The ins and outs of securely operating the enterprise cloud
Many businesses today count on the cloud to run their day to day operations. What they don’t count on, is being more susceptible to a data breach.
Today, the stakes are even higher, especially since Singapore’s Smart Nation initiative to better the lives of citizens through technology is entirely data-driven.
To underpin this, the Singapore Government unveiled a holistic national cybersecurity strategy in October last year.
When it comes to protecting their data, today’s business leaders who depend on the cloud to run their day to day business operations need to know the information is always protected and secure.
Today, and more than ever before, a multi-layered approach to cloud security is no longer an option but a requirement.
Confidence in the cloud does not come easily to everyone. The lack of complete transparency and control can make some businesses question their ability to manage operations while keeping all of the information safe.
Some businesses have even considered building private clouds with the idea that this would give them the control they want, but the high costs and potential for security and operational issues make this an unappealing option.
Luckily, by using a multi-layered approach to cloud security, cloud service providers can meet customers halfway, providing the highest levels of security while maintaining more visibility into the operations and increased control.
When looking at cloud security options, businesses need to take a hard look at the provider because not all cloud security is created equal.
They should ensure that all bases are covered including the baseline infrastructure, physical security standards, control and access requirements, and incident response processes.
No security solution is perfect, and service providers should also have strict operational controls and well thought out processes and procedures in place for when the inevitable security issues come up.
Finally, a good way to gauge your service provider’s security standard is to check if they have received local cloud security standard certification – the Singapore equivalent of that, would be the MTCS certification, issued by the Infocomm Media Development Authority (IMDA).
In order to provide a secure cloud infrastructure, start with a multi-instance architecture in which every customer instance has its own database. All routers, switches, firewalls and server-load balancers should be redundant throughout the infrastructure.
Additional security such as intrusion detection systems (IDS) and distributed denial-of-service (DDOS) protection at each location is necessary to quickly detect, alert and remediate suspicious activity.
In the end, a cloud infrastructure should be built similar to how a traditional enterprise data center is structured, with high availability, performance and security at the forefront.
Without physical security at every data center location, cloud service providers could do little to ensure their customer’s data is secure.
Each location should have multiple security measures in place, such as: purpose-built buildings, 24/7 surveillance, security guards, and biometric scanners (palm and fingerprint).
It should be very difficult to get into a cloud service provider’s data center, even when authorized to do so.
Only fully vetted and full-time personnel ought to be allowed into the data center and appropriate safeguards should be in place to ensure that only those individuals are allowed entry.
Physical security may be compromised through unexpected methods, including third-party or contractors used to perform equipment installation or hardware maintenance.
Access and Controls
As mentioned above, it should be difficult for those even with authorization to have access to the data center. However, beyond physical access, the cloud service provider should have strict controls on who can access the network and server infrastructure.
All access should require at least a secure virtual private network (VPN) connection using multi-factor authentication and one-time passwords.
In addition, read-write access to infrastructure devices should be granted to very few individuals with strict adherence to change management processes including clearance guidelines from the Site Reliability Engineering (SRE) team.
Audit logs of all login access and transactions on the instance is another requirement for the secure operation and appropriate monitoring of the enterprise cloud security.
Even the most secure cloud will encounter threats. Part of any cloud security design should be the procedures that will be carried out when a security incident occurs.
Consider who is in charge, and how the issue should be managed including all communications.
Ideally, every cloud service provider would have a security incident handling process and a response team trained with clear roles and responsibilities with work flows defined for detecting, researching, communicating and resolving any incidents.
Once the processes are in place, companies shouldn’t wait for an emergency to make sure their incident response plan is up to the task.
To ensure the process goes smoothly, regular tests should be performed during times that are not considered mission critical.
Up to Standard
A good indicator of your service provider’s security standard would be to check how they measure against local certification standards. In Singapore, the highest level of certification would be the MTCS Level 3 Certification from the IMDA.
By achieving this certification, it would indicate that your service provider is trusted to store extremely sensitive data such as health and medical records. Successful operation of the enterprise cloud requires multiple layers of protection.
Using physical security, strict operational controls, and a secure cloud infrastructure, customers will have the confidence they need to operate successfully and securely in the cloud.
Article by Jimmy Fitzgerald, Vice President and General Manager, Asia-Pacific and Japan, ServiceNow