Is Anyone In Control Of Cloud Security?

Philip Lieberman,

The government’s ‘G-Cloud’ could save the UK economy £3.2bn, but is it worth the security risk, asks Philip Lieberman

There are those who argue that the age of Cloud computing is merely in the minds of the more far-sighted IT visionaries. I have even met those whose businesses are indifferent to the Cloud. This indifference may cost them dearly – and soon.

The UK’s new Coalition Government is implementing the “G-Cloud” strategy (actually the strategy of the last Government) and there are some who claim that it will save the government £3.2bn from its annual IT budget of £16bn.

That’s not just a big saving for the Government – it’s an obvious opportunity for suppliers who can ensure it is secure.

Cloud to replace ad-hoc network

The proposal is to replace the present ad-hoc network of department – hosted systems with a dozen dedicated government secure data centres, costing £250m each. The G-Cloud plans could support everything from pooled government data centres to a communal email solution and collaboration.

By 2015 the plan is that 80% of government departments could be using this system. But will it be secure enough?

Safeguarding the IT infrastructure from unmonitored access, malware and intruder attacks grows more challenging as the operation evolves for cloud service providers.

And as a cloud infrastructure grows, so too does the presence of unsecured privileged identities – those so-called super-user accounts that hold elevated permission to access sensitive data, run programs, and change configuration settings on virtually every component of IT.

Privileged identities put organisations at risk

Privileged identities exist on all physical and virtual operating systems, on network devices such as routers, switches, and firewalls, and in programs and services including databases, line-of-business applications, Web services, middleware, VM hypervisors and more.

Left unsecured, privileged accounts leave an organisation vulnerable to IT staff members who have unmonitored access to sensitive customer data and can change configuration settings on critical components of your infrastructure through anonymous, unaudited access.

It can also lead to financial loss from failed regulatory audits such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance, Portability and Accountability Action (HIPAA) of 1996, and the Sarbanes–Oxley Act of 2002 standards that require privileged identity controls.

One of the largest challenges for cloud service customers inside and outside of government is attaining transparency into how public cloud providers are securing their infrastructure.

How are your identities being managed and secured? Many cloud providers won’t give their customers much more of an official answer than a SAS70 certification.

How can we trust in the cloud if the vendors of cloud-based infrastructure neglect to implement both the process and technology to assure that segregation of duties are enforced, and customer and vendor identities are secured?