If Your Head’s In The Cloud, Keep Your Feet On The Ground
Cloud is just another way to outsource IT functions, but it’s important to keep an eye on the requirements of cloud-based network security, says Ruvi Kitov
The one key difference between traditional outsourcing models and the Cloud is that the elastic and on-demand nature of the Cloud creates a scenario where the physical location of a company’s data or infrastructure is not fixed. On top of that, to protect their own security, Cloud providers may not be inclined to provide significant visibility into their own IT operations. If you thought that “re-perimeterising” your electronic assets was difficult with other outsourcing models, the amorphous nature of the Cloud further blurs the lines.
Fortunately, tools and methodologies are available today that can enable Cloud providers to deliver the security and compliance levels that organisations need. Most security technology vendors have responded to the risk management and compliance needs of their customers by providing significant enhancements to their management, monitoring and auditing capabilities. The result is that stakeholders have much better visibility into the state of key systems and assets at any given point in time, regardless of where they physically reside.
Managing the Cloud
Whether it is via a common interface, an automated management tool, or a custom process, there are a host of methods that enable both Cloud owners and Cloud users to manage the confidentiality, integrity and availability of assets. Automated monitoring tools can also be used to ensure service levels are being met and can act as a common management interface for both Cloud customers and providers. This provides both parties with a way to share responsibility for managing security and compliance without the Cloud customer having to own the granular, day-to-day management of the infrastructure.
Furthermore, this kind of technology-driven accountability gives Cloud customers the ability to quickly take back or transfer IT management, knowing that the security and compliance history of the asset being managed can be understood with a few mouse clicks. If for some reason the relationship with the Cloud provider unexpectedly terminates or the company decides to take it back in-house, the internal team has the benefit of the shared knowledge base.
Leveraging technology to create transparency and shared accountability is a model that has already caught on in Managed Services, especially within the MSSP space. In its Q3 2010 Forrester Wave: Managed Security Services, Forrester estimates that the global size of the managed security services market is about $4.5 billion, and predicts a 15 percent growth rate for at least the next three years. That number includes outsourced and software-as-a-service (SaaS) security services (a typical Cloud scenario) as well as other annualised security operations. Traditionally, MSSPs either host the entire security infrastructure or the management of systems that reside within the customers’ firewall. In Cloud-speak, this scenario would be described as a hybrid Cloud.
While the widespread use of virtualisation technology has added a new set of management challenges, innovations in the ability to manage the security and integrity of highly complex and dynamic virtual environments are advancing at a rapid pace. Enhancements in network security technologies that cater to managing security in multi-tenant environments are also evolving quickly. For example, advancements in firewall management technologies have enabled firewalls to be used much more effectively and strategically for internal network segmentation without risk of downtime or outages. This is just one example of many areas where automating network management can have a positive ripple effect.
Security in the Cloud
If you are thinking of moving your security to the Cloud, there is a wealth of information available that outlines how to approach everything from assessing the risk of specific IT assets as they pertain to specific models, to areas of focus for an SLA or to best practices across various disciplines of logical, virtual, and physical security.
One of the most comprehensive and credible sources for securing Cloud environments is the 76-page “Security Guidance of Critical Areas of Focus for Cloud Computing”. The brainchild of the Cloud Security Alliance (CSA), the Guidance, which can be downloaded for free from the CSA’s website, is one of the largest and most impressive security community efforts to date. It should be required reading for anyone interested in or involved with approaching, managing, and maintaining security and compliance in the Cloud.
The maturity of certain segments of the current IT outsourcing market reflects that the technology is, for the most part, available to manage these kinds of relationships. But as we all know, technology is only one leg of a three-legged stool. The other two legs, people and process, are critical to the success of any IT initiative. That’s what makes the industry commitment to developing a holistic approach to Cloud security so refreshing – it shows that, however far we might still have to go, as an industry we’ve come a long way in a relatively short time.
Ruvi Kitov is CEO of Tufin Technologies, provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimise IT risk.