By Cassandra Balentine
The cloud provides new opportunities in many areas of software, transforming the way organizations access information and applications. However, as the move to the cloud continues across a variety of industries, security remains a constant concern.
To address security across the software development and delivery lifecycle, cloud application providers should consider several areas of security vulnerability including identity and access management, data loss prevention, Web security, email security, security assessments, intrusion management, encryption, business continuity, and network security.
“We all know that it is incumbent on us—as a cloud service provider—to protect and prevent known vulnerabilities, while also accepting the fact that there will always be new threats that we must identify and isolate,” says Jeff Budge, VP, solution architecture, OneNeck IT Solutions.
This article looks at the evolution of cloud security and the tools and solutions available for providers to better address security concerns.
Current Security Management Practices
The burden of security for cloud-based platforms falls on both the provider and the user.
“Cloud infrastructure providers today ensure a basic degree of security for their offerings, but they are built around a bring-your-own security focus,” says Ashutosh Kulkarni, SVP/GM, Informatica Cloud. “Their primary focus is on keeping their multi-tenant infrastructure safe—with data safety left to the customers. We believe that infrastructure security is necessary, but not sufficient.”
“Most cloud providers are outsourcing security to tooling partners. Without support, many customers don’t have the resources to understand the threat environment, design appropriate tools, and get the most out of their deployment environment. Without that level of support, a customer’s spend on security will have less efficacy than an approach that includes the service they need,” says Jarret Raim, senior security product manager, Rackspace.
Data management considerations are increasingly important and are an area of security focus for cloud providers. Those looking to adopt cloud-based offerings must also keep data security top of mind.
Brett Wilson, SVP/GM, software as a service (SaaS) platform manager, CYREN, points out that in general, cloud providers appear to be managing security concerns from a data protection perspective. “They make every effort to ensure that data is encrypted in motion and at rest, and that access is only given to authenticated users,” he offers. “The challenge for these platforms is how far to take user authentication in order to validate that there is a legitimate user at the other end of the transaction, rather than a compromised host.”
He explains that this is because multi-factor authentication, when clumsily implemented, negatively impacts the user experience. “There are few things more frustrating than being asked to provide secondary, or even tertiary authentication because we are attempting to legitimately access data from an unknown—to the application—host,” says Wilson.
To address this, he says CYREN believes in a holistic security approach. “To that end, cloud service providers should consider how to separately validate the legitimacy of the hosts they transact with, as well as deliver more client-side capabilities to assist in determining whether a host is compromised. If the reputation of the host can be established prior to the transaction, the need for multi-factor authentication can be removed in many use cases.”
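A decision routine for the host-reputation approach Wilson describes, as an added illustration rather than code from CYREN or the article: it assumes a constructed reputation feed (MALICIOUS_NETWORKS), a constructed enrolled-device registry (KNOWN_DEVICES) and a client_health signal reported by client-side checks, and its policy denies on bad reputation rather than merely challenging.

```python
"""Risk-based step-up authentication: host reputation decides whether MFA is
needed. Added illustration with constructed data; not CYREN's product logic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed: networks with a malicious reputation
# (documentation ranges, not real indicators).
MALICIOUS_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
# Constructed device registry: fingerprints each user previously enrolled.
KNOWN_DEVICES = {"alice": {"fp-laptop-7f3a"}, "bob": {"fp-phone-9c1e"}}

ALLOW, STEP_UP_MFA, DENY = "allow", "step_up_mfa", "deny"


@dataclass
class LoginContext:
    user: str
    src_ip: str
    device_fp: str
    client_health: str  # "healthy", "unknown" or "compromised" from client-side checks


def host_reputation(src_ip: str) -> str:
    """Classify the source host: 'malicious' if it sits in a known-bad network."""
    addr = ip_address(src_ip)
    return "malicious" if any(addr in net for net in MALICIOUS_NETWORKS) else "clean"


def decide(ctx: LoginContext) -> str:
    """Return the authentication decision for one login attempt.

    Assumed policy: a compromised client or a malicious source host is denied
    outright; an enrolled device on a clean host with healthy client state
    skips MFA; every other case gets step-up MFA.
    """
    if ctx.client_health == "compromised" or host_reputation(ctx.src_ip) == "malicious":
        return DENY
    known_device = ctx.device_fp in KNOWN_DEVICES.get(ctx.user, set())
    if known_device and ctx.client_health == "healthy":
        return ALLOW
    return STEP_UP_MFA
```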
Encryption is another area cloud providers focus on, encrypting data in-transit and at rest. “Encrypting the data is the first step, but the bigger question is, ‘where are the data encryption keys stored and who has access to the keys?’ Consumer-grade cloud offerings force customers into storing data and encryption keys in the public cloud—and that’s a big problem for enterprises,” says Ann Fellman, VP of product marketing, Code42.
As technology continues to advance, new security concerns emerge and evolve the ways in which providers—especially cloud-based offerings—ensure security concerns are properly addressed and managed for the client.
Budge expects the market to continue to mature, and anticipates further automation and self-healing with the tools and the technologies available in the security space.
“We also expect increased demand in the compliance space, such as customer demand for support of infrastructure specifically targeted at compliance frameworks and requirements for the cloud provider to participate in customer risk assessments and audits. There are trends showing increased interest in certifications and accreditations aligned with specific industry and vendor standards,” continues Budge. “Lastly, we see signs of renewed interest in business continuity and disaster recovery planning.”
“In the coming years, we expect security to evolve from infrastructure- and perimeter-centric security to data-centric security. The most critical asset customers care about securing is mission-critical data,” says Kulkarni. Rather than focusing on the perimeter and infrastructure, he expects the focus of information security to move to securing the data itself.
This involves identifying the most sensitive data within a cloud application, understanding how that data is accessed and proliferated, what regulations are at play, and safeguarding that data through encryption, masking, or other means to ensure that it is secured. “Providing this level of insight around your most valuable data also means you will have more confidence on where to focus your security investments,” says Kulkarni.
Fellman suggests that cloud providers are starting to respond to the demand of enterprises to offer both on premises and hybrid deployment options. “We’ve seen many customers migrate to hybrid models, which isn’t surprising given Gartner’s prediction that nearly half of large enterprises will have hybrid cloud deployments by the end of 2017.”
Hybrid clouds offer “the best of both worlds,” including on demand, unlimited, global scalability while meeting demanding security and compliance requirements, says Fellman. “In a hybrid environment, the customer keeps the encryption keys, ensuring full control of data security and privacy. Hybrid cloud strategies play a big role as multi-national organizations with global employees require the ability to specify which data must be stored in which countries.”
Tools and Solutions
To aid cloud providers in ensuring application security in cloud or hybrid cloud environments, many vendors have stepped up to the plate. Here are highlights of select solutions, as well as the specific security vulnerabilities they focus on. For a full list of cloud security solutions, and more cloud tools, flip to the Target Chart following this article.
Code42 protects enterprises from data loss events. Fellman points to a 2014 Ponemon Institute study reporting that data loss events now cost businesses an average of $640,000, with totals in the millions of dollars in damage—and in some extreme cases, even bankruptcy or complete shutdown.
“As more cyber threats like ransomware and revengeware emerge, businesses recognize the importance of backing up their data and the ability to recover it quickly and easily. This is especially important since much of the data generated by employees lives on devices outside of the traditional data center,” says Fellman.
Code42’s CrashPlan backup and SharePlan file sync/share solutions offer enterprises a secure endpoint data management platform that can be deployed via public, private, or hybrid cloud models, and easily scales from ten to 100,000 or more users. “Compliance-conscious enterprises with particularly high security requirements can store their encryption keys on premises and rest assured that their sensitive business data cannot be accessed by third parties without their explicit knowledge and consent,” says Fellman.
To address data security and privacy requirements, Code42 customer data is encrypted end-to-end, backed by 24/7 proactive monitoring and support. IT managers have complete control over which user data is stored where—public, private, or hybrid cloud—in a fully encrypted environment.
CYREN offers cloud-assisted security services, which were initially offered as OEM embedded security technologies, such as antispam, anti-malware, IP reputation, outbound antispam, malware attack detection, and URL filtering. These features were integrated by security vendors and service providers to power their security solutions.
The company then built a global cyber intelligence platform featuring more than 500,000 points of presence. In 2013, CYREN brought an email SaaS solution to market, and followed up with its global, Web SaaS solution in 2014, CYREN WebSecurity.
In addition to full-service platforms, CYREN continues to offer cloud-based OEM security services, which now also include cyber intelligence feeds containing real-time detection data for several cyber threat types, including malicious IPs, zero-hour malware, and zero-hour phishing URLs. “These latter feeds have been integrated into network security technologies, as well as security products and service provider platforms,” says Wilson.
CYREN products and services run on a common, global, cloud-based platform and share threat data, according to Wilson. He explains that this means every CYREN solution benefits from the analysis of 17 billion daily transactions processed by the CYREN global cyber intelligence platform in protecting more than 600 million users.
“As an illustration of the power of this approach, the CYREN WebSecurity SaaS product instantaneously blocks access to malicious URLs discovered as a result of global spam processing, malware deconstructed in the CYREN malware lab, or because they are tied to malicious IPs,” says Wilson. “This cyber intelligence exists with the product, regardless of whether any user of the service has ever attempted to access such sites.”
Informatica Cloud offers a ubiquitous integration platform as a service (iPaaS), which comprises three key areas of functionality, including intelligent data integration, application process orchestration, and comprehensive data management.
“One of the most unique aspects of Informatica Cloud is its secure agent architecture, where the data transfer orchestration is done by the secure agent, which can reside on premises behind a customer’s firewall or hosted in a secure cloud, and ensures that no data is ever stored on Informatica servers,” explains Kulkarni.
In addition to securing its own cloud offering, Informatica Cloud also delivers test data management as a service. This service ensures that test data can be masked and secured even as it moves between on-premises and cloud environments.
Informatica Cloud delivers a variety of security capabilities including network application security, system application security, database security, and Informatica Cloud application security.
The solution is designed for the hybrid enterprise. “Most organizations are in various phases of maturity in moving to the cloud, which means that for the next several years, they will need to deal with the reality of hybrid IT—having their critical business applications distributed across on premise data centers and various cloud infrastructure-, platform-, and software-as-a-service offerings,” says Kulkarni. “The Informatica iPaaS, based on the Vibe Virtual Data Machine architecture, is unique in that it ensures the same data integration, process orchestration, and data management capabilities irrespective of where the data resides,” he adds.
OneNeck IT Solutions offers security services that address a scope of security and compliance needs that businesses face. “We have a depth of experience in assisting our customers with their security needs, and our security experts stay current on emerging threats,” says Budge.
The company provides security assessments, application security, data center and cloud security, identity and secure access, network security, secure enterprise mobility, and security information and event management.
“OneNeck’s portfolio of services is designed to combat an array of security threats. Since it’s virtually impossible to predict all of the types of threats that could impact a business’ IT environment, OneNeck designs our services to be comprehensive in the types of environments we cover. We are also committed to addressing known specific threats and identifying and protecting against new or unknown threats,” says Budge.
Examples of security threats the company watches for include denial of service, malicious insiders, data loss, abuse and nefarious use, data breaches, and insufficient due diligence.
One of the company’s primary differentiating factors is its hybrid IT solutions approach. “OneNeck provides a comprehensive set of capabilities including hardware and software resale, technical advisory and implementation services, managed services, and enterprise application management. In the context of security and compliance, that means we can work with a customer in a variety of models such as advising and reselling tools, implementing security architectures, providing managed services of security infrastructure, or supporting compliance activities related to enterprise resource planning environments,” adds Budge.
Rackspace offers a hybrid cloud product portfolio, giving each customer the best fitting infrastructure for its unique needs—whether on single- or multi-tenant servers, or a combination of these platforms.
The company’s security portfolio varies across these offerings, but it specifically provides identity and access management, data loss prevention, Web security, email security, security assessments, intrusion management, encryption, and network security, with the caveat that some offerings are only available for certain hosting configurations.
The company says it offers a full suite of solutions to meet a variety of security needs. “No single solution is capable of protecting digital environments from the variety of threats they will face,” explains Raim. “All cloud providers must provide a set of tools that meet the customer’s needs based on their risk tolerance, exposure, etc.,” he adds.
“We offer a suite of solutions from leading partners in the security space, as well as up-and-coming modern technologies. These technologies are then wrapped by Fanatical Support to make them a part of the customer’s managed cloud experience,” says Raim.
Raim says the company has plans to expand service capabilities in this space in the coming year. “This will provide a set of managed security services that more holistically secures customer assets,” he adds.
Security is a priority, and a top consideration, when it comes to cloud offerings. It is essential that providers of cloud applications offer assurance that the data hosted and managed on their servers is as secure as, or more secure than, if customers were managing it on premises.
As new data threats emerge, and data breaches continue to make headline news, security is increasingly an issue of great concern. These providers, and more, offer solutions that enable increased capabilities without trading off security.
For more information on cloud tools and services, look to the Target Chart following this article, which points to providers of cloud security services, as well as a broad range of other focus areas that represent critical roles of cloud tools.