While traditional security measures—such as firewalls, antivirus programs and vulnerability assessments—are important in the cloud, additional considerations must be taken to secure these dynamic and rapidly changing environments, according to Eric Chiu, president and cofounder of HyTrust, Mountain View, Calif.
“For example, 2014 will see a rapid growth in systems and services that provide additional control over the system administrators that manage virtualized infrastructures,” Chiu said.
In addition, given the recent disclosures about government access to cloud service provider (CSP) networks, there will be further investment in key management systems that allow organizations to keep control of their encryption keys rather than entrusting that critical security measure to the same vendor that holds their data.
Cloud-based security services are offerings made by managed security service providers (MSSPs) as part of a suite of outsourced security services. Jason Bandouveres, senior product specialist for cloud and virtualization solutions at Fortinet, Sunnyvale, Calif., said that such services include firewall configuration and monitoring, log analyses and reporting, IDS/IPS configuration and monitoring, antivirus management, web content controls, virtual private network (VPN) management, spam protection, data loss prevention, and application controls.
This year should also see a big push toward advanced threat intelligence, said Mark Nunnikhoven, principal engineer of cloud and emerging technologies for Trend Micro, Irving, Texas.
“The implementation of security controls—such as malware protection, firewalls, intrusion prevention, and file integrity monitoring—is only a small piece of the puzzle,” he said.
Organizations must evaluate risks and appropriately configure controls.
With 10 percent of overall information technology (IT) security enterprise capabilities delivered in the cloud, the focus is clearly on messaging, web security, and remote vulnerability assessment.
“There’s also the expectation of more capabilities being made available, such as data-loss prevention, encryption, and authentication as the technologies that support cloud computing mature and are further adopted by mainstream companies,” Bandouveres said.
SaaS and IaaS and the cloud
Software as a service (SaaS) is a software delivery model typically supplied by application service providers (ASPs), in which software and associated data are centrally hosted on the cloud. Infrastructure as a service (IaaS), however, is a provision model in which an organization outsources the equipment—such as storage, hardware, servers and networking components—to a service provider that owns the equipment and is responsible for housing, running and maintaining it, according to TechTarget.com.
Gartner estimates that IaaS is the fastest growing segment of the public cloud, which means more companies are entrusting their applications to CSPs.
“While the cloud can offer rapid scalability and cost savings, it’s critical to ensure that any data not considered public is protected in these consolidated, virtualized infrastructures,” Chiu said.
However, once an organization has success with SaaS or IaaS projects, its willingness to accept cloud services in general increases, Nunnikhoven said.
“A lot of the preconceptions and misinformation about cloud security is starting to dissipate,” he said.
And as organizations become more comfortable sharing security responsibilities with their CSPs, they should also gain an increased understanding of the power that cloud-based security services offer.
“We’re seeing the challenges of gaining mainstream acceptance fall away as more big brand names speak publicly about the advantages of moving to the cloud,” Nunnikhoven said.
This means that companies need to know how their data is being secured and what measures the CSP will take to ensure the integrity and availability of that data.
“Companies should also have contingency plans in place and ensure that the data can be easily retrieved and migrated to a new CSP if need be,” Bandouveres said.
Enter the contractor
Electrical contractors are in a frontline position to ensure a secure physical environment for the cloud-services provider, Bandouveres said. The data center needs an EC with the expertise to ensure it has the appropriate redundant utilities, protection against fire, specially equipped ventilating and air conditioning systems, and an access-control and authentication system.
Electrical contractors also need to be aware that most smart home and neighborhood initiatives are backed by an array of cloud services, Nunnikhoven said, adding that new risks evolve as systems become more intelligent.
“The electrical contractor is on the front lines of this push. There is a lot of potential in this area, but the technologies need to be developed and deployed with security as a key component. If the contractor raises these questions during the initial design, it’s significantly easier to address cloud-based security concerns,” Nunnikhoven said.