‘Cloud security’ is a broad term referring to the many different
security aspects of the cloud – which itself comes in many different
forms, each having its own security implications and requirements. Like
the cloud itself, cloud security is a relatively recent discipline which
is constantly evolving to meet new challenges and demands. Cloud
security encompasses all of the different elements of this broad
ecosystem, including maintaining the security of data within the cloud
itself and between end users and the cloud; ensuring the integrity of
apps used to access the cloud and use its services; through to
protection of the servers and other hardware that make up cloud
infrastructure.
Although users talk about ‘the cloud’, cloud computing comes in
several different forms, each of which has its own specific strengths
and weaknesses – from both a business and a security perspective.
Public cloud. The public cloud is what most people imagine when they refer to the cloud. It refers to cloud storage
and computing facilities that are accessed remotely, thereby enabling
individuals and organisations to outsource these and avoid purchasing
servers and infrastructure themselves. The public cloud has particular
security needs because it is outside the control of its users; data is
held by a third party, and is subject to the reliability of their
hardware, their training and expertise, their personnel’s security
checks and the laws in their jurisdiction.
Private cloud. A private cloud is a model of cloud
computing in which the cloud is located behind a corporate firewall.
Data is not shared with the outside world in the way that it is with the
public cloud.
Hybrid cloud. As the name suggests, this is a combination of public and private
clouds that allows organisations to access the best of both worlds.
Nevertheless, there are some unique security challenges due to both the
use of the public cloud for some data and the need to transport data
from public to private cloud, and vice versa.
Community cloud. Somewhere between a public and
private cloud, the community cloud shares storage and resources between
several organisations, often with similar interests or shared concerns.
The profusion of different forms of cloud is also complicated, from a
security perspective, by the different service models available, each
of which again has its own issues:
Infrastructure as a Service (IaaS). IaaS providers
offer their customers computers or virtual machines, typically located
in data centres, for remote use. Customers can install their own
operating systems and software on them and use them as they would a
local machine by connecting over the internet. The advantage is that the
user does not have to purchase hardware, or often even concern
themselves with upgrades or security patches. These responsibilities are
taken on by the provider.
Software as a Service (SaaS). Users have access to
software and databases that are run and maintained by cloud providers.
These services are purchased by subscription or pay-per-use. Purchase
and maintenance of the infrastructure required to host the software
services is taken on by the provider, meaning that customers do not need
to install or run the software itself.
Platform as a Service (PaaS). With PaaS, customers
purchase an entire computing platform, which may comprise an operating
system, programming language and its execution environment, a database,
web server and so on, so they don’t have to purchase and maintain the
hardware and software that would otherwise be required for such a
platform. Depending on the platform and service model, resources may be
scaled automatically.
Due to the diversity of cloud types and service models, maintaining
cloud security is therefore an extremely broad task that demands a
similarly large toolkit and range of disciplines.
Cloud Security: Company Profiles
Because cloud computing is a comparatively new phenomenon, and one
that is gaining in scope and complexity all the time, the tools required
to maintain its security are also in their infancy. New companies,
software and processes are being developed on an ongoing basis. Cloud
security tools also lag the development of the cloud itself – predicted
by Gartner to reach over $200 billion by 2016 – but are catching up
fast. Here are 10 companies that have different offerings for cloud
security – some new, some established players, but all worth knowing
about.
Bitium
Bitium provide cloud application management tools as well as other
services such as analytics. The company’s approach is based on the
insight that the Bring Your Own Device trend will only accelerate in
coming years. BYOD means that employees are using many different devices
over the course of the day – some belonging to their workplace, some to
them personally. They may access a huge variety of apps on these
devices – again, some for work, some for personal use, and others that
span the gap (for example, a large number of work contacts are made and
maintained through social networks like Facebook, LinkedIn and Twitter).
This raises problems for businesses, not least in terms of security.
Corporate apps may be used on personal devices, and vice versa;
employees have a knack of finding their way around any restrictions on
these, by using alternative apps or their own devices. That means
businesses simply may not know what is going on where – corporate
information may be shared, intentionally or inadvertently. Managing
these apps is often a complex task and the increased security measures
for the corporation can badly affect the user experience.
Bitium’s solution is to enable strong security without harming
usability. Users can access a huge number of apps with a single sign-on,
and administrators can manage employees’ application access securely
and quickly. Bitium’s analytics offering enables corporations to see
what apps individuals and teams are using regularly, meaning they can
pre-empt security risks and save money by decommissioning unused apps.
CipherCloud
CipherCloud takes a holistic approach to cloud security. Their
approach is designed to make moving data into the cloud more secure,
through a platform that allows a series of security features including
encryption, malware detection, tokenisation, data loss prevention, and
auditing. Data is encrypted locally on customers’ devices or virtual
machines. CipherCloud then provides a gateway for this encrypted data to
be uploaded to the cloud via SSE. Keys to the data are stored locally,
and are not shared with the cloud provider. Data is only decrypted once
it is requested by an authorised user and returned to a local machine
from the cloud. This allows businesses to manage a series of risks
associated with the cloud at once, giving them confidence that they can
maintain security and compliance as they expand their cloud
infrastructure.
CipherCloud have a good track record and work with some big names,
including large global banks, government agencies, insurance companies
and healthcare providers. They have also created specific versions of
their product for a number of large cloud platforms, such as Amazon Web
Services, Salesforce.com, Box, Gmail and Office 365. CipherCloud have
claimed that their platform allows companies legally to upload sensitive
data to the public cloud.
IBM Dynamic Cloud Security
One of the big corporations in IT infrastructure, it’s only natural
that IBM would take an interest in the cloud – and with it, a broad
toolkit to maintain security. IBM’s offering aims to protect cloud
environments using a range of strategies and solutions which cover every
aspect of the cloud – including its full lifecycle and all of its
associated elements of security. These include identity and access
management, application and data security, infrastructure protection and
security intelligence.
IBM Dynamic Cloud Security spans IaaS, SaaS and PaaS. It is designed
to work together with organisations’ existing security processes to
create an integrated system that includes regular IT infrastructure as
well as private, public and hybrid cloud setups. IBM’s tools enable
users to manage identity and access in the cloud; scan and strengthen
application security from the development stage; monitor and audit cloud
data in real-time; and pre-empt and respond to current and emerging
threats with security intelligence.
McAfee Cloud Security
Another well-known name in web security, McAfee established its
reputation as an antivirus company. They too have branched out into
cloud security tools, recognising the huge benefits that cloud computing
has for organisations of all sizes – and also the risks that are becoming
ever more apparent.
McAfee take a slightly different approach to many other
organisations. Different cloud vendors have their own unique security
practices, which may be complex and obscure. McAfee’s approach is to
enable organisations to develop their own security protocols, which are
then applied to the cloud environment. This is achieved by securing the
data that is moving between the organisation and the cloud, as well as
ensuring that data is securely stored in the cloud.
The advantages of this are clear. For a start, it enables clarity and
transparency of cloud security procedures, since they can be set and
maintained by the organisation themselves – rather than a third-party
provider. This has benefits for compliance as well as consistency. All
critical data is secured as it moves between the cloud and your
organisation. McAfee operate a modular platform that allows
organisations to choose the elements that they need. These can be
deployed to a public, private or hybrid cloud, as required. Constant
data monitoring means that organisations can check their data is safe at
any given point, whilst still enjoying the cost and scalability
benefits of the public cloud.
MyPermissions
MyPermissions helps users to control which websites and apps have
access to their personal information. This is a key service since
harvesting such information is now the predominant business model of the
internet. Instead of charging a subscription fee, websites ask for
personal data in return for making their services available. Users are
typically fairly happy to cooperate, since they view this information as
having little value and are pleased not to be charged. To the companies
involved, though, the information can be used for a wide variety of
purposes – targeting advertising, profiling to improve their services
and sell additional packages, and so on. However, it may also be sold on
to third parties, with or without the user’s consent. The security of
these companies is also key, because hackers may gain access to personal
information for their own purposes.
This is by no means a small problem. Social connect is a standard way
of validating new users (‘Sign in with Facebook’). Hundreds of millions
of connections are performed this way for Facebook alone.
MyPermissions monitors its users’ information and alerts them when
websites or apps attempt to access material such as location data,
financial details, photos and so on. The user can then control what
permissions different apps are allowed, so if a site or app is trying to
access something they want to remain private, access can be denied.
Netskope
Netskope’s aim is to address the inherent tension that exists
between fast, agile progress and maintaining good security. Their tools
enable businesses to gauge how enterprise-ready their apps are.
‘Netskope automatically discovers and gives you analytics and policy
enforcement in real-time and across any app, whether you manage it or
not.’
The essential obstacle that Netskope is targeting is trust. New
enterprises inevitably use third-party public cloud applications and
services, and this use necessarily implies trust. If organisations do
not trust providers’ security practices, growth will be hampered.
Conversely, trust in these third-party public cloud services will result
in rapid adoption.
Where enterprises remain cautious about cloud services, their
employees may be less wary. This creates a system in which employees go
outside of their organisations’ policy frameworks and simply use the
services that work best for them – without necessarily knowing or caring
about the security implications. The bring-your-own-device culture is
only accelerating this problem. Netskope provides visibility of
different cloud services, allowing organisations to discover and audit
them – and to enforce policies to make them safe and compliant. All of
this is packaged in a way that gives administrators control over cloud
usage in a straightforward, fast and cost-effective manner.
Skyhigh Networks
Skyhigh explores and analyses an organisation’s cloud systems, enabling provision for their proper maintenance and security.
Skyhigh Secure is an end-to-end solution that goes alongside its
Cloud Risk Assessment: a suite that is designed to discover the extent
of an organisation’s cloud systems (including IaaS, PaaS and SaaS) and
how they are used by employees. Once it has established visibility of an
organisation’s cloud usage, Skyhigh reports a risk assessment for
relevant services based on 30 different fields across a range of
categories.
This report enables businesses to identify potential vulnerabilities.
The information is passed along to Skyhigh Secure, which will then
provide capabilities for control and improved security of the relevant
areas. This includes contextual access control, application auditing,
encryption, data loss prevention, and cloud-to-cloud access control.
Skyhigh has a series of products aimed at particular cloud providers,
including Google Drive, Office 365, Box and Dropbox. This is
significant because a large number of businesses and individuals use
these as standard, assuming that they are secure – when in reality there
have been numerous high-profile leaks and data thefts. Use of these
platforms may extend to both business and personal use from both work
and home, as employees increasingly use a range of devices that span
office and individual use.
SafeNet
SafeNet boast the ability to turn any cloud into a trusted and
compliant environment. They achieve this through a data-centric approach
that integrates with organisations’ existing resources.
SafeNet have an impressive reputation in security. They protect over
80 percent of the world’s intra-bank fund transfers, a total of almost
$1 trillion per day. With 25,000 customers in over 100 companies, they
protect up to 750 million encryption keys and 35 million identities. All
of this makes for a very solid track record, for which they have been
repeatedly recognised and commended.
SafeNet’s products enable organisations to secure their data across
the entire lifecycle of the cloud, starting with securing their data
centres in preparation for migration, and encrypting and securing the
contents of VMs to prevent theft or exposure. High-speed encryptors
enable fast and secure data transfer to and from the cloud. They also
offer security solutions for SaaS and PaaS by providing encryption
services that work with the most widely-used web application servers and
apps.
Snoopwall
Malware is an enormous problem. At its arguably least significant,
this includes virus software and worms that are designed to destroy data
and crash computers, or simply to propagate to new users, with or
without delivering a serious payload. However, malware has grown ever
more sophisticated. It is now used for a wide range of purposes,
including taking control of an individual’s computer (without their
knowledge) and collecting valuable personal information including login
details, passwords and financial information. More worryingly, there are
a growing number of cases in which company executives have been
targeted by hackers and malware aimed at stealing specific details,
which can then be used to undermine the business. Moreover, these
threats come from a wide range of sources. Recent reports strongly
suggest that security agencies have been using malware to gather
information, and hardware companies have even installed malware
themselves to allow the collection of data. These create security
loopholes that can be exploited by malicious third parties.
Snoopwall addresses this issue by providing anti-spyware and
anti-malware software that is designed to detect and prevent attempts to
monitor and control users’ devices remotely, from tablets and
smartphones to laptops and desktop machines. Snoopwall acts as a
gatekeeper, guarding access to high-risk data ports. Potential entry
points include webcams, microphones, GPS, USB and others that are known
to be used by attackers to install malicious software.
VMware
VMware are one of the oldest companies operating in the cloud and
virtualisation space and have a series of cloud management products,
including vCloud and vRealize. They also offer a big data analytics
solution. VMware argues that many organisations simply extend their
existing security procedures when they expand into the cloud, making
them inefficient and ineffective. Because they are not ‘virtualisation
aware’, they also risk becoming non-compliant. A profusion of
hardware-based solutions makes for greater costs and complexity.
VMware solutions address this problem by allowing businesses to
virtualise their security. The security infrastructure can then be
administrated using the same interface used for the organisation’s
private cloud. Flagship products VMware vCloud Networking and Security
Edge protect the virtual data centre in a cost-effective and efficient
way, also providing gateway services such as firewall/NAT, load
balancer, VPN and DHCP.
Cloud Security in Further Detail
From this list of companies, it can be seen that cloud security is no
single thing. It is a diverse collection of technologies, practices and
policies that together protect every aspect of an organisation’s cloud
usage. This is truly wide-ranging, for a number of reasons. Firstly, the
nature of ‘the cloud’ itself is diverse, typically falling into one of
several different major categories (private, public, hybrid), each with
their own security issues.
Then there are the services used on the cloud, which can range from
the simplest – Infrastructure as a Service, which gives users the
greatest control to install, use and manage operating systems and
applications – through to Software and Platform as a Service, which
involve handing over responsibility and control for management and
maintenance to a third party.
Lastly, the nature of the organisation and the business it conducts
will determine the security risks inherent in its cloud use; both
software development and financial services companies may use a hybrid
cloud, for example, but their security needs will be very different.
The Changing Security Landscape
Until an organisation truly understands how it is using the cloud,
formulating a security policy is near-meaningless. This entails gaining a
strong grasp on the type of cloud they are using (public, private,
hybrid); the model they are purchasing (IaaS, SaaS, PaaS); the location
of the cloud provider (different jurisdictions will have different legal
and regulatory frameworks); the security policies and practices used by
the provider; and the extent of their employees’ engagement with the
cloud, to name a few. None of these may be as clear-cut as it first
seems. There is an overlap between different types of cloud and the
services provided. Moreover, it is not always clear where a provider is
located, or how this will impact your outlook. It is also worth
understanding that employees’ personal practices may not match
organisational policy – and that it is largely futile to address this
directly. Mobile working means that the line between home and office is
becoming increasingly blurred; employees do not leave their work behind
them at the end of the day, and frequently use email, share documents
and perform other work on personal devices. They may bring these into
the office with them. Similarly, office devices may be used for personal
purposes.
All of this creates an environment in which it can be almost
impossible to control the flow of company and personal data to and from
the cloud. As Jerry Irvine, CIO of Prescient Solutions,
comments: “Cloud computing has been around for more than a decade.
Companies have had laptops, which allow for remote communications, email
and websites that they use across the Internet, and connections between
their facilities and partners’ facilities to exchange data.”
All of this is cloud computing. Today, however, companies are using
significantly more cloud providers, and allowing access to more remote
users and devices than ever before. As a result, the complexity of
networks has increased and requires even greater levels of security than
ever before. Traditional security measures, which included firewalls
and intrusion detection systems, were designed to protect facilities and
equipment with defined parameters that have minimal entry points
into the networks and devices.
The growth of devices, data centres and services, as well as the
trend towards ‘always-on’ mobile working, means that many of these
legacy security practices are greatly compromised. Instead of focusing
on such traditional systems, businesses need to look at security from
the application and data point of view. Once the sensitivity of data is
gauged, it can be treated accordingly with the appropriate controls and
processes.
All of this means that discovery is a key first step: until you know
how your organisation is truly using the cloud, and which areas of that
usage constitute an unacceptable risk to your data security, it is
impossible to implement a sound policy to address it.
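The discovery step described above, as an added example that is not part of the original article and not any vendor's code: a Python script that inventories cloud-service usage from web-proxy log lines and lists the unsanctioned services by upload volume. The log format, service catalogue, host names and review threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample proxy log, not real data.
# Assumed format: timestamp,user,method,host,bytes_sent
SAMPLE_LOG = """\
2015-03-02T09:01:11Z,alice,GET,app.sanctioned-crm.example,512
2015-03-02T09:03:40Z,bob,POST,upload.filedrop.example,2500000
2015-03-02T09:04:02Z,alice,PUT,upload.filedrop.example,40000
2015-03-02T09:10:15Z,carol,POST,notes-app.example,1200
2015-03-02T09:12:00Z,bob,GET,evil-filedrop.example,300
2015-03-02T09:13:30Z,carol,GET,intranet.corp.example,200
malformed line without enough fields
2015-03-02T09:15:00Z,bob,POST,app.sanctioned-crm.example,notanumber
"""

# Hypothetical catalogue of cloud services: domain -> (name, sanctioned by IT?)
CATALOGUE = {
    "sanctioned-crm.example": ("CRM (SaaS)", True),
    "filedrop.example": ("FileDrop (storage)", False),
    "notes-app.example": ("NotesApp (SaaS)", False),
}

UPLOAD_METHODS = {"POST", "PUT"}
BULK_UPLOAD_BYTES = 1_000_000  # assumed per-service review threshold


def match_service(host):
    """Return (name, sanctioned) for a catalogued host, else None.

    Matching is done on a domain boundary, so 'evil-filedrop.example'
    does not match the catalogue entry 'filedrop.example'.
    """
    host = host.strip().lower().rstrip(".")
    for domain, info in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return info
    return None


def discover(log_text):
    """Build a per-service inventory and collect uncatalogued hosts."""
    inventory = defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes_up": 0, "sanctioned": False}
    )
    uncatalogued = set()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than guess at fields
        _ts, user, method, host, bytes_sent = row
        try:
            sent = int(bytes_sent)
        except ValueError:
            continue  # byte count is not a number: treat the line as malformed
        info = match_service(host)
        if info is None:
            uncatalogued.add(host.strip().lower())
            continue
        name, sanctioned = info
        entry = inventory[name]
        entry["sanctioned"] = sanctioned
        entry["users"].add(user)
        entry["requests"] += 1
        if method.upper() in UPLOAD_METHODS:
            entry["bytes_up"] += sent  # data leaving the organisation
    return dict(inventory), uncatalogued


def findings(inventory):
    """Unsanctioned services only, largest outbound volume first."""
    rows = [
        {
            "service": name,
            "users": sorted(entry["users"]),
            "bytes_up": entry["bytes_up"],
            "bulk_upload": entry["bytes_up"] >= BULK_UPLOAD_BYTES,
        }
        for name, entry in inventory.items()
        if not entry["sanctioned"]
    ]
    return sorted(rows, key=lambda r: r["bytes_up"], reverse=True)


if __name__ == "__main__":
    inv, unknown = discover(SAMPLE_LOG)
    for finding in findings(inv):
        print(finding)
    print("uncatalogued hosts for review:", sorted(unknown))
```

The uncatalogued hosts are returned separately so they can be reviewed and added to the catalogue, rather than being silently counted as either safe or risky.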
Threats to Cloud Security
Due to the cloud’s extremely broad nature and usage, threats come in a
wide variety of forms. One analysis categorises nine different types of
threat:
- Data breaches
- Data loss
- Account or service traffic hijacking
- Insecure interfaces or APIs
- Denial of service
- Malicious insiders
- Abuse of cloud services
- Insufficient due diligence
- Shared technology vulnerabilities
Some of these are obvious and well-recognised, such as the risk of
hackers taking control of an account or service, or data being lost,
corrupted or leaked. Others may come as a surprise. Few business leaders
would have recognised that insider attacks constitute such a
significant and common threat to cloud computing services. These
insiders may be ‘a current or former employee, contractor, or other
business partner who has or had authorized access to an organization’s
network, system, or data and intentionally exceeded or misused that
access in a manner that negatively affected the confidentiality,
integrity, or availability of the organization’s information or
information systems.’ Depending on the service model, the level of risk
could be serious – including access to both data and encryption keys, if
these are not managed by the customer. In fact, the greater the trust
placed in the cloud platform, the more serious the possible compromise.
Similarly, a lack of sufficient information about the cloud service
constitutes a major vulnerability. In the rush to access the reduced
costs, economies of scale and convenience of the cloud, many
organisations overlook the need to gain a thorough grasp of the
technology, meaning that they are open to various different types of
risk – which bring with them issues of liability and operational
effectiveness. The only way to mitigate this problem is to carry out
extensive due diligence before migration to the cloud, or scaling up
cloud usage.
Aspects of Security and Privacy
Cloud security can be viewed in terms of the different domains it
seeks to address. Compliance will typically rely on each one of these
domains being covered to an agreed standard, thereby reducing the risk
to the end user of compromise in all its different forms. These domains
include:
Physical security. It is generally the
responsibility of the cloud service provider to secure the cloud
infrastructure against threats such as damage due to natural causes
(e.g. floods), tampering, fire, theft and unauthorised access.
Electricity supplies and other vital services such as fire systems
should also be robust enough that the system cannot easily be attacked
through these means.
Personnel. Security screening should play a role in
selecting reliable staff of high integrity, where there is a risk of
data theft or compromise. This extends from the selection process
through to monitoring after employment has ended, in the most serious
cases. Where sensitive data or other information is handled, measures
will usually be written into the contracts of any temporary contractors
or permanent employees. Security and awareness programmes may be
undertaken as part of ongoing training.
Identity management. An identity management system
will be used to control access to sensitive information and resources.
The identity management system used may be the customer’s existing
system, integrated using suitable tools, or provided by the cloud
hosting company itself.
Applications. Software as a Service brings with it
the risk that applications may be compromised. Thus customers who
purchase SaaS from an otherwise secure platform could be at risk from
vulnerabilities inherent in third-party applications. Security is
improved (though never guaranteed) by rigorous specification, careful
design, extensive testing and ongoing maintenance of these apps. Because
of the wide nature of vulnerabilities that may be present, from obscure
security loopholes to intentionally-placed malware, customers will need
to carry out their own due diligence and research, and decide whether
the apps they use will meet their responsibilities for compliance.
Availability. The remote nature of cloud services
raises issues of how reliable access to data and computing resources
will be. This is a multi-faceted issue, since availability does not only
depend on the cloud provider. The customer’s internet connection and
bandwidth, as well as other utilities, will govern their ability to
connect with the cloud. Cloud providers are responsible for ensuring
that customers have access to their system inasmuch as they are able.
Privacy. Sensitive data such as financial information should ideally be encrypted, and only authorised individuals given access to it.
Types of Security Controls
Effective cloud security comes in several strands, each of which is
effective at a different level of compromise. The aim of these controls
may range from preventing an attack from occurring in the first place to
mitigating the effects of an attack as it happens or afterwards,
reducing the impact on the customer. The controls themselves come in
many forms, but can generally be placed in one of four overall
categories: Deterrent, Preventative, Detective, Corrective.
Deterrent controls are intended to
put off would-be attackers. They can be viewed as a kind of warning sign
that informs them of possible consequences of their actions. These can
arguably be seen as part and parcel of a wider body of Preventative controls,
which are designed to stop an attack from happening by making it harder
to carry out. Realistically these measures will always reduce
vulnerabilities rather than eliminate them entirely. However, a small
increase in security measures (from the customer’s point of view) may be
enough to convince an attacker that breaching the defences is not worth
the effort. Proper authentication of users makes it far less likely
that unwanted users gain access. Proper creation and storage of strong
passwords makes it significantly less likely that an attacker will be
able to crack them.
Detective controls are designed to flag an incident
and react to it to reduce any adverse impact. These controls work in
tandem with preventative and corrective measures to shut down the attack
or address its consequences. Ongoing monitoring of systems and
networks, including intrusion detection, comprises a vital strand of
these controls.
Lastly, Corrective controls aim to limit the damage caused by a breach
or other incident. One common measure is to keep secure backups of data
(usually made at regular intervals to minimise data loss), which can be
restored should a system be compromised and data destroyed.
Effective cloud security will draw on all of these in some way. Once
again, their exact form will depend on the nature of the organisation
and its use of the cloud, as well as the type of cloud and service model
in question. For example, all organisations should undertake some kind
of backup process, though the frequency and storage requirements will
vary according to the business. All organisations should maintain strong
passwords, but how often these are changed and how they are
administrated will depend on the sensitivity of the data involved.