Ensuring security: the last barrier to Cloud adoption
Publication date: March 2011

Cloud computing has powerful attractions for the organisation. It offers near-instant access to a highly flexible computing resource and the ability to make major cost savings through outsourcing. Yet for many organisations, the final barrier to adopting Cloud computing is whether it is sufficiently secure. This White Paper examines the perceived risks, assesses whether they are justified, and examines the technology and measures that can make security in the Cloud a reality.

Why are organisations attracted to Cloud computing?

Cloud computing supplements or replaces an organisation's physical computing environment with flexible, scalable Internet and virtualisation technology. With Cloud computing, the organisation does not have to keep adding capital-intensive IT assets to meet growing storage and processing requirements. It can access computing resources as required (including during sudden peaks in demand) and pay only for what it uses. As data is stored remotely, employees can access it wherever they are; this allows flexible working and stimulates productivity. Meanwhile, IT employees previously involved in maintaining in-house data centre resources can take on other, business-facing roles.

These business arguments are proving highly persuasive. In a recent Forrester survey of 2,803 IT decision-makers, 49% of North American companies and 45% of European companies reported that pursuing a strategy of embracing cloud infrastructure services was a high or critical priority during the next 12 months [1].

The main perceived security problems

So far, the issue most dissuading organisations from adopting Cloud computing is security. One recent survey found that 75% of respondents felt security while using the Cloud was a major concern [2].

Organisations seek reassurance on several points: that accessing the Cloud will not compromise their security; that their sensitive data and intellectual property will be protected; that they can retrieve their data if they want to change Cloud provider, or if their provider ceases trading; and that they can maintain their customer service standards and competitive performance.

Internet access: a benefit and a weakness

Foremost among Cloud security concerns is the exposure of anything reachable from the Internet to threats such as hacking, DDoS and viruses. Within an organisation's LANs and WAN, data is comparatively easy to control, track and secure. But the more points at which that data is exposed to the Internet, the greater the attack surface it presents. Public Internet Cloud services offer easy access via the web, but this benefit is also a weakness. Customers can easily access the platform, but so too can any other Internet user, making each connection a potential route for attack.

Points of connection into the platform include: end users accessing applications run from the Cloud; customers connecting to manage their service; server and application teams accessing the platform for configuration or management; and service providers connecting to manage the platform. In a Software as a Service (SaaS) Cloud offering, or any other Internet-delivered Cloud service, three of those four key connections are over the Internet and hence exposed (as depicted on the left in the illustration below). Only the service provider's management interface is inside the security perimeter. Although internal attacks are a possibility, most security threats will come from outside, i.e. from the Internet. The more Internet exposure, the greater the risks.

[1] Source: Q&A: Demystifying Cloud Security, Forrester Research Inc., 29 October 2010
[2] Source: Data Centre World survey

[Figure: two panels, each showing Platform, User Access and Customer connections, with the left panel labelled Internet and the right panel labelled Internal. Caption: The public Cloud, left, exposes more potential attack surfaces to the Internet than a platform where most access is via internal networks.]

Ensuring safe access

Cloud providers who can integrate their service within private networks, both their own and their customer's, offer much greater security. By keeping the majority of the key connections inside the network, exposure to the Internet is minimised. In the example above on the right, only provisioning is accessed via the Internet. This connection is relatively easy to control compared with, say, end user access, and exposure to risk here can be further mitigated by additional safeguards.

Where is the data?

Organisations are understandably concerned about data security in the Cloud. They are used to safeguarding their data within visible, physical hardware. The Cloud, however, is nebulous and intangible; an organisation cannot see where its data is stored or how it is handled, raising doubts about its safety. Of course, data in the Cloud still has a physical location: the Cloud provider's data centre. But because this centre is remote, there may still be concerns about where the data is and how safe it is. If there are multiple data centres, perhaps in different countries, does the organisation have to comply with additional jurisdictions' laws? And is there any way of telling which data resides where?

Identifying what's stored where

Choosing a provider whose data centres are all in the same country simplifies compliance. For UK organisations, having only UK data centres makes compliance easier to prove, and offers the opportunity to inspect the centres' security arrangements, subject, of course, to the customer's employees being security cleared beforehand.

Organisations should look for a provider who can identify which centre stores specific data, with reassurance that it is duplicated in a separate centre to allow continued access should the first centre go out of service. Customers also need to know what happens to their data when storage disks they no longer require are reused for another customer. Although their data should be erased, an ordinary delete only releases the storage blocks and leaves their contents in place, so there is always the chance the data may be found by the next user's disk recovery tool. Not all Cloud providers are diligent, so an organisation needs to check that there is a comprehensive, effective disk erasure policy in place, and that erasure is verified rather than assumed.
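The reuse risk described above is easy to demonstrate. The following is an added example, not code from the White Paper or from Vodafone: a toy block volume, whose layout, allocation map and "payroll" data are all constructed for illustration, shows why an ordinary delete leaves data recoverable, why a wipe job that stops early leaves residue, and what an erasure check should actually verify before a disk is handed to the next customer.

```python
"""Data remanence on reused storage (added illustration; not any provider's
storage code). A filesystem delete normally only releases sectors; the bytes
stay on the device until something overwrites them, which is exactly what a
later tenant's recovery tool goes looking for. The final check is the one a
customer should ask for: every free sector must actually read back as wiped.
"""

SECTOR = 512


class Volume:
    """Toy block volume: raw sectors plus a map of which sectors are in use."""

    def __init__(self, sectors):
        self.raw = bytearray(sectors * SECTOR)
        self.used = [False] * sectors

    def write(self, data):
        """Store data in the lowest free sectors; return the sectors used."""
        placed = []
        for off in range(0, len(data), SECTOR):
            chunk = data[off:off + SECTOR]
            idx = self.used.index(False)          # ValueError if the volume is full
            self.used[idx] = True
            self.raw[idx * SECTOR:idx * SECTOR + len(chunk)] = chunk
            placed.append(idx)
        return placed

    def delete(self, sectors):
        """An ordinary delete: release the sectors, leave their bytes untouched."""
        for idx in sectors:
            self.used[idx] = False

    def sanitise(self, limit=None):
        """Overwrite free sectors with zeros. `limit` models a wipe job that
        stops early. Returns the number of sectors actually wiped."""
        wiped = 0
        for idx, busy in enumerate(self.used):
            if busy or (limit is not None and wiped >= limit):
                continue
            self.raw[idx * SECTOR:(idx + 1) * SECTOR] = bytes(SECTOR)
            wiped += 1
        return wiped


def recover(vol, marker):
    """What the next tenant's recovery tool does: scan the raw device for
    anything recognisable. Returns the byte offset of `marker`, or -1."""
    return bytes(vol.raw).find(marker)


def dirty_free_sectors(vol):
    """Erasure verification: free sectors that still hold non-zero bytes."""
    return [idx for idx, busy in enumerate(vol.used)
            if not busy and any(vol.raw[idx * SECTOR:(idx + 1) * SECTOR])]


# Constructed tenant data: 32 bytes x 30 = 960 bytes, so it spans two sectors.
SECRET = b"ACME payroll: CEO salary 250000\n" * 30


def walkthrough():
    """Delete, wipe incompletely, then wipe properly; report each stage as
    (secret still recoverable?, free sectors that are still dirty)."""
    vol = Volume(8)
    sectors = vol.write(SECRET)
    vol.delete(sectors)
    after_delete = (recover(vol, b"payroll") >= 0, dirty_free_sectors(vol))
    vol.sanitise(limit=1)                      # wipe job that stops after one sector
    after_partial = (recover(vol, b"payroll") >= 0, dirty_free_sectors(vol))
    vol.sanitise()
    after_full = (recover(vol, b"payroll") >= 0, dirty_free_sectors(vol))
    return {"delete": after_delete, "partial": after_partial, "full": after_full}


if __name__ == "__main__":
    for stage, (found, dirty) in walkthrough().items():
        print(f"{stage:8s} secret recoverable={found} dirty free sectors={dirty}")
```

On real hardware the same idea applies, but the verification has to read the device below the filesystem (the raw block device, or the provider's storage layer), and for flash and thin-provisioned storage an overwrite is not always enough because remapped or over-provisioned blocks are not reachable from the host; that is why the erasure policy, not just the wipe command, is what should be inspected.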

Will a shared environment mean more risks?

Multi-tenant Cloud environments are attractive because the expense of the Cloud infrastructure is shared across all the customers, reducing the cost for each business. But how effectively are an organisation's access, services and data separated from those of other customers? The Cloud provider should be able to demonstrate that it has established effective barriers between a customer's data and the outside world, and between that customer and the other customers sharing the same platform. Sufficiently robust partitioning should be in place to ensure that no traffic can pass between customers, and that none of their virtual machines in the Cloud can access, or be accessed by, other tenants in that environment. Organisations should closely examine the Cloud provider's service architecture.

The same level of separation should also be available within the customer's own share of the Cloud. An organisation's internal processes and applications are designed to allow control of communication and traffic (so, for example, a line manager cannot access finance or HR records to discover the CEO's salary). The Cloud provider should be able to support this segmentation, so the customer can control which virtual machine (or group of machines) employees can access, and which departments can access management and provisioning functions.

Safeguarding availability

One of the main appeals of Cloud computing is its agility, allowing organisations to flex the amount of resources they need at any time. On a multi-tenant platform, it should not be possible for one customer to consume so much of the shared resources that it reduces another customer's service availability. Consequently, the Cloud provider must always allocate sufficient resources to accommodate sudden peaks in demand from all their tenants simultaneously. This represents a major commitment on the part of the Cloud provider, so customers need to satisfy themselves that the provider really does have sufficient capacity.

In fact, the resources should be over-specified, so that if one or more servers fail there is still enough capacity to ensure service availability. Equally, within the customer's own share of the platform, one virtual machine should not be able to dominate the available resources and compromise the performance of the other virtual machines. The Cloud provider should have controls in place to prevent this happening. These controls should be sufficiently flexible to assign each virtual machine the capacity it needs to fulfil its role, and should make sure that capacity is capped automatically.
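The two availability requirements above (no virtual machine may dominate a shared pool, and the pool must have headroom for host failures) can be made concrete. The following is an added example, not the White Paper's or Vodafone's scheduler: the VM names, demands, weights and caps are constructed, `first_come` models a platform with no controls, and `fair_share` is a weighted max-min fair allocator with per-VM caps, the kind of control the text asks for.

```python
"""Resource controls on a shared platform (added example; constructed data).

Each VM is (demand, weight, cap): what it is asking for, its share when the
pool is contended, and the hard ceiling it must never exceed. `fair_share`
uses progressive filling: every still-unsatisfied VM receives capacity in
proportion to its weight until it reaches its demand or its cap, at which
point it is frozen and the rest share what remains. Fractions keep the
arithmetic exact so the results can be checked precisely.
"""
from fractions import Fraction
from math import inf


def _limit(vm):
    """A VM can never be given more than the smaller of its demand and its cap."""
    demand, _weight, cap = vm
    return min(demand, cap)


def first_come(capacity, vms, order):
    """No controls: each VM takes what it asks for until the pool is empty,
    so whichever VM arrives first can starve the rest."""
    alloc, remaining = {}, Fraction(capacity)
    for name in order:
        take = min(Fraction(vms[name][0]), remaining)
        alloc[name] = take
        remaining -= take
    return alloc


def fair_share(capacity, vms):
    """Weighted max-min fair allocation with per-VM caps."""
    alloc = {name: Fraction(0) for name in vms}
    remaining = Fraction(capacity)
    active = {name for name in vms if _limit(vms[name]) > 0}
    while active and remaining > 0:
        total_weight = sum(vms[name][1] for name in active)
        # Largest uniform increment (per unit of weight) that pushes no active
        # VM past its limit and that the remaining pool can fund.
        step = min((_limit(vms[name]) - alloc[name]) / vms[name][1] for name in active)
        step = min(step, remaining / total_weight)
        for name in sorted(active):
            share = step * vms[name][1]
            alloc[name] += share
            remaining -= share
            if alloc[name] >= _limit(vms[name]):
                active.discard(name)     # satisfied or capped: frozen from now on
    return alloc


def survives_host_failures(hosts, per_host, failures, vms):
    """Over-specification check: after `failures` hosts drop out, can the
    pool still fund every VM's guaranteed limit?"""
    return (hosts - failures) * per_host >= sum(_limit(vm) for vm in vms.values())


# Constructed scenario: a 16 vCPU pool, two line-of-business VMs that each
# need 8, and a batch job that will take everything it is offered.
VMS = {"web": (8, 1, inf), "db": (8, 1, inf), "batch": (100, 1, inf)}
CAPPED = {**VMS, "batch": (100, 1, 2)}   # same VMs, but batch is capped at 2


if __name__ == "__main__":
    print("no controls   :", first_come(16, VMS, ["batch", "web", "db"]))
    print("fair, uncapped:", fair_share(16, VMS))
    print("fair, capped  :", fair_share(16, CAPPED))
    print("N+1 with 3 hosts of 8:", survives_host_failures(3, 8, 1, CAPPED))
    print("N+1 with 4 hosts of 8:", survives_host_failures(4, 8, 1, CAPPED))
```

Without controls the batch job takes all 16 vCPUs and the two business VMs get nothing. Fair sharing alone gives each VM 16/3, which still leaves the business VMs short of the 8 they need; adding a cap of 2 on the batch job is what lets them receive 7 each. The failure check shows the other half of the argument: three hosts of 8 vCPUs are enough to run the workload but not to lose one host, so the pool must be over-specified to four.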

How secure is Cloud

The Cloud provider will need to connect to the customer's network to provision and support the service. If this connection is over the Internet, it introduces another potential weak spot. Ideally, the Cloud provider should only be able to access the customer's network via a secure, protected connection. There should also be controls in place to ensure that only the provider's employees directly concerned with the task in hand, whether building the customer's Cloud environment or updating it, are permitted access.

To take full advantage of Cloud computing's agility, customers will want to undertake their own provisioning. However, it is important that access rights can be controlled, to ensure that activities that will incur cost are authorised in line with company policy.

A question of trust

Obtaining definitive answers to all these security questions may prove difficult, particularly if an organisation uses more than one Cloud provider. An organisation might want to audit a provider's service, but how viable this is will depend on the number of customers the Cloud provider serves and the organisation's ranking amongst those customers. If it is only one customer among many thousands, the provider simply may not agree to the audit request. Auditing is a complex and time-consuming exercise, and though some customers (and their clients) insist on it, others may be satisfied that their Cloud provider is accredited to industry standards. Although providers may quote several different standards, ISO/IEC 27001 and 27002 (Information technology, Security techniques) are widely accepted as the most relevant. A certificate shows that a management system and a set of controls exist; it does not by itself show that those controls cover the specific service being bought, so the scope of the certification should be checked.

Finally, there is the Cloud provider's reliability. The Cloud market is fast evolving; although some providers are well established and trusted, others have failed, leaving their customers wondering what has happened to their data. With their reputation and prosperity at stake, customers must be sure their provider has a proven track record and is financially stable.

Safety in the Cloud with Flexible Computing

Vodafone has developed Flexible Computing to offer the benefits of Cloud computing while satisfying its customers' security concerns. We deliver this Cloud on a virtualised platform, accessed over the Vodafone Multi Service Platform (MSP) network across multiple UK data centres. This provides on-demand computing resources closely integrated into a customer's corporate Wide Area Network (WAN).

Minimising access risks

With Flexible Computing, data and services are not exposed to the Internet but are internal, using the customer's WAN and the Vodafone MSP network. Unlike the public Internet, the self-healing MSP is accredited by CESG (the UK Government's National Technical Authority for Information Assurance) to carry protected Government traffic.

Providing data security

Flexible Computing stores customers' data in Vodafone's UK data centres, which meet stringent UK Government standards for security. Customers can be reassured that their data is stored according to UK regulatory compliance requirements; on request, Vodafone will identify which UK data centre holds what data. Dual-site resilience (storing data in more than one centre) is also available, so in the unlikely event of a data centre failing, the customer can still access their data and continue operating.

Creating barriers between tenants

Flexible Computing isolates customers, their networks and their virtual machines from those of other customers sharing the same platform. This partitioning ensures there is no direct route between customers, and can also split each customer's partition into several segments, with appropriate access control between them.

We securely integrate virtual machines running on the Flexible Computing platform into the customer's existing WAN infrastructure via a dedicated firewall context, and can configure them individually to suit the customer's security policy. It is also possible to create separate groups of virtual machines using Private VLANs (PVLANs), allowing customers to securely reproduce their current physical multi-tier structures within the Cloud environment.
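The partitioning described in the multi-tenant section earlier and in the two paragraphs above (no route between tenants, segments within a tenant's partition with access control between them, a dedicated firewall context per customer) can be audited from the rule set itself rather than taken on trust. The following is an added example and is not Vodafone's or the White Paper's own tooling; the tenant names, segments and rules are constructed for illustration. It treats the firewall allow rules as a graph and reports paths a tenant should not have.

```python
"""Segmentation audit for a multi-tenant platform (added example; constructed
tenants, segments and rules).

Model: every tenant has a partition split into segments (tiers or departments);
a per-tenant firewall context holds allow rules and everything else is denied;
the provider's management network is its own segment. The audit walks the
allow rules and reports any path by which traffic could cross between tenants,
break an intra-tenant separation the customer requires, or reach the
management segment from a customer network.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    tenant: str   # owning tenant, or "provider" for the platform's own networks
    name: str     # tier or department, e.g. "web", "db", "hr", "mgmt"


@dataclass(frozen=True)
class Rule:
    """One allow rule in a firewall context (port 0 = any port)."""
    src: Segment
    dst: Segment
    port: int


class Platform:
    def __init__(self, rules):
        self.rules = list(rules)
        self.segments = {r.src for r in self.rules} | {r.dst for r in self.rules}

    def reachable(self, start):
        """Segments a host in `start` could reach, transitively, on any port.

        The closure is deliberately pessimistic: an allow rule from web to app
        plus another from app to a foreign database is treated as a path,
        because a compromised app host is exactly what an attacker pivots from."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for r in self.rules:
                if r.src == cur and r.dst not in seen:
                    seen.add(r.dst)
                    queue.append(r.dst)
        seen.discard(start)
        return seen

    def cross_tenant_paths(self):
        """(src, dst) pairs where traffic could flow between two customers."""
        hits = []
        for src in sorted(self.segments, key=str):
            for dst in self.reachable(src):
                if src.tenant != dst.tenant and "provider" not in (src.tenant, dst.tenant):
                    hits.append((src, dst))
        return hits

    def policy_violations(self, must_not_reach):
        """Intra-tenant separation, e.g. sales must never reach HR records."""
        return [(s, d) for s, d in must_not_reach if d in self.reachable(s)]

    def management_exposure(self, mgmt):
        """Customer segments from which the management segment is reachable."""
        return [s for s in sorted(self.segments, key=str)
                if s.tenant != "provider" and mgmt in self.reachable(s)]


def acme(name):
    return Segment("acme", name)


def beta(name):
    return Segment("beta", name)


MGMT = Segment("provider", "mgmt")

# Constructed rule set that respects the partitioning described in the text.
GOOD = [
    Rule(acme("web"), acme("app"), 8443), Rule(acme("app"), acme("db"), 5432),
    Rule(acme("sales"), acme("app"), 8443),
    Rule(beta("web"), beta("app"), 8443), Rule(beta("app"), beta("db"), 5432),
    Rule(MGMT, acme("app"), 22), Rule(MGMT, beta("app"), 22),
]
# Constructed mistakes: a rule copied between contexts points acme's app tier at
# beta's database; an any-port rule lets sales pivot into HR via app; and
# beta's web tier has been given a route into the management network.
BAD = GOOD + [
    Rule(acme("app"), beta("db"), 5432),
    Rule(acme("app"), acme("hr"), 0),
    Rule(beta("web"), MGMT, 22),
]
POLICY = [(acme("sales"), acme("hr"))]


def audit(rules):
    p = Platform(rules)
    return {"cross_tenant": p.cross_tenant_paths(),
            "policy": p.policy_violations(POLICY),
            "mgmt_exposed": p.management_exposure(MGMT)}


if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("bad", BAD)):
        print(label, audit(rules))
```

The transitive check is what makes this useful: none of the three bad rules looks like a cross-tenant rule on its own, yet together they give acme's web tier a path to beta's database and give beta's web tier a path, via the management network, into acme's partition. When asking a provider to demonstrate its partitioning, this is the kind of evidence to request: the effective rule set for your context, and a reachability analysis over it, not a diagram.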

24/7 availability

Vodafone runs the Flexible Computing platform below full capacity. We can add capacity rapidly whenever required, and also offer automated service failover to safeguard 24/7 service availability for the customer. Similarly, a resource sharing model ensures every virtual machine receives the correct allocation of resources, adapting automatically as machines are added or removed.

Protection

Vodafone uses a dedicated, isolated network connection for provisioning, monitoring, managing and updating the customer's Flexible Computing platform, with access strictly limited to authorised personnel. Customers can also select a management service whereby Vodafone supplies anti-virus, operating system patching, monitoring and backup services, further ensuring the availability and integrity of the infrastructure on behalf of the customer. Access to the portal is controlled, and customers can select the authorisation level for each user, ensuring that approval of spend can be aligned to company policy.

How real are the risks?

Are organisations overplaying the perceived security risks of Cloud computing? It may actually offer them greater security: a rigorously protected data centre is a safer place to store vital information than a laptop or USB stick that is easily lost or stolen. Organisations that feel safe with their own systems but distrust the Cloud may wish to look at those facilities again. In-house IT environments tend to grow on an ad hoc basis, with mixed proprietary infrastructure and applications. Cloud facilities are generally purpose-built and homogeneous, and consequently easier to monitor and secure. Additionally, while Cloud accreditation to standards such as ISO 27001/2 does not guarantee absolute security, it can indicate a greater level of protection than an organisation may currently attain.

Ultimately, the customer must be satisfied that its Cloud provider meets its requirements for authentication, authorisation, encryption, data loss protection, compliance and regulatory reporting. The need for strong security must be balanced against convenient access and easy management. The organisation will need to evaluate its existing policies on access control, data security, compliance, event logging and management, and work with the provider to extend them into the Cloud. The question of trust between service provider and customer that exists in any business relationship is clearly even more critical in the case of Cloud security. The provider that proves it can implement effective tools and procedures for Cloud security will ultimately engender, and deserve, customer confidence.

Our experience with customers has been that the provision of a flexible computing resource as part of the wide area network has been the first step in giving customers the security assurances they need to have in place before starting the move to a multi-tenant Cloud solution. This step, however key, is not enough on its own; but when combined with Vodafone's focus on providing secure solutions for enterprise and public sector organisations, and the way this has been reflected in the Flexible Computing product offering, we have found that many organisations are now willing to step over the threshold of interest and move into real adoption of Cloud services within their operations.

VUK10412/03.13_01
To find out more, please contact your Account Manager, call us on 0800 096 5838, or email hostingenquiries@vodafone.com
2013 Vodafone Limited. Vodafone House, The Connection, Newbury, Berkshire RG14 2FN. Registered in England No. 1471587