information security professionals have regarding cloud- based services. 85% 85% 68% 67% 65% 55% 47% Exposure of confidenial or sensiive informaion to unauthorized systems or personnel Confidenial or sensiive data loss or leakage Weak system or applicaion access controls Suscepibility to Disrupions in the cyber ajacks coninuous operaion of the data center (i.e., uninterrupted availability) Inability to support compliance audits Inability to support forensic invesigaions Figure 1 Areas of Concern Regarding Cloud- Based Services 2 5

6 Figure 2 depicts the 2013 version of the same study, 3 which expanded on the concerns cited in figure 1, and which demonstrates the areas where further education on cloud computing is required. Despite industry concerns, the move to the cloud and cloud- based services continues to grow at a staggering rate. Additionally, a surge in data leaks and an increased availability of SaaS products from vendors has heightened interest in securing cloud- based deployments, prompting customers to evaluate security components that can protect data as it moves to and from the cloud, or to move components of their security infrastructures off- site. 89% 78% 71% 62% 61% 47% 36% 33% How security applies to the cloud An enhanced understanding of architectures Knowledge of compliance issues Enhanced technical knowledge Specifying contractual obligaions and requirements related to security Enhanced data management skills Business stakeholder management and educaion Contract negoiaion skills Figure 2 Areas Where Further Education Is Required on Cloud- Based Services Market Drivers for SaaS Vendors In many cases, the drivers motivating an organization to select a SaaS vendor are the same as the drivers motivating them to select a cloud- based product. The key themes of lower costs and the ability to quickly scale services are universal to any hosted service, not just SaaS. However, there are recurring challenges in security that make the SaaS model particularly attractive, including the model s abilities to reduce the complexity of security and to address regulatory requirements. The following drivers likely will hold true for the foreseeable future. Opportunities to Reduce Capital Costs Information technology (IT) capital costs are a challenge for any organization, particularly IT security investments. Small organizations must abide by the same compliance and regulatory requirements as larger organizations, but they usually do not have the resources to commit to providing the ideal level of security. SaaS allows organizations to offload capital costs by paying a single monthly fee to providers instead of purchasing expensive appliances or software packages. 3 b% pdf 6

7 The Need to Reduce the Complexity of Security Security is complex. Organizations struggle to keep pace with an ever- changing threat landscape, and the bring your own device (BYOD) trend prevents organizations from installing software at the mobile endpoint. SaaS products that focus on security cloud applications can provide some protection of corporate data that flows to mobile devices by encrypting the data before it reaches personal cloud accounts. SaaS offers organizations the ability to leverage a team of security specialists rather than attempting to assemble their own. The Ability to Focus on Building Security into Core Competencies For most organizations, IT security is not an area of expertise. SaaS allows an organization to move non- mission- critical security components to a third party, which permits the organization to focus on security functions directly related to the core components of the business. Nevertheless, it is critical that organizations do not simply hand over control of security to a third party. Given today s rapidly changing security landscape and the many facets of risk for the modern organization, it is important for organizations to maintain control of security functions related to mission- critical business components. An organization may, however, require time to develop such expertise, and in this case, leveraging a SaaS provider could be the best strategy. Moving security to a SaaS provider should always be weighed in the overall context of an organization s long- term security strategy. On- Demand Provisioning of Computing Resources When building out the IT infrastructure components of an organization, accommodation must be made for growth. It is, however, challenging to plan for the range of business scenarios that will drive IT growth changes in an industry could have significant effects on the IT needs of a business. If planning is inaccurate, the organization may overinvest or underinvest in its IT infrastructure, which could diminish its competitive edge or waste resources. Cloud- based services give an organization the agility to quickly add or remove infrastructure (servers and storage) and other software services, depending on its needs. Ability to Quickly Align Information Technology with Business Needs Another challenge associated with building out an IT infrastructure is to ensure that it is aligned with rapidly changing business strategies and needs. However, the prevalence of mission- critical systems built on legacy technology has forced corporate culture to build its processes around these expensive systems instead of incorporating systems into the modern workflow. Cloud- based services allow for more fluid testing and deployment of new services. Regulatory Compliance Requirements Regulatory requirements have driven security for a number of years now. Industries and countries continue to add their own security requirements for businesses, making compliance a key challenge for organizations. Hosted solutions offer assistance to smaller companies with smaller staff or budget resources in the form of tools they require to be compliant. Market Inhibitors for SaaS Vendors The market for cloud- based services is expanding rapidly with many new and traditional security vendors increasing their offerings; however, SaaS vendors still face challenges. As previously noted, there are significant security challenges surrounding cloud- based services, and services that are designed to deliver security to and 7

8 from the cloud will likely come under even greater scrutiny. These challenges should be understood by any organization considering services designed to address security in or from the cloud. Increased Complexity When Adding External Components As previously discussed, SaaS is delivered through proxies or cloud- on- cloud deployments. Unfortunately, deployment of these technologies can unintentionally increase complexity for end users. Proxy- based deployments can increase latency, require significant changes to routing, and even break hard- coded applications. Difficulty in Supporting Legacy Applications and Mobile Users As with many other applications and services deployed in the past few years, those not specifically written for mobile environments generally are not entirely compatible with the traditional enterprise infrastructure and existing security controls. The programmatic challenges presented by the different mobile operating systems make it challenging for organizations to directly port applications to mobile devices. Even though a number of vendors offer application wrapping in order to make applications mobile- ready, organizations have limited ability to secure their own legacy applications, and many vendors have struggled to provide equivalent functionality and controls between client- or web- based applications and mobile applications. A related challenge exists for SaaS vendors attempting to secure enterprise data as it moves outside the enterprise networks. Often, these applications operate by manipulating the data between the end user and another cloud- based service (particularly in the case of encryption, for example). Not every application will have the built- in mechanisms necessary to support changes to the data; thus, SaaS vendors will be required to enter into partnerships and integrate with specific application vendors. Concerns Over Uptime and Service Level Agreements While many organizations perform due diligence on their cloud providers, no provider has perfect uptime. As discussed in the Analyst Brief They Call It Stormy Monday, 4 even cloud providers that appear financially secure can unexpectedly go out of business. Given the sensitive nature of security, many organizations are hesitant to trust any third party, particularly a hosted provider. Inconsistent End User Policy Enforcement A long- standing challenge for proxy- based enforcement is to ensure that all traffic flows through the proxy. Content- filtering products have struggled to ensure that users cannot circumvent security controls by redirecting traffic. The same challenge applies to any SaaS. As users move beyond the perimeter of their network, it becomes more difficult to ensure that their traffic is subject to the proper security controls. Integrating SaaS Within an Organization s Security Infrastructure Given the speed with which cloud- based services have been adopted, it was inevitable that security be offered as a cloud- based service too. Concerns are growing over the security of data as it flows to and from the cloud, and governments are investigating cloud services and enacting legislation on data within their jurisdictions. IT 4 See Reading List 8

9 departments are under pressure to identify and protect data, including cloud and cloud- based services within their portfolios. It is not only corporate- owned data that is moving to the cloud, more and more security tools are leveraging the cloud to combat threats and deliver clean traffic, which is increasing the complexity of security. As vendors offer new services to deliver security from the cloud, IT departments must evaluate the security of these services in the same manner that they evaluate internal security tools. Some organizations, such as the Cloud Security Alliance (CSA), are working toward this goal the CSA offers a matrix of security controls for evaluating security services, for example. While this list is not definitive, it should be considered when organizations are evaluating cloud- based services. Whether an organization employs a SaaS provider or another cloud- based service to deliver its security, these services must be incorporated into the same workflow as traditional controls. The services must be audited and tested against the same metrics as any other security product. Support for confidentiality, integrity, and availability (CIA) remains critical, regardless of the location of the service. No enterprise can absolve itself from responsibility for it own security process; diligence and ultimately the governance of risk remain the responsibility of the enterprise. The Emerging Cloud SaaS Vendor Landscape New SaaS vendors have emerged to address the challenges brought on by migrating data to the cloud. While their solutions have differing strengths and weaknesses, at their core they all provide some level of management, monitoring, and manipulation (encryption or tokenization) of an organization s data as it moves to the cloud. Emerging vendors in the market include: Bitglass Based in Campbell, CA, Bitglass is a SaaS reverse proxy that targets mobile devices and cloud- based applications. Touting itself as MDM without the agent, Bitglass allows organizations to set policy around data that migrates from cloud- based applications to mobile devices. A unique differentiator of the Bitglass solution is the ability to watermark data and files so that wiping can be performed in the event of device loss or employee separation. CipherCloud Headquartered in San Jose, CA, CipherCloud provides products designed to secure common cloud applications such as Salesforce and Office365. Some of the available controls include encryption, tokenization, cloud data loss prevention, cloud malware detection, and activity monitoring. CipherCloud s technology protects sensitive information in real time before it is sent to the cloud, while preserving application usability and functionality. Elastica Based in San Jose, CA, Elastica provides cloud application and services risk analysis for organizations. The company provides a number of connectors covering many different cloud applications. Users can set policies and monitor data as it flows to a variety of cloud- based applications, and alerts can also be set for suspicious behavior. Perspecsys Headquartered in Tysons Corner, VA, Perspecsys provides a platform that allows organizations to identify and monitor cloud usage and then encrypt or tokenize data based on compliance needs or organizational policy. Cloud 9

10 end users retain application functionality, such as the ability to search and sort data, send s, and generate reports, while the enterprise ensures its data is secure and it remains compliant. SkyHigh Networks SkyHigh Networks is designed to provide a comprehensive view into cloud services in use across an organization and then assign risk values to those services. It searches for anomalous activities and can identify data loss and breach. Additionally, organizations can establish security policies on cloud- based activities, including mobile device access. 10

11 Reading List Is Cloud Security Best Fit for the Organization? NSS Labs security- best- fit- your- organization They Call It Stormy Monday. NSS Labs call- it- stormy- monday 11

12 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e- mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. 1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. 2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 12