Monitoring Security in Cloud Environments

Enterprises need ways to track their data as it travels back and forth to the cloud, as well as a way to ensure that their data is safe in a shared infrastructure. To benefit from cloud computing and minimize risks, organizations require visibility across infrastructures and applications, isolation of critical services, and regularly audited automated processes for threat detection and mitigation. In this report, tools and practices are examined that enterprises can use to monitor the security of cloud environments and receive notifications when their data might be at risk.


reports.informationweek.com

Monitoring Security in Cloud Environments

The use of cloud technology is booming, often offering the only way to meet customers', employees' and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, we put the risk in context and offer recommendations for products and practices that can increase insight and enterprise security.
By Michael Cobb

Sponsored by:

Report ID: S7431013

March 2015 $99

TABLE OF CONTENTS

3 Author's Bio
4 Executive Summary
5 Monitoring Security in Cloud Environments
5 Figure 1: Biggest Cloud Concern: Security
6 Regaining Insight
6 Figure 2: Security Responsibilities in Cloud Computing Environments
7 Monitoring a Dynamic Cloud Environment
8 Figure 3: Data Security Life Cycle
9 Maximum Visibility, Maximum Security
9 Figure 4: Most Important Cloud Service Capabilities
10 The Privilege Is All Mine
11 Cloud Data Will Be Unavailable
11 Don't Lose Your Data in the Small Print
12 A Hybrid Cloud Strategy
12 Bring Your Own Cloud
13 A More Secure Environment


Find all of our reports at reports.informationweek.com.
Visit Dark Reading's website at darkreading.com.


Michael Cobb
InformationWeek Reports

Michael Cobb, CISSP-ISSAP, is a 20-year veteran of IT security with a passion for making industry best practices easier to understand and implement. As an advisor on security controls and information-handling practices to companies and government agencies large and small, Cobb has helped numerous organizations achieve ISO 27001 certification and successfully migrate data and services to the cloud. Cobb has also worked with CESG, the information security arm of the United Kingdom's GCHQ (Government Communications Headquarters), to promote security best practices in government. A renowned author and presenter, Cobb has written numerous technical articles and webcasts for leading IT publications, as well as a book on IIS security. He also has been a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).

2013 InformationWeek, Reproduction Prohibited

EXECUTIVE SUMMARY

One of the major reasons enterprises have been hesitant to embrace cloud computing technologies is a lack of visibility. Enterprises need ways to track their data as it travels back and forth to the cloud, as well as a way to ensure that their data is safe in a shared infrastructure.

To benefit from cloud computing and minimize risks to your organization's data, several key components are required: visibility across infrastructures and applications, isolation of critical services, and regularly audited automated processes for threat detection and mitigation. Working closely with cloud providers, administrators can deliver accountability and audit trails for data events in and out of the cloud so enterprises know exactly what is happening with their data. Cloud providers will have their own monitoring tools to track the performance, continuity and security of all of the components that support service delivery, but organizations must invest in their own systems to monitor physical, virtual and cloud environments. Responsibility for security and monitoring of data critical to daily business operations is ultimately your responsibility, not the provider's.

In this Dark Reading report, we examine tools and practices that enterprises can use to monitor the security of cloud environments and receive notifications when their data might be at risk.

Monitoring Security in Cloud Environments

The cloud is no longer outlying technology. Indeed, any organization that isn't using cloud computing technology is probably considering it. The benefits can be enormous: flexible, on-demand access to superior resources, but only when and where needed, usually with lower unit costs and reduced complexity. But concerns over the security of data held in the cloud remain a barrier to adoption.

According to research firm Forrester, recent revelations about the National Security Agency's PRISM surveillance program have increased cloud paranoia and fears about data privacy. An Insight Enterprises study of IT leaders carried out at the end of 2014 revealed that many businesses and organizations want to leverage the cloud, but most still lack trust in cloud security. In addition, 53% of respondents to KPMG's 2014 Cloud Survey Report cited data loss and privacy risk as the cloud's most significant challenge (see Figure 1).

Security has lagged behind advances in other cloud features, even though numerous laws and industry standards mandate the safeguarding of information. Issues such as reliability, uptime and disaster recovery have seen significant improvement, but initiatives to address monitoring, auditing and corporate governance have been less noticeable. For example, security monitoring is far less developed than operational performance monitoring.

The perceived loss of visibility into events is

Figure 1

Biggest Cloud Concern: Security

Data loss and privacy risks are the most challenging areas when adopting cloud.

Data loss and privacy risks: 53%
Risk of intellectual property theft: 50%
Impact on IT organization: 49%
Measuring on ROI: 48%
High cost of implementation: 48%
Legal and regulatory compliance: 46%
Integration with existing architecture: 46%
Lack of clarity of total cost of ownership: 46%

Data: 2014 KPMG Cloud Survey Report


a resistance point for many administrators because they can't see what's happening or whether safeguards are working. Understandably, many administrators question how they can achieve an adequate level of security monitoring for data in the cloud comparable to that of data stored on-premises when a third party owns the hardware and network.

Regaining Insight

Despite these reservations, the pressure to adopt some form of cloud computing technology often becomes overwhelming. Given the exponential increase in data and the number and variety of connected users and devices in use today, often the only way to meet customers', employees' and partners' expectations of personalization and access to real-time information is by harnessing cloud services. A first step is to decide which type of cloud environment best suits the organization's security requirements and capabilities.

To ensure that data is correctly protected in cloud environments, organizations need to understand what data is going to be cloud-based, how access to it can be monitored, what types of vulnerabilities exist and how to demonstrate that controls are in place to meet regulatory obligations (see Figure 2). Cloud computing can ease certain security issues while increasing others, but it will never eliminate the need to follow traditional security principles: data in the cloud still needs the same treatment as that located on-premises (see Figure 3).

Classifying data assets is essential to knowing what level of security is required in the cloud, so it's worth revisiting and updating security policies so that they reflect changes made to the existing infrastructure to incorporate cloud technologies. For example, policies that cover the following ISO 27001 clauses should all be reviewed:
>> A.6.2.1: Identification of risks related to external parties
>> A.6.2.3: Addressing security in third-party agreements

Figure 2

Security Responsibilities in Cloud Computing Environments

Moving applications and data to a cloud environment can move some day-to-day security activities to the cloud vendor, but this requires a robust third-party management policy to define who is responsible for what.

Software-as-a-service (SaaS): Managed application/service where customers consume application resources as needed. Basic security provided by cloud vendor.

Platform-as-a-service (PaaS): Organization builds and manages its own custom applications on top of a platform provided by the cloud vendor. Application and data security managed by cloud customer.

Infrastructure-as-a-service (IaaS): Cloud vendor provides storage, network and other basic computing resources, while customers can deploy and run software and the operating system of their choice. Cloud vendor protects infrastructure, but operating system, applications and data are managed and secured by cloud customer.

Data: InformationWeek Reports


>> A.7.2.1: Classification guidelines
>> A.7.2.2: Information labeling and handling
>> A.8.1.1: Roles and responsibilities
>> A.8.1.2: Screening
>> A.8.3.3: Removal of access rights
>> A.9.2.6: Secure disposal or reuse of equipment
>> A.10.1.3: Segregation of duties
>> A.10.2.1: Service delivery
>> A.10.2.2: Monitoring and review of third-party services
>> A.10.2.3: Managing changes to third-party services
>> A.10.10.1: Audit logging
>> A.10.10.2: Monitoring system use
>> A.10.10.3: Protection of log information
>> A.10.10.4: Administrator and operator logs
>> A.10.10.5: Fault logging
>> A.12.3.2: Key management
>> A.14.1.13: Developing and implementing continuity plans

Security fundamentals may not change when data is moved to the cloud, but visibility into the network does. Monitoring will probably represent the biggest challenge: adjusting to the changes in the boundaries of control and the need to modify existing practices.
The lack of security monitoring of assets that the enterprise has placed in the cloud is where most problems arise. Many organizations believe that the loss of control that occurs when moving data assets to the cloud just has to be accepted: that the benefits and security provided by on-premises intrusion-prevention systems, data loss prevention (DLP) tools, and security information and event management (SIEM) tools have to stop at the corporate perimeter.

Monitoring a Dynamic Cloud Environment

The outsourced nature of the cloud and the inherent loss of control that goes along with it means that extra efforts have to be made to continuously monitor access to both structured and unstructured data to ensure privacy and integrity. By security monitoring we mean collecting and analyzing logs, as well as sending alerts about security-related system and application events so administrators know when something unexpected has happened and can look back at past events; in short, forensics. So how do you achieve this when a server's underlying hardware can change over the course of the day?

Software-as-a-service (SaaS) vendors usually offer monitoring as a fully managed service option. FireHost, for example, provides real-time action-oriented reports every time a vulnerability is detected. The service provider also offers certified cloud infrastructure packages that meet specific compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). Some cloud service providers make SIEM data available for self-analysis. With Amazon Web Services, for example, it's possible to collect logs and copy them back to an on-premises SIEM. This can provide a unified view of both cloud and on-premises environments using tools familiar to network

administrators. Check first that your SIEM system is cloud-ready and can handle data that may be in different formats.

Some SIEM tools are able to make use of specific SaaS APIs to collect logs from public cloud services. Tools from IBM and HP ArcSight, for example, can collect and monitor logs and data from a wide range of sources to provide universal log management. Events across multiple platforms can be correlated to produce dashboard views and audit reports that combine internal and cloud-based applications.
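The unified view described above, and the alerting the previous section defines as security monitoring, both depend on the SIEM first normalizing differently formatted sources. The following is an added example, not code from the report or from any vendor it names: a constructed CloudTrail-style JSON record and a constructed syslog line are mapped to one event schema, and a failed login for the same user and source address seen in both the cloud and on-premises within a short window is raised as a single alert.

```python
import json
import re
from datetime import datetime, timezone

# Constructed CloudTrail-style record: field names follow the CloudTrail schema,
# the values are made up for this example.
CLOUD_RECORD = json.dumps({
    "eventTime": "2015-03-02T10:15:07Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.45",
    "userIdentity": {"userName": "dba-admin"},
    "responseElements": {"ConsoleLogin": "Failure"},
})

# Constructed on-premises syslog line from an SSH daemon.
SYSLOG_LINE = ("Mar  2 10:16:30 dbhost sshd[4211]: Failed password for dba-admin "
               "from 203.0.113.45 port 51022 ssh2")

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w\-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")


def normalize_cloudtrail(raw):
    """CloudTrail JSON -> common schema. A 'Failure' in responseElements marks a failed action."""
    rec = json.loads(raw)
    failed = "Failure" in json.dumps(rec.get("responseElements") or {})
    return {
        "ts": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": "aws",
        "user": rec.get("userIdentity", {}).get("userName"),
        "src_ip": rec.get("sourceIPAddress"),
        "action": rec["eventName"],
        "outcome": "failure" if failed else "success",
    }


def normalize_syslog(line, year=2015):
    """BSD syslog line -> common schema. Syslog carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: " + line)
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    user = src_ip = None
    outcome = "info"
    auth = AUTH_RE.search(m["msg"])
    if auth:
        outcome = "failure" if auth.group(1) == "Failed" else "success"
        user, src_ip = auth.group(2), auth.group(3)
    return {"ts": ts, "source": m["host"], "user": user, "src_ip": src_ip,
            "action": m["proc"], "outcome": outcome}


def correlate_failed_auth(events, window_seconds=600):
    """Alert when the same (user, source IP) fails authentication against two
    different sources (cloud and on-premises) within the window."""
    failures = [e for e in events if e["outcome"] == "failure" and e["user"] and e["src_ip"]]
    alerts, seen = [], set()
    for a in failures:
        for b in failures:
            key = (a["user"], a["src_ip"])
            if a is b or a["source"] == b["source"] or key != (b["user"], b["src_ip"]):
                continue
            if key not in seen and abs((a["ts"] - b["ts"]).total_seconds()) <= window_seconds:
                seen.add(key)
                alerts.append({"user": key[0], "src_ip": key[1],
                               "sources": sorted({a["source"], b["source"]})})
    return alerts


def run_demo():
    events = [normalize_cloudtrail(CLOUD_RECORD), normalize_syslog(SYSLOG_LINE)]
    return correlate_failed_auth(events)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```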
In platform-as-a-service (PaaS) environments, customers have the option of installing monitoring agents locally to push traffic and logs to an in-house server for processing. Be aware that in a multitenant environment, it may not be possible to reboot whenever agents need installing or updating, and that there may be limitations on the installation of software requiring certain privileges. In either case, network bandwidth, latency and data transfer costs can make sending every transaction to a remote server for analysis inefficient and may prevent timely interruption of malicious activity. With that said, performance can be improved using various compression techniques.

An option for security monitoring assets in an infrastructure-as-a-service (IaaS) environment is to load a SIEM tool directly into the IaaS using a distributed monitoring system where each instance in the cloud has a sensor or agent running locally. There's no high-bandwidth requirement, and tools of choice can be deployed. However, the log storage costs in the cloud may be substantial, and there's no unified view of on-premises and on-IaaS monitoring.

Figure 3

Data Security Life Cycle

When evaluating data security in the context of the cloud, the problems are far more similar to those with on-premises systems than they are different. There are differences, though, which necessitate a review of data security practices.

Data: InformationWeek Reports
This type of system must have the ability to be provisioned automatically on new servers without requiring time-consuming administrator involvement. It should encrypt all traffic between the management console and sensors to limit exposure of sensitive data. Offerings such as CloudPassage's Halo can provide continuous security monitoring for any cloud environment using an agent that attaches to virtual machines in a cloud or virtual infrastructure. Automated provisioning ensures that critical security controls are deployed across all environments, while a REST API enables integration with tools such as vCloud.

Maximum Visibility, Maximum Security

Understandably, business owners are as concerned about the performance of their cloud-based applications as they are about their security. To assess and monitor pre- and post-cloud migration business transaction service levels, the AppDynamics Cloud Application Management product graphs application dependencies to aid in planning communication and architecture for cloud migration. Comprehensive transaction volume, service level and throughput monitoring can pinpoint bottlenecks as transactions progress across distributed tiers and services. Code diagnostics can identify

Figure 4

Most Important Cloud Service Capabilities

Data security and privacy top the list of sought-after attributes when it comes to cloud adoption.

Security: 82%
Data privacy: 81%
Cost/price: 78%
Functionality: 76%
Cost of ownership: 74%
Ease of integration into existing environment: 74%
Configurability: 74%
Additional services offered by provider: 67%

Data: 2014 KPMG Cloud Survey Report

holdups in code execution, and the Agile Release Comparison feature helps developers understand the business impact of each release.

To optimize visibility, look for a monitoring system that centrally logs all activity and flags suspicious events across all servers wherever they reside. Also look for a product that has the ability to keep track of business transactions as they're happening. A transaction in a virtualized environment can span multiple physical servers as virtual machines spin up and down, so individual server metrics aren't as relevant as those for a transaction when it comes to security. Businesses developing their own applications that are to be hosted in the cloud should ensure that their developers code key events to generate log entries, particularly data-related events, as required by auditors.

For organizations using third-party online services, CipherCloud offers various information-protection products tailored for particular industries and cloud-based services, including Salesforce, Chatter, Amazon Web Services, Gmail and Office 365. Security can be set on a field-by-field basis for structured and unstructured data, and encryption keys always remain on-premises. This offers some protection from unauthorized users trying to access data once in the cloud or government agencies obtaining keys without the knowledge of the data owners. Another so-called cloud-access security broker is Perspecsys. Its AppProtex Cloud Data Protection Gateway Server secures data in SaaS and PaaS provider applications by intercepting sensitive data while it is still on-premises and replacing it with a random tokenized or encrypted value. This renders the data meaningless should anyone outside of the company access it while it is being processed or stored in the cloud.
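The intercept-and-replace approach just described, as an added example that is not the gateway product's own code: sensitive fields of an outbound record are swapped for random tokens, and only the on-premises vault (here an in-memory dict, assumed to stay inside the firewall) can map them back. The field policy, the record and the token format are constructed for the demonstration.

```python
import secrets


class TokenizationGateway:
    """Sits between on-premises systems and a SaaS/PaaS application (constructed example)."""

    def __init__(self, sensitive_fields):
        self.sensitive_fields = set(sensitive_fields)
        self._vault = {}    # token -> clear value; assumed to stay on-premises
        self._reverse = {}  # clear value -> token, so a repeated value gets the same token

    def tokenize_value(self, value):
        # Same value -> same token keeps equality searches working in the cloud app,
        # at the cost of revealing which records share a value. If that leak matters,
        # drop _reverse and issue a fresh token every time.
        if value in self._reverse:
            return self._reverse[value]
        # A random token carries no information about the value it replaces,
        # unlike a hash or a deterministic encryption of it.
        token = "tok_" + secrets.token_urlsafe(18)
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def outbound(self, record):
        """Apply on the way out: sensitive fields are replaced, everything else passes through."""
        return {k: (self.tokenize_value(v) if k in self.sensitive_fields and v is not None else v)
                for k, v in record.items()}

    def inbound(self, record):
        """Apply on the way back in: known tokens are resolved, unknown values are left alone."""
        return {k: (self._vault.get(v, v) if k in self.sensitive_fields else v)
                for k, v in record.items()}


def leaks_clear_values(outbound_record, clear_values):
    """True if any clear sensitive value would leave the premises."""
    return any(v in clear_values for v in outbound_record.values())


# Constructed policy and record for the demonstration.
GATEWAY = TokenizationGateway(["card_number", "ssn"])
CUSTOMER = {"name": "A. Customer", "city": "Austin",
            "card_number": "4111111111111111", "ssn": "123-45-6789"}


def run_demo():
    sent = GATEWAY.outbound(CUSTOMER)      # what the cloud application stores
    returned = GATEWAY.inbound(sent)       # what on-premises users see again
    return sent, returned


if __name__ == "__main__":
    sent, returned = run_demo()
    print("to cloud:  ", sent)
    print("back home: ", returned)
```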
Enterprises running big data environments such as Hadoop or other hybrid variants of physical, virtual and cloud infrastructures will need tools such as IBM's InfoSphere Guardium or Solutionary's cloud-based ActiveGuard Security and Compliance platform. Both systems can collect logs from virtually any device or application capable of producing log files in IaaS, PaaS and SaaS environments. Solutionary's clients can also choose from service levels ranging from self-service to SIEM in the cloud, to full-service, depending on individual customer needs. Guardium not only provides virtualized database activity-monitoring capabilities, but also database vulnerability assessments, data redaction and data encryption. It also features automatic discovery and classification of data in the cloud, an essential tool for ensuring that any data that makes its way into the cloud is kept within compliance requirements.
The Privilege Is All Mine

Monitoring the activities of database and system administrators is crucial in any environment given the high-level privileges they're granted to carry out their duties. In a cloud environment, role-based monitoring takes on greater importance because unknown personnel at unknown sites will have privileged access rights. Ensure that your own staff monitors third-party activities, particularly attempts to access high-value data assets such as credit card tables. Triggers that can detect inappropriate database access without relying solely on query analytics should be in place. This is important because privileged users can create new views or insert stored procedures that compromise information without the SQL command necessarily looking suspicious. Separation of duties is another crucial control that needs to be in place to prevent abuse of privileges.
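One way to get a trigger that does not depend on the query text looking suspicious, as an added example that is not from the report: baseline the database catalog and alert on any view or trigger that appears or changes, scoring it high when its definition references a sensitive table. It uses SQLite's sqlite_master; SQLite has no stored procedures, so views and triggers stand in for routines, and the table and object names are constructed.

```python
import hashlib
import sqlite3

# Constructed: tables whose readers we care about most.
SENSITIVE_TABLES = {"credit_card"}


def snapshot_catalog(conn):
    """Map each view/trigger name to (type, digest of its definition, definition)."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE type IN ('view', 'trigger') AND sql IS NOT NULL")
    return {name: (typ, hashlib.sha256(sql.encode()).hexdigest(), sql)
            for typ, name, sql in rows}


def catalog_alerts(baseline, current):
    """Diff two snapshots. New or modified objects touching a sensitive table are 'high'."""
    alerts = []
    for name, (typ, digest, sql) in current.items():
        if name not in baseline:
            change = "new"
        elif baseline[name][1] != digest:
            change = "modified"
        else:
            continue
        touches = sorted(t for t in SENSITIVE_TABLES if t in sql.lower())
        alerts.append({"object": name, "type": typ, "change": change,
                       "sensitive_tables": touches,
                       "severity": "high" if touches else "low"})
    for name in baseline.keys() - current.keys():
        alerts.append({"object": name, "type": baseline[name][0], "change": "dropped",
                       "sensitive_tables": [], "severity": "low"})
    return sorted(alerts, key=lambda a: a["object"])


def run_demo():
    """Constructed scenario: a view over the card table appears after the baseline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE credit_card (id INTEGER PRIMARY KEY, pan TEXT, holder TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE VIEW v_catalog AS SELECT name FROM products;
    """)
    baseline = snapshot_catalog(conn)
    # A privileged session later adds two objects; only the first is a concern.
    # Each statement is an ordinary CREATE VIEW, which is the point of the passage:
    # the query stream alone would not flag it, the catalog diff does.
    conn.executescript("""
        CREATE VIEW v_export AS SELECT pan, holder FROM credit_card;
        CREATE VIEW v_products_upper AS SELECT upper(name) AS name FROM products;
    """)
    return catalog_alerts(baseline, snapshot_catalog(conn))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In production the baseline would be stored outside the database being watched and refreshed by a change-management step, so that a privileged user cannot rebaseline their own change.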
Vendors like Okta offer identity-and-access-management-as-a-service (IDaaS) solutions that can make authenticating and managing users in the cloud a lot simpler and less prone to oversight by integrating with existing HR systems. Look for services that offer identity governance and administration, single sign-on and authorization enforcement, with good audit capabilities.

Cloud Data Will Be Unavailable

Sooner or later, your cloud provider's system will go down. This is true when it comes to small cloud providers, and it's true when you're dealing with big guys such as Google, Amazon and Microsoft. Data and applications won't be accessible, and in some instances data may disappear for good. In 2014, high-profile services like Adobe's Creative Cloud and Google's Talk, Hangouts and Voice all suffered outages or slowed to a crawl, as did Microsoft's Azure, Amazon Web Services and AOL's email service.

Business continuity planning is always best done prior to a security event occurring. Stale policies and unprepared staff will undoubtedly increase the severity of any security event. Check that the cloud provider's own disaster recovery and business continuity plans meet your requirements, and take into account how its plans may affect your own continuity of operations and access to data.
Don't Lose Your Data in the Small Print

Confusion over roles and responsibilities, particularly if a crisis hits, will only make matters worse. This is why a provider's service-level agreement (SLA) needs to be examined closely. Roles and responsibility matrices are an important part of your relationship. Look to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards so there are no surprises or misunderstandings about what's covered. Post-contract monitoring and a right-to-audit clause are also important.

Don't make the mistake of having the legal or procurement teams carry out pre-contract due diligence without guidance from the IT team, which will better appreciate the implications of certain conditions and provisos. In addition to checking the business continuity and disaster recovery plans of any provider you will be working with, examine and assess the provider's supply chain relationships and dependencies. Check also its security practices and procedures, such as encryption of data at rest and in motion.

In addition, to avoid running afoul of data protection laws, you must know where your data will be located geographically. It may be necessary to segment data geographically by using providers with a choice of international hosting facilities to keep sensitive data within

specific jurisdictions and then move processing functions to the data (and not the other way around).

Reviewing the provider's security controls is as important as understanding the security packages that are available for your own protection and monitoring. Many cloud vendors rely on tools and systems from third-party partners to deliver best-of-breed security capabilities. Certainly check that clients and servers are configured to use cipher suites that provide Perfect Forward Secrecy (PFS) so that if a server's private key is compromised, it can't be used to decrypt past communications.
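A quick way to check the PFS point above, as an added example that is not from the report: classify cipher-suite names (both OpenSSL's short form and the IANA TLS_..._WITH_... form) by whether their key exchange is ephemeral, build a client context that refuses anything else, and report what a server actually negotiates. Host names are taken from the command line; PFS says nothing about the strength of the cipher itself, which still has to be reviewed separately.

```python
import socket
import ssl
import sys

# OpenSSL suite names: an ephemeral key exchange shows up as an ECDHE-/DHE-/EDH- prefix.
# Static RSA (e.g. AES256-GCM-SHA384), static ECDH (ECDH-*) and anonymous DH (ADH-*) do not
# provide forward secrecy. Every TLS 1.3 suite (TLS_AES_..., TLS_CHACHA20_...) does.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def cipher_suite_provides_pfs(name):
    if "_WITH_" in name:             # IANA form, e.g. TLS_RSA_WITH_AES_128_GCM_SHA256
        return "_ECDHE_" in name or "_DHE_" in name
    if name.startswith("TLS_"):      # OpenSSL's names for the TLS 1.3 suites
        return True
    return name.startswith(PFS_PREFIXES)


def audit_suite_list(names):
    """Split a server's configured suite list into PFS and non-PFS names."""
    return {"pfs": [n for n in names if cipher_suite_provides_pfs(n)],
            "non_pfs": [n for n in names if not cipher_suite_provides_pfs(n)]}


def pfs_only_client_context():
    """Client context that fails the handshake rather than accept a non-PFS suite."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite filter; TLS 1.3 suites are not affected by set_ciphers() and are all PFS.
    ctx.set_ciphers("ECDHE:DHE")
    return ctx


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect with a default context and report what the server picked.
    Network call: run it against hosts you are responsible for."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return {"host": host, "suite": name, "protocol": protocol,
                    "pfs": cipher_suite_provides_pfs(name)}


if __name__ == "__main__":
    # Constructed list standing in for a server's configured suites.
    print(audit_suite_list(["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384",
                            "TLS_AES_256_GCM_SHA384", "ECDH-RSA-AES128-SHA"]))
    for host in sys.argv[1:]:
        print(negotiated_cipher(host))
```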
The Cloud Security Alliance Security, Trust & Assurance Registry is a free, publicly accessible registry of self-assessment reports submitted by various cloud providers that document compliance with CSA-published best practices. Providers should be compliant with other important certifications, assessments and security frameworks, such as ISO 27001, Statement on Standards for Attestation Engagements 16 (SSAE 16) and HITRUST.

Finally, your SLA should address what levels of support are available. You need to make sure that the provider offers not only support for tackling critical issues, but also accessible advice you can tap into when building, managing and monitoring your infrastructure. A good relationship with a provider that understands your data is invaluable.
A Hybrid Cloud Strategy

Enterprises that aren't yet ready to move all their applications and data to a public cloud should consider establishing a hybrid cloud strategy. This will enable them to take advantage of cloud benefits where possible. Data security requirements will determine where specific processes and data types are best located:
>> Public cloud for maximum flexibility and efficiency
>> Private cloud for maximum control
>> On-premises for compliance and privacy

Data in each environment can be synced and monitored using tools such as Informatica's Cloud, which features prebuilt connectors to on-premises and cloud-based applications, databases, flat files, file feeds and social networks. Compliant with SSAE 16, ISO 27001, PCI DSS and Salesforce.com AppExchange certifications, Informatica Cloud gives administrators fine-grained access controls to determine user and group-level permissions. RightScale provides a dashboard to manage access to and usage of public, private and hybrid cloud resources, and server logs can be pushed to your own compliance systems if required. Companies such as Software AG and MuleSoft also offer integration and connection systems for hybrid infrastructures.

Bring Your Own Cloud

Enterprises aren't the only ones making use of cloud services, of course. Project teams will often share documents using Google Docs, and many employees have their own Dropbox or Google Drive accounts and will happily use them to shift work files and documents to home PCs or mobile devices. While mostly set up and used with good intentions, these personal clouds represent a real threat to data control and security, not to mention the

added risk of third-party monitoring and access. Although services like Google Cloud Storage, SkyDrive, Dropbox and Windows Azure have introduced or plan to introduce automatic encryption for all data at rest and in transit, they still hold the encryption keys, so it's still possible that they can access data or provide the keys to government agencies who request them.

Acceptable-use policies for social media and other cloud services have to be in place, listing banned or restricted services and procedures for using those that are approved. Companies must ensure that such policies are actually being adhered to: monitoring employee access and activity, with disciplinary action for noncompliance, is essential. DLP systems will also be required to catch unintentional lapses. But beyond looking for and punishing lapses, companies can deal with the issue of personal clouds by offering employees secure in-house alternatives. The exposure of PRISM teaches us that in-house encryption is far preferable to using unauthorized third-party services located outside the company firewall.

A More Secure Environment

Cloud computing does have the potential to be more secure than traditional environments, since delivering resilience and security 24/7 is a provider's main business. For example, most cloud providers are better placed to keep services online while mitigating and dealing with denial-of-service attacks that would take out most enterprise defenses. Best practices for delivering reliability, accountability, transparency and confidentiality in cloud computing are still a work in progress, but progress is being made.
About the Sponsor

CloudPassage Halo is an agile security and compliance platform that works in any cloud infrastructure: public, private, hybrid or virtualized data center. We're unique because the platform moves comprehensive security to the workload itself and is delivered as a service, so it's on-demand, fast to deploy, fully automated and works at any scale.