Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
In their report “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,”* Gartner addresses the need for security and risk management leaders to embrace a new mindset when moving to the cloud. In the playbook, Gartner highlights a number of recommendations across identity and access management, encryption, demonstrating governance and compliance, and measuring cloud service provider SLAs. In this post we cover how 11:11 Systems helps customers address each of these areas.
With over a decade of experience helping customers adopt cloud computing across IaaS, DRaaS, and cloud backup use cases, we have witnessed the evolution of customer concerns about cloud security first-hand. In response, we have adapted our cloud platform and services to meet these ever-changing customer priorities.
Who takes responsibility for cloud security?
IT teams are all too familiar with managing the resources that make up their IT infrastructures, from the buildings they are housed in, to the electricity and cooling supply, through to the servers, and all the way down to the storage and networking infrastructure. Gartner makes the analogy that moving to the cloud is a bit like being flown somewhere in a plane instead of driving your own car on the journey. On the plane, you relinquish control of maintenance and driving to the flight crew. Whereas you might check the oil, tires, and windshield washer fluid on your car once in a blue moon, the plane is checked rigorously before every flight.
Much like the flight crew on a plane, 11:11 has included all the security features that on-premises environments have built up over time in our 11:11 Cloud Console. This includes best-of-breed edge firewalling, load balancing and VPN capabilities, as well as anti-virus/anti-malware, intrusion detection, vulnerability scanning, log inspection, file integrity monitoring, and suggested remediation for security issues.
Another observation Gartner makes in the report is that with the advent of distributed systems networking, we are no longer responsible for (or concerned with) the physical aspects of wide-area networking. We believe this is where the concept of a “cloud” first came from: the field of networking. You are no longer concerned with how traffic gets from A to B from a physical networking and cabling perspective; you are concerned only that it does so within an acceptable period of time.
This idea extends nicely to cloud computing where you no longer have to worry about physical infrastructure lifecycles: servers, storage, local area networking, power, UPS, cooling, or rack space. You are just consuming resources.
This brings us to the shared responsibility model of cloud computing. Where is the demarcation line between the different layers of cloud infrastructure? In the on-premises world, IT departments are responsible for the entire IT stack. In the “as a service” world, service providers become responsible for more of the stack as you move from IaaS, to PaaS, and to SaaS, leaving customers with SLAs that cover the various service offerings.
Identity and Access Management
With the new shared responsibilities in the cloud, it is extremely important, as Gartner recommends in the report, to institute an effective Identity and Access Management (IAM) strategy. The 11:11 experience is that, in cloud environments, it is all too easy for everyone to simply log in as “root” or “administrator” and have access to every aspect of the platform. We have found that this is dangerous for a number of reasons:
- While everyone can create stuff, they can also change or delete it.
- There is no real audit capability when everything is done by the same user name.
- If that one shared password falls into the wrong hands, the entire platform is exposed.
It is fine if someone wants to do some short-term testing of a cloud platform and needs to be unhindered in their capabilities. However, it is far better (and safer) to start with a “least privilege” methodology. In this way, individual users are given just enough privileges or capabilities for their role. If they need additional capabilities, these can be added for a short time and then removed again, unless it can be shown that they need to keep those additional privileges. Everything they do is audited under their own user name. This strategy applies to each of the capabilities or functionalities provided by the cloud platform.
It is also important to apply the IAM strategy both to the cloud platform and to the applications and services that the cloud platform presents to the outside world. A simple example might be email.
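To make the “least privilege with temporary elevation” idea above concrete, here is an added illustration (not 11:11’s console code or its real permission model): role-based permissions, a time-boxed grant that expires on its own, and an audit trail that records every decision against the individual’s own user name. The role names, permission strings and the scenario in `demo()` are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role-to-permission map for a cloud console (constructed, not a real product's).
ROLE_PERMISSIONS = {
    "vm-operator": {"vm:start", "vm:stop", "vm:view"},
    "network-admin": {"firewall:edit", "vm:view"},
    "auditor": {"log:read"},
}

@dataclass
class Grant:
    permission: str
    expires_at: datetime  # temporary elevation; removed automatically once past this time

@dataclass
class User:
    name: str
    roles: set
    temp_grants: list = field(default_factory=list)

# Each entry: (time, user name, decision, permission). Never a shared "root"/"admin" identity.
AUDIT_LOG = []

def effective_permissions(user, now):
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    # Drop expired elevations so privileges fall back to the role baseline without manual cleanup.
    user.temp_grants = [g for g in user.temp_grants if g.expires_at > now]
    return perms | {g.permission for g in user.temp_grants}

def elevate(user, permission, duration, now):
    """Grant one extra permission for a limited time; the grant itself is audited."""
    user.temp_grants.append(Grant(permission, now + duration))
    AUDIT_LOG.append((now, user.name, "grant", permission))

def authorize(user, permission, now):
    """Decide an action and record who asked, for what, and the outcome."""
    allowed = permission in effective_permissions(user, now)
    AUDIT_LOG.append((now, user.name, "allow" if allowed else "deny", permission))
    return allowed

def demo():
    """Constructed walk-through: elevation works while valid, then expires by itself."""
    AUDIT_LOG.clear()
    now = datetime(2021, 5, 3, 8, 0, tzinfo=timezone.utc)
    alice = User("alice", {"vm-operator"})
    before = authorize(alice, "firewall:edit", now)                            # denied: not in role
    elevate(alice, "firewall:edit", timedelta(hours=1), now)
    during = authorize(alice, "firewall:edit", now + timedelta(minutes=30))    # allowed: grant active
    after = authorize(alice, "firewall:edit", now + timedelta(hours=2))        # denied: grant expired
    return before, during, after, list(AUDIT_LOG)
```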
- The email server might be running within a virtual machine on the cloud platform. Its storage and networking might be administered by a cloud platform administrator with a particular set of permissions. Additionally, the email application might be accessed over the internet, so the edge firewall settings to allow access to the email application will also need to be administered.
- The email application itself, running inside the virtual machine, will be managed using another set of permissions. This might also include a database.
- At the highest level, users will be accessing the email server from their email client on a desktop or phone using their own credentials.
Aside from identity and access management, the topic of encryption of data at rest and in transit is often seen as yet another way to secure, segregate, and isolate data on a public cloud platform. It is highly unlikely that anyone would be able to break into a public cloud data center and physically steal a disk drive containing your data, even if they could find the actual drives that your data resides on.
However, it is highly recommended to consider using encryption in the following areas:
- Data at rest – is the storage encrypted at rest to mitigate physical data theft?
- If using virtual machines, can the virtual disks be encrypted? Who holds the private keys?
- Encrypt data in transit between application and user at a minimum, perhaps using HTTPS/TLS.
- Site-to-site VPNs should use strong encryption.
- Consider the use of encryption in database applications.
Monitoring and Instrumentation
As discussed earlier, in addition to implementing a strong IAM strategy, it is equally important to enable logging for auditing purposes. Who did what to what and when?
In a global cloud strategy, location can also be a factor. Particular users might only be allowed access to certain locations for data sovereignty purposes.
Monitoring the cloud infrastructure is also important to ensure rapid alerting and diagnosing of issues, including:
- Monitoring performance statistics within the VMs or PaaS applications running
- Monitoring of network components, such as firewalls, routers, and load balancers
- Logging of user logins, failed attempts, firewall issues, intrusion detection
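The list above and the earlier point that a shared “root” or “administrator” account leaves no real audit trail can both be turned into a simple log review. The following is an added example, not code from 11:11 or any of the partners named on this page: it parses a few constructed audit lines (the line format is an assumption), flags actions that cannot be attributed to an individual because they ran under a shared account, and counts repeated failed logins per user and source address.

```python
import re
from collections import Counter

# Constructed sample audit lines (not real console output). Assumed format:
# <timestamp> <user> <source-ip> <event> [detail]
SAMPLE_LOG = """\
2021-05-03T08:00:01Z alice 10.0.0.5 login ok
2021-05-03T08:02:10Z alice 10.0.0.5 vm:stop web-01
2021-05-03T08:05:44Z administrator 10.0.0.9 login ok
2021-05-03T08:06:02Z administrator 10.0.0.9 firewall:edit rule-42
2021-05-03T08:07:15Z bob 203.0.113.7 login failed
2021-05-03T08:07:20Z bob 203.0.113.7 login failed
2021-05-03T08:07:26Z bob 203.0.113.7 login failed
2021-05-03T08:07:31Z bob 203.0.113.7 login failed
2021-05-03T08:07:40Z bob 203.0.113.7 login failed
2021-05-03T08:07:45Z bob 203.0.113.7 login failed
2021-05-03T08:30:00Z root 10.0.0.12 login ok
"""

SHARED_ACCOUNTS = {"root", "administrator"}   # identities that cannot be tied to one person
FAILED_LOGIN_THRESHOLD = 5                     # alert once this many failures share user+source

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, event, detail = m.groups()
            events.append({"ts": ts, "user": user, "ip": ip, "event": event, "detail": detail or ""})
    return events

def review(events):
    """Return human-readable findings: unattributed actions first, then repeated failed logins."""
    findings = []
    failed = Counter()
    for e in events:
        if e["user"] in SHARED_ACCOUNTS:
            # The "who" question cannot be answered for these entries.
            findings.append(f"unattributed: {e['user']}@{e['ip']} did {e['event']} {e['detail']}".strip())
        if e["event"] == "login" and e["detail"] == "failed":
            failed[(e["user"], e["ip"])] += 1
    for (user, ip), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"repeated failures: {n} failed logins for {user} from {ip}")
    return findings
```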
To enable this, 11:11 has taken advantage of the rich APIs offered by our technology partners, including VMware, TrendMicro, Tenable, Zerto, and Veeam, to surface relevant monitoring information in the 11:11 Cloud Console via a market-leading Cassandra database. Not only is real-time information available, but data can be retrieved and viewed for up to a year. A higher-level API makes this information available to authenticated and authorized external users.
Adherence to Compliance Regulations
Here at 11:11, we have always focused on delivering secure and compliant cloud services to our customers. In addition to providing all the security features that businesses have been used to in their on-premises environments, we have also led the way in terms of compliance and certification to relevant industry best practices and emerging standards.
Additionally, as customers continue to face an increasingly regulated environment, 11:11 has established an in-house certified compliance team to work with customers to provide documentation and expert compliance assistance to fulfill audit requirements across the US, EMEA, and APAC.
Contracts and Service Level Agreements (SLAs)
The final recommendation concerns cloud service provider contracts and SLAs. As with any commercial agreement, there will be contracts, master service agreements, and the SLAs within them to understand and commit to.
Many CSPs, especially the hyperscale providers, can be extremely rigid with their SLAs and can be very inflexible when asked to change them. Where do they stand on different aspects of compliance? Are they able to share their certifications and attestations? How flexible are they with their SLAs on subjects such as availability? Will they pay out service credits if service is not available according to the SLA?
In a previous blog article, we’ve discussed how 11:11 delivers a 100 percent availability guarantee backed by service credits and how we use the features of a VMware-based cloud platform to achieve this with cloud-to-cloud DR for additional resiliency.
To summarize, with security risks and compliance regulations only increasing along with the adoption of cloud services, it’s important to understand shared responsibility with regard to cloud security. Striking the right balance between relinquishing and maintaining control in the cloud will enable your business to securely leverage the many benefits of cloud services.
*Gartner, “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,” Steve Riley, 21 March 2017.