Considerations for Cloud Security Operations

📝 Abstract

Information Security in Cloud Computing environments is explored. Cloud Computing is presented, security needs are discussed, and mitigation approaches are listed. Topics covered include Information Security, Cloud Computing, Private Cloud, Public Cloud, SaaS, PaaS, IaaS, ISO 27001, OWASP, Secure SDLC.

📄 Content

Oracle CSO Advisory Board, Cloud Security Session, New York, NY, January 2016

Abstract—Information Security in Cloud Computing environments is explored. Cloud Computing is presented, security needs are discussed, and mitigation approaches are listed.

Index Terms—Information Security, Cloud Computing, Private Cloud, Public Cloud, SaaS, PaaS, IaaS, ISO 27001, OWASP, SDLC

I. INTRODUCTION

The promise of cloud computing offers scalability, reduced costs, flexibility, interoperability, transportability, self-configuration, and more. Unfortunately, all these attributes also introduce new security risks for the users of such an environment. It is important to know what is meant by cloud computing, what the vulnerabilities are in such environments, and what countermeasures are available to protect data that might be used in a cloud environment and to facilitate use of such promising and not prevalent technologies. This paper will touch on some of these topics in a summary fashion for those readers interested in getting a quick understanding of the scope of the problem.

II. BACKGROUND

The author is the CSO (Chief Security Officer) of CT Corporation (CT) which is a division of Wolters Kluwer (WK). WK is a Netherlands-based international publisher and digital information services provider with operations around the world. CT is engaged in corporate legal services in support of many types of companies. The systems supported include public-facing Web-based applications and internally used ERP (Enterprise Resource Planning) systems. Major technical vendors manage network services, private hosting, and cloud services for CT.

The CT IT operations team manages a large-scale computing environment using an ITIL model [1]. Over the last several years, CT has also developed a robust security program managed from within this operations team [2]. This program focuses on protecting company and customer information assets, reducing risk, educating users, and providing a CSIRT (Computer Security Incident Response Team) function throughout CT. This has also included establishing an Executive Governance process and the creation of a Secure SDLC (Software Development Lifecycle) which integrated OWASP coding practices, automated vulnerability scans, and more. This work was done under the guidance of a detailed security control objective framework derived from ISO 27001 standards and related sources.

Of late, a significant concern facing the CT security program has been the security aspects of cloud computing. CT currently takes advantage of a private cloud, numerous SaaS applications, and social media in Community Cloud environments (see Figure 1). CT is also migrating some applications that were designed as cloud-ready from a private cloud to a public cloud.

These business and technical needs drive both security and operational questions to the forefront. As a CSO it is critical to understand the implications of utilizing these environments and technologies and what judgements are required to do so.

III. THE CLOUD DEFINED

The NIST (National Institute of Standards and Technology) defines cloud computing as such:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models [3].

James J. Cusick, PMP, Chief Security Officer & Director IT Operations, Wolters Kluwer, CT Corporation, New York, NY, j.cusick@computer.org

Figure 1 – NIST Cloud Definition Framework [4]

The essential characteristics of a cloud computing environment include:

  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service

Naturally, some of these very characteristics open the possibility for attack, abuse, or other security issues. For example, with self-service, administrative controls that are not properly bounded can leak over to other environments. The same is true of broad network access and resource pooling. These attributes both open the door to a variety of potential security issues.

An interesting characteristic which is missing from this NIST cloud model is security. While it is mentioned as a configuration item of community clouds, it is not called out in any detail. What this means is that security essentially comes down to the buyer or user of these environments. It is possible that a cloud vendor may have a well secured environ
