Enterprises are now clamoring for the corporate security gateway to give way to the new Cloud application security gateway.
Cloud application security requires a comprehensive strategy that balances business needs and security risks. The following steps take you from defining your requirements for cloud application adoption and threat modeling to activating security tools and maintaining security, compliance and IT governance.
Boris Gorin, head of security engineering for FireLayers, contributed to this slideshow.
Institute a standard set of requirements for cloud application adoption. IT should drive the process, but be sure to involve the business owners as this will help with user compliance. Clearly outline your “nice to haves” and show stoppers. Requirements can be divided into these three categories:
Align with your cloud application vendors. Within your RFPs, require vendors to clearly outline the technologies they use, certifications they have, and their compliance with common standards such as CSA Cloud Control Matrix.
Understand the level of risk you may be assuming when adopting a cloud application. To quote the CSA Notorious Nine: Cloud Computing Top Threats in 2013, “Without a complete understanding of the cloud provider environment, applications or services being pushed to the cloud, and operational responsibilities…organizations are taking on unknown levels of risk in ways they may not even comprehend. Take a good look at the vendor’s SLA.
Build a Threat Model
Build a threat model for each cloud application you are considering. Identify potential threats; technical and business, regardless of whether they can be exploited. Define usage scenarios where these threats may occur and the damage that might result.
Note: Alternatively, you can choose to develop a threat model first and build requirements based on the likelihood and criticality of risks identified.
Prepare for Shared Vulnerabilities
Choose the level of risk tolerance your organization is comfortable with when using services that rely upon a multi-tenancy model. This should be based upon your comprehension of the multi-tenancy model and the relevant shared technology vulnerabilities. Basically, be prepared that your organization may be exposed to risk if one of the other clients of the cloud-based service is compromised.
Use Strong Authentication Tools
Protect your cloud applications against account credential hijack and authentication bypass breaches from external attackers. Put additional authentication measures in place, such as two-factor authentication and one-time passwords, to add another layer of security when users are connecting from a myriad of devices (managed and unmanaged) via public WiFi’s and hotspots.
Put in Place Single Sign On (SSO) and/or an Identity Federation Solution
There is much room for error when users have to remember several sets of passwords for different cloud applications. Reduce this risk exposure by having an Identity Federation with the organization’s User Directory (such as an Active Directory or LDAP) that will leverage the existing authentication mechanism and ensure that only users that are authorized to connect to the organization or are physically on-site are able to connect to the cloud provider.
Activate Distributed Denial of Service (DDoS) Protection
Ensure that appropriate DDoS protection is in place so that you can ward off attacks, which are rampant. More than 43 percent of enterprises questioned in the 8th Annual Infrastructure Security Report report being victims of a DDoS attack causing partial or total infrastructure outages. With strong DDoS protection you can prevent external attacks that may block your users from accessing your cloud landscape.
Deploy Incident Response Procedures
Define and deploy incident response procedures appropriate for your organization. These procedures should be agreed upon by the cloud service provider. Having these procedures in place will clearly delineate the shared responsibilities between you (the customer) and the cloud service provider. Furthermore, they will ensure the incidents are handled and documented in a timely manner.
Contain Data Loss
Accidental data deletion or overwriting can cause the permanent loss of data/files in the same way as similar malicious behavior. Having adequate off-site backups can prevent organizations from irreparable damage caused by data loss threats.
Protect Data and Privacy
Be mindful of data protection and privacy laws when designing cloud infrastructures which leverage geographical diversity. It is recommended that you deploy data protection and privacy controls supporting the laws of the various data protection authorities under whose jurisdiction you may fall.
Bridge the Gaps
Based on the risks you defined and the relevant vendor compliance, there most likely will be gaps or scenarios where you feel the vendor's protections do not appropriately address the risks you have identified during the threat model process. It is up to you to reduce the risk surface and come up with creative mitigations. Mitigation examples may include limiting access to sensitive data, disabling a feature, using a third-party security tool, reducing the amount of connectivity options, or introducing other compensating controls.
Even though you have deployed various cloud application security solutions (encryption, DLP, anti-virus, anti-malware) residual risk will always remain when adopting a new cloud application. Ultimately, it is a business decision to integrate a new cloud application into the enterprise’s business processes. Making that decision needs to take into account whether the trade-off between the cloud application's security risk profile and its business capabilities is worth it. One solution is to have a task force, which includes business and IT leaders, to explore these issues.
Put it in the Contract
Place in your agreement with the cloud application vendor incentives and penalties to support your specific technical requirements and risk tolerance, expectations for their native controls, and additional efforts to which the vendor has committed.
Certifying a cloud application is only the beginning. You have just introduced a new risk asset into your ecosystem and you need to maintain governance over it. Make sure you have the right cloud application governance process in place. Control usage by training your information workers and enforcing usage policies. Conduct periodic health checks and risk assessments. Bottom-line, stay alert to the ever-changing security landscape.
Boris Gorin is head of Security Engineering at FireLayers.