Monitoring Security
In Cloud Environments
The use of cloud technology is booming, often offering the only way to
meet customers', employees' and partners' rapidly rising requirements.
But IT pros are rightly nervous about a lack of visibility into the security of
data in the cloud. In this Dark Reading report, we put the risk in context
and offer recommendations for products and practices that can increase
insight and enterprise security.
By Michael Cobb

Presented in conjunction with

Report ID: S7431013

October 2013 $99

TABLE OF CONTENTS

3  Author's Bio
4  Executive Summary
5  Monitoring Security in Cloud Environments
5  Figure 1: Biggest Cloud Concern: Security
6  Regaining Insight
6  Figure 2: Security Responsibilities in Cloud Computing Environments
7  Monitoring a Dynamic Cloud Environment
8  Figure 3: Data Security Life Cycle
9  Maximum Visibility, Maximum Security
9  Figure 4: Cloud Services Concerns
10 The Privilege Is All Mine
10 Cloud Data Will Disappear
11 Don't Lose Your Data in the Small Print
12 Bring Your Own Cloud
12 A More Secure Environment
14 Related Reports


ABOUT US
InformationWeek Reports analysts arm business technology
decision-makers with real-world perspective based on qualitative
and quantitative research, business and technology assessment and
planning tools, and adoption best practices gleaned from
experience.

OUR STAFF
Lorna Garey, content director; lorna.garey@ubm.com
Heather Vallis, managing editor, research; heather.vallis@ubm.com
Elizabeth Chodak, copy chief; elizabeth.chodak@ubm.com
Tara DeFilippo, associate art director; tara.defilippo@ubm.com
Find all of our reports at reports.informationweek.com.

AUTHOR'S BIO

Michael Cobb
InformationWeek Reports

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of
experience in the IT industry. He is the founder and managing director of Cobweb
Applications, a consultancy that provides data security services. He co-authored the
book IIS Security and has written numerous technical articles for leading IT publications.
Michael is also a Microsoft Certified Database Administrator.

2013 InformationWeek, Reproduction Prohibited

EXECUTIVE SUMMARY

One of the major reasons enterprises have been hesitant to embrace cloud computing technologies is a lack of visibility. Enterprises need ways to track their data as it travels to or is stored in the cloud, as well as a way to ensure that their data is safe in a shared infrastructure.

To benefit from cloud computing and minimize risks to your organization's data, several key components are required: visibility across infrastructures and applications, isolation of critical services, and regularly audited automated processes for threat detection and mitigation. Working closely with cloud providers, administrators can deliver accountability and audit trails for data events in and out of the cloud so enterprises know exactly what is happening with their data. Cloud providers will have their own monitoring tools to track the performance, continuity and security of all of the components that support service delivery, but organizations must invest in their own systems to monitor physical, virtual and cloud environments. Security and monitoring of data critical to daily business operations is ultimately your responsibility, not the provider's.

In this Dark Reading report, we examine tools and practices that enterprises can use to monitor the security of cloud environments and receive notifications when their data might be at risk.

Monitoring Security in Cloud Environments


The cloud is no longer outlying technology. Indeed, any organization that isn't using cloud computing technology is probably considering it. The benefits can be enormous: flexible, on-demand access to superior resources, consumed only when and where needed, usually with lower unit costs and reduced complexity. But concerns over the security of data held in the cloud remain a barrier to adoption.

The news of PRISM, a surveillance program that gives the National Security Agency access to users' data held by major websites, has further increased cloud paranoia and fears over data privacy. Forrester Research estimates that the impact of PRISM on the cloud computing industry could be as much as $180 billion (see Figure 1).

PRISM aside, security has lagged behind advances in other cloud features, even though numerous laws and industry standards mandate the safeguarding of information. Issues such as reliability, uptime and disaster recovery have seen significant improvement, but initiatives to address monitoring, auditing and corporate governance have been less noticeable. For example, security monitoring is far less developed than operational performance monitoring.

The perceived loss of visibility into events is a resistance point for many administrators because they can't see what's happening or whether safeguards are working. Understandably, many administrators question how they can achieve a level of security monitoring for data in the cloud comparable to that of data stored on-premises when a third party owns the hardware and network.

Figure 1: Biggest Cloud Concern: Security

Security is executives' top worry about storing data in public clouds.

Security                                      85%
Latency over WAN                              67%
Data retention and backup policies            60%
Performance bottlenecks                       51%
Ability to optimize how/where data is stored  35%
Remote management capabilities                27%

Data: Avere Systems and Gatepoint Cloud Optimization Strategies Research 2013

Regaining Insight
Despite these reservations, the pressure to adopt some form of cloud computing technology often becomes overwhelming. Given the exponential increase in data and the number and variety of connected users and devices in use today, often the only way to meet customers', employees' and partners' expectations of personalization and access to real-time information is by harnessing cloud services.

A first step is to decide which type of cloud environment best suits the organization's security requirements and capabilities. To ensure that data is correctly protected in cloud environments, organizations need to understand what data is going to be cloud-based, how access to it can be monitored, what types of vulnerabilities exist and how to demonstrate that controls are in place to meet regulatory obligations (see Figure 2).

Figure 2: Security Responsibilities in Cloud Computing Environments

Moving applications and data to a cloud environment can move some day-to-day security activities to the cloud vendor, but this requires a robust third-party management policy to define who is responsible for what.

Software-as-a-service (SaaS): Managed application/service where customers consume application resources as needed. Security responsibility: basic security provided by cloud vendor.

Platform-as-a-service (PaaS): Organization builds and manages its own custom applications on top of a platform provided by the cloud vendor. Security responsibility: application and data security managed by cloud customer.

Infrastructure-as-a-service (IaaS): Cloud vendor provides storage, network and other basic computing resources, while customers can deploy and run software and the operating system of their choice. Security responsibility: cloud vendor protects infrastructure, but operating system, applications and data are managed and secured by cloud customer.

Data: InformationWeek Reports

Cloud computing can ease certain security issues while increasing others, but it will never eliminate the need to follow traditional security principles: data in the cloud still needs the same treatment as that located on-premises (see Figure 3).

Classifying data assets is essential to knowing what level of security is required in the cloud, so it's worth revisiting and updating security policies so that they reflect changes made to the existing infrastructure to incorporate cloud technologies. For example, policies that cover the following ISO 27001 clauses should all be reviewed:

>> A.6.2.1: Identification of risks related to external parties
>> A.6.2.3: Addressing security in third party agreements
>> A.7.2.1: Classification guidelines
>> A.7.2.2: Information labeling and handling
>> A.8.1.1: Roles and responsibilities
>> A.8.1.2: Screening
>> A.8.3.3: Removal of access rights
>> A.9.2.6: Secure disposal or reuse of equipment
>> A.10.1.3: Segregation of duties
>> A.10.2.1: Service delivery

>> A.10.2.2: Monitoring and review of third party services
>> A.10.2.3: Managing changes to third party services
>> A.10.10.1: Audit logging
>> A.10.10.2: Monitoring system use
>> A.10.10.3: Protection of log information
>> A.10.10.4: Administrator and operator logs
>> A.10.10.5: Fault logging
>> A.12.3.2: Key management
>> A.14.1.13: Developing and implementing continuity plans

Security fundamentals may not change when data is moved to the cloud, but visibility into the network does. Monitoring will probably represent the biggest challenge, adjusting to the changes in the boundaries of control and the need to modify existing practices. The lack of security monitoring of assets that the enterprise has placed in the cloud is where most problems arise. Many organizations believe that the loss of control that occurs when moving data assets to the cloud just has to be accepted, and that the benefits and security provided by on-premises intrusion-prevention systems, data loss prevention (DLP) tools, and security information and event management (SIEM) tools have to stop at the corporate perimeter.

Monitoring a Dynamic Cloud Environment
The outsourced nature of the cloud and the inherent loss of control that goes along with it mean that extra efforts have to be made to continuously monitor access to both structured and unstructured data to ensure privacy and integrity. By security monitoring we mean collecting and analyzing logs, as well as sending alerts about security-related system and application events, so administrators know when something unexpected has happened and can look back at past events for forensics. So how do you achieve this when a server's underlying hardware can change over the course of the day?

Software-as-a-service vendors usually offer monitoring as a fully managed service option. FireHost, for example, provides real-time action-oriented reports every time a vulnerability is detected. The service provider also offers certified cloud infrastructure packages that meet specific compliance requirements, such as the Health Insurance Portability and Accountability Act and Payment Card Industry Data Security Standard (PCI DSS). Some cloud service providers make SIEM data available for self-analysis. With Amazon Web Services, for example, it's possible to collect logs and copy them back to an on-premises SIEM. This can provide a unified view of both cloud and on-premises environments using tools familiar to network administrators. Check first that your SIEM system is cloud-ready and can handle data that may be in different formats.

Some SIEM tools are able to make use of specific SaaS APIs to collect logs from public cloud services. Tools from IBM and HP ArcSight, for example, can collect and monitor logs and data from a wide range of sources to provide universal log management. Events across multiple platforms can be correlated to produce dashboard views and audit reports that combine internal and cloud-based applications.


In platform-as-a-service (PaaS) environments, customers have the option of installing monitoring agents locally to push traffic and logs to an in-house server for processing. Be aware that in a multitenant environment it may not be possible to reboot whenever agents need installing or updating, and that there may be limitations on the installation of software requiring certain privileges. In either case, network bandwidth, latency and data transfer costs can make sending every transaction to a remote server for analysis inefficient and may prevent timely interruption of malicious activity. With that said, performance can be improved using various compression techniques.

An option for security monitoring of assets in an infrastructure-as-a-service environment is to load a SIEM tool directly into the IaaS using a distributed monitoring system where each instance in the cloud has a sensor or agent running locally. There's no high-bandwidth requirement, and tools of choice can be deployed. However, the log storage costs in the cloud may be substantial, and there's no unified view of on-premises and on-IaaS monitoring.

This type of system must have the ability to be provisioned automatically on new servers without requiring time-consuming administrator involvement. It should encrypt all traffic between the management console and sensors to limit exposure of sensitive data. Offerings such as CloudPassage Halo can provide continuous security monitoring for any cloud environment. Automated provisioning ensures that critical security controls are deployed across all environments, while a REST API enables integration with tools such as vCloud.

Figure 3: Data Security Life Cycle

When evaluating data security in the context of the cloud, the problems are far more similar to those with on-premises systems than they are different. There are differences, though, which necessitate a review of data security practices.

Data: InformationWeek Reports


Maximum Visibility, Maximum Security

Understandably, business owners are as concerned about the performance of their cloud-based applications as they are about their security. To assess and monitor pre- and post-cloud migration business transaction service levels, the AppDynamics Cloud Application Management product graphs application dependencies to aid in planning communication and architecture for cloud migration. Comprehensive transaction volume, service level and throughput monitoring can pinpoint bottlenecks as transactions progress across distributed tiers and services. Code diagnostics can identify holdups in code execution, and the Agile Release Comparison feature helps developers understand the business impact of each release. Another option for gaining insight into operational issues is to send logs to a hosted service such as Splunk Storm, which provides analytics in areas such as site performance, error rates and percentile distributions of API endpoints.

Figure 4: Cloud Services Concerns

When thinking about risks related to using cloud services, what are your top concerns? (2013 vs. 2012 responses)

Concern categories surveyed: security defects in the technology itself; unauthorized access to or leak of our proprietary information; unauthorized access to or leak of our customers' information; application and system performance; business continuity and DR readiness of provider; business viability of provider (risk company will fail); integration of cloud data with our internal systems; vendor lock-in; features and general maturity of technology; other.

Note: Three responses allowed
Base: 446 respondents in February 2013 and 511 in December 2011
Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees

To optimize visibility, look for a monitoring system that centrally logs all activity and flags
suspicious events across all servers wherever they reside. Also look for a product that has the ability to keep track of business transactions as they're happening. A transaction in a virtualized environment can span multiple physical servers as virtual machines spin up and down, so individual server metrics aren't as relevant as those for a transaction when it comes to security. Businesses developing their own applications that are to be hosted in the cloud should ensure that their developers code key events to generate log entries, particularly data-related events, as required by auditors.

For organizations using third-party online services, CipherCloud offers various information-protection products tailored for particular cloud-based services, including Salesforce, Chatter, Amazon Web Services, Gmail and Office 365. Security can be set on a field-by-field basis for structured and unstructured data, and encryption keys always remain on-premises. This offers some protection from unauthorized users trying to access data once in the cloud.

Enterprises running really big data environments such as Hadoop, or other hybrid variants of physical, virtual and cloud infrastructures, will need tools such as IBM's InfoSphere Guardium or Solutionary's cloud-based ActiveGuard Security and Compliance platform. Both systems can collect logs from virtually any device or application capable of producing log files in IaaS, PaaS and SaaS environments. Solutionary's clients can also choose from service levels ranging from self-service to SIEM in the cloud to full service, depending on individual customer needs. Guardium not only provides virtualized database activity monitoring capabilities but also database vulnerability assessments, data redaction and data encryption. It also features automatic discovery and classification of data in the cloud, an essential tool for ensuring that any data that makes its way into the cloud is kept within compliance requirements.

The Privilege Is All Mine


Monitoring the activities of database and system administrators is crucial in any environment given the high-level privileges they're granted to carry out their duties. In a cloud environment, role-based monitoring takes on greater importance because unknown personnel at unknown sites will have privileged access rights.

Ensure that your own staff monitors third-party activities, particularly attempts to access high-value data assets such as credit card tables. Triggers that can detect inappropriate database access without relying solely on query analytics should be in place. This is important because privileged users can create new views or insert stored procedures that compromise information without the SQL command necessarily looking suspicious. Separation of duties is another crucial control that needs to be in place to prevent abuse of privileges.
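The point about views above, as an added example that is not from the report: an engine-level hook that records which underlying table and column each statement actually touches, so a read of card data through an innocuous-looking view is still detected and, for non-permitted roles, denied. SQLite's authorizer stands in for the audit triggers the report recommends; the table, role names and policy are assumptions.

```python
"""Engine-level detection of access to a high-value table, independent of
how innocent the submitted SQL text looks.

Added example, not from the report. SQLite's authorizer hook stands in for
the database audit triggers the report recommends; the table, role names
and policy are assumptions for illustration.
"""
import sqlite3

SENSITIVE_TABLES = {"cardholder"}
ALLOWED_READERS = {"payment-app"}  # assumed: only the payment app may read card data


class AccessMonitor:
    """Authorizer consulted at statement compile time for every table and
    column a statement touches, including reads routed through a view, so
    'SELECT pan FROM monthly_report' still registers as a read of
    cardholder.pan. View/trigger creation is logged for separation-of-duties review."""

    def __init__(self, conn, role, enforce=False):
        self.role = role        # principal of the current session
        self.enforce = enforce  # False: detect only; True: also deny the statement
        self.alerts = []
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 in SENSITIVE_TABLES:
            if self.role not in ALLOWED_READERS:
                # source is the view or trigger through which the read happens, if any
                self.alerts.append(("read", arg1, arg2, self.role, source))
                if self.enforce:
                    return sqlite3.SQLITE_DENY
        elif action in (sqlite3.SQLITE_CREATE_VIEW, sqlite3.SQLITE_CREATE_TRIGGER):
            self.alerts.append(("schema", arg1, None, self.role, None))
        return sqlite3.SQLITE_OK


def run_demo():
    # cached_statements=0: the authorizer runs only when a statement is
    # compiled, so a cached statement would bypass it on re-execution.
    conn = sqlite3.connect(":memory:", cached_statements=0)
    # Constructed sample data; the PAN values are placeholders.
    conn.executescript("""
        CREATE TABLE cardholder(id INTEGER PRIMARY KEY, pan TEXT, amount REAL);
        INSERT INTO cardholder(pan, amount) VALUES ('4111********1111', 12.5);
        INSERT INTO cardholder(pan, amount) VALUES ('5500********0004', 80.0);
    """)
    mon = AccessMonitor(conn, role="dba")
    # A privileged user adds a view; the statement itself looks routine.
    conn.execute("CREATE VIEW monthly_report AS SELECT pan FROM cardholder")
    schema_alerts = [a for a in mon.alerts if a[0] == "schema"]

    # A non-privileged analyst queries the view. Query-text analytics sees
    # only 'monthly_report'; the authorizer sees cardholder.pan and denies.
    mon.role, mon.enforce = "analyst", True
    blocked = False
    try:
        conn.execute("SELECT pan FROM monthly_report").fetchall()
    except sqlite3.DatabaseError:
        blocked = True
    read_alerts = [a for a in mon.alerts if a[0] == "read"]

    # The permitted application role reads the same view without alerts.
    mon.role = "payment-app"
    before = len(mon.alerts)
    rows = conn.execute("SELECT pan FROM monthly_report").fetchall()
    return {
        "schema_alerts": schema_alerts,
        "blocked": blocked,
        "read_alerts": read_alerts,
        "allowed_rows": len(rows),
        "alerts_for_allowed_role": len(mon.alerts) - before,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In a production database the same idea is implemented with the engine's audit or DDL triggers and a session-level role, not an in-process callback.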
Cloud Data Will Disappear
Sooner or later, your cloud provider's system will go down. This is true when it comes to small cloud providers, and it's true when you're dealing with big guys such as Google, Amazon and Microsoft. Data and applications won't be accessible, and in some instances data may disappear for good. For example, software problems at one of Amazon's data centers recently knocked out Instagram, Netflix, Vine, Airbnb and several other high-profile Web services for several hours. And Google has repeatedly experienced issues that have caused Gmail outages, with some users losing some or even all of their email data.
Business continuity planning is always best done prior to a security event occurring. Stale policies and unprepared staff will undoubtedly increase the severity of any security event. Check that the cloud provider's own disaster recovery and business continuity plans meet your requirements, and take into account how its plans may affect your own continuity of operations and access to data.
Dont Lose Your Data in the Small Print
Confusion over roles and responsibilities, particularly if a crisis hits, will only make matters worse. This is why a provider's service-level agreement (SLA) needs to be examined closely. Roles and responsibility matrices are an important part of your relationship. Look to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards so there are no surprises or misunderstandings about what's covered. Post-contract monitoring and a right-to-audit clause are also important.

Don't make the mistake of having the legal or procurement teams carry out pre-contract due diligence without guidance from the IT team, which will better appreciate the implications of certain conditions and provisos. In addition to checking the business continuity and disaster recovery plans of any provider you will be working with, examine and assess the provider's supply chain relationships and dependencies. Check also its security practices and procedures, such as encryption of data at rest and in motion.

In addition, to avoid running afoul of data protection laws, you must know where your data will be located geographically. It may be necessary to segment data geographically by using providers with a choice of international hosting facilities to keep sensitive data within specific jurisdictions and then move processing functions to the data (and not the other way around).
Reviewing the provider's security controls is as important as understanding the security packages that are available for your own protection and monitoring. Many cloud vendors rely on tools and systems from third-party partners to deliver best-of-breed security capabilities. The Cloud Security Alliance Security, Trust & Assurance Registry is a free, publicly accessible registry of self-assessment reports submitted by various cloud providers that document compliance with CSA-published best practices. Providers should be compliant with other important certifications, assessments and security frameworks, such as ISO 27001, Statement on Standards for Attestation Engagements 16 (SSAE 16) and HITRUST.

Finally, your SLA should address what levels of support are available. You need to make sure that the provider offers not only support for tackling critical issues but also accessible advice you can tap into when building, managing and monitoring your infrastructure. A good relationship with a provider that understands your data is invaluable.
A Hybrid Cloud Strategy
Enterprises that aren't yet ready to move all their applications and data to a public cloud should consider establishing a hybrid cloud strategy. This will enable them to take advantage of cloud benefits where possible. Data security requirements will determine where specific processes and data types are best located:
>> Public cloud for maximum flexibility and efficiency
>> Private cloud for maximum control
>> On-premises for compliance and privacy
Data in each environment can be synced and monitored using tools such as Informatica's Cloud, which features prebuilt connectors to on-premises and cloud-based applications, databases, flat files, file feeds and social networks. Compliant with SSAE 16, ISO 27001, PCI DSS and Salesforce.com AppExchange certifications, Informatica Cloud gives administrators fine-grained access controls to determine user and group-level permissions. RightScale provides a dashboard to manage access to and usage of public, private and hybrid cloud resources, and server logs can be pushed to your own compliance systems if required. Companies such as Software AG and MuleSoft also offer integration and connection systems for hybrid infrastructures.
Bring Your Own Cloud
Enterprises aren't the only ones making use of cloud services, of course. Project teams will often share documents using Google Docs, and many employees have their own Dropbox or Google Drive accounts and will happily use them to shift work files and documents to home PCs or mobile devices. While mostly set up and used with good intentions, these personal clouds represent a real threat to data control and security, not to mention the added risk of third-party monitoring and access.

Acceptable-use policies for social media and other cloud services have to be in place, of course, but companies must ensure that the policies are actually being adhered to: monitoring employee access and activity, with disciplinary action for noncompliance, is essential. DLP systems will also be required to catch unintentional lapses. But beyond looking for and punishing lapses, companies can deal with the issue of personal clouds by offering employees secure in-house alternatives.

Further, the PRISM situation, as well as what we have learned from Wall Street Journal reports that the NSA has a surveillance network capable of accessing three-quarters of all U.S. Internet traffic, teaches us that in-house encryption is far preferable to using third-party services located outside the company firewall.
A More Secure Environment
Cloud computing does have the potential to be more secure than traditional environments, as delivering resilience and security 24/7 is a provider's main business. For example, most cloud providers are better placed to keep services online while mitigating and dealing with denial-of-service attacks that would take out most enterprise defenses. Best practices for delivering reliability, accountability, transparency and confidentiality of cloud computing are still a work in progress, but progress is being made. For example, the TM Forum, a global trade association focused on delivering best practices and standards for the digital economy, is finding ways for cloud providers to use geographic information system technology to identify and mitigate threats such as ice storms and earthquakes. This will help lower the risk of cloud outages that can jeopardize security systems.


Want More Like This?


InformationWeek creates more than 150 reports like this each year, and they're all free to registered users. We'll help you sort through vendor claims, justify IT projects and implement new systems by providing analysis and advice from IT professionals. Right now on our site you'll find:

Applications Monitoring for Security Professionals: When it comes to monitoring, the application space is often forgotten. This leaves a gaping hole because the behavior of applications can reveal a great deal about security events and their causes. The inherent variability of applications can make monitoring a challenge, but enterprises can extend existing tools to include the applications space. In this report, we make the case for the development of an applications monitoring strategy and provide recommendations for implementation that tap into existing products and processes.

Network Monitoring as a Security Tool: The use of network monitoring tools in a security context can help companies fill gaps in protection as well as identify potential problems. Used strategically, network monitoring tools may help enterprises detect potential security problems that they might otherwise have missed while also helping security organizations justify additional investment.

15 Ways to Get More Value From Security Log and Event Data: Enterprises are swimming in the sea of data generated by networks, servers, personal computing devices and applications, but they are thirsty for actionable data. In this report, we recommend ways in which security professionals can dig through huge storehouses of log data, security event information and other monitoring data to identify and halt compromises or threats. The good news: This Herculean task can be eased at least somewhat by leveraging existing systems and insight.

PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the annual State of Security report; full issues; and much more.