Building a secure cloud service: 'No compromises'


Payment Card Industry (PCI) oriented companies have received plenty of attention on the topic of security in recent times, mostly as a result of high-profile system breaches such as the Target raid earlier this year and the repeat hacking of Sony’s servers in August. It’s not Sony’s first bad experience either – the 2011 hack of its PlayStation servers saw the personal details of more than 77 million users stolen.

However, for all the concern about PCI hacks, the security of Personally Identifiable Information (PII) is actually a much greater concern – credit cards can easily be cancelled, your identity can’t.

For enterprise organisations, “security” is often put up as an excuse for not moving IT systems to “cloud” service providers. To be considered as a serious option, cloud providers have to be able to demonstrate that their cloud platform is likely to be more secure than the internally hosted applications that a company already has in place.

Best practice suggests that security should consist of three pillars: Technical, organisational and physical.

Technical Security – personified by “the hacker” threat: This is the focus area of most IT organisations. To address this, companies need to adopt an approach of “Defence in Depth” – analogous to the fence at the top of the cliff, a parachute for when the fence is not enough, and an ambulance at the bottom if all else fails.

The principles to apply here are, at a high level:

1. Do your best to keep them out – network firewalls, intrusion prevention, strong patch management processes, privileged identity management and two-factor authentication are typically the solutions that make up this first line of defence to prevent unauthorised access to our systems.

2. Assume they will get in – sooner or later. Make the explicit assumption that your systems will be compromised. As such, recognise the need for the systems and processes to detect intruders and react quickly – real-time layer seven network analysis, intrusion detection, security information and event management (SIEM), real-time cyber threat intelligence and a security operations centre monitoring what is happening in real time and reacting to threats are essential.

3. Mitigate the risk of compromise – having assumed they will get in, further assume they will remain undetected for a period of time. So make it hard for the intruder by encrypting data on the move (e.g. between application servers and database servers) and at rest, making sure that sensitive data is protected (encrypted) such that no single administrative account has access to both the data and the encryption keys. By using strong encryption you can be confident that even if the entire data set is copied, nothing will be disclosed. In addition, use technology that detects and blocks unusual activity, e.g. SQL copy or select statements from application accounts and especially privileged accounts.

4. Understand what happened – this is achieved with tamper-proof auditing and forensic logging. The ability to replay the activity on your systems over a period of time, to examine the extent of a compromise, and then to determine the consequences of that compromise in terms of PII and ePHI is paramount. Nothing is worse than having to report a breach without being able to be specific about the scope of the breach and the exact data that has been compromised.
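One way to make the audit trail in principle 4 tamper-evident is to chain each record to the one before it with a keyed MAC, so that an edited or deleted entry shows up on verification. This is an added example, not code from the article or its author. It assumes the MAC key and the latest tail value are held by a separate system that no administrator of the logged database can reach; the account names and SQL statements are constructed sample data.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor for the first record in the chain


def _mac(key, prev_mac, event):
    # Each MAC covers the previous record's MAC, so a record commits to all before it.
    body = prev_mac + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append(log, key, event):
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(key, prev, event)})
    return log[-1]["mac"]  # new tail, to be copied to the separate store


def verify(log, key, tail_mac):
    """Return None if intact, else the index where the chain first breaks."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["event"])):
            return i
        prev = rec["mac"]
    # Records cut from the end leave a valid chain; only the stored tail reveals it.
    return None if hmac.compare_digest(prev, tail_mac) else len(log)


def build_sample(key):
    # Constructed sample events, not real log data.
    events = [
        {"ts": "2014-11-03T01:12:07Z", "user": "app_svc", "stmt": "SELECT name FROM customers WHERE id=42"},
        {"ts": "2014-11-03T02:40:19Z", "user": "dba_admin", "stmt": "SELECT * FROM customers"},
        {"ts": "2014-11-03T02:41:02Z", "user": "dba_admin", "stmt": "COPY customers TO '/tmp/c.csv'"},
        {"ts": "2014-11-03T02:45:30Z", "user": "dba_admin", "stmt": "SELECT 1"},
    ]
    log, tail = [], GENESIS
    for e in events:
        tail = append(log, key, e)
    return log, tail


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # assumption: the real key is held off the logged host
    log, tail = build_sample(KEY)
    del log[2]  # an insider removes the bulk-export record
    print("chain breaks at record", verify(log, KEY, tail))
```

The index returned by `verify` marks where trustworthy history ends, which bounds the period an investigator has to treat as potentially altered.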


“The concerns of technical, organisational and physical security apply in the enterprise data centre as much as they do in the cloud world.” – Greg Woolley

Organisational – personified as “the rogue DBA / system administrator” who potentially has privileged access to your sensitive data. Apply the following principles here:

1. Know your people – People are fallible, far more so than technology. It is essential that staff with privileged access understand their responsibilities, that their contracts contain appropriate clauses that reflect this, and that they are appropriately trained in security. Moreover, you have to know you can trust them. Gambling, alcohol, drug and other such personal issues that could drive someone to look to exploit access to data are real and common. Pre-employment checks are a start, but ongoing monitoring for these factors is required.

2. Have appropriate organisational controls – Trust no one: monitor and log exactly what privileged users do when accessing client systems. The same real-time monitoring that blocks inappropriate actions by hackers also watches the privileged users.

3. Deal with issues effectively – A documented and tested process for initiating, classifying and appropriately managing a security incident is essential. Waiting for a compromise to figure out what to do, and what needs to be communicated to customers and regulators, is leaving it too late. Being on the front foot and knowing what is going to happen next is essential to being in (or at least appearing to be in) control.

Physical – personified by the “dodgy datacentre contractor”: someone who has physical access to your server such that they can clone your hard drives, or install a network tap to record all data passing over your network and capture the interesting content. It also covers the improper disposal of obsolete hardware and media that have not been adequately wiped.

The concerns of technical, organisational and physical security apply in the enterprise data centre as much as they do in the cloud world. Organisational security is essentially independent of whether your systems reside in an enterprise data centre. The lack of control over physical security is often perceived as being a high risk, as there is a degree of trust placed in third-party data centre operators and cloud platforms. However, this is in fact a red herring, as the physical access controls and operational processes of ISO 27001-compliant data centres would exceed those of most enterprises in New Zealand.

The real issue for most organisations is poorly developed technical security and security operations capabilities, coupled with a lack of understanding of what you get for your money. Cloud providers that are providing servers at a rate of cents per hour are only ever going to provide rudimentary security. If you want to use cloud infrastructure for any workloads that involve sensitive data, then the following principles apply:


1. There is no cheap in cheap – a dollar saved on cloud services is a dollar that needs to be spent on implementing an enterprise grade security platform; and

2. You get what you pay for.

Finally, no compromises. Once you have been compromised, you have lost your credibility. It is a very long road back.

The author is president and CEO of Portland Software. Reach him at
