Basics of Cloud Security

Date Published: March 13, 2012

The evolution of the cloud can be compared to that of the banking system. In the good old days, people kept all their valuable assets (money, precious metals, stones, etc.) in their personal possession, or even in underground lockers. They could not trust a bank with their hard-earned money. The banking system evolved over time, and it took almost half a century to build that trust. Regulators all across the world played a big role in creating a trusted, legal and secure framework for banking and other financial services. Today, we hardly keep any cash; most of us carry plastic money and transact digitally.

Cloud computing is also evolving the same way.

A robust cloud architecture with strong security implemented at all layers of the stack, backed by legal compliance and government protection, is the key to cloud security. Just as banks do business despite fraud, theft and malpractice, cloud security is going to evolve, but at a much faster rate. The digital world has zero tolerance for waiting! Evolution is natural and is bound to happen.

So what steps should a cloud service provider typically follow in order to secure its cloud?

The cloud is complex, and hence the security measures are not simple either. The cloud needs to be secured at all layers of its stack. These layers are:

  • Infrastructure
  • Platform
  • Application
  • Data

At infrastructure level:

A sysadmin of the cloud provider can attack the systems, since he/she has all the admin rights. With root privileges on each machine, the sysadmin can install or execute all sorts of software to perform an attack. Furthermore, with physical access to the machine, a sysadmin can perform more sophisticated attacks, such as cold boot attacks, and can even tamper with the hardware.

Protection measures:

  1. No single person should accumulate all these privileges.
  2. The provider should deploy stringent security devices, restricted access control policies, and surveillance mechanisms to protect the physical integrity of the hardware. Thus, we assume that, by enforcing a security process, the provider itself can prevent attacks that require physical access to the machines.
  3. The only way a sysadmin would be able to gain physical access to a node running a customer’s VM is by diverting this VM to a machine under his/her control, located outside the IaaS’s security perimeter. Therefore, the cloud computing platform must be able to confine the VM execution inside the perimeter, and guarantee that at no point can a sysadmin with root privileges who is remotely logged in to a machine hosting a VM access its memory.
  4. The TCG (Trusted Computing Group), a consortium of industry leaders formed to identify and implement security measures at the infrastructure level, proposes a set of hardware and software technologies to enable the construction of trusted platforms, and suggests the use of “remote attestation” (a mechanism that lets authorized parties detect changes to the user’s computers).
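
A minimal sketch of the remote attestation check from item 4, used to decide whether a node may host a VM (item 3). This is an added example, not code from the article or from any TCG specification. It assumes an HMAC with a shared key in place of a TPM's asymmetric quote signature, and all names and sample values are constructed.

```python
import hashlib, hmac, os

PCR_INIT = bytes(32)  # a PCR holds 32 zero bytes after platform reset

def measure(component: bytes) -> bytes:
    """Digest of one boot component (firmware, hypervisor, ...)."""
    return hashlib.sha256(component).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR: each step is SHA-256(previous PCR || digest)."""
    pcr = PCR_INIT
    for digest in event_log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr

def node_quote(key: bytes, boot_chain, nonce: bytes) -> dict:
    """Node side: event log plus a MAC over (nonce || final PCR).
    Assumption: HMAC stands in for the TPM's asymmetric quote signature."""
    log = [measure(c) for c in boot_chain]
    pcr = replay(log)
    return {"log": log, "pcr": pcr,
            "sig": hmac.new(key, nonce + pcr, hashlib.sha256).digest()}

def verify_quote(key: bytes, quote: dict, nonce: bytes, reference_log: list):
    """Verifier side: returns (ok, reason) for a VM placement decision."""
    want = hmac.new(key, nonce + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, quote["sig"]):
        return False, "bad signature or stale nonce"
    if replay(quote["log"]) != quote["pcr"]:
        return False, "event log does not match quoted PCR"
    if quote["log"] != reference_log:
        return False, "boot chain differs from known-good reference"
    return True, "known-good state"

# Constructed sample data (not from the article)
KEY = b"demo-attestation-key"
GOOD_CHAIN = [b"firmware-1.0", b"hypervisor-4.2", b"vm-manager-2.1"]
TAMPERED_CHAIN = [b"firmware-1.0", b"hypervisor-4.2-modified", b"vm-manager-2.1"]
REFERENCE = [measure(c) for c in GOOD_CHAIN]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN)]:
        nonce = os.urandom(16)  # fresh per challenge, so old quotes cannot be replayed
        quote = node_quote(KEY, chain, nonce)
        print(name, verify_quote(KEY, quote, nonce, REFERENCE))
```

A node whose software stack was changed by someone with root access produces a different PCR value, so the platform can refuse to place or migrate a VM onto it.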

At platform level:

The security model at this level relies more on the provider to maintain data integrity and availability. The platform must take care of the following security aspects: integrity, confidentiality, authentication, defense against intrusion and DDoS attacks, and SLA.

At application level:

The following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process:
  1. SaaS deployment model
  2. Data security
  3. Network security
  4. Regulatory compliance
  5. Data segregation
  6. Availability
  7. Backup/Recovery Procedure
  8. Identity management and sign-on process

Most of the above are provided by the PaaS, and hence optimal utilization of the PaaS in modeling the SaaS is very important.

Some of the steps that can be taken to secure SaaS are: secure product engineering, secure deployments, governance and regulatory compliance audits, and third-party SaaS security assessment.

At data level:

Apart from protecting data against corruption and loss by implementing data protection mechanisms at the infrastructure level, one also needs to make sure that sensitive data is encrypted in transit and at rest.

Apart from all the above measures, implementing stringent security processes, coupled with periodic audits, should also be part of making the cloud secure. Governing security laws should be amended as technologies advance, and ethical hacking and vulnerability testing should be performed to make sure the cloud is secure across all layers.

Satish Agrawal is Vice President – Cloud Computing at e-Zest Solutions Ltd. He has over 16 years of experience in the IT and software product engineering space and has built and implemented end-to-end cloud solutions for clients across geographies.
