New security approach required in hybrid environments
A new approach to security in hybrid IT environments is necessary, one that is closer to the air traffic control model than it is to the legacy castle model.
That was the view shared by the presenters at the latest TechFire technology briefing, which posed the question: can you balance the cloud security equation?
Brian Honan, BH Consulting, said that in the most basic terms, cloud should be thought of as “someone else’s computer”. In doing so, he said, the responsibility for security becomes clearer.
Honan said that the new approach should be to protect people, data and devices as they do what they do, rather like an aircraft going through the air traffic control system. Honan said that as an aircraft takes off, local ATC guides it through its airspace until it is ready to hand over to another service to guide it onwards on its journey. This model, said Honan, can inform IT as to how people, data and devices can be protected as they interact with networks and applications, with protections as they go.
“Cloud should be thought of as ‘someone else’s computer’,” Brian Honan, BH Consulting
The point was elaborated upon by Stephen Porter, senior manager, alliances and cloud partners, Trend Micro. Porter said that under the new approach, “smaller, more specific perimeters” could be created within the infrastructure, using the likes of local or even application-specific firewalls, so that malicious elements already inside a network no longer have unfettered access. As had been seen with several high-profile attacks, once inside a network, hackers had almost unlimited freedom to roam networks and steal valuables. With these distributed protections, said Porter, this would be prevented.
North/south versus east/west
James Thompson, senior manager, partner sales EMEA, VMware, elaborated by saying that most companies tend to spend the majority of their security budget on the north/south traffic in and out of their network, despite the fact that this is often less than 30% of their overall traffic. Thompson said that the old perimeter model of security had led many to ignore the fact that 70% or more of traffic is actually east/west, that is, between machines and applications internally on the network. This traffic also needs protection, and the new approach of more specific, local protection would address it.
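To make the two ideas above concrete (Porter's smaller, application-specific perimeters and Thompson's north/south versus east/west split), here is an added example that is not from the article or from any of the speakers' products. It classifies flow records as north/south or east/west using the RFC 1918 ranges as "inside the network", measures what share of bytes is east/west, and then applies a default-deny allow list between hypothetical web, app and db tiers so that an internal host can only reach the paths the application actually needs. The segment ranges, the allow rules and the flow records are all constructed for the example.

```python
"""Added example (not from the article): classify flows as north/south vs east/west
and evaluate a default-deny micro-segmentation policy over the east/west ones."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption of this example: RFC 1918 ranges stand in for "inside the network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical application tiers, each treated as its own small perimeter.
SEGMENTS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db":  ipaddress.ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_segment: Optional[str]
    dst_segment: Optional[str]
    proto: str
    dst_port: int


# Explicit allow list; any east/west flow not listed is dropped (default deny).
ALLOW = (
    Rule("web", "app", "tcp", 8080),   # web tier calls the application API
    Rule("app", "db", "tcp", 5432),    # application tier talks to the database
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """East/west when both ends are internal, otherwise north/south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, dst_port: int) -> str:
    """'perimeter' for north/south flows (left to the edge firewall),
    otherwise 'allow' or 'deny' from the segment allow list."""
    if direction(src, dst) == "north-south":
        return "perimeter"
    candidate = Rule(segment_of(src), segment_of(dst), proto, dst_port)
    return "allow" if candidate in ALLOW else "deny"


# Constructed flow records: (src, dst, proto, dst_port, bytes)
FLOWS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443, 1000),  # internet client to the web tier
    ("10.0.1.10", "10.0.2.20", "tcp", 8080, 3000),   # web -> app, a sanctioned path
    ("10.0.2.20", "10.0.3.30", "tcp", 5432, 2000),   # app -> db, a sanctioned path
    ("10.0.1.10", "10.0.3.30", "tcp", 5432, 1500),   # web straight to db: not sanctioned
    ("10.0.2.20", "10.0.2.21", "tcp", 22, 500),      # app host to app host over SSH: no rule
]


def summarise(flows):
    """Share of bytes that is east/west, verdict counts, and the denied flows."""
    bytes_by_dir = Counter()
    decisions = Counter()
    denied = []
    for src, dst, proto, port, nbytes in flows:
        bytes_by_dir[direction(src, dst)] += nbytes
        verdict = decide(src, dst, proto, port)
        decisions[verdict] += 1
        if verdict == "deny":
            denied.append((src, dst, proto, port))
    total = sum(bytes_by_dir.values())
    return {
        "east_west_share": bytes_by_dir["east-west"] / total if total else 0.0,
        "decisions": dict(decisions),
        "denied": denied,
    }


if __name__ == "__main__":
    report = summarise(FLOWS)
    print(f"east/west share of bytes: {report['east_west_share']:.0%}")
    for flow in report["denied"]:
        print("blocked east/west flow:", flow)
```

On the constructed flows, 87.5% of the bytes never cross the edge firewall, which is the traffic a perimeter-only budget leaves unexamined; the two denied flows are exactly the kind of internal hop (web tier reaching the database directly, host-to-host SSH within a tier) that a per-segment allow list stops without any change to the north/south rules.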
Questions from the floor included inquiries about certifications for cloud services for use in the public sector. Honan said many providers are spending significant amounts of time and resources ensuring that their services are certified to a high degree, with the likes of ISO 27001 and PCI DSS, and were in many cases far more secure than many enterprises. Mark Graham, CTO, Beaumont Hospital, pointed out that within the health sector here, the HSE had provided a framework of approved suppliers, including cloud providers, who met the basic requirements for use. When Beaumont inquired about the use of public cloud services in relation to back-up, he was informed that there were no regulatory reasons why the service could not be employed.
Terms and conditions
One attendee commented that on examining the terms and conditions of a software-as-a-service provider, it was discovered that they required “full, remote access” to the client’s network. Another stipulation was for notification of every network change. This was obviously seen as not only onerous but unnecessary, and the two conditions were removed on negotiation. However, it highlighted the point that any such agreements, and their terms and conditions, must be closely examined to ensure that they do not contain anything which might compromise the client’s security in favour of the service provider. The panellists agreed that this is all too common: service providers may push certain responsibilities back to the client, which may or may not be appropriate.
Another question asked about the use of Security Assertion Markup Language (SAML) based authentication platforms as the key to managing identity and access in the cloud. Honan commented that as organisations move to hybrid environments, they may be using different cloud providers, which may necessitate some kind of federated identity management. This would mitigate people’s tendency to reuse the same password across multiple environments, which leads to weak security, he warned.
“If you are looking at some kind of hybrid approach, stop and look at it carefully — don’t take a piecemeal approach. Be strategic, where do you see IT going in the next six, 12, 18 or 24 months? Then build a strategy around that and a support infrastructure to allow you to move safely into that environment,” said Honan.