Security Enterprise Services

Overcast but Clearing as the Cloud Comes to Security

January 3, 2012
Trans

Already the darling of a growing number of enterprise information executives, going into the cloud has come to their security brethren, bringing the same business advantages but also, not surprisingly, the same risks.

Welcome to security services “in the cloud.” And the cloud will get bigger…really bigger. In its Global Cloud Index, Cisco estimates global cloud computing traffic will grow 12-fold by 2015.

Hosted, managed, software as a service, video as a service, infrastructure as a service, in the cloud computing; it’s a confusing set of labels, features and potential sources.

But generally, IT and increasingly enterprise security leaders see business advantages in sharing or shifting software, processing, or storage in a different way, often thanks to internal virtualization or, externally, the Internet.

Specific to security, electronic card access control, burglar alarms, mass notification and various levels of security video can reside in the cloud. A most recognized cloud application is Google’s Gmail, for example. As with anything, “in the cloud” has risks and benefits, complicated since many physical security professionals are not as aware of the approach.

 

CLOUD PROBLEMS ARISE

For example, recently Google modified the encryption method used by its HTTPS-enabled services including Gmail, Docs, and Google+ in order to prevent current traffic from being decrypted in the future when technological advances make it possible, said a report by IDG News Service. The majority of today’s HTTPS implementations use a private key known only by the domain owner to generate session keys that are subsequently used to encrypt traffic between the servers and their clients. This approach exposes the connections to so-called retrospective decryption attacks.

There remains a bit of confusion over the cloud. According to Mohammed Benabdallah, director, global business development and IT alliances for Tyco Security Products, “There is managed and hosted but they are not cloud application per se. There is a move, however, within certain organizations which are interested in moving to the cloud.”

One business benefit, says Benabdallah, is to overcome the failure of a security system where it crashes or is overloaded. Before the cloud, CSOs needed to work things out with more expensive redundant systems or storage. He sees the new approach appealing to expanding organizations due to mergers and acquisitions, for instance. “The cloud gives provisioning and elasticity.” In a pay-for-what-you-use plan, it is similar to how enterprises use electricity today, he points out. “It can be a measured service based on the number of readers and credentials and the amount of transactions.”

Among business risks is the potential of the impact of the cloud on privacy and corporate governance.

 

DETERMINE SENSITIVE DATA

Says Andrew Serwin, chair of the privacy, security and information management practice at law firm Foley & Lardner LLP, and a Security magazine Most Influential, “It can be a matter of how sensitive is the data and what type of cloud you are using.”

He advises that security executives “assess what they are putting up in the cloud. Meet your need for privacy and data security. There is also the growing requirement for business continuity as it relates to mission critical data.”

Andres Kohn, vice president of technology for Proofpoint, agrees with Serwin. “The evolving security landscape, including the increase in malicious attacks, consumerization of IT and complex regulations, means that traditional security architectures may not be coping. You have to stay on top of trends and their risks,” he says of security and the cloud.

Kohn points out that, no doubt, cloud computing for security applications has business benefits. “There is elasticity. You can gain more capabilities.” Proofpoint is a security-as-a-service vendor that delivers data protection solutions.

He adds the evolving cloud can provide a greater level of security and functionality. “It can save money but you need to be cynical of the cloud providers. Probe. Look for certifications. Make sure you do not lose control of security itself. Audit carefully.”

Frank Kenney, a former Gartner analyst and now vice president of global strategy and product management at Ipswitch File Transfer, emphasizes that the “cloud is as secure as someone wants it to be. You need to ensure protection of the transmission and the data. Employees often break the rules to get business done.” He suggests the need for disaster recovery plans to be adjusted when going into the cloud.

“When you add such layers of security, you need to add layers of management and auditing, governance and administration,” which may go beyond the cost savings of the cloud model itself. Know as much as you can about the details of the myriad services, says Kenney.

Among the diverse services:

  • Web-based cloud services. Security can employ certain Web service functionality, rather than using fully developed applications.
  • SaaS (Software as a Service). This involves providing a given application to multiple tenants, typically using a Web browser.
  • Platform as a Service. A variant of SaaS, security runs its own applications but on the cloud provider’s infrastructure. The provider may be internal or external.
  • Utility cloud services. These are virtual storage and server options that organizations can access on demand, even allowing the creation of a virtual data center. Such an approach is growing in the security video storage and retrieval area.
  • Managed services. The most mature approach, in this case a cloud provider uses an application as compared to the end user.

There also are layers of services and computing. In the case of Web-based offerings, once an Internet protocol connection is established, it is possible to share services within any one of the following layers.

  • Client – A cloud client consists of computer hardware and/or computer software that relies on cloud computing for application delivery and that is in essence useless without it.
  • Platform – Cloud platform services, also known as platform as a service (PaaS), deliver a computing platform and/or solution stack as a service, often consuming cloud infrastructure and sustaining cloud applications. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers. Rare it typical physical security, but popular in IT, cloud computing has major impact, and one of the most important parts of this change is the shift of cloud platforms. Platforms let developers write certain applications.
  • Infrastructure – Cloud infrastructure services, also known as "infrastructure as a service" (IaaS), deliver computer infrastructure – typically a platform virtualization environment – as a service, along with storage and networking. And for security with officers, after-hours guarding, or escort service needs, there are cloud offerings emerging. For example, VirSec Virtual Security from Huffmaster has services including virtual patrols and escorts.
A Four Way Cloud Approach

There are four cloud types and each can play a role in physical security.

Public cloud– A public cloud is based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model. City and state agencies use this approach for mass notification and incident databases.

Community cloud– It shares infrastructure among organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally.

Hybrid cloud– A composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another. First responders, reflecting public and private organizations, can use a hybrid approach.

Private cloud– Private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Bill Zalud

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

August 2014

2014 August

In the August issue of Security Magazine, read about the public-private partnerships and the future of DHS with Frank Taylor, sneak a peek at the ASIS 2014 security products, and read a special report on cyber risk and security. Also in this issue find out why America is in desperate need of a CSO and the most common mistakes in Cyber incident response. The security game has dramatically changed since September 11th, read about what enterprises are doing to keep Americans safe and sound.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+