I went to the GrrCon security conference to hear Adam Ely, the CISO of BlueBox Security and the former CISO of SalesForce.com and CSO of Heroku, give his recommendations for dealing with cloud security.
As we've discussed before, one way to tackle cloud security is to partner with a vendor that specializes in hosting compliant and secure applications. Most of the offerings from those vendors look more like hosted solutions, perhaps with a dashboard and a little bit of scalability, but you'll have to build your infrastructure yourself.
To an application developer, that seems like a lot of work. To the ops team, it seems like yet another system it doesn't have the time or energy to support.
Ely mentioned two other options. One is the software-as-a-service (SaaS) model -- renting a solution from a vendor. The other is something commonly called platform-as-a-service (PaaS) -- building the app yourself but renting the scalable stack. In other words, you upload source code in the right format to a preconfigured Web server, and everything just works.
SaaS and PaaS seem great, but they also mean letting go of a significant part of the infrastructure. What do you say when the security auditors come knocking on your door?
Adam Ely presents on "Securing Cloud Applications" at GrrCon.
Areas of risk
Ely identifies three specific types of risk: physical (when bad guys get in the datacenter), staff (when people get access they should not have), and abuse of authorized access by operations and security professionals. For PaaS, there is also the risk that the vendor will not keep the servers patched and hardened. With SaaS, the vendor also writes the code, and that code could have application vulnerabilities, like SQL injection.
Companies that want to move to these models have to deal with these risks at least to the satisfaction of management -- and likely to the satisfaction of IT, government agencies, or standard auditors.
A little customer, a big vendor
After listing the risks, Ely said nothing is free. If your company is paying eight dollars per month (or even per user) for a piece of software, you'll get the kind of support that eight dollars a month can provide -- which is very different from the kind of full-time hand-holding a traditional operations staff can provide a group of IT security auditors.
For many customers, it is unlikely or impossible to get the vendor to comply with a security policy, especially since so many companies have conflicting policies. Ely suggests four techniques to reduce your risk.
- Communicate intent, not implementation: Instead of telling the vendor the how, talk about your company's expectations. The cloud vendor probably hears similar things from many customers, and it can speak to the intent of your concerns.
- Audit: PaaS providers typically offer log and production monitoring, intrusion prevention, and possibly firewall reports -- all of which you can include in your security policy.
- Continuous audit: Many vendors have APIs to monitor who is doing what in the system, especially the backend. Who is logging on to the hardware, what are they doing, who is uploading data, who is looking at what -- vendors can help answer all these questions to one degree or another. Monitoring these things can help you stay compliant and identify risks early.
- Encryption is data protection: If your data needs to be protected, wrap it in an encryption layer. Again, find a vendor that understands the problem and can support you. Don't force a vendor relationship because it's easy -- make sure the vendor can do what you need done. For example, Ely mentioned that Heroku is not interested in supporting healthcare companies with HIPAA requirements. The rules are too stringent, and the risks are too great. At least for now, the cloud vendor does not pursue or support those customers. It's better to find that out at the beginning of the process than at the end.
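To make the "continuous audit" technique concrete, here is an added example (not from Ely's talk or any vendor) that reviews a constructed batch of vendor audit-log events and maps each finding back to the risk categories above: vendor staff logging on to backend hosts outside an agreed maintenance window, vendor staff viewing customer records, and large data exports. The event format, field names and thresholds are assumptions; a real provider's audit API will differ.

```python
import json
from datetime import datetime

# Constructed sample of audit-log events in a hypothetical vendor format.
SAMPLE_EVENTS = """
{"ts": "2012-09-28T03:12:00Z", "actor": "vendor:ops-jsmith", "action": "ssh_login", "target": "db-host-02"}
{"ts": "2012-09-28T10:05:00Z", "actor": "customer:alice", "action": "data_export", "target": "customers.csv", "rows": 120000}
{"ts": "2012-09-28T14:00:00Z", "actor": "vendor:ops-jsmith", "action": "ssh_login", "target": "db-host-02"}
{"ts": "2012-09-28T11:40:00Z", "actor": "customer:bob", "action": "login", "target": "webapp"}
{"ts": "2012-09-28T22:30:00Z", "actor": "vendor:support-kdoe", "action": "record_view", "target": "account/4711"}
"""

# Assumed policy values agreed with the vendor (express intent, not implementation).
MAINTENANCE_WINDOW = (2, 6)      # UTC hours in which vendor backend logins are expected
EXPORT_ROW_THRESHOLD = 10000     # exports at or above this size get a second look
BACKEND_LOGINS = ("ssh_login", "console_login")


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(event):
    """Return (risk category, reason) findings for a single audit event."""
    findings = []
    actor = event["actor"]
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    is_vendor = actor.startswith("vendor:")
    lo, hi = MAINTENANCE_WINDOW
    # Staff risk: vendor operations logging on to hardware outside the agreed window.
    if is_vendor and event["action"] in BACKEND_LOGINS and not (lo <= hour < hi):
        findings.append(("staff access", f"{actor} logged on to {event['target']} at {hour:02d}:00 UTC"))
    # Abuse of authorized access: vendor staff looking at customer data.
    if is_vendor and event["action"] == "record_view":
        findings.append(("abuse of authorized access", f"{actor} viewed {event['target']}"))
    # Data protection: large exports, whoever performs them.
    if event["action"] == "data_export" and event.get("rows", 0) >= EXPORT_ROW_THRESHOLD:
        findings.append(("data protection", f"{actor} exported {event['rows']} rows from {event['target']}"))
    return findings


def review(text):
    """Run every event through classify() and return (timestamp, category, reason) tuples."""
    return [(e["ts"], cat, why) for e in parse_events(text) for cat, why in classify(e)]


if __name__ == "__main__":
    for ts, category, reason in review(SAMPLE_EVENTS):
        print(f"{ts}  [{category}]  {reason}")
```

The same loop can be pointed at a nightly pull from the vendor's audit API so that each finding is reviewed the next morning rather than discovered during the annual audit.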
Ely offered an ideal scenario: Systems are dispensable, configuration management is automated, vulnerability assessments are continuous, and security events are alerted as part of operational management. It would be uneconomical for most companies to build this kind of system, but cloud vendors like Amazon and SalesForce can build it and spread the costs over thousands of customers.
Of course, that introduces a new partner and new risks, so work with your vendor to understand their implementation -- before you cut over.