Cloud IaaS: Security Considerations



G00210095 | Published: 7 March 2011 | Analyst(s): Lydia Leong, Neil MacDonald

Ensuring adherence to your organization's security and compliance requirements is one of the most significant challenges to overcome when sourcing a cloud infrastructure-as-a-service (IaaS) solution. The security capabilities of service providers vary greatly. IT managers must understand the reality of what's available in the cloud. Diligence is required in the procurement process, along with independent confirmation of service provider claims.

Key Findings

- Cloud IaaS can be sufficiently secure for enterprise needs, but different IaaS offerings have very different levels of security.
- A Statement on Auditing Standards No. 70: Service Organizations (SAS 70) audit is not proof of security or regulatory compliance.
- Security certifications may still be useful but do not, by themselves, constitute proof of adequate security.
- Emerging industry efforts to define cloud compliance and maturity standards, such as the Cloud Security Alliance (CSA) and the Common Assurance Maturity Model (CAMM), hold promise and should be used as input to define the enterprise's own standards.

Recommendations

- Determine your actual security requirements; don't overestimate your needs, particularly compared with your own internal data center.
- Develop guidelines for evaluating the security of IaaS and other cloud-based services.
- When evaluating cloud offerings, discuss operational and security requirements early on, just as you would if the service were being developed internally.
- Examine the details of a provider's IaaS implementation to assess the quality of its security.
- Consider using cloud computing only when the vendor is sufficiently transparent to ensure it meets your business's needs for security and compliance.
- Perform a risk assessment to understand the proper trade-off between security and cost.

Table of Contents

Analysis
  Security and Compliance
  Don't Rely Solely on Audits
  Security Architecture and Services
  Identity and Access Management
  Staffing
  You Are Responsible
Recommended Reading

List of Figures
Figure 1. Key Concerns When Implementing Cloud Computing

Analysis

As described in "Evaluating Cloud Infrastructure as a Service," not all cloud IaaS offerings are created equal, despite superficial similarities in the way the offerings are described. There is considerable variance in service provider design goals, in the quality of the technical implementations, and in the cost-effectiveness and value for money of those implementations. This is part of a series of reports detailing the differences in the technical architectures and business models of IaaS offerings. This document is focused on security and compliance considerations.

Security and Compliance

Gartner's surveys and polls consistently show that security, privacy and compliance are the greatest concerns of organizations considering cloud computing solutions. These include IaaS solutions, whether the organization is implementing IaaS within its own data center, outsourcing private IaaS or using public IaaS. (See "Survey Analysis: Global Adoption of Cloud Computing, a View From Above" for more details on Figure 1, which shows the percentage of respondents who ranked each concern in their top three.)

Figure 1. Key Concerns When Implementing Cloud Computing
[Bar chart: percentage of respondents (0 to 60%) who ranked each concern in their top three, broken out by existing versus planned cloud users. Concerns, in the order charted: security of service; data location, privacy or access concerns; cost uncertainty or variability; inadequate service levels (e.g., availability, performance or reliability); increased business risk; perceived loss of control or choice of technology; lack of industry standards for cloud computing; lack of awareness of, or confidence in, the model; dealing with compliance or regulatory controls; lack of suppliers with satisfactory credentials or reputation; inadequate contract terms or termination arrangements; other.]
Source: Gartner (March 2011)

There are no easy generalizations when it comes to the security measures implemented by IaaS providers; every service provider has different administrative, physical and logical security controls. For more general guidance on security and compliance in the cloud, consult "What You Need to Know About Cloud Computing Security and Compliance."

Don't Rely Solely on Audits

Some IaaS providers use SAS 70 Type II audits as "proof" of their security. Unfortunately, SAS 70 does not review a provider's security controls for usefulness; it merely verifies that the provider carries out the procedures it has documented, without any judgment as to whether those controls are good ones. The results of such an examination are unlikely to provide adequate information, as it is a process-only review that is explicitly not intended to be a technical review. (See "SAS 70 is Not Proof of Security, Continuity or Privacy Compliance.")

Security certifications may be more useful, but be cautious. For instance, International Organization for Standardization (ISO) 27001, which is a security certification standard, is often taken as evidence of efficacy against ISO 27002's defined security control framework, but it is possible to obtain an ISO 27001 certification without using ISO 27002. Ensure both are used in the certification process, and check what the certificate's scope statement actually covers. Certifications are by no means a comprehensive evaluation of a provider's security posture, nor is a lack of certifications an indication that a provider does not have excellent security controls.

Because audits and certifications are expensive and time consuming, providers often elect not to pursue them, or use them only in a very limited way. Most service providers that claim SAS 70, for instance, extend their audit only to their physical data centers, not to the actual infrastructure service. While you may be interested in a provider's SAS 70 and other third-party audits and security certifications, do not use these as a substitute for doing your own security evaluation. (See "What You Need to Know About Cloud Computing Security and Compliance.")

Similarly, while the provider may claim that it can comply with various requirements (for example, the Sarbanes-Oxley Act [SOX], Federal Information Security Management Act [FISMA], Health Insurance Portability and Accountability Act [HIPAA] and Payment Card Industry Data Security Standard [PCI DSS]), the burden is on you to ensure that it does. In many cases, it might be able to meet part of a standard, in certain circumstances, but those circumstances might not apply to you; in particular, many IaaS providers meet PCI standards for customers that do not store cardholder data, but cannot meet the standards for customers that directly process credit cards.
Also, be aware that your auditor does not have to accept the cloud provider's audit. For instance, several cloud IaaS providers have obtained PCI certifications where the audit specifically excludes certain clauses of PCI DSS, most importantly the clause that does not permit multitenancy of servers. Your auditor may or may not agree that the strength of separation provided for workloads meets the PCI requirements.

Your organization should set mandatory security requirements during the procurement process for any cloud-based service. Standards for assessing cloud provider security capabilities are emerging from organizations such as the CSA, the CAMM and the U.S. Federal Risk and Authorization Management Program (FedRAMP). These standards should be used as the foundation for your own organization's cloud security requirements.

Security Architecture and Services

Most IaaS providers have rigorous administrative and physical security controls for their data centers. Such data centers are typically anonymous, hardened structures, with security guards, security cameras, and layered access with multiple authentication mechanisms (including biometrics) and access logging.

IaaS providers usually offer network security with defense in depth. The service provider may have automatic mitigation of threats such as distributed denial-of-service (DDoS) attacks, and may also automatically halt activity against its infrastructure that it deems malicious, such as automatic blocking of port scanning attempts, whether originating externally or internally.

Most IaaS offerings come with a basic firewall service included, allowing the customer to filter specific ports and Internet Protocol (IP) address ranges, with the default configuration offering minimal access. Preferably, the default configuration should use a default-deny approach, where the customer must explicitly define the access to be granted; a default-allow configuration exposes every port the customer forgot to list. More complex intrusion detection system (IDS) and intrusion prevention system (IPS) functionality may also be offered; this may be included and mandatory for all customers, or an optional service for an extra fee. Customers can always install additional software-based appliances, typically in the form of a virtual machine (VM), for additional security controls. Some providers may also allow the deployment of security-related hardware in front of the customer's IaaS environment, even if that environment is shared.

Most IaaS providers take measures to provide some virtual network isolation to customers, by offering individual virtual LANs (VLANs), virtual routers and virtual switches to each customer. Providers also usually take steps to secure their network traffic, with protection from network sniffing, spoofing and local denial-of-service attacks. As most IaaS offerings are built on virtualized infrastructure, providers may also provide some security from within the virtualization layer itself for stronger separation of VMs on the same physical host. For instance, providers with VMware-based infrastructures may support the vShield line of firewalls, as well as the VMsafe API, which allows security products to take advantage of the hypervisor's view of the VMs in order to detect and protect against threats; for example, this allows antivirus scanning to be performed without requiring agents in each VM.
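The difference between a default-allow and a default-deny firewall service is easier to see in code than in prose. The following is an added example, not code from this note or from any provider: a small first-match rule evaluator in which the rule format, the evaluation order, the office address range and the `lint` checks are this example's own assumptions. It compares two constructed rulesets that both publish a web front end and shows that, under default allow, a port the customer never listed (3306/tcp here) is reachable from the Internet, while the default-deny ruleset only admits what was explicitly granted. The lint pass also flags the checks a practitioner would run on a provider's starting configuration: a non-deny default and administrative ports open to 0.0.0.0/0.

```python
# Added example, not from the Gartner note: a first-match model of a basic
# IaaS firewall service. Rule format, evaluation order and lint checks are
# this example's own assumptions, not any provider's API.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR, e.g. "203.0.113.0/24"; "0.0.0.0/0" is anywhere
    ports: tuple   # (low, high) inclusive destination port range


@dataclass
class Policy:
    rules: list
    default: str   # verdict when no rule matches: "allow" or "deny"

    def decide(self, proto, src_ip, port):
        """Return the verdict for one inbound packet; the first matching rule wins."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.proto not in ("any", proto):
                continue
            if ip not in ipaddress.ip_network(r.src, strict=False):
                continue
            if r.ports[0] <= port <= r.ports[1]:
                return r.action
        return self.default


ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 1433: "mssql"}


def lint(policy):
    """Findings a practitioner would want before accepting a provider's default config."""
    findings = []
    if policy.default != "deny":
        findings.append("default policy is not deny: unlisted ports are reachable")
    for r in policy.rules:
        if r.action != "allow":
            continue
        anywhere = ipaddress.ip_network(r.src, strict=False).prefixlen == 0
        lo, hi = r.ports
        if anywhere and (lo, hi) == (0, 65535):
            findings.append("rule allows every port from anywhere")
        elif anywhere:
            exposed = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append("admin service(s) open to 0.0.0.0/0: " + ", ".join(exposed))
    return findings


# Constructed rulesets. Both publish a web front end; only the second one
# restricts SSH to an assumed office range (203.0.113.0/24) and denies the rest.
WEB = [Rule("allow", "tcp", "0.0.0.0/0", (80, 80)),
       Rule("allow", "tcp", "0.0.0.0/0", (443, 443))]
WEAK = Policy(WEB, default="allow")
HARDENED = Policy(WEB + [Rule("allow", "tcp", "203.0.113.0/24", (22, 22))], default="deny")


def exposure(policy, src_ip="198.51.100.7", ports=(22, 80, 443, 3306)):
    """Map each probed port to the verdict an arbitrary Internet host would get."""
    return {p: policy.decide("tcp", src_ip, p) for p in ports}


if __name__ == "__main__":
    for name, pol in (("default-allow", WEAK), ("default-deny", HARDENED)):
        print(name, exposure(pol), lint(pol))
```

Run stand-alone, the script prints the verdicts for both rulesets; `exposure(WEAK)` returns `allow` for 22 and 3306 even though neither port appears in a rule, which is exactly the failure mode a default-deny starting configuration avoids.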
(See "VMware Pushes Further Into the Security Market With Its vShield Offerings" for details.)

IaaS providers also take measures to provide security in their storage offerings, and may offer options such as data encryption. Storage security is detailed as part of "Cloud IaaS: Adding Storage to Compute."

IaaS providers may offer antivirus services as part of their core offering; indeed, some IaaS providers mandate antivirus for all customers. They may also offer host-based IDS and IPS, configuration auditing (usually based on software such as Tripwire) and a Web application firewall. These services may be included with the base compute service, or may be extra-fee options. Note that most IaaS contracts explicitly prohibit the use of network-based vulnerability scanning tools, so host-based approaches may be the only ones viable for configuration auditing.

Many IaaS providers offer other security services as well, including managed and professional services. The most common additional service is security information and event management (SIEM), or more basic log monitoring and management. This is most frequently implemented using an appliance from a vendor such as LogLogic, or via a third-party partner service such as Alert Logic. (See "Security Monitoring and Assessment for Cloud Environments" for more.)

Some IaaS providers are able to generate compliance reports as part of their service, consolidating provisioning reports, scanning reports, logs and the like into a single set of documents readily accessed via their customer portal. As a future market differentiator, we expect that this information will be able to be integrated into, and accessed from, an enterprise's own security information and risk management consoles.

Identity and Access Management

There are two areas of concern with identity and access management (IAM): access by the IaaS provider's own staff (discussed in the "Staffing" section) and access by its customers.

IAM is a foundational component of an IaaS offering. Historically, IaaS providers have kept their own identity databases and authenticated against those databases. However, customers are increasingly demanding integration with other sources of identity data, such as Microsoft Active Directory, or support for identity federation standards such as OpenID and Security Assertion Markup Language (SAML), and providers are responding accordingly.

IaaS providers normally have to secure three forms of customer access to their infrastructure: interactive access to the customer portal, API access and access to the VMs themselves. Many providers now offer an option for multifactor authentication for interactive access, which typically uses a device such as RSA's SecurID. Most providers encrypt browser access to the customer portal via Secure Sockets Layer (SSL). API access is typically gained using an API key, but providers may also support other options, such as the use of X.509 certificates. Finally, access to the VMs may be accomplished either through console access or remote access (such as via Secure Shell [SSH] or secure terminal services); this typically uses the authentication scheme of the guest OS.

Providers might or might not log accesses to their customer portal and API; even if they do log accesses, these logs might not be available to the customer. They usually do not log accesses to VMs, although the customer might be able to do so; most guest OSs will do so by default.

One special case of access management is the control mechanism used for initial access to a newly provisioned VM.
Some providers are able to preprovision a secure form of access, such as installing SSH keys when a VM is provisioned. Others generate an administrative password and make it available to the user in some way, such as via their portal or, less securely, out of band in cleartext via e-mail or SMS.

Staffing

IaaS providers may subject their operations personnel to background investigations. Some IaaS providers can also support more specialized needs, such as ensuring that operations are performed only by personnel who hold security clearances. In most cases, different personnel are responsible for managing the physical infrastructure (such as replacing failed equipment) and the logical infrastructure (such as maintaining the underlying virtualization platform). Providers generally subscribe to the principle of least privilege. They typically log all infrastructure accesses by their personnel.

For self-managed IaaS, the provider's staff generally does not have access to customer VMs. If this is a managed service, however, the provider's staff generally has access to, and responsibility for, the VMs; in this case, the provider might or might not create auditable records of staff access and activities.
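Returning to the three customer access paths in the Identity and Access Management section above: one common form of the "API key" access mentioned there is a key identifier paired with a shared secret, where the client signs each request and the provider recomputes the signature. The following is an added example, not the note's content and not any provider's real API; the header names, the canonical string, the five-minute window and the credential store are this example's own assumptions. It shows both sides of the exchange and the three things a customer should expect such a scheme to reject: a tampered body, a stale timestamp and a replayed request.

```python
# Added example, not from the Gartner note or any provider's API: API-key
# authentication as a key identifier plus a shared secret that signs each
# request (HMAC-SHA256). Header names, the canonical string, the replay
# window and the credential store are this example's own assumptions.
import hashlib
import hmac
import time

# Constructed credential store (key id -> secret). The secret is held by both
# ends and is never sent; only the signature travels with the request.
KEYS = {"AKIDEXAMPLE": b"constructed-secret-do-not-reuse"}
WINDOW = 300  # seconds of clock skew the server tolerates


def canonical(method, path, query, timestamp, body):
    """Bind method, path, query, time and body into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash]).encode()


def sign(key_id, secret, method, path, query, body, timestamp=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time() if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical(method, path, query, ts, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: recompute and compare, then refuse stale or replayed requests."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now      # injectable clock so the time checks are testable
        self.seen = set()   # signatures already accepted; production code would
                            # drop entries older than WINDOW, which is all a
                            # replay can reuse once the timestamp check passes

    def verify(self, headers, method, path, query, body):
        secret = self.keys.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(self.now() - ts) > WINDOW:
            return False, "timestamp outside window"
        expected = hmac.new(secret, canonical(method, path, query, ts, body),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a plain == would leak how many leading
        # characters of a guessed signature were right.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if expected in self.seen:
            return False, "replay"
        self.seen.add(expected)
        return True, "ok"


if __name__ == "__main__":
    req = ("POST", "/v1/servers/42/action", "op=reboot", b'{"hard": true}')
    headers = sign("AKIDEXAMPLE", KEYS["AKIDEXAMPLE"], *req)
    server = Verifier(KEYS)
    print(server.verify(headers, *req))   # accepted once
    print(server.verify(headers, *req))   # the same request again is a replay
```

Because the body hash is part of the signed string, a captured request cannot be edited to reboot a different server or change its payload, and because the timestamp is part of it, the window check cannot be bypassed by rewriting the header. The same structure is what a customer should look for when a provider offers X.509 certificates instead: something bound to the request, not a bearer secret sent as-is.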

Many IaaS providers keep a security staff that is trained in forensic security and in dealing with law enforcement. Many providers also maintain active ties with the security operations staff at other service providers, particularly network service providers, cooperating to deal with threats such as DDoS attacks.

You Are Responsible

Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider's capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.

Using input from the CSA, CAMM and other emerging cloud security standards, ensure your organization has defined its own criteria for evaluating the security of cloud-based services, including: WAN and LAN communications; the physical data center; the physical network and hosts; the virtualization platform; storage; and guest VMs.

Make sure that any cloud-based provider that you consider is transparent in its security processes and controls. While the provider may have third-party audits and claim certifications, these must be investigated further. You must evaluate the provider's claims against your specific security and compliance needs.

Because the customer is responsible for the contents of its workloads, the responsibility for resilience of the IaaS service is shared between the provider and the customer. The IaaS provider is responsible for resiliency in the data center and the hardware; availability options for the computing infrastructure are discussed in "Cloud IaaS: How Compute Resources Are Delivered." However, the customer is responsible for architecting resiliency into its application, and into its networking choices.
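The Identity and Access Management section notes that providers usually do not log access to VMs but that the guest OS does by default, and this section leaves host-level controls inside the workload to the customer. As an added example of what that responsibility looks like in practice (not from the Gartner note; the log lines are constructed, and the threshold, window, alert names and the assumption that only key-based logins are expected are this example's own), here is detection logic run over a few sshd lines in the syslog format a Linux guest writes by default. It flags a password-guessing burst from one source, the successful login from that same source that matters most, and a password login on a VM where only key-based access is expected.

```python
# Added example, not from the Gartner note: detection logic over the sshd
# lines a Linux guest writes to its auth log by default. The log lines are
# constructed; thresholds and alert names are this example's own assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse(line):
    """Return the fields of an auth event, or None for lines that are not one."""
    m = LINE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return ev


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (alert, source_ip, user) tuples in the order the evidence appears."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    suspects = set()               # sources already reported for guessing
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in suspects:
                suspects.add(ip)
                alerts.append(("brute_force", ip, ev["user"]))
        elif ip in suspects or failures[ip]:
            # A success from a source that was guessing is the event to act on.
            alerts.append(("success_after_failures", ip, ev["user"]))
        elif ev["method"] == "password":
            # Assumed policy: only key-based logins are expected on these VMs.
            alerts.append(("password_login", ip, ev["user"]))
    return alerts


# Constructed sample: a guessing burst that succeeds, a normal key-based
# login, a non-auth sshd line, and a password login from a third source.
SAMPLE_LOG = """\
Mar  7 10:00:01 vm01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  7 10:00:02 vm01 sshd[2203]: Failed password for root from 198.51.100.23 port 51130 ssh2
Mar  7 10:00:03 vm01 sshd[2207]: Failed password for invalid user oracle from 198.51.100.23 port 51141 ssh2
Mar  7 10:00:04 vm01 sshd[2210]: Failed password for root from 198.51.100.23 port 51150 ssh2
Mar  7 10:00:05 vm01 sshd[2214]: Failed password for root from 198.51.100.23 port 51158 ssh2
Mar  7 10:00:06 vm01 sshd[2219]: Failed password for invalid user test from 198.51.100.23 port 51166 ssh2
Mar  7 10:00:09 vm01 sshd[2230]: Accepted password for root from 198.51.100.23 port 51200 ssh2
Mar  7 10:05:00 vm01 sshd[2300]: Accepted publickey for deploy from 203.0.113.9 port 40122 ssh2: RSA SHA256:c0nstructedF1ngerprint
Mar  7 10:05:00 vm01 sshd[2300]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  7 10:06:00 vm01 sshd[2350]: Accepted password for ubuntu from 192.0.2.77 port 33001 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The ordering matters: the `success_after_failures` branch is checked before the password-method check, so a source that guessed its way in is reported as such regardless of which method finally worked, and a source with failures below the threshold still triggers it, since any prior failure from the same address makes the later success worth a look.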
Not all workloads and data will be suitable for cloud IaaS deployment. Some are best kept on premises. However, given the availability of private cloud IaaS, as well as of providers that focus on meeting demanding security and compliance requirements, cloud IaaS can potentially meet a wide range of needs.

Recommended Reading

"Cloud IaaS: Networking Options"
"Cloud IaaS: Service-Level Agreements"
"Cloud IaaS: Service and Support Models"
