The Australian Government published their National Cloud Computing Strategy in May earlier this year, placing the spotlight on data and where it resides. Ultimately, this is the key to how organisations can understand and prioritise the risks they expose themselves to in the cloud. While public and private clouds are well-understood, a hybrid model is most likely to be adopted by Australian organisations as it allows for sensitive resources to remain internal and under organisational control while taking advantage of the benefits that public cloud can provide.
Studies typically find that the barriers to cloud adoption are tied to security. A recent survey NetIQ conducted in conjunction with IDG found that “69 per cent of IT security decision makers in organisations around the world believe consumer cloud services post a huge risk to sensitive data”. The key reason for this is the lack of visibility offered by cloud service providers on access governance relating to customer data.
Concerns around data security in the cloud are further exacerbated by legislation. Under the impending Australia data breach notification law, an organisation that stores customer data in an offshore provider’s infrastructure remains the guardian of that data. This includes being liable for the data should anything happen to it (e.g. via a data breach).
Securing a hybrid cloud model requires a mindset shift from traditional IT security approaches. Analyst firm Forrester uses their Zero Trust model to illustrate the fact that IT security can no longer trust activities occurring internally within the walls of the organisation. Security is about verifying everything that occurs and organisations have to inherently assume an insecure state and react quickly as a security incident occurs.
To start with, organisations need to begin by building a solid identity foundation. Controlling the lifecycle of identities to ensure accesses are given and taken away appropriately provides auditability and governance. The identity fabric of any organisation needs to be portable and scalable due the exponential number of moving parts in the modern IT environment, so identity standards such as Security Assertion Markup Language (SAML) or OAuth should be adopted.
Next, all activity needs to be monitored, to ensure visibility across all environments. The key to true visibility however, is in achieving what many refer to as actionable intelligence. Without this, we are left with noise, which makes it much more difficult to identify and react to threats. Contextual information and an identity-aware approach combined with monitoring and audit capabilities provide the actionable intelligence required.
Scalable, centrally managed access controls are also critical when adopting a hybrid cloud model, especially in an environment where information can potentially be flowing between internal and external environments. Access to resources needs to be enforced for all users, in addition to the monitoring already mentioned.
One particular class of users however, requires special mention: privileged users. The National Cloud Computing Strategy references the Defence Signals Directorate’s 35 Cyber Security risk mitigation strategies, which notes that organisations must “minimise the number of users with domain or local administrative privileges.” Studies have found that the majority of data breaches use compromised accounts, with hackers preferring to gain control of a privileged account as it has the highest level of access on the system. This makes managing privileged users and reducing account privileges extremely important. Essentially, if an organisation has a handle on privileged accounts, a major vector for attackers to get at sensitive data is mitigated.
When it comes to securing the hybrid cloud the key measures to take are:
- Identify and classify data.
- Take an identity-centric, standards-based approach to security.
- Manage and control access.
- Reduce privileged access.
- Monitor and audit all user activity.
Any security issues an organisation has are only magnified when the cloud is brought into the picture. A solid identity foundation allows the agility to deal with the many challenges a hybrid cloud model brings. Above all else, organisations must remember that they are responsible for security, even when they do not have full control over their cloud.
Ian Yip is the product and business manager for Identity and Security Management across the Asia Pacific region at NetIQ Australia.