Wrangling in the Cloud: Tactics for Avoiding a Data Stampede
By Paul South
In television's early days, cowboy shows like Rawhide galloped across a black and white landscape. Every third episode or so featured a stampede, triggered most often by a gunshot at a rattlesnake, an unexpected thunderstorm or a disgruntled cowhand.
And it was left to the cowboys to wrangle in the wayward herd.
These days, IT security professionals face similar troubles when it comes to wrangling in their organization's cloud computing initiatives. Many organizations rushed to be part of the "next big thing" in technology, and cloud service providers (CSPs) seemingly popped up everywhere, just as construction firms appear after a natural disaster to offer bargain basement service.
In the rush, proper plans, policies and procedures weren't always considered, and more than one information security professional was left to stem a potential data stampede. Here are some suggestions for how to do just that from experts in the field.
Start with a bit more optimism
Rather than point fingers, a better approach is for everyone in the organization to come together - including security professionals - and see the glass as half full.
"I'd say the idea of something being a problem or an opportunity is in the eye of the beholder," says Jim Reavis, founder and CEO of the non-profit Cloud Security Alliance, which forged a partnership with (ISC)² and helped develop the Certified Cloud Security Professional program.
"Organizations are always trying to innovate, and business units are always trying to find faster, more efficient ways to meet business objectives with technology," Reavis says. "A lot of times, they are adopting a cloud-based service to solve a pressing problem. On our side, we often see anything that happens as a problem - and it is a problem. But we have to understand the other side of it; that business is trying to solve a problem."
But whether problem or opportunity, what do you do when it comes time to rope and wrangle an organization's assets being stored within a cloud? Communication and teamwork are at the heart of the matter. Security needs to work hand in hand with the other functions of the business - from human resources to marketing - to determine what they're doing and why they're doing it, and to help them do it in the most secure way possible, Reavis advises.
It helps to educate everyone on the different types of cloud services, since some may not think of them as such. There are the more obvious ones, like Dropbox, Box, Google Drive and Office 365. But there are also backup services like Carbonite and Mozy; password vaults like LastPass; proxy filtering services; and DNS services like OpenDNS and SecureSurf.
There are far more examples, of course, but the point is cloud services are increasingly important as business enablers as far as an organization's leadership is concerned.
Consider the gentler 'egress monitoring'
"We have to be mindful that there can be malicious people inside the business that are trying to do these things to maybe exfiltrate or steal data. But usually it's a matter of the business trying to be more productive," Reavis explains. "We just need to have some gentle oversight to help that [productivity] be done in the most secure way possible."
That "gentle oversight," he says, would take the form of what he termed "egress monitoring."
"That means looking at the traffic that's leaving an organization and being able to easily examine that to be able to determine what the uses are, to be able to categorize that to see if that falls into the area of sanctioned use."
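The "egress monitoring" Reavis describes boils down to three steps: look at outbound traffic, work out which service each flow goes to, and sort it into sanctioned use versus everything else. The script below is an added example of that triage, not code from the article or from the Cloud Security Alliance. It assumes a constructed proxy-log format ("epoch user method host bytes_out"), and its policy tables are constructed too: the sanctioned list reuses only the service names the article mentions, and the unsanctioned entries are placeholder ".test" domains standing in for whatever shadow-IT services a real organization has identified.

```python
"""Toy egress classifier: sort outbound proxy traffic by destination service.

Added example, not from the article. The log format, the policy tables and
the sample log lines are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import re

# Constructed policy table. Which services count as "sanctioned" is an
# organisational decision; these are simply the services the article names.
SANCTIONED = {
    "dropbox.com": "file sharing",
    "box.com": "file sharing",
    "drive.google.com": "file sharing",
    "office365.com": "productivity",
    "carbonite.com": "backup",
    "mozy.com": "backup",
    "lastpass.com": "password vault",
    "opendns.com": "dns",
}

# Constructed table of services the hypothetical policy knows about but has
# not approved. Hits here are the "business unit found an easier way" cases
# the article describes: a prompt for a conversation, not an automatic block.
KNOWN_UNSANCTIONED = {
    "example-filedrop.test": "file sharing",
    "example-notes.test": "productivity",
}

# Constructed log format: "<epoch> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d+)$")


@dataclass
class EgressEvent:
    ts: int
    user: str
    method: str
    host: str
    bytes_out: int
    category: str   # "sanctioned", "unsanctioned" or "unclassified"
    service: str    # service type when known, else ""


def _match_domain(host: str, table: dict) -> Optional[str]:
    """Return the service type if host equals, or is a subdomain of, a table entry."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def classify_line(line: str) -> Optional[EgressEvent]:
    """Parse one log line and label it; malformed lines yield None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, bytes_out = m.groups()
    service = _match_domain(host, SANCTIONED)
    if service is not None:
        category = "sanctioned"
    else:
        service = _match_domain(host, KNOWN_UNSANCTIONED)
        category = "unsanctioned" if service is not None else "unclassified"
    return EgressEvent(int(ts), user, method, host, int(bytes_out), category, service or "")


def summarize(lines) -> dict:
    """Aggregate bytes sent per (category, host) so reviewers see volume, not just hit counts."""
    totals = defaultdict(int)
    for line in lines:
        ev = classify_line(line)
        if ev is not None:
            totals[(ev.category, ev.host)] += ev.bytes_out
    return dict(totals)


def unsanctioned_users(lines) -> dict:
    """Map each user to the unsanctioned hosts they sent data to (the follow-up list)."""
    users = defaultdict(set)
    for line in lines:
        ev = classify_line(line)
        if ev is not None and ev.category == "unsanctioned":
            users[ev.user].add(ev.host)
    return {u: sorted(h) for u, h in users.items()}


# Constructed sample log lines.
SAMPLE_LOG = [
    "1700000000 alice PUT www.dropbox.com 204800",
    "1700000005 bob POST upload.example-filedrop.test 5242880",
    "1700000010 carol GET cdn.news.test 4096",
    "1700000015 bob POST upload.example-filedrop.test 1048576",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for key, total in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:<13} {key[1]:<35} {total:>10} bytes")
    print("follow up with:", unsanctioned_users(SAMPLE_LOG))
```

The byte totals matter more than the raw hit count: one user pushing several megabytes to an unapproved file-sharing host is the conversation worth having first, while a single request to an unclassified news site is noise. The "unclassified" bucket is where the policy tables grow over time, which is the ongoing part of the oversight Reavis describes.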
When it comes to policy, it goes without saying that these guidelines and edicts have to protect the organization and meet regulatory requirements. But Reavis adds that well-crafted policies are flexible and realistic to meet business needs. He calls it "gentle policing."
"The business unit may stumble on something that may be the easiest way to do it, but it's not the most secure. And if you take a more rigid approach of 'It's just not allowed; go figure it out' to the business unit, then you run the risk of them finding ways to go around that prohibition, maybe with their own devices. So, you've got to work with them."
On the enforcement side, the most effective security policies combine gentle policing with an effort to help the business move to a safer option, Reavis says.
"There's almost always a more secure option that will meet the security policy requirements. It may cost a little more. It may cost a lot more. But there are solutions and options to investigate that. So, that's gaining awareness and being on the reactive side of things," he adds.
Enforcing without alienating
Dr. Dallas Snider, an assistant professor of computer science at the University of West Florida, spent 18 years in the private sector. The rules must be enforced, he says, but not in an Orwellian, "Big Brother" style.
"You want to keep an eye out for the obvious, you want to make sure people aren't putting passwords on the bottom of their keyboards," he says. "You want to look for unusual patterns of querying…[such as] maybe they're going into places they shouldn't."
There is a fine line to walk, Snider says. Rules must be enforced, but without alienating colleagues from another side of the organization.
"I've seen situations where people were firm, but respectful. I've also seen situations where people were just called out in front of their co-workers. It would depend on how egregious the violation was. Again, you have to enforce it. It all depends on the situation. It all depends on the organization. It all depends on the violation."
Snider offers some tips on how to craft effective cloud policy. Much of it involves asking a cloud service provider the same questions that should be asked internally as part of any organization's due diligence.
"First of all, for any CSP, you're going to have to get references on them," Snider says. "Look at their service level agreement. It's more than 'I'm paying X amount of dollars for X amount of service.' What is their backup policy? How do they store your data? Is it being encrypted on their storage media? Is it encrypted when the data is in motion? What are the encryption options? Where are the backups? What's the disaster recovery plan?"
He adds, "A lot of people look at it as dollars per gigabyte or whatever the rate may be. But you've got to look at more than that. You have to look at their reputation. What does their organization look like? It's about CIA -- confidentiality, integrity and availability. You want to make sure that your cloud provider provides that confidentiality. You have to make sure the integrity is there, that there will be no unauthorized changes to your data. And then there is availability. Will it be available when you need it?"
Due diligence and due care
Cloud security and regulations mandate due diligence and due care, says Jim Nitterauer, a CISSP and a senior systems administrator for AppRiver. The Gulf Breeze, Fla.-based cloud security provider is one of the world's fastest-growing firms. Anticipation and strong internal policies are critical, Nitterauer says.
Those policies come into play, for example, when employees bring prohibited outside devices into the organization, or download applications that are prohibited by policy.
"I don't know that having cloud-based services is necessarily a big security risk, because I don't think most companies are allowing it - at least people that have some sort of idea what's going on. They shouldn't be allowing people to just willy-nilly install their own accounts on their corporate computers," he says.
While companies as a matter of course generally allow employees to use their own cell phones, that can present another challenge. Policies have to be in place to govern the use of those phones.
"If you've got 100 employees and they've all got their corporate email on their private cell phone and they're not encrypted, and those cell phones get lost and you don't have the ability to remotely wipe them, there's sensitive data that could be on those cell phones that someone could have access to. That's probably a bigger issue than having cloud accounts installed on computers here and there," Nitterauer says.
And even something as seemingly harmless as Facebook downloaded on an office computer can pack risk, in part because it uses cloud-based centralized authentication.
"A lot of people now are using that centralized authentication for all their authentications. So, that means if somebody compromises that one central database of usernames and passwords, then every username and password that person has is compromised," Nitterauer says. "Whoever's hacked them has the keys to their kingdom."
While a cattle stampede may be a good analogy for out-of-control cloud data use, cloud security is more like a medieval castle, with an organization's data at its heart.
"In all of the studies I've done, everyone talks about defense-in-depth, multiple layers of defense. Look at the castle," Nitterauer explains. "First, around the castle, you've got a forest. Then once you get up to the castle, you've got a moat to get across. Then you've got a tall wall. Then you've got guys throwing rocks and arrows and stuff at you. These are all levels of defense you have to get through. But if all you had was a moat, you haven't done your due diligence and protected your data.
"You've got to know how secure that company is that's storing that data."
That task, along with the tactics outlined earlier, such as solid communication within an organization, monitoring and policy enforcement, is key to getting a better handle on cloud-based data sprawl. Now, go get 'em, cowboy.
Paul South is a freelance writer based in Florida.