What will next-generation information security look like? My guess is an omnipresent world controlling access and data protection, providing us with an interactive, navigable experience without the constraints of security mechanisms such as firewalls or even passwords.
In this utopian ideal, security threats would be met not reactively but proactively by means of intelligence-led security. One thing notably lacking is the concept of organisation-led control so perhaps what I’m describing is ultimately the emergence of the secure cloud.
Back down to reality, and it’s a sad fact that many regard the cloud as being a far from emancipating experience. Security in the cloud has long been the number one concern cited by organisations transitioning to the cloud and CSPs have done little to counteract this perception.
>See also: Keys to the castle: Encryption in the cloud
Efforts have focused on securing data and scant consideration has been given to how security itself will move to the cloud. Simply moving our existing security mechanisms into the cloud is not going to cut it. Not only is this a clumsy way of dealing with the problem, it also misses a golden opportunity to innovate and transform the way we work.
The pervasiveness of the cloud does of course bring fresh challenges. Just as we saw the network perimeter dissolve in the move to de-perimeterisation, cloud will redefine the corporate perimeter, taking it further into the ether.
The consumerisation of IT, which saw information made truly mobile for the first time through initiatives such as BYOD, has helped acclimatise us to the concept of remote access and security controls applied outside of the organisation. And secure cloud will take this a step further, with integrated cloud services becoming the model of choice, as opposed to on premise or hybrid deployments.
Secure cloud services are now available but these are currently limited to a select few CSPs accredited to provide Impact Level 0-3. Competition is limited and access to these secure services has almost exclusively been the preserve of big business or large government organisations. For secure cloud to gain ground it has to enter the mainstream. But there are a number of obstacles that need to be overcome to achieve this.
The first and most obvious barrier is fear itself. Until organisations are willing to commit wholeheartedly to the cloud and in turn create demand for secure services, reticence will cause the evolution of secure cloud to stall.
Market forces can and will help spur the evolution of cloud services so it’s important that organisations continue to question security provision when selecting a cloud service provider (CSP).
CSPs also need to provide concrete assurances in their SLAs and should be able to substantiate claims by providing evidence of accreditation and certification. For example, compliance with international standards ISO9001, ISO20000 and ISO27001 is a good place to start, but also ask for evidence of regular audits, assessments and inspections by certification bodies, regulators and accreditors such as the CESG.
The second obstacle concerns the tools to deal with information securely. Cloud-based data encryption is still in its infancy but intrinsic to solving the problem of data access and protection in the cloud.
Google, Amazon and Microsoft have all added server-side encryption capability to their existing cloud services but this should by no means be regarded as simply a tick box item. Yes, encryption provides data protection by creating a barrier but it can also impede business if badly managed. And a word of caution: don’t be tempted to retro-fit encryption to an already established cloud solution. By design, encryption should be intrinsic to the solution with the most appropriate type of encryption applied to the right parts of the infrastructure.
Finally, a major hurdle for the cloud community will be how it regulates itself. While security accreditations such as ISO 27001 and ISAE3402/SSAE16 do add value, there is still a need for cloud-specific security regulations and compliance. Why? Because we need to foster a market where users are not tied to the proprietary technology of behemoth providers.
To refer again to cloud encryption as an example, while most solutions to appear to use standard and established encryption algorithms such as AES-256, the implementation and storage of the encrypted data often result in a proprietary product that is not compatible with other provider offerings. A good example of this are the products provided by Amazon Web Services (AWS) and Microsoft Azure, and the inability to migrate data in its original raw encrypted form between the two services. At present, considerable migration planning and effort would be required to transfer data between the two platforms.
Thankfully, we are now seeing the emergence of cloud-specific regulations. CSA STAR (standing for security, trust and assurance registry) is a new international cloud security certification programme developed jointly by the CSA (Cloud Security Alliance) and BSI (British Standards Institution).
>See also: How to secure data in the cloud
Launched last year, STAR provides varying levels of assurance, from Level One Self Assessment to Level Three continuous monitoring-based certification. STAR uses a comprehensive list of cloud-centric control objectives documented in a Cloud Controls Matrix (CCM), a framework of cloud-specific security controls. STAR is working hard to ensure users ask for STAR participation and that CSPs adopt the standard to promote trust and best security practice, but whether self-regulation will be enough remains to be seen.
To date, CSPs have been somewhat reluctant to adopt compliance. But the user can influence the evolution of the market by asking the right questions at the selection and procurement stage.
Standards such as STAR will take time to become established, so seek additional assurances, from ISO27001 compliance to the unequivocal cast iron assurances of IL3. As secure cloud gains in adoption, we will then see the emergence of cloud-specific controls.
This, in turn, will pave the way for other advancements, such as intelligence-driven and threat-targeted security – as opposed to the reactive alert-driven security processes we have in place today – thus transforming information security as we know it.
Sourced from Jamal Elmellas, technical director, tolomy