IT executives are finding that they need to rethink their information security strategy and regulatory compliance practices as they move to a cloud computing environment in which data and resources are shared beyond their firewalls.
Raytheon Co. has made considerable investments in cybersecurity with traditional methods like intrusion prevention systems and firewalls, but those measures “get wasted” because they aren’t sitting in front of outsourced data and infrastructure in the cloud, said Michael Daly, deputy CISO and director of IT services at Raytheon. “So you are less able to take direct action yourself [in a cloud environment], and we need to figure out how to extend our cybersecurity practices and systems out to that outsourced environment.”
The Waltham, Mass.-based company has not moved to a public cloud environment yet. It is, however, developing a shared private “cloud-type service” for the cost savings it can attain by allowing it and its partners to test, build and collaborate on new programs or products for the likes of the Air Force, Army or Navy.
For Daly, the concerns regarding his information security strategy in a public or private cloud range from whether or not the firewall controls move along with the data or service, to whether the security keys handling the encryption stayed in place as virtual machines are created and disappear. Then there are regulatory concerns regarding his company’s ability to ensure International Traffic in Arms Regulations (ITAR) compliance in a shared environment.
“How do you know who needs access to what information, and do they have the right vetting to allow them access?” he said. “If this is within the U.S., we are under ITAR. How has [a] person been checked to make sure that person is a U.S. citizen under law?”
Where's the customer data?
“Follow-me” regulatory compliance, as Chris Wolf, a research vice president at Gartner Inc. in Stamford, Conn., describes it, is in its infancy. Auditors want an authoritative answer as to where a customer’s data resides in the cloud. “That’s hard to do,” Wolf said. “I hear people say, ‘Well, that virtual machine has that data, and it’s probably in this data center,’ and when you’re talking about a global cloud provider, it’s even harder. There’s no metadata trail that says, ‘Here’s where the data physically resides.’ I don’t have that root of trust for data today.”
The data may be encrypted, but addressing data exports is a work in progress, he said.
Become very friendly with a lawyer and your legal department, advises Daly. “I put my data out there, I don’t know if it is legally considered protected anymore under the regulations I have to comply with,” he said. “If I do my vulnerability testing every Thursday night, and come to find out the provider doesn’t allow that, what then? You have to carefully catch all that legal language.”
In fact, whether data is still considered private while traversing a public cloud is a question most experts can’t answer. “Right now, it’s not clear that a cloud service would pass regulations like PCI DSS or even state identity laws,” said Richard E. Mackey, vice president of Sudbury, Mass.-based SystemExperts Corp.
Who’s ultimately responsible for cloud security?
Wolf said that extending virtual private networks through and around the cloud is still something that technology vendors are trying to work through. Some vendors are developing cloud gateways, a front-end security component that evaluates security policies and decides who may reach which resources or data, he said.
Virtual machine traffic can bypass the network appliances that monitor traffic in a virtual environment, but virtualization vendors are developing endpoint integration with third-party security appliances. “There is also the emergence of virtual switches that allow port spanning, which gives me the ability to listen for VM traffic and send that traffic to a monitoring appliance,” Wolf said.
In the end, it will be up to the customer to secure data before it leaves the network. But even that creates a Catch-22. “By encrypting it, you’ve made it impossible to do queries on it,” Mackey said. “Ideally, keep all the metadata that needs to be searched on your own network, and not the cloud.”
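Mackey’s arrangement, payload encrypted before it leaves the network while the searchable metadata and the key stay on-premises, is small enough to sketch in code. The Go program below is an added illustration, not code from the article or from any of the companies quoted in it: the record type, the in-memory “cloud store” and the sample records are all constructed for the example. The provider only ever receives ciphertext under an opaque identifier, queries are answered from a local index, and each blob is bound to its identifier with AES-GCM additional authenticated data so a blob returned under the wrong identifier fails to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is a customer record as it exists on the corporate network, in the clear.
// Constructed example type; not from the article.
type Record struct {
	ID       string // opaque identifier, the only thing the provider learns
	Customer string // searchable metadata, kept on-premises
	Body     string // sensitive payload, sent to the cloud only as ciphertext
}

// CloudStore stands in for the provider. It holds ciphertext keyed by opaque ID
// and nothing else, so it cannot answer "which blobs belong to customer X".
type CloudStore struct {
	Blobs map[string][]byte
}

// Vault is the on-premises side: the key and the metadata index never leave it.
type Vault struct {
	key        []byte
	byCustomer map[string][]string // customer name -> blob IDs
	cloud      *CloudStore
}

func NewVault(key []byte, cloud *CloudStore) *Vault {
	return &Vault{key: key, byCustomer: map[string][]string{}, cloud: cloud}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts body with AES-GCM. The record ID is bound in as additional
// authenticated data so a blob swapped or renamed at the provider is rejected.
// Output layout: nonce || ciphertext || tag.
func seal(key []byte, id string, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(id)), nil
}

func open(key []byte, id string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(id))
}

// Put ships only ciphertext to the provider and records the metadata locally.
func (v *Vault) Put(r Record) error {
	ct, err := seal(v.key, r.ID, []byte(r.Body))
	if err != nil {
		return err
	}
	v.cloud.Blobs[r.ID] = ct
	v.byCustomer[r.Customer] = append(v.byCustomer[r.Customer], r.ID)
	return nil
}

// FindByCustomer answers the query from the local index, then fetches and
// decrypts just the matching blobs; the provider never sees the predicate.
func (v *Vault) FindByCustomer(name string) ([]string, error) {
	var out []string
	for _, id := range v.byCustomer[name] {
		body, err := open(v.key, id, v.cloud.Blobs[id])
		if err != nil {
			return nil, fmt.Errorf("blob %s: %w", id, err)
		}
		out = append(out, string(body))
	}
	return out, nil
}

// ProviderCanSee reports whether any stored blob contains the given plaintext.
func (c *CloudStore) ProviderCanSee(plaintext string) bool {
	for _, b := range c.Blobs {
		if bytes.Contains(b, []byte(plaintext)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed key; in practice it would come from an on-premises KMS or HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	cloud := &CloudStore{Blobs: map[string][]byte{}}
	v := NewVault(key, cloud)
	for _, r := range []Record{ // constructed sample records
		{"r1", "acme", "acme order 1001"},
		{"r2", "acme", "acme order 1002"},
		{"r3", "globex", "globex order 2001"},
	} {
		if err := v.Put(r); err != nil {
			panic(err)
		}
	}
	hits, _ := v.FindByCustomer("acme")
	fmt.Println(hits, cloud.ProviderCanSee("acme"))
}
```

The trade-off Mackey describes is visible in the code: the cloud side can answer nothing but “give me blob r1”, so every query predicate has to live in the on-premises index, and that index is now a system the customer must back up and protect like the data itself. Daly’s question about keys surviving VM churn is the same boundary seen from the other side: here the key is created and held on-premises, never in the provider’s environment.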
Vulnerability scanning is also out because the cloud provider will not run the risk of your testing bringing down other customers on your shared network, he said.
Raytheon’s Daly said he believes an answer to many of his public cloud security concerns lies in the provider offering modular services to customers, something like a private cloud within a public one. As it stands, a given cloud provider offers one model for security practices such as identity management or authentication, he said.
“Over time, [public cloud providers] will have to say, ‘Choose from this menu and your environment will be provisioned with all these different options,’” Daly said.
Even with these menu options, the line remains blurry as to which party, the customer or the cloud provider, is responsible for what security safeguards. “Just one example: If our users log in and the service is not responding well, was it because we didn’t do something right on our end, or is it because [the cloud provider] is not receiving it right on their end?” Daly said.