Cloud IaaS: Security Considerations

Transcription

1 G Cloud IaaS: Security Considerations Published: 7 March 2011 Analyst(s): Lydia Leong, Neil MacDonald Ensuring adherence to your organization's security and compliance requirements is one of the most significant challenges to overcome when sourcing a cloud infrastructure-as-a-service (IaaS) solution. The security capabilities of service providers vary greatly. IT managers must understand the reality of what's available in the cloud. Diligence is required in the procurement process, along with independent confirmation of service provider claims. Key Findings Cloud IaaS can be sufficiently secure for enterprise needs, but different IaaS offerings have very different levels of security. A Statement on Auditing Standards No. 70: Service Organizations (SAS 70) audit is not proof of security or regulatory compliance. Security certifications may still be useful but do not, by themselves, constitute proof of adequate security. Emerging industry efforts to define cloud compliance and maturity standards, such as the Cloud Security Alliance (CSA) and the Common Assurance Maturity Model (CAMM), hold promise and should be used as input to define the enterprise's own standards. Recommendations Determine your actual security requirements; don't overestimate your needs, particularly compared with your own internal data center. Develop guidelines for evaluating the security of IaaS and other cloud-based services. When evaluating cloud offerings, discuss operational and security requirements early on, just as you would if the service were being developed internally. Examine the details of a provider's IaaS implementation to assess the quality of its security. Consider using cloud computing only when the vendor is sufficiently transparent to ensure it meets your business's needs for security and compliance. Perform a risk assessment to understand the proper trade-off between security and cost.

2 Table of Contents Analysis...2 Security and Compliance...2 Don't Rely Solely on Audits...3 Security Architecture and Services...4 Identity and Access Management...6 Staffing...6 You Are Responsible...7 Recommended Reading...7 List of Figures Figure 1. Key Concerns When Implementing Cloud Computing...3 Analysis As described in "Evaluating Cloud Infrastructure as a Service," all cloud IaaS offerings are not created equal, despite superficial similarities in the way the offerings are described. There is considerable variance in service provider design goals, the quality of the technical implementations, and the cost-effectiveness and the value for money of those implementations. This is part of a series of reports detailing the differences in the technical architectures and business models of IaaS offerings. This document is focused on security and compliance considerations. Security and Compliance Gartner's surveys and polls consistently show that security, privacy and compliance are the greatest concerns of organizations considering cloud computing solutions. These include IaaS solutions, whether the organization is implementing IaaS within its own data center, outsourcing private IaaS or using public IaaS. (See "Survey Analysis: Global Adoption of Cloud Computing, a View From Above" for more details on Figure 1, which shows the percentage of respondents who ranked each concern in their top three.) Page 2 of 8 Gartner, Inc. G

3 Figure 1. Key Concerns When Implementing Cloud Computing Security of service Data location, privacy or access concerns Cost uncertainty or variability Inadequate service levels (e.g., availability, performance or reliability) Increased business risk Perceived loss of control or choice of technology Lack of industry standards for cloud computing Lack of awareness of, or confidence in, model Dealing with compliance or regulatory controls Lack of suppliers with satisfactory credentials or reputation Inadequate contract terms or termination arrangements Other Existing Planned Percentage of Respondents Source: Gartner (March 2011) There are no easy generalizations when it comes to the security measures implemented by IaaS providers; every service provider has different administrative, physical and logical security controls. For more general guidance on security and compliance in the cloud, consult "What You Need to Know About Cloud Computing Security and Compliance." Don't Rely Solely on Audits Some IaaS providers use SAS 70 Type II audits as "proof" of their security. Unfortunately, SAS 70 does not review a provider's security controls for usefulness; it merely verifies that a provider carries out documented procedures, without any judgment as to whether its controls are good ones. The results of such an examination are unlikely to provide adequate information, as it is a process-only Gartner, Inc. G Page 3 of 8

4 review that is explicitly not intended to be a technical review. (See "SAS 70 is Not Proof of Security, Continuity or Privacy Compliance.") Security certifications may be more useful, but be cautious. For instance, International Organization for Standardization (ISO) 27001, which is a security certification standard, is often used to evaluate efficacy against ISO 27002's defined security control framework, but it is possible to obtain an ISO certification without using ISO Ensure both are used in the certification process. Certifications are by no means a comprehensive evaluation of a provider's security posture, nor is a lack of certifications an indication that a provider does not have excellent security controls. Because audits and certifications are expensive and time consuming, providers often elect not to pursue them, or use them only in a very limited way. Most service providers that claim SAS 70, for instance, extend their audit only to their physical data centers, not to the actual infrastructure service. While you may be interested in a provider's SAS 70 and other third-party audits and security certifications, do not use these as a substitute for doing your own security evaluation. (See "What You Need to Know About Cloud Computing Security and Compliance.") Similarly, while the provider may claim that it can comply with various requirements (for example, the Sarbanes-Oxley Act [SOX], Federal Information Security Management Act [FISMA], Health Insurance Portability and Accountability Act [HIPAA] and Payment Card Industry Data Security Standard [PCI DSS]), the burden is on you to ensure that it does. In many cases, it might be able to meet part of a standard, in certain circumstances, but those circumstances might not apply to you; in particular, many IaaS providers meet PCI standards for customers that do not store cardholder data, but cannot meet the standards for customers that directly process credit cards. Also, be aware that your auditor does not have to accept the cloud provider's audit. For instance, several cloud IaaS providers have obtained PCI certifications where the audit specifically excludes certain clauses of PCI DSS most importantly, the clause that does not permit multitenancy of servers. Your auditor may or may not agree that the strength of separation provided for workloads meets the PCI requirements. Your organization should set mandatory security requirements during the procurement process for any cloud-based service. Standards for assessing cloud provider security capabilities are emerging from organizations such as the CSA, the CAMM and the U.S. Federal Risk and Authorization Management Program (FedRAMP). These standards should be used as the foundation for your own organization's cloud security requirements. Security Architecture and Services Most IaaS providers have rigorous administrative and physical security controls for their data centers. Such data centers are typically anonymous, hardened structures, with security guards, security cameras, and layered access with multiple authentication mechanisms (including biometrics) and access logging. IaaS providers usually offer network security with defense in depth. The service provider may have automatic mitigation of threats such as distributed denial-of-service (DDoS) attacks, and may also Page 4 of 8 Gartner, Inc. G

5 automatically halt activity against its infrastructure that it deems malicious, such as automatic blocking of port scanning attempts, whether originating externally or internally. Most IaaS offerings come with a basic firewall service included, allowing the customer to filter specific ports and Internet Protocol (IP) address ranges, with the default configuration offering minimal access. Preferably, the default configuration should use a default deny approach, where the customer must explicitly define access to be granted. More complex intrusion detection system (IDS) and intrusion prevention system (IPS) functionality may also be offered; this may be included and mandatory for all customers, or an optional service for an extra fee. Customers can always install additional software-based appliances, typically in the form of a virtual machine (VM), for additional security controls. Some providers may also allow the deployment of security-related hardware in front of the customer's IaaS environment, even if that environment is shared. Most IaaS providers take measures to provide some virtual network isolation to customers, through offering individual virtual LANs (VLANs), virtual routers and virtual switches to each customer. Providers also usually take steps to secure their network traffic, with protection from network sniffing, spoofing and local denial-of-service attacks. As most IaaS offerings are built on virtualized infrastructure, providers may also provide some security from within the virtualization layer itself for stronger separation of VMs on the same physical host. For instance, providers with VMware-based infrastructures may support the vshield line of firewalls, as well as the VMsafe API, which allows security products to take advantage of the hypervisor's view of the VMs in order to detect and protect against threats; for example, this allows antivirus scanning to be performed without requiring agents in each VM. (See "VMware Pushes Further Into the Security Market With Its vshield Offerings" for details.) IaaS providers also take measures to provide security in their storage offerings, and may offer options such as data encryption. Storage security is detailed as part of "Cloud IaaS: Adding Storage to Compute." IaaS providers may offer antivirus services as part of their core offering; indeed, some IaaS providers mandate antivirus for all customers. They may also offer host-based IDS and IPS, configuration auditing (usually based on software such as Tripwire), and a Web application firewall. These services may be included with the base compute service, or may be extra-fee options. Note that most IaaS contracts explicitly prohibit the use of network-based vulnerability scanning tools, so host-based approaches may be the only ones viable for configuration auditing. Many IaaS providers offer other security services as well, including managed and professional services. The most common additional service is security information and event management (SIEM), or more basic log monitoring and management. This is most frequently implemented using an appliance from a vendor such as LogLogic, or via a third-party partner service such as Alert Logic. (See "Security Monitoring and Assessment for Cloud Environments" for more.) Some IaaS providers are able to generate compliance reports as part of their service, consolidating provisioning reports, scanning reports, logs and the like into a single set of documents readily accessed via their customer portal. As a future market differentiator, we expect that this information Gartner, Inc. G Page 5 of 8

6 will be able to be integrated into and accessible from an enterprise's own security information and risk management consoles. Identity and Access Management There are two areas of concern with identity and access management (IAM) access by the IaaS provider's own staff (discussed in the "Staffing" section) and access by its customers. IAM is a foundational component of an IaaS offering. Historically, IaaS providers have kept their own identity databases, and authenticated against those databases. However, customers are increasingly demanding integration with other sources of identity data, such as Microsoft Active Directory, or support for identity federation standards such as OpenID and Security Assertion Markup Language (SAML), and providers are responding accordingly. IaaS providers normally have to secure three forms of customer access to their infrastructure interactive access to the customer portal, API access and access to the VMs themselves. Many providers now offer an option for multifactor authentication for interactive access, which typically uses a device such as RSA's SecurID. Most providers encrypt browser access to the customer portal via Secure Sockets Layer (SSL). API access is typically gained using an API key, but providers may also support other options, such as the use of X.509 certificates. Finally, access to the VMs may be accomplished either through console access or remote access (such as via Secure Shell [SSH] or secure terminal services); this typically uses the authentication scheme of the guest OS. Providers might or might not log accesses to their customer portal and API; even if they do log accesses, these logs might not be available to the customer. They usually do not log accesses to VMs, although the customer might be able to do so; most guest OSs will do so by default. One special case of access management is the control mechanism used for initial access to a newly provisioned VM. Some providers are able to preprovision a secure form of access, such as installing SSH keys when a VM is provisioned. Others generate an administrative password and make it available to the user in some way, such as via their portal, or, less securely, out of band using cleartext via or SMS. Staffing IaaS providers may subject their Operations personnel to background investigations. Some IaaS providers can also support more specialized needs, such as ensuring that operations are performed only by personnel who hold security clearances. In most cases, different personnel are responsible for managing the physical infrastructure (such as replacing failed equipment) and the logical infrastructure (such as maintaining the underlying virtualization platform). Providers generally subscribe to the principle of least privilege. They typically log all infrastructure accesses by their personnel. For self-managed IaaS, the provider's staff generally does not have access to customer VMs. If this is a managed service, however, the provider's staff generally has access and responsibility for the VMs; in this case, the provider might or might not create auditable records of staff access and activities. Page 6 of 8 Gartner, Inc. G

7 Many IaaS providers keep a security staff that is trained in forensic security and dealing with law enforcement. Many providers also maintain active ties with the security operations staff at other service providers, particularly network service providers, cooperating to deal with threats such as DDoS attacks. You Are Responsible Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider's capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS. Using input from the CSA, CAMM and other emerging cloud security standards, ensure your organization has defined its own evaluation criteria for evaluating the security of cloud-based services including: WAN and LAN communications; physical data center; physical network and hosts; virtualization platform; storage and guest VMs. Make sure that any cloud-based provider that you consider is transparent in its security processes and controls. While the provider may have third-party audits and claim certifications, these must be investigated further. You must evaluate the provider's claims against your specific security and compliance needs. Because the customer is responsible for the contents of its workloads, the responsibility for resilience of the IaaS service is shared between the provider and the customer. The IaaS provider is responsible for resiliency in the data center and the hardware; availability options for the computing infrastructure are discussed in "Cloud IaaS: How Compute Resources Are Delivered." However, the customer is responsible for architecting resiliency into its application, and into its networking choices. Not all workloads and data will be suitable for cloud IaaS deployment. Some are best kept on premises. However, given the availability of private cloud IaaS, as well as of providers that focus on meeting demanding security and compliance requirements, cloud IaaS can potentially meet a wide range of needs. Recommended Reading "Cloud IaaS: Networking Options" "Cloud IaaS: Service-Level Agreements" "Cloud IaaS: Service and Support Models" Gartner, Inc. G Page 7 of 8

8 Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT USA European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Page 8 of 8 Gartner, Inc. G