How to assess the risks of cloud malware
Hosting apps in the cloud does not
necessarily create a cloud malware risk. By focusing on new interfaces a cloud
migration creates, you can make the cloud as secure as your data center.
IT executives and cloud planners have enough
to worry about in the area of application and data security without hearing
about new threats in the cloud. Is your information more at risk from malware in
the cloud? Do you need new protection measures or tools? To decide, baseline
your current risk, secure your cloud management interfaces, review the security
of your cloud provider's architecture, and focus attention on special-risk
cloud relationships and services. Through all of this, focus on dealing with the
new or "incremental" risks the cloud creates, or you'll chase
security issues forever.
Was your pre-cloud environment protected?
The first question, and one often overlooked
in cloud malware threat assessment, is whether your pre-cloud environment was
adequately protected against malware. The most effective way of
addressing the security risks associated with a new technology or hosting
option is to ask the question, "What is my incremental risk in the new
application framework?" "Incremental risk" means risk that
wasn't being faced (and accepted) before.
Most malware is introduced not into server application
components but into client and user systems. Those systems have to be protected
as your first line of defense, no matter where the applications are hosted.
Take the time to do a complete audit of your measures to protect users against
malware, including BYOD policies, regular virus scanning of systems, scanning
of emails, and assessments of the risk of websites accessed from devices that
are also used for work. There is little point in assessing cloud malware
risk if you haven't controlled your client-system risk.
The second step is to understand what cloud
malware actually means and does. Many botnets and other hackers' tools are hosted in the cloud
today, but those don't necessarily threaten your cloud applications any more
than they would threaten the same applications running in your data center, and
they can't be controlled by you in any case. You should focus instead on cloud
management system security, and on "crosstalk" within the cloud that
could put your applications at risk.
Helpful measures to protect against cloud malware
Anyone who can access your cloud management
system's user interface can deploy something in your cloud or potentially
change something already there. That means that these CMS interfaces have to be
among the most secure in your business. You must limit the number of users with
access and you must insist that access be made through "clean"
systems used for no personal purposes and with no access to standard Internet
sites or email, and that all changes to the cloud made through the interfaces
be recorded and audited.
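One way to audit a management-interface change log against those rules, as an added example that is not part of the original article. The record layout, user names, host names and the use of a sequence number to detect unrecorded changes are all assumptions made for illustration.

```python
# Added example: review a management-interface change log against the
# approved-administrator and clean-workstation lists. All names, hosts and
# the record layout are constructed for illustration.
import csv
import io

APPROVED_ADMINS = {"alice", "bob"}            # assumed: the limited set of users
CLEAN_HOSTS = {"mgmt-ws-01", "mgmt-ws-02"}    # assumed: dedicated admin workstations

# Constructed sample log: seq,timestamp,user,source_host,action,resource
SAMPLE_LOG = """\
1,2024-03-01T09:02:11Z,alice,mgmt-ws-01,deploy,app-frontend
2,2024-03-01T09:40:53Z,bob,laptop-bob,modify,app-db
3,2024-03-01T11:15:07Z,carol,mgmt-ws-02,deploy,batch-worker
5,2024-03-01T13:30:45Z,alice,mgmt-ws-01,delete,old-image
"""

def review_changes(log_text, admins=APPROVED_ADMINS, clean_hosts=CLEAN_HOSTS):
    """Return a list of (seq, reason) findings for an auditor to follow up."""
    findings = []
    expected_seq = None
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        seq, _ts, user, host, action, resource = row
        seq = int(seq)
        # A gap in sequence numbers means a change is missing from the record.
        if expected_seq is not None and seq != expected_seq:
            findings.append((seq, f"sequence gap: expected {expected_seq}"))
        expected_seq = seq + 1
        if user not in admins:
            findings.append((seq, f"user '{user}' is not an approved administrator"))
        if host not in clean_hosts:
            findings.append((seq, f"{action} of {resource} made from non-clean host '{host}'"))
    return findings

if __name__ == "__main__":
    for seq, reason in review_changes(SAMPLE_LOG):
        print(f"record {seq}: {reason}")
```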
"Crosstalk" is a source of cloud malware risk that's often
a concern to users. Unlike your own data center, a cloud runs applications from
others, and some of those apps could be malware. To prevent this malware from
infecting you within the cloud, there are three helpful measures:
1. Run virus scans on your
application images in the cloud, just as you'd do for applications running on
your own servers.
2. Make sure that your cloud
provider's architecture isolates applications at the network level. A good
cloud service will give your applications "private IP addresses" and map them to public addresses
only where access is needed. Connections among components inside the cloud
should be kept on private addresses where possible to ensure that others can't
make the connections.
3. Access your applications
through a virtual private network, either an Internet VPN (IPsec, SSL) or a facility VPN offered by a
service provider. This prevents others from creeping into your applications
through an Internet link.
Your public addresses for cloud applications
or components have to be subject to special monitoring and security. Most
companies can detect attacks on their own data center resources because the
attacks enter their own networks at some point, and traffic can be detected.
Your cloud applications can be reached without entering your
data center, and you may not see the traffic. Use all available statistics on
your applications to assess the traffic patterns at your application access
points, and watch for signs of an attack. If you see unusual activity, report it
to your network operator and cloud provider, but increase the rate at which you
scan your cloud apps for malware as well.
When assessing cloud malware risk, beware of partners
The final point in addressing cloud malware risk is to
beware of your partners. In many cases, one of the reasons for hosting an application in the cloud is to facilitate
access to the application by customers or trading partners. This access is
"new," and thus may not be fully secured. It will always present a
risk of malware.
Technology to secure Web portals is fairly
well-known, and standard measures for application security can be applied to
customer and partner portals offered through Web servers. A key element in this
security is to provide a Web front-end and a back-end application server that
does effective transaction editing before the data is moved from the cloud into
the data center, or processed by a cloud application.
If you're using any direct application link
with a customer or partner -- either a formal standard like Electronic Data Interchange (EDI) or just an informal exchange of XML or JSON structures to move
business information -- you should ensure all these exchanges are auditable.
EDI networks will provide audit services to allow transaction sources and times
to be logged and reviewed, but bilateral connections with partners will depend
on your own audit trail. Be sure that both sides collect transaction data and
settle and match the data at least weekly, and daily if volumes are high. That
will alert you to the possibility that an intruder is accessing what's intended
to be a trusted customer and partner link in the cloud.
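The settle-and-match step described above, sketched as an added example that is not part of the original article. The field names and every transaction are constructed, and the sketch assumes both sides can export their logs as lists of records keyed by a shared transaction id.

```python
# Added example: reconcile our record of a partner link against the partner's
# own record. Field names and all transactions are constructed for illustration.
import hashlib
import json

FIELDS = ("id", "sender", "amount", "currency")

# Constructed sample: what our cloud application logged as received.
OUR_LOG = [
    {"id": "T1001", "sender": "acme", "amount": "120.00", "currency": "USD"},
    {"id": "T1002", "sender": "acme", "amount": "75.50", "currency": "USD"},
    {"id": "T1003", "sender": "acme", "amount": "9900.00", "currency": "USD"},
    {"id": "T1004", "sender": "acme", "amount": "400.00", "currency": "USD"},
]
# Constructed sample: what the partner logged as sent.
PARTNER_LOG = [
    {"id": "T1001", "sender": "acme", "amount": "120.00", "currency": "USD"},
    {"id": "T1002", "sender": "acme", "amount": "75.50", "currency": "USD"},
    {"id": "T1004", "sender": "acme", "amount": "40.00", "currency": "USD"},
    {"id": "T1005", "sender": "acme", "amount": "18.25", "currency": "USD"},
]

def digest(txn):
    """Hash the business fields in canonical form so content, not formatting, is compared."""
    body = {k: txn[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def reconcile(ours, theirs):
    """Match two transaction logs by id and classify every discrepancy."""
    ours_by_id = {t["id"]: t for t in ours}
    theirs_by_id = {t["id"]: t for t in theirs}
    report = {"matched": [], "unknown_to_partner": [], "missing_here": [], "content_mismatch": []}
    for txn_id in sorted(ours_by_id.keys() | theirs_by_id.keys()):
        mine, partner = ours_by_id.get(txn_id), theirs_by_id.get(txn_id)
        if partner is None:
            # We processed something the partner never sent: treat as a possible intruder.
            report["unknown_to_partner"].append(txn_id)
        elif mine is None:
            report["missing_here"].append(txn_id)
        elif digest(mine) != digest(partner):
            report["content_mismatch"].append(txn_id)
        else:
            report["matched"].append(txn_id)
    return report

if __name__ == "__main__":
    print(json.dumps(reconcile(OUR_LOG, PARTNER_LOG), indent=2))
```

Entries under `unknown_to_partner` and `content_mismatch` are the ones that point to someone other than the partner using the link; `missing_here` more often indicates a delivery or logging failure.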