Brainloop Cloud Security

Transcription

1 Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud

2 Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating worldwide. The internet is the ideal platform for sharing data globally and communicating worldwide. Originally developed by and for scientists, it is based on the idea of open communication. We send out s over data networks like we used to send postcards. We can view websites or upload and download data any time. Confidential communication over the internet is possible, but it requires its own set of security measures. These need to cover the communication channels as fully as possible in order to ensure real security. And they need to protect data from unauthorized access wherever it is stored and edited. Cloud solutions can be advantageous for small and midsized companies. They provide security standards that smaller firms may find difficult to achieve on their own. However, CIOs need to select and evaluate the right system based on state-of-theart technologies. Security weaknesses and vulnerabilities are still being identified, even in recognized standards. Security is a question of compliance For companies, information security is a matter of survival both from a legal and a business point of view. For companies, information security is a matter of survival both from a legal and a business point of view. CIOs have to ensure that their company complies with statutory, company-internal and contractual regulations. IT compliance includes national telecommunications laws, data protection requirements, and corporate control and transparency regulations as well as laws governing data access and the auditability of digital documents. Then there are European policies such as Basel II and the American Sarbanes-Oxley Act, which applies to companies listed on the US stock exchange, as well as E-Discovery for companies doing business in the US. Corporate liability issues make it important for companies to ensure that their systems, programs and data are protected from manipulation. Protection of trade secrets The business-related aspects of security include copyright protection. A company s competitive advantage often depends on its ability to safeguard trade and company secrets. In a survey of about 500 companies conducted by the European Commission, it emerged that one in five firms had been victims of attempted trade secret theft at least once in the last ten years.1 The Global Fraud Report has also reported an increase in the number of incidents Whitepaper - Cloud Security 2 9

3 Nevertheless, the protection of trade secrets is insufficiently regulated in the EU, at least as far as claims for damages are concerned.3 This makes it even more important for companies to use all technical means available to protect their confidential information. Alongside access control systems, they can use digital rights management to stipulate how protected content may be accessed. Information security depends on the systems A company s value chain stretches from the supplier through to the end customer. This is why it needs to control the flow of goods and information across its suppliers, producers, resellers and customers. After all, its communications do not stop at the company firewall. Sensitive data should be protected against attacks, fraud and manipulation by technical means. In order to avoid random errors due to the high level of automation, companies should implement rules in their information systems that stipulate the right way to handle data. Information security and data protection should be built into the systems from the outset. Sensitive data should therefore be protected against attacks, fraud and manipulation by technical means. This includes verifying the authenticity of business partners and ensuring the availability, integrity and confidentiality of data. Systems also need to be designed to allow flexible working from home offices and secure mobile data access when people are traveling. The human factor in security However, technical means alone are not enough. Organizational measures are also necessary in order to take the human factor into account, as this plays the biggest role in information loss. The Industrial Espionage 2012 study by the management consultant firm Corporate Trust, which surveyed 600 companies, found that 58 percent of staff were responsible for deliberate or accidental information loss.4 Spying generates annual losses of around 4.2 billion euros in Germany alone. Another recent survey by the Ponemon Institute found that only 16 per cent of data loss incidents were due to system problems The human factor plays the biggest role in information loss. Whitepaper - Cloud Security 3 9

4 Data can be compromised by application, identification and authentication errors. Data can be compromised by application, identification and authentication errors. Semantic or logical errors may arise during transmission and can lead to data losses if they are not corrected by hardware mechanisms, like repetition. And restoring information may fail if, for example, an SSL certificate is verified on servers running different software versions.5 The survey also shows that up to 36 percent of all data losses in Germany are due to negligence on the part of staff.6 Malicious attacks on data may come from employees who then give or sell the information to competitors. But threats can also come from external attackers. They may infect systems with malware, launch phishing attacks or use targeted social engineering to pretend they are employees and request confidential information. Networked collaboration in the cloud IT silos can be removed from many company departments. They often lead to inconsistent data storage practices. Many companies are currently investing in virtual servers and virtualized applications. Their goals are to optimize resources, work more efficiently, and improve IT security. Virtualization enables them to provide networked IT services such as storage, computing power, platforms and software and bill them according to usage. The network may be the organization s internal intranet or the public internet. In addition, virtual environments allow staff to collaborate and communicate more easily and efficiently throughout the company s entire value chain. As a result, IT silos can be removed from many company departments. They often lead to inconsistent data storage practices as well as inefficiencies due to interfaces between systems. Collaboration tools and environments, on the other hand, tend to support a more decentralized approach to collecting and distributing information. As a result, innovation is more likely in areas with a lot of interaction, such as supply chains, marketing, sales and customer sites.7 Improved collaboration facilitates end-to-end workflows, which in turn can improve customer service Whitepaper - Cloud Security 4 9

5 Cloud computing becoming a standard In Germany, 40 percent of companies already use cloud services and the number is increasing. In Germany, 40 percent of companies already use cloud services and the number is increasing. In larger companies with more than 2000 employees, cloud computing has almost become standard practice with 70 percent using virtualization and 29 percent planning to implement it. These figures come from the German IT trade association Bitkom, whose recentlypublished Cloud Monitor 2014 study surveyed about 400 companies.8 There are four usual cloud service models. The first is a private cloud, which is only provided for one organization. It can be operated internally or by a third party. The second is the public cloud, where a provider delivers the service to the general public or a large group of users. The third, the community cloud involves several communities sharing the infrastructure, which can be run by them or by a third party. Lastly, the hybrid cloud comprises several cloud infrastructures that provide services across standard interfaces.9 These can be both public and private clouds. Most companies choose to implement a private cloud, although demand for the public cloud is growing faster. However, growth is slowing. In the wake of the revelations about the extensive spying activities of the NSA, the US secret service, 13 percent of companies have postponed their planned cloud projects and 11 percent have even closed down their existing clouds. The reason is clear: worries about information security, especially unauthorized access to sensitive data. Is it possible to work securely in the cloud? Information security is possible in the cloud, but it requires the implementation of a range of technical and organizational measures. Information security is possible in the cloud, but it requires the implementation of a range of technical and organizational measures. First and foremost, cloud customers need to be aware of how much protection their data and applications require. This will define whether and how they can move to the cloud. A fundamental requirement is protection for the places sensitive data are stored and worked on, as well as for transmission channels. This applies whether the data are on local media, on corporate disk drives, in production systems like SAP or in existing cloud services. Channels for transmission include , FTP and web browsers Whitepaper - Cloud Security 5 9

6 Cloud computing protection goals A list of protection goals forms the basis of the security requirements for cloud computing systems. Key protection goals include the following: Availability: The cloud computing system must allow authorized utilization of its resources at all times. Availability should remain unaffected by the level of cloud service demand and even by targeted attacks on public networks, such as distributed denial of service. System configuration and hardware errors should not noticeably affect availability. Data must be protected from manipulation by third parties in order to guarantee their completeness, currency, authenticity and trustworthiness. Integrity: Data must be protected from manipulation by third parties in order to guarantee their completeness, currency, authenticity and trustworthiness. Checksums and file signatures can show up any changes. Cloud administration interfaces must also be secured. Confidentiality: Users should not be given access to information without authorization. This requires the implementation of a permissions system that limits access to data to authorized users. Access controls enforce compliance with these permissions and cryptographic techniques safeguard confidentiality. Companies should be able to delete data without leaving any traces. Authenticity: Information is considered authentic if it can be attributed to the sender or writer, and if proof is available that the information was not changed after it was created and sent. This requires the secure identification and authentication of cloud users and of the cloud service itself, by means of passwords, security tokens or digital signatures. Accountability: Actions must be clearly attributable to those performing them. The system should log the person s identity and the action itself should be time-stamped. This is an important pre requisite for legally binding electronic transactions and to protect against tampering. Legitimacy: Accountability can be set up using cryptographic methods to ascertain its legitimacy. A legitimacy protocol can specify how legitimacy is to be proven, such as with the use of digital signatures. Privacy: A system should only collect, store and process user data if they are necessary to the provision of the service. These data should only be accessible to authorized individuals. In addition, the system should provide complete, up-to-date and traceable documentation of all personal data. A system should only gather, store and process user data if they are necessary to the provision of the service. Whitepaper - Cloud Security 6 9

7 Requirements for a secure cloud Data in the cloud should be fully shielded and encrypted. The following provides an overview of some of the most essential security requirements for a cloud platform. Secure communication: Every communication between the cloud and the user and between the cloud and the administrator or service provider, as well as between individual cloud servers and locations must be encrypted (SSH, IPSec, TLS/SSL, VPN). Companies should ensure they comply with current cryptographic standards. Encryption: All documents should be stored securely on file servers using recognized encryption techniques. The security properties (passwords, permission system etc.) should also be stored in encrypted form. This also goes for backups. Data shielding: Data in the cloud should be fully shielded and only made available to authorized users. Cloud service providers, software providers and administrators should never have any access to sensitive data. Providers may analyze encrypted data transmissions to check for spam or viruses, but the provider should always be inform the customer of this fact and protect this potential vulnerability from unauthorized access using both technical and organizational means. Two-factor authentication, digital rights management and a tamperproof audit trail are important parts of cloud security. Access control: On both the customer and administrator sides, access control should completely block access by unauthorized third parties. It can include time limits for accessing certain types of content, as well as two-factor authentication that uses two different communication channels. For example, users may receive an containing a link to a protected document but they can only access it once they have entered an additional one time code texted to their cell phone. A two-person control process should be implemented for critical administrator activities. However, administrators should only be allocated the permissions they need to do their job. Rights management: Document-based digital rights management enables users to define what can be done with their content. For example, they may restrict a document to read-only mode that prevents the recipient from altering it. Audit trail: Another important measure for companies is a tamper- proof audit trail that logs all the changes made to a document, as well as who made them and when. This audit trail should only be available to authorized users. Data protection: The cloud service provider should provide documentation of data protection management, including both IT security and incident management. The provider can complement this with clear auditing based on compliance criteria, to be conducted by an independent organization. Usability: The cloud platform should facilitate collaboration in a company by being easy to use and easy to integrate into the existing infrastructure. Whitepaper - Cloud Security 7 9

8 Server security: The operating systems used on the servers must include protection against attacks. Technical means, such as host firewalls and integrity checks, ensure the protection of the host. Companies should also ensure they are using certified hypervisors. The operating systems used on the servers must include protection against attacks. Network security: Network attacks should be blocked with security tools such as firewalls, while malware protection is available with antivirus, antispam and Trojan detection solutions. The network should also include resilience against external attacks like distributed denial of service, particularly if the company requires a high level of availability. All cloud architecture components should be configured for security and the management network separated from the data network. Datacenter security: Datacenters are the technical foundation of cloud services and must ensure security is based on state-of-the- art technologies. These include redundancy for all important components, access controls on doorways, a robust infrastructure and fire protection. If the company requires failsafe operation, it should set up a redundant datacenter too. Datacenters are the technical foundation of cloud services and must ensure security is based on state-of-the-art technologies. Server location: The service provider should inform the customer of the location of the server. This will determine which state authorities can access it, if they are required to by a court order or similar ruling. Security level: Customers benefit from the implementation of a recognized management system for information security and proof of adequate protection for confidential data, such as with certifications. Organizational measures can also be used, giving the customer a dedicated contact person to answer security questions. Multi-device access: The cloud service provider must support access to the data in the cloud using a variety of different user devices. If users can work flexibly with a secure platform, they will not be tempted to share data by moving them to a non-secure environment. This means that they should be able to access intranet data from their desktop in the office as well as from their home office over the internet. They should also be provided with secure access from their tablets or smartphones via mobile networks. If users can work flexibly with a secure platform, they will not be tempted to share data by moving them to a non-secure environment. Whitepaper - Cloud Security 8 9

9 Secure cloud computing is a reality Information security and cloud computing are no longer a contradiction in terms as long as the cloud service provider meets the customer s security goals. To do this, the provider must comply with a range of concrete requirements. Current security certifications and data protection audits can give customers valuable information on whether their provider is really implementing the required security measures throughout to ensure compliance. The audits can also help customers decide whether they would be able to achieve the same level of security and data protection using their own resources. Security certifications and data protection audits reinforce completeness and legal compliance. Brainloop.simply secure. Thousands of users on six continents rely on Brainloop s Boston, London, Munich, Vienna and Zurich offices and a network of international partners for exceptional service and support. If you re facing the challenge of keeping confidential files safe, meeting corporate confidentiality policies or collaborating with partners, board members and other valued stakeholders outside your corporate network, Brainloop - the secure enterprise information company - is here to help. info@brainloop.com Copyright 2014 Brainloop WP Whitepaper - Cloud Security 9 9