If your organization decides to put its corporate files – or its customers' files – onto someone else's computer, i.e., to adopt cloud computing, what security effort should it undertake to ensure the safety of that data? That is the question our customers are looking to Tripwire to help them answer. As a Tripwire field sales engineering manager, I am increasingly asked to help customers migrate their environments securely to cloud providers' platforms, so I decided to distill some of the challenges and solutions into a short white paper that addresses some of the concerns around the security aspects of the cloud.

The document describes the security responsibilities a cloud customer has to consider and how they largely depend on the cloud model adopted, that is, whether it is 'Platform as a Service (PaaS)' or 'Infrastructure as a Service (IaaS)'. Depending on the model chosen, the organization will need to place varying levels of trust in the cloud provider, and some models require additional work on the part of the customer to properly secure their part of the outsourced cloud environment. The dynamic nature of the cloud adds further security challenges: accurately monitoring for security vulnerabilities and for authorized and unauthorized configuration changes, while the platform grows and shrinks with consumer demand, is difficult to get right.

When putting your files on someone else's computer, it is important to implement a secure and hardened server platform. Equally important is the ability to detect configuration and file deviations from the base build of that platform. Security steps include server hardening to reduce the risk profile, building a known-good "gold image" that serves as the baseline for new server instances, and adding breach detection evidence and event workflow to your monitoring capabilities so that deviations from the gold build are acted upon. Detecting configuration and file changes to your cloud server instances is important in isolation, but recording who made those changes and what the files actually contained before and after the change also helps with remediation.

Where data requires classification and is also subject to specific legal requirements, the ability to detect data accessed by unauthorized users or administrators, as well as data that may have crossed geographic boundaries, can prove helpful in meeting those constraints. Some of our customers are also looking to the cloud for their customer-facing portal, which includes accepting payments by credit card, and so are required to follow and measure themselves against the PCI DSS 3.1 requirements.

As IT departments continue to control their costs and deliver the flexibility their internal and external customers demand, cloud services will be researched and adopted where appropriate. The smart organizations will do this with one eye on the security implications and requirements.

Title image courtesy of ShutterStock
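The gold-image baseline and deviation detection described above, as an added illustration that is not part of the original post or of any Tripwire product: a minimal file-integrity check that snapshots content hash, permissions and owner of every file under a root, then reports what was added, removed or changed, keeping the before/after values. The `demo()` scenario (an `etc/` tree with a hardening setting reverted, a permission loosened and an unexpected file appearing) is constructed for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def build_baseline(root):
    """Snapshot every regular file under `root`: sha256 of content, permission
    bits and owner uid. Taken right after hardening, this is the gold-image manifest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.lstat()
        manifest[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return manifest


def compare_to_baseline(baseline, current):
    """Report deviations of `current` from `baseline`. For changed files the
    (before, after) pair of each differing attribute is kept for remediation."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": {}}
    for rel in baseline.keys() & current.keys():
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in ("sha256", "mode", "uid") if baseline[rel][k] != current[rel][k]}
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo(tmp=None):
    """Constructed scenario: baseline a small tree, then introduce three kinds of drift."""
    etc = Path(tmp or tempfile.mkdtemp()) / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "sshd_config").write_text("PermitRootLogin no\n")
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    (etc / "hosts").chmod(0o644)
    gold = build_baseline(etc.parent)
    (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # hardening setting reverted
    (etc / "hosts").chmod(0o666)                                 # world-writable now
    (etc / "unexpected.conf").write_text("x=1\n")                # file not in the gold build
    return compare_to_baseline(gold, build_baseline(etc.parent))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline would be signed and stored off the instance, and each deviation would be correlated with the change record (who, when) before being raised as an event.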