Community sage tracks HP's historic dream
HP Services takes lumps, posts losses

Securely Migrating to the Cloud

HP has pushed hard to entice the enterprise to make the cloud a new home for business data. While evaluating the pros and cons of making a cost-saving move from classic HP 3000 datacenters to the cloud, this guide of what's to be managed will help. Our security analyst Steve Hardwick looks closer at the challenges a manager must resolve if their onsite storage and systems can be replaced with remote infrastructure.

By Steve Hardwick, CISSP
Oxygen Finance

CloudracksThere has been a lot of buzz around cloud-based solutions. There is a lot to be said for moving to this architecture, especially the lower operating costs. However, a lot of the press has been sourced by suppliers such as HP -- the same people who provide the cloud solutions. It is no surprise that the picture they paint is very rosy. Fortunately, if done well, a cloud transition can be a very successful endeavor. But what are some of the challenges in embarking on this adventure? Let me give you some background on the type of security challenges you are going to face. I will also offer a set of free resources that are invaluable in tackling this migration.

First of all, a little security 101. In the security world there is a very common acronym, CIA. It is not what you may think. It stands for Confidentiality, Integrity and Availability. Confidentiality is the part of security that is concerned with ensuring that only authorized users can view or copy information. This is the first thing that comes to mind when most people think about security. Integrity is concerned with the accuracy of the data, only authorized users can create and change information. Finally Availability addresses the ability of authorized uses to perform these actions upon the information.

A few examples help illustrate these concepts. Confidentiality: a password protected encrypted file. Only the user with the password can access the data. Integrity: a password protected public web side. Although many people can view the data, only authorized users can create or modify it. Availability: data is backed up to a remote storage service. If there is a drive failure, an authorized user or IT manager can still get access to data by getting a copy of the backup.

Like any journey it is important to understand your point of origin. Let's take a look at some of the inherent security controls in an on-premise solution which is already in place.

First of all there are some physical controls that are normally in place that can be easily overlooked. For example, there is a strong physical relationship between a laptop and the user. Forgetting remote access for a moment, a manager attains a measure of security from the simple fact that the authorized user must be physically present to access the machine. There are also MAC address logs which can track who accesses the network and when. 

Secondly, if I am not using my laptop I can physically secure it when not in use and provide physical measures, such as a locked filing cabinet, to further secure the data. Finally, if I want to help prevent unauthorized users from changing the data I can put users in a special area in my facility, HR or accounting for example. The physical separation provides a way of preventing unauthorized access.

Next, there is the capability to monitor who can access the data. This can either by done physically or technically. Physically involves putting in place a badging system to prevent unauthorized access to the facility. Logs are kept of who is allowed in and the failed attempts are recorded. Plus alarms can be added to signal unauthorized entry.

On a technical level, usernames and passwords are a baseline methodology for controlling virtual access to data. Again, logs are kept on authorized and failed access attempts. Logging analysis tools can be used to generate alarms based on failed attempts. To augment the logging systems, you can add intrusion controls to the mix. These solutions can detect intruders as they attempt to gain access and, in many cases, help prevent it.

Finally there is the availability of information. This varies, from the ability to restore an individual file to a user to restoring complete back-ups of the corporate email system. One of the main challenges is the speed at which data can be restored. End users expect data to be recovered in minutes to a couple of hours.

There is also a hidden challenge: How to ensure that the back-up copies are not compromised. In 2011 Science Applications International Corp. said backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries treated in the San Antonio, Texas, area since 1992 were stolen from an employee's car Sept. 14. This is just one, albeit major, example of what can happen if backup data is not secured physically and encrypted.

In summary, an on-premise solution is a mix of different controls that help preserve confidentiality, integrity and availability. It is very important to take an inventory of these controls prior to beginning any migration to the cloud, for two reasons.

One, and somewhat obviously, the cloud solution must provide the same if not better security controls as the current system. Especially if the organization has to meet regulatory compliance requirements. Two, many controls that are currently in place may be overlooked – how to replace physical security for example. A risk assessment to catalog the security controls is a critical starting point in migrating to the cloud.

If you do not already have a risk assessment methodology -- or even if you do -- the National Institute of Standard and Technology NIST provides a free risk assessment guide “SP800 – 30 Risk Management Guide for Information Technology Systems” (you can download the PDF here). NIST provides these guides as a baseline for federal organizations to build their security programs. Using this document and running through an assessment will give you an idea of what you already have in place and what a cloud based solution will need to meet.

Looking at some these security controls, what sort of challenges occur in the cloud world? Often overlooked is the lack of physical security controls that mimic the ones in the on-premise solution. For example, my data in no longer in my control when not in use. I can't lock my piece of the cloud in my filing cabinet when I go home at night. Cloud solutions must be able to mimic the physical separation of the information by putting in place other types of controls, in this case it's typically encryption.

Similarly, with monitoring and alarms, how do my IT team get access to the logging information that they need to monitor the cloud based system? I also need to know what other systems are in place to detect and prevent unauthorized access to the data, plus let the IT staff know when there has been a security breach.

Finally there is the case of availability. In the cloud world this is handled with Service Level Agreements. Your agreement must specify how users will be assured that their data will be made available when they need it. Suddenly instead of dealing with backup solutions, this is now a contractual agreement and it needs a different skill set.

Fortunately there is one way to start getting ahead of the curve. NIST has a couple of other very useful SP800 series publications that are worth mentioning. Since cloud computing is a relatively new and fact changing technology, it is important to understand the concepts. At its website,, you'' find NIST SP800-145 “The NIST Definition of Cloud Computing.” It gives a good overview of the basic concepts of cloud computing in a few pages (3-4). If you are just getting started, then this is a great primer.

Next is its companion NIST SP800-144 “Guidelines on Security and Privacy in Public Cloud Computing” which goes into great details on how to put together a plan on addressing cloud security needs. It also outlines some of the security controls that should be in place and will be a complement to the assessment exercise I mentioned earlier. 

In addition to NIST there is one other organization that is worth a mention. Formed in 2009, the Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. The organization produces a wealth of free information on the topic of cloud computing security. One CSA initiative is a GRC stack with a set of tools for Governance, Risk Management and Compliance. There are several components in the stack -- let's talk about two of them will be highlighted.

There are several training presentation on the site that give a good overview of the new security challenges that cloud computing brings. For example the original training documentation shows how the security requirements are changed in the cloud  Then there is the CSA Cloud Controls Matrix CCM. This tool provides a spreadsheet that maps the CSA security control definitions to several different regulatory requirements (PCI, SOX, GLBA FISMA and so on.) It gives a quick and easy way to generate a checklist of the current controls in your on-premise environment, then map them to a set of requirements for the cloud provider. Furthermore, if you have some other regulatory requirements, or your own internal set, you can easily add these to the mapping.

NIST and CSA have provided a set of tested and freely available tools to help any IT organization in their journey to the cloud world. CSA also has a wealth of information that can help to train IT professionals and get them onto a cloud based way of thinking. In both cases they are independent bodies so they are not trying to highlight a specific solution. Consider adding these organizations in your list of cloud security references.

Moving to the cloud brings with it a new set of security challenges. It is now a world of hack once and expose everywhere. Knowing where you came from is critical to understanding the impact of these challenges as you move forward. 

Steve Hardwick manages security for pre-payments provider Oxygen Financial, a Euro-founded company now extending its services to North American IT operations.