In outsourced cloud computing services, public cloud Platform as a Service (PaaS) providers only ensure security on the outside of the cloud, not inside. For security inside the cloud, PaaS users have to take matters into their own hands. While that should concern all public cloud denizens, for managed service providers (MSPs) the issue gets magnified by the number of customers on their Software as a Service (SaaS) solutions.
It's the most important practice for security practitioners to do everything to minimize risk of SaaS infrastructure security gaps within their own organizations first, says Chris Carter, CEO, Approyo, a global SAP solution provider. Some of the most important steps can help security managers tighten cloud security and keep their organizations safe by leveraging Cloud Access Security Brokers (CASB). These tools help executives find unauthorized applications and manage risk across all their clouds.
And with many MSPs responsible for a great and growing number of customer public cloud instances, it has become impossible to manually maintain security on them all. However, continually monitoring security and configuration vulnerabilities exists as a mission-critical item to cross off the MSP checklist. How to accomplish it has yet to receive an answer. Talkin' Cloud reached out to industry thought leaders to ask what they think. What follows remains anecdotal and does not purport to cover all aspects of the subject. If something significant got left out, leave a comment. Let's discuss it.
The In Crowd Source
With large public cloud PaaS providers like Amazon Web Services (AWS) and Microsoft Azure busy battling for control of the internet business of governments and Fortune 500 companies, they may have overlooked prospects of the MSP market and its ecosystem of startups. While inside-out-only security seems just fine for those large customers (who have their own legacy business IT departments to worry about internal security), it does not come close for MSPs and the Internet of Things (IoT) and billions of device events headed their way.
Even the most secure cloud providers only offer security of the cloud, says Matthew Fuller, co-founder, CloudSploit, provider of automated AWS security and configuration monitoring. The user is responsible for security in the cloud. As groups, roles and devices change, oversights and misconfigurations open vulnerabilities that can lead to outright hacks or financial DDoS.
To help solve this issue, continual monitoring of AWS instances can prove effective. For example, CloudSploit customers can run tests that they choose or create, as frequently as desired, according to Fuller. If the tests find issues, CloudSploit alerts designees and keeps records of findings, detailed issue descriptions and likely resolutions.
Security experts from around the world contribute to CloudSploit, Fuller says. It is an open source project with the goal of increasing compliance with best practices to protect MSP infrastructure and customer information.
Benchmarks, Shared Responsibility and Control Planes
With MSPs overwhelmed by information technology (IT) applications duties and customers at best novices about cloud security in many cases, exactly how it must get done remains dubious. Agreement as to the course of action and who has onus for completion must take priority before establishing SaaS defense, and before a cloud exploit comes into existence.
The cloud provider shared responsibility model places a security burden on enterprises consuming services, says Dave Ginsburg, vice president, marketing, Cavirin, provider of security and compliance across physical, public and hybrid clouds. But, in some cases, IT will not have the processes or expertise to properly mitigate risk. The result may be a breach that could have been prevented or reluctance to move critical applications to the cloud, creating competitive disadvantage.
What MSPs and cloud customers need are consensus benchmarks to properly share responsibility for their respective pieces of the security pie. The fact that cloud workloads now exist in constant flux, exacerbated by virtualization and containers, makes it even more critical, according to Ginsburg. But how do you gauge how well the parties divide the responsibility?
Therefore, enterprises require continuous visibility into their security postures and one set of tools designed to test against benchmarks that include NIST, CIS, PCI, HIPAA and FISMA, Ginsburg says. Tools deployed by the enterprise should support these and have full visibility into different AWS services via APIs. The same applies for Microsoft Azure, Google Cloud Platform and others.
Fortunately, many public PaaS providers including AWS have issued security best practices for hardening cloud instances that align with CIS. And MSPs can employ third party compliance solutions to help implement them. In addition, both AWS and Azure provide sophisticated tools to secure access to their control planes.
A control plane compromise is generally worse than a server compromise, as control planes provide access to servers as well as direct access to the account, says Jarret Raim, head of strategy and operations, Rackspace Managed Security. Rackspace tools like CloudTrail from AWS will surface the changes made to the control planes and should be monitored for abuse.
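One way to act on the advice to monitor CloudTrail for control plane abuse, as an added example that is not from the article or from any vendor it quotes: the script scans CloudTrail records for sensitive control-plane calls, root account use and console logins without MFA. The watch list, account ID, user names and IP addresses are assumptions constructed for illustration.

```python
import json

# Control-plane calls worth an alert, keyed by (eventSource, eventName).
SENSITIVE_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential",
    ("iam.amazonaws.com", "AttachUserPolicy"): "user permissions changed",
    ("iam.amazonaws.com", "DeactivateMFADevice"): "MFA device deactivated",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "inbound rule added",
}

def _rec(source, name, who, ip, **extra):
    """Build one constructed record using standard CloudTrail field names."""
    kind = "Root" if who == "root" else "IAMUser"
    arn = "arn:aws:iam::111122223333:" + ("root" if who == "root" else "user/" + who)
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "arn": arn}, **extra}

# Constructed sample in the {"Records": [...]} layout of a CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("ec2.amazonaws.com", "DescribeInstances", "alice", "192.0.2.10"),
    _rec("cloudtrail.amazonaws.com", "StopLogging", "bob", "198.51.100.23"),
    _rec("iam.amazonaws.com", "CreateAccessKey", "bob", "198.51.100.23",
         errorCode="AccessDenied"),
    _rec("signin.amazonaws.com", "ConsoleLogin", "root", "203.0.113.50",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("signin.amazonaws.com", "ConsoleLogin", "alice", "192.0.2.10",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "Yes"}),
]})

def review_event(rec):
    """Return the findings (possibly none) for a single CloudTrail record."""
    findings = []
    key = (rec.get("eventSource"), rec.get("eventName"))
    if key in SENSITIVE_CALLS:
        # A denied attempt is still a signal: someone tried the change.
        prefix = "denied attempt: " if "errorCode" in rec else ""
        findings.append(prefix + SENSITIVE_CALLS[key])
    if rec.get("userIdentity", {}).get("type") == "Root":
        findings.append("root account used")
    if key == ("signin.amazonaws.com", "ConsoleLogin"):
        ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        if ok and mfa != "Yes":
            findings.append("console login without MFA")
    return findings

def scan(log_text):
    """Return (principal ARN, source IP, finding) for every flagged record."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        for finding in review_event(rec):
            alerts.append((who, rec.get("sourceIPAddress"), finding))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```
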
Points of Demarcation
Hand-in-hand with the cooperation that must exist between MSPs and customers when it comes to security, a boundary must delineate where each has total responsibility in cloud defense. And it cannot come as an afterthought. Security among MSPs and customers needs careful planning built in the beginning, with proper resource liaising a must, according to cyber infrastructure experts.
Security management is a key prerequisite for driving a cloud strategy, says Steve Hanney, chief cloud officer, Presidio, an IT solutions provider focused on digital infrastructure, cloud and security solutions. And with vendor management from the outset paramount, there must be a demarcation of responsibility defined between MSP and customer.
After creating customer security rules of engagement, MSPs can craft secure and compliant environments that protect services and data seamlessly, end-to-end throughout the relationship lifecycle, according to Hanney. This secure network access control (secure infrastructure) establishes appropriate predefined traffic rules using firewalls, network policy engines and secure tunnels between customer on-premises data center environments and off-premises MSPs, paraphrasing Hanney, with reference link provided by Cloudscene.
Blacklisting vs. Whitelisting
As the off-premises cloud solutions concept takes hold, the trust model of internet connection must change, in the view of some IT experts. Whereas a presumed-innocent-until-proven-guilty mindset that attempted to fingerprint black hats upfront has prevailed among many security experts until now, the explosion of links in cloud computing has made more cautious practitioners dissent and opt for a trust-but-verify stance to identify white hats in advance.
The cloud is becoming a set of computing utilities and will be as essential as the electricity grid, says Amir Sharif, co-founder, Aporeto, provider of comprehensive cloud-native security for deploying and operating cloud-native applications. Like any critical service, security needs to be part of cloud infrastructure and automatic. Protecting individual data assets in the cloud requires a whitelist security model, only allowing intended connections, instead of the existing blacklist model, where all links are implicitly allowed unless explicitly prohibited.
Implementation of this security model requires a robust policy regime where application and personal intention get captured, if possible, and described easily, according to Sharif.
Password Reuse and Brute Force Attacks
As many know, the internet has become increasingly hostile, with cyber criminals targeting poorly secured hosted services. For example, at MSPs and other hosted services, applications can come under attack from old-fashioned hacking attempts like password reuse attacks and brute force attacks. This poses particular problems for MSPs that use remote monitoring and management (RMM) solutions to administer customer accounts, according to MSP security experts.
The most likely RMM compromise is a password reuse attack, says Ian Trump, global security lead, SolarWinds MSP. This scenario led to account compromise in hosted services like GitHub and others. Also, this attack is the easiest to mitigate. By simply enabling Two Factor Authentication (2FA) protection of your RMM dashboard, it easily prevents account compromise in the event your password falls into the hands of the bad guys from a previous data breach.
Brute force guessing attacks against weak RMM account passwords remain the next most likely MSP exploit, according to Trump. But SolarWinds always offers 2FA options to customers to mitigate successful guesses by hackers, he says.
And MSPs can prevent further hacking by banning IP addresses of where brute force attacks emanate, according to Trump.
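The banning step described above, sketched as an added example that is not SolarWinds code or part of the original article: it replays login events, bans a source IP after repeated failures inside a time window, and flags a success that follows several failures as the case where 2FA matters. The log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # look-back period for failures (assumed)
MAX_FAILURES = 5               # failures per source IP in WINDOW before a ban (assumed)
SUSPICIOUS_BEFORE_OK = 2       # failures that make a later success worth review (assumed)

# Constructed sample, hypothetical format: timestamp, result, account, source IP.
SAMPLE_LOG = """\
2017-06-01T10:00:00 FAIL admin 203.0.113.7
2017-06-01T10:00:05 FAIL admin 203.0.113.7
2017-06-01T10:00:09 FAIL admin 203.0.113.7
2017-06-01T10:00:12 FAIL tech1 198.51.100.4
2017-06-01T10:00:14 FAIL admin 203.0.113.7
2017-06-01T10:00:20 FAIL admin 203.0.113.7
2017-06-01T10:00:25 OK admin 203.0.113.7
2017-06-01T10:01:00 OK tech1 198.51.100.4
2017-06-01T10:20:00 FAIL tech2 192.0.2.9
2017-06-01T10:30:00 FAIL tech2 192.0.2.9
2017-06-01T10:30:30 FAIL tech2 192.0.2.9
2017-06-01T10:31:00 OK tech2 192.0.2.9
"""

def analyse(log_text):
    """Replay the log in order; return (banned IP -> ban time, alerts)."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside WINDOW
    banned, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, user, ip = line.split()
        ts = datetime.fromisoformat(stamp)
        if ip in banned:
            # Even a correct password is refused once the source is banned.
            alerts.append((ip, user, "blocked: source is banned"))
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= MAX_FAILURES:
                banned[ip] = ts
                alerts.append((ip, user, "banned: repeated failed logins"))
        else:
            if len(recent) >= SUSPICIOUS_BEFORE_OK:
                # Guessing may have succeeded; 2FA is what still protects the account.
                alerts.append((ip, user, "review: success after repeated failures"))
            recent.clear()
    return banned, alerts

if __name__ == "__main__":
    banned_ips, found = analyse(SAMPLE_LOG)
    print(sorted(banned_ips), *found, sep="\n")
```
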
Follow this link:
What MSPs Must Have for Customer Cloud Security - Talkin' Cloud