Cloud computing aims to bring new flexibility to enterprise IT: the idea of virtualizing computing resources removing them from physical hardware opens up many possibilities, not just in terms of cost cutting, but also in security and availability.

Security, availability, and integrity are all essential for enterprise IT and cloud computing promises to help businesses have access to data and applications at all times. Instead of thinking about business continuity in terms of disaster recovery, where the focus in on how quickly enterprises can restore operations, cloud computing could make the traditional concept of backups and recovery obsolete. Instead, the idea of totally-resilient operations becomes much more feasible, in which cloud-based resources are constantly replicated between sites to protect applications and data in the event of a physical incident.

“We used to focus on internal data centre redundancy. Now we’re seeing it as remote redundancy. So this idea of instantaneous remote backup is gaining traction,” explains Al Berman, executive director at DRI International, which trains professionals in business continuity. “I just came back from a meeting at the White House, and all they wanted to talk about was cloud computing and why no-one was talking about it. I said, ‘in the private sector, we’re not talking about it – we’re just doing it’.”

Mitigating risks

However, while enterprises embrace cloud computing’s ability to protect business operations, they should not enter into cloud computing relationships without first assessing and mitigating risks. Enterprises need to assess the security issues associated with virtualizing one’s data so that it becomes independent of a physical computing platform. Where is the data is to be kept? Who will have access to it? What access controls are in place to prevent the wrong people seeing it? And what technical measures are in place to prevent it being misappropriated?

“Cloud computing can be risky, which is why we are seeing the emergence of trusted intermediaries,” explains Alexandre Rigaldo, cloud computing program director at Orange Business Services. He identifies several broad risks that customers should consider when engaging in cloud computing relationships. “We are talking about a shared infrastructure, so that we have data from different people shared on the same physical machines. Also, you don’t know where your data is located, and this can be an issue in specific sectors.”

This emphasis on location stretches beyond where the data is stored into the area of accreditation. Certifications used by cloud computing providers may differ between one region and another, and what is acceptable from a regulatory perspective in one region may not be acceptable in another, he warns.

Finally, the data may be at risk if the communication mechanisms used to get it into the cloud and out again are not secure. Using the public Internet to communicate that data without encrypting it, for example, could incur regulatory risk.

“To mitigate this risk is not rocket science. The goal is to apply some basic IT security principles, and not believe in Santa Claus,” Rigaldo says. “Cloud computing doesn’t solve all of your issues. You have to be as careful when you buy cloud computing services as with traditional IT.”

One crucial step is to look at the life cycle of your information, says Rigaldo. Defining the sensitivity of specific types of data, based on the business processes that it serves, and the legal liability that it incurs, is vital when it comes to understanding how to deal with it.

Different approaches to the cloud

How an enterprise tackles these tasks will depend partly on the type of cloud computing model it is employing. Cloud computing models can be split in different ways. For example, platform as a service differs from software as a service, which is in turn a separate proposition to infrastructure as a service. All of these carry different risks in varying proportions.

It is also possible to slice the model along organizational lines. Some may prefer private clouds, where individual companies host their own data, while others may prefer a publicly available cloud service in which everything is hosted by a third party and runs from a shared platform. Alternatively, it’s possible to combine the two with a hybrid model that allows enterprises to retain some control, while still taking advantage of the economies of scale of the shared platform. All of these choices will have a bearing on the risk analysis process.

With such a bewildering array of options, how can an enterprise begin to make sense of it all?

Different organizations have published their approaches to securing cloud computing. The European Network and Information Security Agency (ENISA) recently published an information assurance framework as part of a broader report entitled “Cloud Computing: benefits, risks, and recommendations for information Security”. This framework is designed to help customers understand which questions to ask potential cloud suppliers.

The Cloud Security Alliance (CSA) also published its “Security Guidance For Critical Areas of Focus in Cloud Computing” in December, which discusses different cloud architectures and assesses how each of them can be best managed in the context of information lifecycle management, data portability, and application security. Governance featured heavily in the document, which laid out each party’s roles and responsibilities in areas such as lawfulness of content and incident response.

As enterprise IT moves firmly in the direction of a more virtualized world, in which logical resources are shunted between sites for maximum efficiency, guidelines such as these will be vital for enterprises looking to tackle the process of due diligence with service providers, or attempting to automate cloud processes within their own, private networks. In spite of the name, cloud computing should be about transparency and enterprises need to stress accountability and openness in all of their service relationships.

This article first appeared in the email newsletter we help produce for Orange Business Services called Enterprise Briefing: http://www.orange-business.com/en/mnc2/footer/news/enterprise_briefing/feb2010/technology.jsp

Judging from some of the news stories circulating online recently, you might be forgiven for thinking so. Researchers keep discovering flaws in the way that it works. Worryingly, these are not simply execution flaws. Rather, they are basic design flaws, which raise significant problems when it comes to mitigation.

Most recently, PhoneFactor, a company specializing in authentication using telephones, discovered a fundamental design flaw in SSL, a key technology designed to protect online web sessions from being hacked. 18 months ago, Dan Kaminsky, director of penetration testing at security consulting firm IOActive, discovered a flaw in the way that the Internet resolves web addresses. And shortly after he made his announcement, another pair of researchers announced yet another flaw, this time in the border gateway protocol [BGP], which is a key Internet technology designed to exchange information between different networks.

The most worrying thing about flaws such as these is that they render almost everyone using the Internet open to potential security attacks. For example, the flaw that PhoneFactor found lies with the secure socket layer [SSL], which is used to encrypt information passing between a website and a browser. It enables an attacker to inject their own data into the communication stream between the user and the website — even when that website is using encryption technology. This partly invalidates the padlock that you will see in your browser when surfing supposedly secure websites. Perhaps even more worryingly for enterprise users, it also potentially affects users of smartcards, which could render your whole two factor authentication system for remote employees [if you use one] vulnerable to attack.

Because SSL is a foundational technology which protects so many other things online, this design flaw is particularly worrisome. For example, others have pointed out that SSL is commonly used to protect database queries sent from one computer to another. If an attacker can inject their own commands into an SQL database query, they could turn something fairly innocuous — such as a request for a single customer’s details, for example — into something more malicious, such as a instruction to delete all of your customer records [assuming that the database granted such permissions].

Security problems have also been found in MD5, an encryption mechanism that has been traditionally popular on the Internet, and was used by some certificate authorities [the companies that create digital certificates designed to identify organizations and people, and authenticate them online].

Even so, not everyone believes that the Internet is fundamentally broken. Leslie Forbes, technical services manager at F-Secure, which sells software and services designed to make people more secure online, argues that it is the way we use it that is inherently flawed. “It is the model we used to trust [or not] the services offered across the medium that is broken,” Forbes says. “So, based on the premise that the Internet is supported by software, and software will have bugs — some never dreamed over the time of coding — there will always be fixes to be made.”

One of the biggest problems when such flaws are discovered is the remediation process. Fixing deployment errors is bad enough, but it generally only involves passing a piece of software or firmware and then distributing it online. But when the security problem involves a basic mistake in the design of a protocol, then this entails a potential change to a standard, which can be a much more complex task. Standards bodies move at a glacial pace, meaning that it can take years to alter existing documents to account for a design problem. In the meantime, companies must find workarounds that at least prevent an attack from happening in the interim.

Unfortunately, the general consensus is that such design flaws will keep cropping up as we become more adept at finding them [and hopefully do so before the Internet criminals]. “Any complex system will be difficult [or time-consuming] to analyze empirically, so it will continue to be both possible, and likely, that while there are Internet protocols, there will be serious flaws,” warns Martin O’Neal, managing director of security consulting firm Corsaire.

Not only must these companies work together, but they must do so largely in secret, so that they can find the solution to the problem before malicious attackers do. To this end, a group of companies including Microsoft formed the Industry Consortium for Advancement of Security on the Internet [ICASI]. ICASI focuses on working together to try and find solutions to security problems affecting the broader Internet and not limited to any one vendor.

Unfortunately, such efforts do not otherwise result in a fix before attackers exploit such basic vulnerabilities. For example, the SSL flaw that PhoneFactor discovered was kept secret until it was independently uncovered in a discussion forum. Shortly after that, security researcher Anil Kumas used it to engineer an attack against the Twitter micro-blogging service that would enable any attacker to authenticate themselves as another user.

Alternately, the question of whether the Internet is broken maybe too simplistic. The online world is never that binary. After all, you are still reading this article online — something that is miraculous when we consider that the web didn’t exist 20 years ago. However, thanks to increasingly sophisticated attackers online, we are finding the Internet in a continuous state of disrepair. This is the nature of the medium. It is chaotic, disjointed, and always in flux. Perhaps the best that we can do is to secure systems as best we can by applying the most up-to-date patches, and then protecting all of our valuable data by increasing his, and applying multiple layers of defense to thwart any single attack. Internet may not be broken, but that doesn’t mean we shouldn’t do our best to try and fix it.

Further info

PhoneFactor SSL flaw discovery http://www.phonefactor.com/sslgap/

BGP flaw – http://www.zdnet.com.au/news/security/soa/Flaw-in-BGP-net-protocol/0,130061744,339291643,00.htm?omnRef=1337

Twitter hack http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html

Kaminsky DNS flaw news http://www.orange-business.com/en/mnc2/footer/news/enterprise_briefing/september2008/industry_watch.jsp

ICASI http://www.icasi.org

This blog was contributed by Danny Bradbury, one of Futurity Media’s international network of writers

Cloud computing is a staggeringly popular topic. Huge swathes of the work we did in 2009 related to cloud computing services and the trend looks set to continue into next year. Just about all parts of the information communications technology (ICT) industry are positioning themselves to take advantage of the predicted stratospheric growth. Although all hyped technologies will get their comeuppance at some point, cloud computing is unlikely to make much headway in enterprises if it they are worried about security.

Enterprise concerns over security are perfectly understandable: as a shared medium, how can they be sure that their data isn’t leaking into their competitors environment, and in fact are they even able to tell were their data is even stored. The latter issue can have a major regulatory impact in a number of areas, such as PCI-DSS compliance. Hackers are already reportedly rubbing their hands with glee at the prospect of hacking cloud computing environments. At the recent Black Hat conference, speakers demonstrated how to attack the cloud and a Trojan keylogger was reportedly found on Amazon’s AWS site only this week.

Given the importance of security to cloud computing’s success there’s little surprise that the industry is making solving the issue a priority. Here are some interesting resources & articles:

• The European Network and Information Security Agency has published a report on the risks of cloud computing;
• The Jericho Forum famous for its work on deperimeterisation published a white paper on cloud computing security earlier this year;
• In June, Jericho Forum and the Cloud Security Alliance joined up to address security. I was expecting to see a result on this collaboration in the autumn, but I haven’t seen anything yet;
• Ariel Silverstone suggests some metrics for measuring the security of your cloud computing providers;
• ISACA has published a white paper that looks at some of the security issues;
• The CSA and Novell are running an interesting looking webinar on Cloud security next week.