Category: Cloud Security
Posted by Heather Howland in Cloud Security, Security Intelligence
Q1 Labs’ CSO, Chris Poulin, recently authored a paper defining best practices for IT security in a cloud environment. In it, he covers the hurdles organizations can expect when securing their public or private cloud environments, the steps necessary to create an effective security policy, and the similarities between SIEM and cloud environments.
Since this is a week of two major cloud related conferences - VMworld and Dreamforce – let’s talk cloud security!
What are a few of the steps cloud providers and customers can take when building out their own cloud security plan? A major part of the process is to start with an assessment of risk: understand your current data types, locations, business processes, and information flows, and know where the critically sensitive data is. Just like any other enterprise, cloud computing requires customers and cloud providers to define their own information topology before any reasonable security policy can be defined and implemented.
Step 1: Discovery
Know where all of your data is, however you classify it. The key is distinguishing the data that can be housed in the cloud from the data that cannot. An eDiscovery process is recommended to locate buried and even misplaced data. Too often organizations find that Personally Identifiable Information (PII) is mixed in with less critical data and covered by the wrong security controls.
Step 2: Classification
After you know where your data is, classify it appropriately and place it on systems whose security controls match the data sensitivity. This step alone can help you make progress toward meeting various compliance regulations.
Step 3: Data transit
SIEM can help define your data transit policy by monitoring endpoints, firewalls, and network activity to decide whether data should be allowed to proceed to the cloud or not. Content-aware network profiling from Data Loss Prevention (DLP) solutions can be fed to the SIEM to perform more complex correlations with other data feeds. For example, watch for PII such as a Social Security number in a patient healthcare record, then combine that DLP hit with the firewall logs and network activity already in the SIEM: together they show whether the record actually left the network, where it went, and whether the session was allowed, giving a bigger picture of malicious activity than either feed alone.
As Chris Poulin has blogged, there is no question that more modern SIEM (a.k.a. Security Intelligence) solutions have their place in the cloud. It’s not a matter of whether SIEM is ready for the cloud, but whether the cloud is ready for SIEM. For more on IT security best practices in cloud environments, take a spin through Chris’ complete writeup.
Related: SIEM and Cloud might be cousins
Posted by John Burnham in Cloud Security, Compliance, Cybersecurity, In the Industry
Day 1: we participated in a panel at the William Blair Technology Symposium, “The Future of Cloud Computing.” The panel was entitled, “How the Cloud Changes Security”. Great topic, great panel, staffed by security solutions suppliers. Major takeaway based on the questions asked of the panel, by the investment community, not end-users: confusion reigns supreme, and most likely due to the outrageous amount of hype surrounding “cloud”. Usually the questions were about virtualization, but using cloudy(ed?) language.
Day 2: Q1 Labs Customer Council. The topic of Cloud came up twice: once in the form of a customer’s presentation of one of his major use cases: SIEM as the security intelligence platform for his company’s cloud-based services offerings. He relies on QRadar for visibility/compliance and intelligence/threat management, both to ensure the integrity of his brand and to provide proactive threat management. And once from another customer in the form of a question, essentially: “What is the role of SIEM in the Cloud, in your opinion?” This generated a very grounded discussion of the various cloud types (private, public, hybrid, multitenant) and how SIEM, Log Management, and Vulnerability Management play a role. Clarity prevailed: one size does not fit all use cases.
Prosodie (France), another customer, recently announced their adoption of our QRadar Security Intelligence Platform for visibility/compliance of their cloud-based services, and in addition uses QRadar SIEM from Q1 Labs for intelligence/threat management of their internal network, similar to the customer referenced above.
So, customers view cloud clearly (like how I did that?) as a potentially viable business proposition worthy of examination, versus a cool technology shift: if cloud adoption enables them to do their jobs better and grow their businesses, great. If not, it drops off the list of priorities.
And it would appear that while the market observers might be a bit confused about the exact utility and deployment model of the cloud, customers are not, and seem to have a pretty clear vision for SIEM’s role in securing it.
Posted by Chris Poulin in Cloud Security, In the Industry, SIEM
It may not be a popular message in our industry, but I contend that the cloud is not SIEM-ready. Like nuclear power, the cloud is hot (pun intended) and is being rolled out without a fully fleshed-out maturity model. Public cloud providers are looking at it from a traditional defense-in-depth, perimeter security framework: provide protection around the cloud with firewalls, IDS/IPS, host hardening, etc. The problem is that security needs to encapsulate the data as well as the infrastructure. Cloud 1.0 isn’t taking that into account: market forces are driving rapid build-out and early adoption. We still lack a full understanding of cloud security needs, and a mature public cloud security model will have to wait until Cloud 2.0.
The central issue is the blending of customer data, of which much has already been written: how do cloud providers contend with one bad seed that attracts a criminal investigation? Your data will invariably get mixed in with the malefactor’s and subjected to FBI review. How do cloud providers understand context around customer data and provide targeted mitigating controls?
But it occurs to me that the question today isn’t how we deal with SIEM in the cloud, but rather how does SIEM provide cloud capability? I submit that in medium to large enterprises, SIEM should be managed as an internal security intelligence cloud. SIEMs take in vast amounts of data from many internal groups, and even organizational divides, with different interests:
- The firewall management group may feed logs into the SIEM to be alerted on security events such as port scanning across multiple firewalls, which may indicate a low-and-slow (buzzword check: Advanced Persistent Threat) attempt to breach the perimeter
- The systems management group may feed Microsoft Windows Active Directory events into the SIEM to be alerted on user login failures signaling a brute-force password attack or escalation of privileges attempt
- The network management group may feed flow data into the SIEM to detect denial-of-service attacks or troubleshoot asymmetric routing problems
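The three use cases above, as an added example that is not from the post or from QRadar. The feeds are constructed and use a hypothetical key=value line format so that one parser serves all three; the thresholds, windows, and field names are assumptions, as are the Windows event IDs used for the sample (4625 for a failed logon, 4624 for a successful one, which are the real IDs on Windows Vista/2008 and later). The point each rule makes is what the paragraph describes: the scan rule counts distinct ports per source across several firewalls over an hour, so a scan that stays under any single device's per-minute threshold still surfaces; the brute-force rule escalates when a success follows the burst of failures; the flood rule keys on both flow count and distinct sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Normalise a key=value event line into a dict with a datetime timestamp."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def sliding(events, window):
    """For each event (in time order) yield it together with every later event
    inside `window`; a rule fires on the first window that meets its threshold."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, first in enumerate(events):
        yield [e for e in events[i:] if e["ts"] - first["ts"] <= window]


# Constructed events in a hypothetical key=value format. The three feeds come from
# different groups (firewall, systems/AD, network) but land in the same SIEM.
FIREWALL = [  # one source, six ports, two firewalls, spread over an hour
    f"ts=2010-09-01T09:{m:02d}:00 device=fw-edge-{1 + i % 2} action=deny "
    f"src=198.51.100.9 dst=10.1.{1 + i % 2}.5 dport={p}"
    for i, (m, p) in enumerate([(0, 21), (11, 22), (23, 23), (35, 25), (47, 80), (58, 443)])
] + ["ts=2010-09-01T09:30:00 device=fw-edge-1 action=deny src=203.0.113.4 dst=10.1.1.5 dport=22"]

WINDOWS = [  # five failures in 20 s, then a success for the same account
    f"ts=2010-09-01T10:00:{5 * k:02d} host=dc1 event_id=4625 user=jsmith src=10.1.7.30"
    for k in range(5)
] + [
    "ts=2010-09-01T10:00:40 host=dc1 event_id=4624 user=jsmith src=10.1.7.30",
    "ts=2010-09-01T10:30:00 host=dc1 event_id=4625 user=admin src=10.1.7.31",  # one typo, not an attack
]

FLOWS = [  # 60 flows in 30 s from 25 sources to one web server, plus a few benign flows
    f"ts=2010-09-01T11:00:{s // 2:02d} src=203.0.113.{10 + s % 25} dst=10.1.1.10 dport=80"
    for s in range(60)
] + [f"ts=2010-09-01T11:05:{s:02d} src=10.1.7.40 dst=10.1.1.11 dport=443" for s in range(3)]


def detect_slow_scan(fw, window=timedelta(hours=1), min_ports=5, min_devices=2):
    """Port scan spread across several firewalls: each device alone sees too little
    to alert; aggregating by source over a long window reveals it."""
    by_src = defaultdict(list)
    for e in fw:
        if e["action"] == "deny":
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for burst in sliding(evs, window):
            ports, devices = {e["dport"] for e in burst}, {e["device"] for e in burst}
            if len(ports) >= min_ports and len(devices) >= min_devices:
                hits.append({"rule": "low_and_slow_scan", "src": src,
                             "ports": sorted(ports, key=int), "devices": sorted(devices)})
                break
    return hits


def detect_brute_force(win, window=timedelta(minutes=5), min_failures=5):
    """Repeated 4625s for one account; a 4624 right after the burst means the
    guessing may have worked, so the severity goes up."""
    by_user = defaultdict(list)
    for e in win:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["event_id"] == "4625"]
        for burst in sliding(failures, window):
            if len(burst) >= min_failures:
                last = burst[-1]["ts"]
                success = any(e["event_id"] == "4624" and last <= e["ts"] <= last + window for e in evs)
                hits.append({"rule": "brute_force", "user": user, "failures": len(burst),
                             "severity": "critical" if success else "medium"})
                break
    return hits


def detect_flood(flows, window=timedelta(seconds=30), min_flows=40, min_sources=20):
    """Many flows from many sources to one service in a short window."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f["dst"], f["dport"])].append(f)
    hits = []
    for (dst, dport), fl in by_dst.items():
        for burst in sliding(fl, window):
            sources = {f["src"] for f in burst}
            if len(burst) >= min_flows and len(sources) >= min_sources:
                hits.append({"rule": "flood", "dst": dst, "dport": dport,
                             "flows": len(burst), "sources": len(sources)})
                break
    return hits


def run_rules(fw_lines=FIREWALL, win_lines=WINDOWS, flow_lines=FLOWS):
    """Parse every feed and run the three rules, returning one list of hits."""
    return (detect_slow_scan([parse(l) for l in fw_lines])
            + detect_brute_force([parse(l) for l in win_lines])
            + detect_flood([parse(l) for l in flow_lines]))


if __name__ == "__main__":
    for hit in run_rules():
        print(hit)
```

The scan rule is the one that only works because several groups share one store: rewrite the sample so all six denies come from the same firewall and it no longer fires, which is the per-device blind spot the post is describing.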
While many groups feed data into the SIEM, there is one function, usually the security or risk management group, that manages it. This is analogous to cloud services, which have consumers and a provider. When the two are in separate organizations, there’s a clear dividing line between roles and responsibilities. Providers understand that the data belongs to the consumers, their customers, and have an obligation to:
- Protect the data under their care, employing the widely adopted Confidentiality, Integrity, and Availability model
- Segment data between customers
- Provide appropriate controls to protect customer data from unauthorized access, both by external entities and by other customers sharing the same cloud
- Avoid accessing customer data for the provider’s use or benefit unless specifically allowed by the customer
- Respond to the needs of their customers, such as creating reports or adding new users
Think of SalesForce.com or Google Mail: they provide the cloud service and have many customers. They must adhere, contractually, to the tenets above.
Where this model differs between traditional public cloud services and an internal SIEM cloud, is that the SIEM provider generally has an overarching security responsibility that spans the data from all groups. For example, security and risk management need to correlate firewall logs with IPS alerts and network activity to detect threats. The difference is only slight, though, because while Google would not read customer emails, they do provide anti-spam filtering, track usage statistics, and look for intrusion attempts. While privacy advocates may see this as a violation, most consumers are fine with this level of access.
What consumers would not tolerate, however, is if Google decided to start forwarding customer emails to other customers out of their cloud. With a SIEM providing total context, or Security Intelligence as we call it at Q1 Labs, the security and risk management group may detect security threats, policy violations, or other actionable incidents that need to be escalated. This position has to be treated with a level of diplomacy and maturity. The group that manages and consumes data from different departments cannot use that data to indict its owners to management: “Our firewalls leave us exposed to XYZ vulnerability.” Just like a public cloud provider, the escalation process needs to be clearly defined and the procedure must include involving the data owners. This ensures that a chain of responsibility is followed and allows the issue to be resolved closest to the group responsible for managing the incident.
The point is, SIEM can bridge the gap between security silos in an organization. There has to be a clear contract between the operational management function and the SIEM consumers. The contract has to separate the duties of the managing entity and prescribe a process for handling incidents and policy violations that empowers the data owners, just like a cloud provider would be obligated to do. When managed properly, SIEM as a cloud engenders trust and cooperation, and ultimately yields a benefit to the SIEM consumers and the business at large.
Posted by Iven Connary in Cloud Security, Cybersecurity, Security Intelligence
I just finished reading an article today titled “The Cloud’s Impact on Security” [1]. I found the article enjoyable because it provides an insightful and succinct explanation of the often vague concept of “the cloud”. It also highlights numerous security challenges facing organizations that are shifting to emerging cloud services and technologies. What I did find lacking in this article was any guidance or suggestions for addressing the security challenges posed. With that omission in mind, I thought it might be helpful to blog about a few proven security best practices and technologies that can easily be applied to cloud deployments, designed to improve the overall security of data residing in the cloud.
One important concept presented in the aforementioned article is that a “cloud” is typically built from a wide range of solutions including “hosted services using shared, co-located or multi-tenant resources” – a public cloud. In addition, the article mentions that “vendors are using the word [cloud] when speaking about using internal IT resources in highly virtualized, dynamic pools” – a private cloud. This is important to understand because each deployment model introduces different security challenges.
When finding a solution, security best practices are fundamental, and technology is your friend. In a brief blog entry such as this it’s hard to present solutions to all security concerns when implementing cloud deployments. However, a few key challenges presented in the above-mentioned article are discussed below.
Meeting Emerging Regulatory Challenges
There is no doubt that new regulations will continue to emerge and existing regulations will evolve to better ensure the protection of data in the cloud. In fact, just last week Twitter settled charges with the Federal Trade Commission around information security, requiring Twitter to establish an external security audit program [2]. This paints a picture to me that in the future we will see expanding governance over the protection of personal information in the cloud. Now I will share some wisdom on ways to solve emerging compliance challenges in the cloud. The wisdom is… I don’t think the solution changes much from traditional networks – just continue to implement strong security best practices. Indeed, if Twitter, among other key security best practices, had implemented controls around password enforcement, use of default administrative passwords, and managing access to information, they probably would not have had an issue with the FTC. So pick a best practice – there are plenty out there to use as a starting point (e.g. COBIT, ISO) – and mature your security practices to better protect your network and its invaluable data.
Securing Virtualization of IT Infrastructure
This is a challenge that is not just daunting but can be a major headache, depending on how far the data has moved toward third-party management and away from central control. My words of wisdom on this initiative are that organizations must leverage technology and proven security best practices to their best advantage and ensure that third-party providers are contractually required to support those technologies and controls (see the next section on the latter topic). So how can companies leverage technologies and best practices in the private cloud? It’s actually not that hard. A virtualized server is still a server and can have all the same protections as a physical server (e.g. anti-virus, host-based intrusion detection, proper identity and access management, and the like). When implemented, these layered security technologies will greatly improve the security posture of data stored on those servers. In addition, the logs and events from those virtualized servers can be collected, correlated and analyzed to detect security exploits and policy violations. Managing the security of virtualized servers should really be no different from managing the security of physical servers: ensure the infrastructure supports the best practice of collecting, analyzing, and correlating security events – something provided by a proper security information and event management (SIEM) solution.
With that understood, be aware that there are potential blind spots in a cloud where the virtualization technology must evolve to better support the security of the virtual systems. For example, vendors of virtualization platforms should provide sufficient event logging to allow those who manage the cloud infrastructure to assess relevant activity within a virtual machine, as well as between the virtual machine and the physical network infrastructure. In another example, a hypervisor should be able to report when VMs are created, taken down, modified, etc. Another blind spot to note is network activity between virtual hosts on the same physical machine: traffic between two VMs on the same virtual switch never reaches the physical network, so a physical tap or span port cannot see it. In this area, the virtualization vendors must allow the virtual network to be tapped and monitored. As an example, VMware provides a virtual tap that enables other products to monitor network traffic within the virtual environment. Q1 Labs has a unique product in this area, the vFlow Virtual Activity Monitor, which monitors network activity within a VMware virtual environment.
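What a SIEM consumer can do with the hypervisor lifecycle events called for above, as an added example that is not from the post or from any vendor's product. The events are constructed and use a generic shape (not a specific hypervisor's event schema); the asset inventory, the ten-minute "ephemeral" threshold, and the port-group names are assumptions. The script turns create/remove/reconfigure telemetry into three findings the security group would actually chase: a VM that was created but is in no inventory (so it has no anti-virus, patching or log collection), a VM that lived only a few minutes (no scan or log ever saw it), and a NIC moved to a different port group (a host changed network segment without anyone touching a physical switch).

```python
from datetime import datetime, timedelta

# Constructed hypervisor lifecycle events in a generic shape (not a vendor's schema).
# "reconfigured" events carry the changed properties with before/after values.
EVENTS = [
    {"ts": "2010-09-01T08:00:00", "type": "created", "vm": "web-01", "host": "esx-1", "user": "ops\\alice"},
    {"ts": "2010-09-01T08:00:30", "type": "powered_on", "vm": "web-01", "host": "esx-1", "user": "ops\\alice"},
    {"ts": "2010-09-01T08:10:00", "type": "reconfigured", "vm": "web-01", "host": "esx-1", "user": "ops\\alice",
     "change": {"cpu": {"from": 2, "to": 4}}},
    {"ts": "2010-09-01T13:00:00", "type": "created", "vm": "tmp-build-7", "host": "esx-2", "user": "dev\\bob"},
    {"ts": "2010-09-01T13:00:10", "type": "powered_on", "vm": "tmp-build-7", "host": "esx-2", "user": "dev\\bob"},
    {"ts": "2010-09-01T13:04:00", "type": "powered_off", "vm": "tmp-build-7", "host": "esx-2", "user": "dev\\bob"},
    {"ts": "2010-09-01T13:04:20", "type": "removed", "vm": "tmp-build-7", "host": "esx-2", "user": "dev\\bob"},
    {"ts": "2010-09-01T15:00:00", "type": "reconfigured", "vm": "db-01", "host": "esx-1", "user": "dev\\bob",
     "change": {"nic0": {"from": "pg-internal", "to": "pg-dmz"}}},
]

# Hypothetical asset inventory: the VMs the security group knows about and has
# enrolled in anti-virus, patching and log collection.
INVENTORY = {"web-01", "db-01"}


def audit(events=EVENTS, inventory=INVENTORY, ephemeral=timedelta(minutes=10)):
    """Turn lifecycle telemetry into findings for the group that owns security
    across the virtual estate:
      unregistered_vm  a VM was created that no inventory/control set knows about
      ephemeral_vm     a VM lived no longer than `ephemeral`: no scan or log ever saw it
      network_move     a NIC changed port group, i.e. the host changed segment
    """
    created = {}  # vm -> creation time, for lifetime calculation
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, vm = datetime.fromisoformat(ev["ts"]), ev["vm"]
        if ev["type"] == "created":
            created[vm] = ts
            if vm not in inventory:
                findings.append({"finding": "unregistered_vm", "vm": vm,
                                 "host": ev["host"], "by": ev["user"]})
        elif ev["type"] == "removed" and vm in created:
            life = ts - created[vm]
            if life <= ephemeral:
                findings.append({"finding": "ephemeral_vm", "vm": vm,
                                 "lifetime_s": int(life.total_seconds()), "by": ev["user"]})
        elif ev["type"] == "reconfigured":
            for prop, chg in ev.get("change", {}).items():
                if prop.startswith("nic") and chg["from"] != chg["to"]:
                    findings.append({"finding": "network_move", "vm": vm, "nic": prop,
                                     "from": chg["from"], "to": chg["to"], "by": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

None of these findings is visible from the guest operating system or from the physical network; they exist only if the hypervisor emits the events and the SIEM collects them, which is the blind spot the paragraph above is about.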
Securing Externally Hosted Services
To me this one seems like a no-brainer. If your third-party cloud providers can’t ensure the level of access needed to properly protect the hosted data, then look for another provider or keep the services in house. If you do go with a third party, make sure the contract for services includes proper access for monitoring the environment. This comes back to what the author of the aforementioned article means when he says “The harder things are to manage, the harder they are to secure”. If your third party does not provide management access, you’ll never be able to ensure the integrity of the data on the managed systems.
To summarize, a few key thoughts when looking to secure information in the cloud:
- Implement well-accepted security best practices, which also define expectations for third-party providers
- Leverage appropriate technologies to your advantage (Log Management, SIEM, virtual network activity monitoring, etc.)
- Ensure the ability to monitor and correlate information in the cloud; this includes making sure 3rd party providers offer access to required management and security functions
[1] Tony Lock, “The Cloud’s Impact on Security”, The Register, 1 July 2010, http://www.theregister.co.uk/2010/07/01/cloud_impact_security_workshop/
