Overcast but Clearing as the Cloud Comes to Security
Already the darling of a growing number of enterprise information executives, the cloud has come to their security brethren, bringing the same business advantages but also, not surprisingly, the same risks.
Welcome to security services “in the cloud.” And the cloud will get bigger…really bigger. In its Global Cloud Index, Cisco estimates global cloud computing traffic will grow 12-fold by 2015.
Hosted, managed, software as a service, video as a service, infrastructure as a service, in-the-cloud computing: it’s a confusing set of labels, features and potential sources.
But generally, IT and increasingly enterprise security leaders see business advantages in sharing or shifting software, processing, or storage in a different way, often thanks to internal virtualization or, externally, the Internet.
Specific to security, electronic card access control, burglar alarms, mass notification and various levels of security video can reside in the cloud. One of the most recognized cloud applications, for example, is Google’s Gmail. As with anything, “in the cloud” has risks and benefits, complicated by the fact that many physical security professionals are not as aware of the approach.
CLOUD PROBLEMS ARISE
For example, recently Google modified the encryption method used by its HTTPS-enabled services including Gmail, Docs, and Google+ in order to prevent current traffic from being decrypted in the future when technological advances make it possible, said a report by IDG News Service. The majority of today’s HTTPS implementations use a private key known only by the domain owner to generate session keys that are subsequently used to encrypt traffic between the servers and their clients. This approach exposes the connections to so-called retrospective decryption attacks.
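The distinction described above shows up in the cipher suite a server negotiates: suites with an ephemeral (EC)DHE key exchange give forward secrecy, while static RSA or static (EC)DH suites tie every session key to the long-term private key. The following audit is an added example, not code from the article or from Google; the function names and the sample suite list are constructed for illustration.

```python
import ssl

def forward_secret(suite: str) -> bool:
    """True if session keys come from an authenticated ephemeral (EC)DHE
    exchange rather than from the server's long-term private key."""
    name = suite.upper()
    # IANA-style TLS 1.2 names: TLS_<key exchange>_WITH_<cipher>
    if name.startswith("TLS_") and "_WITH_" in name:
        kx = name[4:].split("_WITH_")[0]
        return kx.startswith(("ECDHE_", "DHE_"))
    # TLS 1.3 names carry no _WITH_; the key exchange is always ephemeral
    if name.startswith("TLS_"):
        return True
    # OpenSSL-style names, e.g. ECDHE-RSA-AES128-GCM-SHA256 vs AES128-SHA.
    # Static ECDH-/DH- and anonymous ADH- suites are deliberately rejected.
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))

def audit(suites):
    """Split suite names into (forward_secret, retrospectively_decryptable)."""
    ok = [s for s in suites if forward_secret(s)]
    weak = [s for s in suites if not forward_secret(s)]
    return ok, weak

def hardened_context() -> ssl.SSLContext:
    """Client context that only offers ECDHE suites for TLS 1.2 and below."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

# Constructed sample: suite names as they might appear in a scanner report.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ECDH-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    ok, weak = audit(SAMPLE)
    print("forward secret:", ok)
    print("exposed to retrospective decryption:", weak)
    offered = [c["name"] for c in hardened_context().get_ciphers()]
    print("hardened context, non-FS suites:", audit(offered)[1])
```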
There remains a bit of confusion over the cloud. According to Mohammed Benabdallah, director, global business development and IT alliances for Tyco Security Products, “There is managed and hosted but they are not cloud application per se. There is a move, however, within certain organizations which are interested in moving to the cloud.”
One business benefit, says Benabdallah, is overcoming the failure of a security system when it crashes or is overloaded. Before the cloud, CSOs needed to work things out with more expensive redundant systems or storage. He sees the new approach appealing to organizations that are expanding through mergers and acquisitions, for instance. “The cloud gives provisioning and elasticity.” In a pay-for-what-you-use plan, it is similar to how enterprises use electricity today, he points out. “It can be a measured service based on the number of readers and credentials and the amount of transactions.”
Among the business risks is the cloud’s potential impact on privacy and corporate governance.
DETERMINE SENSITIVE DATA
Says Andrew Serwin, chair of the privacy, security and information management practice at law firm Foley & Lardner LLP, and a Security magazine Most Influential, “It can be a matter of how sensitive is the data and what type of cloud you are using.”
He advises that security executives “assess what they are putting up in the cloud. Meet your need for privacy and data security. There is also the growing requirement for business continuity as it relates to mission critical data.”
Andres Kohn, vice president of technology for Proofpoint, agrees with Serwin. “The evolving security landscape, including the increase in malicious attacks, consumerization of IT and complex regulations, means that traditional security architectures may not be coping. You have to stay on top of trends and their risks,” he says of security and the cloud.
Kohn points out that, no doubt, cloud computing for security applications has business benefits. “There is elasticity. You can gain more capabilities.” Proofpoint is a security-as-a-service vendor that delivers data protection solutions.
He adds the evolving cloud can provide a greater level of security and functionality. “It can save money but you need to be cynical of the cloud providers. Probe. Look for certifications. Make sure you do not lose control of security itself. Audit carefully.”
Frank Kenney, a former Gartner analyst and now vice president of global strategy and product management at Ipswitch File Transfer, emphasizes that the “cloud is as secure as someone wants it to be. You need to ensure protection of the transmission and the data. Employees often break the rules to get business done.” He suggests the need for disaster recovery plans to be adjusted when going into the cloud.
“When you add such layers of security, you need to add layers of management and auditing, governance and administration,” which may go beyond the cost savings of the cloud model itself. Know as much as you can about the details of the myriad services, says Kenney.
Among the diverse services:
- Web-based cloud services. Security can employ certain Web service functionality, rather than using fully developed applications.
- SaaS (Software as a Service). This involves providing a given application to multiple tenants, typically using a Web browser.
- Platform as a Service. A variant of SaaS, security runs its own applications but on the cloud provider’s infrastructure. The provider may be internal or external.
- Utility cloud services. These are virtual storage and server options that organizations can access on demand, even allowing the creation of a virtual data center. Such an approach is growing in the security video storage and retrieval area.
- Managed services. The most mature approach; in this case the cloud provider, rather than the end user, uses the application.
There also are layers of services and computing. In the case of Web-based offerings, once an Internet protocol connection is established, it is possible to share services within any one of the following layers.
- Client – A cloud client consists of computer hardware and/or computer software that relies on cloud computing for application delivery and that is in essence useless without it.
- Platform – Cloud platform services, also known as platform as a service (PaaS), deliver a computing platform and/or solution stack as a service, often consuming cloud infrastructure and sustaining cloud applications. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers. Rare in typical physical security but popular in IT, cloud computing has a major impact, and one of the most important parts of this change is the shift of cloud platforms. Platforms let developers write certain applications.
- Infrastructure – Cloud infrastructure services, also known as "infrastructure as a service" (IaaS), deliver computer infrastructure – typically a platform virtualization environment – as a service, along with storage and networking. And for security with officers, after-hours guarding, or escort service needs, there are cloud offerings emerging. For example, VirSec Virtual Security from Huffmaster has services including virtual patrols and escorts.
A Four Way Cloud Approach
There are four cloud types and each can play a role in physical security.
- Public cloud – A public cloud is based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model. City and state agencies use this approach for mass notification and incident databases.
- Community cloud – It shares infrastructure among organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.
- Hybrid cloud – A composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another. First responders, reflecting public and private organizations, can use a hybrid approach.
- Private cloud – Private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally.