reports.informationweek.com
Monitoring Security
In Cloud Environments
The use of cloud technology is booming, often offering the only way to
meet customers', employees' and partners' rapidly rising requirements.
But IT pros are rightly nervous about a lack of visibility into the security of
data in the cloud. In this Dark Reading report, we put the risk in context
and offer recommendations for products and practices that can increase
insight and enterprise security.
By Michael Cobb
CONTENTS
Author's Bio
Executive Summary
Monitoring Security in Cloud Environments
Figure 1: Biggest Cloud Concern: Security
Regaining Insight
Figure 2: Security Responsibilities in Cloud Computing Environments
Monitoring a Dynamic Cloud Environment
Figure 3: Data Security Life Cycle
Maximum Visibility, Maximum Security
Figure 4: Cloud Services Concerns
The Privilege Is All Mine
Cloud Data Will Disappear
Don't Lose Your Data in the Small Print
Bring Your Own Cloud
A More Secure Environment
Related Reports
ABOUT US
InformationWeek Reports analysts arm business technology
decision-makers with real-world perspective based on qualitative
and quantitative research, business and technology assessment and
planning tools, and adoption best practices gleaned from
experience.
OUR STAFF
Lorna Garey, content director; lorna.garey@ubm.com
Heather Vallis, managing editor, research; heather.vallis@ubm.com
Elizabeth Chodak, copy chief; elizabeth.chodak@ubm.com
Tara DeFilippo, associate art director; tara.defilippo@ubm.com
Find all of our reports at reports.informationweek.com.
reports.informationweek.com
October 2013 2
Michael Cobb
InformationWeek Reports
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of
experience in the IT industry. He is the founder and managing director of Cobweb
Applications, a consultancy that provides data security services. He co-authored the
book IIS Security and has written numerous technical articles for leading IT publications.
Michael is also a Microsoft Certified Database Administrator.
2013 InformationWeek, Reproduction Prohibited
EXECUTIVE SUMMARY
One of the major reasons enterprises have been hesitant to embrace cloud computing
technologies is a lack of visibility. Enterprises need ways to track their data as it travels or
is stored in the cloud, as well as a way to ensure that their data is safe in a shared
infrastructure.
To benefit from cloud computing and minimize risks to your organization's data, several
key components are required: visibility across infrastructures and applications, isolation
of critical services, and regularly audited automated processes for threat detection and
mitigation. Working closely with cloud providers, administrators can deliver accountability and audit trails for data events in and out of the cloud so enterprises know exactly
what is happening with their data. Cloud providers will have their own monitoring tools
to track the performance, continuity and security of all of the components that support
service delivery, but organizations must invest in their own systems to monitor physical,
virtual and cloud environments. Responsibility for security and monitoring of data critical
to daily business operations is ultimately yours, not the provider's.
In this Dark Reading report, we examine tools and practices that enterprises can use to
monitor the security of cloud environments and receive notifications when their data
might be at risk.
Figure 1: Biggest Cloud Concern: Security (bar chart; categories shown: ability to optimize how/where data is stored, performance bottlenecks, data retention and backup policies, latency over WAN, security)
Data: Avere Systems and Gatepoint Cloud Optimization Strategies Research 2013
Regaining Insight
Despite these reservations, the pressure to adopt some form of cloud computing technology often becomes overwhelming. Given the exponential increase in data and the number and variety of connected users and devices in use today, often the only way to meet customers', employees' and partners' expectations of personalization and access to real-time information is by harnessing cloud services. A first step is to decide which type of cloud environment best suits the organization's security requirements and capabilities. To ensure that data is correctly protected in cloud environments, organizations need to understand what data is going to be cloud-based, how access to it can be monitored, what types of vulnerabilities exist and how to demonstrate that controls are in place to meet regulatory obligations (see Figure 2).
Cloud computing can ease certain security issues while increasing others, but it will never eliminate the need to follow traditional security principles: data in the cloud still needs the same treatment as that located on-premises (see Figure 3). Classifying data assets is essential to knowing what level of security is required in the cloud, so it's worth revisiting and updating security policies so that they reflect changes made to the existing infrastructure to incorporate cloud technologies. For example, policies that cover the following ISO 27001 clauses should all be reviewed:
>> A.6.2.1: Identification of risks related to external parties
>> A.6.2.3: Addressing security in third party agreements
>> A.7.2.1: Classification guidelines
>> A.7.2.2: Information labeling and handling
>> A.8.1.1: Roles and responsibilities
>> A.8.1.2: Screening
>> A.8.3.3: Removal of access rights
>> A.9.2.6: Secure disposal or reuse of equipment
>> A.10.1.3: Segregation of duties
>> A.10.2.1: Service delivery
Figure 2: Security Responsibilities in Cloud Computing Environments
Moving applications and data to a cloud environment can move some day-to-day security activities to the cloud vendor, but this requires a robust third-party management policy to define who is responsible for what.
Software-as-a-service (SaaS) | Managed application/service where customers consume application resources as needed. | Basic security provided by cloud vendor.
Platform-as-a-service (PaaS) | Organization builds and manages its own custom applications on top of a platform provided by the cloud vendor. | Application and data security managed by cloud customer.
Infrastructure-as-a-service (IaaS) | Cloud vendor provides storage, network and other basic computing resources, while customers can deploy and run software and the operating system of their choice. | Cloud vendor protects infrastructure, but operating system, applications and data are managed and secured by cloud customer.
Data: InformationWeek Reports
tion-oriented reports every time a vulnerability is detected. The service provider also offers
certified cloud infrastructure packages that
meet specific compliance requirements, such
as the Health Insurance Portability and Accountability Act and Payment Card Industry
Data Security Standard (PCI DSS). Some cloud
service providers make SIEM data available for
self-analysis. With Amazon Web Services, for
example, it's possible to collect logs and copy
them back to an on-premises SIEM. This can
provide a unified view of both cloud and on-premises environments using tools familiar to
network administrators. Check first that your
SIEM system is cloud-ready and can handle
data that may be in different formats.
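As an added illustration (not code from this report or from any vendor it names), the Python below normalizes two differently formatted sources into one schema, CloudTrail-style JSON sign-in records and on-premises sshd syslog lines, then builds the unified view and flags source addresses that fail logins on both sides. The log lines, host name and function names are constructed for the example; the syslog year and a UTC host clock are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: CloudTrail-style sign-in records, one JSON object per line
CLOUD_LOG = """\
{"eventTime":"2013-10-01T09:15:02Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2013-10-01T09:20:41Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.4","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"}}
"""
# Constructed sample: sshd syslog lines from an on-premises host
ONPREM_LOG = """\
Oct  1 09:14:30 gw01 sshd[811]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Oct  1 09:18:05 gw01 sshd[902]: Accepted password for carol from 192.0.2.10 port 51514 ssh2
"""
SSHD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (\S+) from (\S+)")

def from_cloudtrail(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    return {"time": ts.replace(tzinfo=timezone.utc), "origin": "cloud",
            "user": rec.get("userIdentity", {}).get("userName"),
            "src_ip": rec.get("sourceIPAddress"),
            "outcome": "success" if ok else "failure"}

def from_syslog(line, year=2013):  # syslog omits the year; UTC clock assumed
    m = SSHD.match(line)
    if not m:
        return None  # not a recognized sshd auth line: skip rather than guess
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": ts.replace(tzinfo=timezone.utc), "origin": "on-prem",
            "user": m.group(4), "src_ip": m.group(5),
            "outcome": "success" if m.group(3) == "Accepted" else "failure"}

def unified_timeline(cloud_text, onprem_text):
    """Merge both sources into one time-ordered list of normalized events."""
    events = [from_cloudtrail(l) for l in cloud_text.splitlines() if l.strip()]
    events += [e for e in map(from_syslog, onprem_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["time"])

def failures_in_both(events):
    """Source IPs with failed logins in both cloud and on-premises logs."""
    seen = defaultdict(set)
    for e in events:
        if e["outcome"] == "failure":
            seen[e["src_ip"]].add(e["origin"])
    return sorted(ip for ip, origins in seen.items() if len(origins) == 2)
```
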
Some SIEM tools are able to make use of
specific SaaS APIs to collect logs from public
cloud services. Tools from IBM and HP
ArcSight, for example, can collect and monitor logs and data from a wide range of
sources to provide universal log management. Events across multiple platforms
can be correlated to produce dashboard
views and audit reports that combine inter
without requiring time-consuming administrator involvement. It should encrypt all traffic between the management console and sensors
to limit exposure of sensitive data. Offerings
such as CloudPassage Halo can provide continuous security monitoring for any cloud environment. Automated provisioning ensures that
critical security controls are deployed across all
environments, while a REST API enables integration with tools such as vCloud.
Figure 3: Data Security Life Cycle
Figure 4: Cloud Services Concerns (bar chart comparing 2012 and 2013 survey responses; categories shown include application and system performance, vendor lock-in and other)
Note: Three responses allowed
Base: 446 respondents in February 2013 and 511 in December 2011
Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees
and encryption keys always remain on-premises. This offers some protection from
unauthorized users trying to access data once
in the cloud.
Enterprises running really big data environments such as Hadoop or other hybrid variants of physical, virtual and cloud infrastructures will need tools such as IBM's InfoSphere
Guardium or Solutionary's cloud-based ActiveGuard Security and Compliance platform.
Both systems can collect logs from virtually
any device or application capable of producing log files in IaaS, PaaS and SaaS environments. Solutionary's clients can also choose
from service levels ranging from self-service
to SIEM in the cloud to full service, depending
on individual customer needs. Guardium not
only provides virtualized database activity
monitoring capabilities but also database vulnerability assessments, data redaction and
data encryption. It also features automatic discovery and classification of data in the cloud,
an essential tool for ensuring that any data
that makes its way into the cloud is kept
within compliance requirements.
ters worse. This is why a provider's service-level agreement (SLA) needs to be examined
closely. Roles and responsibility matrices are
an important part of your relationship. Look
to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards so there are no surprises or misunderstandings about what's
covered. Post-contract monitoring and a
right-to-audit clause are also important.
Don't make the mistake of having the legal
or procurement teams carry out pre-contract
due diligence without guidance from the IT
team, which will better appreciate the implications of certain conditions and provisos. In
addition to checking the business continuity
and disaster recovery plans of any provider
you will be working with, examine and assess
the provider's supply chain relationships and
dependencies. Check also its security practices and procedures, such as encryption of
data at rest and in motion.
In addition, to avoid running afoul of data
protection laws, you must know where your
data will be located geographically. It may be
certifications, Informatica Cloud gives administrators fine-grained access controls to determine user and group-level permissions.
RightScale provides a dashboard to manage
access to and usage of public, private and hybrid cloud resources, and server logs can be
pushed to your own compliance systems if required. Companies such as Software AG and
MuleSoft also offer integration and connection systems for hybrid infrastructures.
Bring Your Own Cloud
Enterprises aren't the only ones making use
of cloud services, of course. Project teams will
often share documents using Google Docs,
and many employees have their own Dropbox
or Google Drive accounts and will happily use
them to shift work files and documents to
home PCs or mobile devices. While mostly set
up and used with good intentions, these personal clouds represent a real threat to data
control and security, not to mention the added
risk of third-party monitoring and access.
Acceptable-use policies for social media and
other cloud services have to be in place, of