Those of us who make our living from information security carry with us a dark secret: We are fighting a losing battle and giving up ground in the form of data breaches at an alarming rate. This is not due to the lack of effort on our part in protecting our organization's assets. It comes down to the simple fact that the attackers have more time and tools for offense than we have for defense. Some organizations simply can't afford to invest the resources necessary into a proper information security program, while others build half-hearted infosecurity programs with minimal staffing and budgets just to meet regulatory compliance. So the fact that we are losing the battle is not really a secret to anyone.
However, times are changing and security professionals have a new weapon available for their arsenal to combat the ever-increasing risk of cyberattacks. The cloud has been quickly adopted by enterprises in order to reduce costs, increase agility and provide business expertise. These same types of advantages also apply to using cloud-based security services. This emerging model of Security as a Service offers the potential to level the playing field between cyber-offense and cyber-defense as never before. Still, it's important to understand that the same risks involved with deploying enterprise cloud solutions also apply to deploying cloud-based security services. So how do you know when Security as a Service is right for your organization? Organizations need to consider both the advantages and risks associated with cloud-based security services.
Security as a service benefits
1. Staff augmentation
Information security is a labor-intensive activity. We can automate many of the activities, but in the end a human being is almost always required to make a judgment call. We collect logs from servers, network devices, firewalls and intrusion detection systems, which all require our undivided attention. Labor is the one resource no security program I have ever encountered has had in abundance. Breaches can occur and the systems continue dutifully recording the information until someone actually has the time to interpret the logs. There have been many recent breaches involving system penetrations that weren't identified by the security team until months later. The reporting of these breaches often comes from an external party because no one internally has had the time to interpret the log data.
This is where Security as a Service can shine. The cloud is primarily about sharing resources to achieve an economy of scale. Security as a Service solutions can dedicate teams to a specific activity, such as monitoring logs, and spread the cost across many different customers, lowering the unit cost for everyone. Security programs can now afford a dedicated log monitoring team where they could not have previously without the cloud-based model. This raises the effectiveness of the security program and frees in-house staff to focus on higher level risk management activities.
2. Access to advanced security tools
We have all done it: downloaded an open source security tool that required a large investment of time in order to mitigate a security risk. The tool was free and there was no budget to acquire anything else. There is nothing wrong with open source technologies; they can be incredibly useful. Unfortunately, they can also consume a lot of time in order to install and maintain in a production environment. How many hours have you spent trying to find that one Snort rule that keeps your IDS service from starting?
This is another area where implementing Security as a Service can be beneficial. Your security program may be able to acquire advanced security tools using the cloud computing concept of economies of scale. The quality and variety of the available security tools is as good as any other internally hosted commercial offerings, but won't cost nearly as much. More importantly, they will be maintained by the cloud provider so you will actually have the time to benefit from using the tools.
3. Access to contextual expertise
Information security is a broad subject; there is no practical way for anyone to know every detail on each aspect. Some security professionals focus on forensics, while others focus on Web application security, for example. Others try to maintain knowledge that is an inch deep but a mile long because there is a lack of human resources available in the organization's security program. This knowledge gap can cause serious blind spots where risk is not easily observed nor mitigated.
Security as a Service can help address this problem. The vendors providing cloud-based security are focused on a particular aspect of information security. There are cloud-based vulnerability scanners that are maintained by experts in detecting exploitable systems on the Internet. Other cloud providers have built their entire network around protecting against denial-of-service (DoS) attacks. Security as a Service offers organizations the benefit of access to these contextual experts and resources they otherwise could not afford to maintain in-house. This allows the internal security staff to focus less on technical details and more on strategically managing the organization's information security risks.
4. Position information security as a business enabler
The information security department is often perceived as putting up roadblocks in the way of organizational initiatives. This can happen for a variety of reasons that may or may not actually be the fault of the information security department. Some people in the organization may not understand the need for encryption or firewall technologies to protect confidential data. Even if they do understand the reasons behind the implementation, they certainly do not understand the time required to implement security technology.
Security as a Service may help resolve this issue as well. It can't help educate the rest of the organization on security requirements, but it can allow much faster implementation of security technologies, which can reduce the perceived organizational project impact. This is one key advantage of any cloud-based security service that security programs must embrace. For example, virtual servers can be configured with identical firewall rules quickly and automatically. This allows the information security department to develop a different relationship with the organization's leaders and could change the perception of information security to that of a business-enabling partner instead of a necessary evil.
A fresh approach
Beyond the broad benefits of Security as a Service, there are specific advantages with some of the newer types of cloud-based security. There are several new services beyond the traditional email and Web filtering Security as a Service solutions that organizations should evaluate. They can help address age-old problems the security industry has been trying to solve with limited success. The introduction of the cloud-computing model provides a fresh approach that could help find some answers to these difficult problems.
Passwords are one of these age-old problems that began at the same time as multi-user computing. A movie from the 1980s depicted a hacker stealing a system password off of a Post-it note. Today, employees continue to leave Post-it notes with passwords under their keyboards. Users have trouble managing a single password, never mind the 10 passwords they are often burdened with in modern environments.
Provisioning these accounts is often just as difficult for system administrators and human resources departments. New employees find themselves waiting for access to the systems they need to do their job. There also are times when accounts are not disabled in a timely manner after an employee leaves. The complexity of the manual system creates security risk on both sides of the process.
There are several solid Security as a Service options that can speed the provisioning process and provide single sign-on capability. They can tie together systems that live in the cloud as well as systems that live on the internal network. These services utilize open standards protocols such as SAML, and even allow federation with internal Microsoft Active Directory infrastructures. The hybrid approach, in which internal and external services authenticate from the same source, is where an organization can save both time and money by simplifying the password process while still reducing the overall risk.
Virtual machine management
The development of the capability to run multiple virtual servers on a single hardware server has been one of the most disruptive changes in information technology. Organizations have rapidly deployed private, public and hybrid clouds as they rushed to replace the physical hardware bursting out of their data centers. This technology has been disruptive for information security as well, offering a host of new challenges.
One of the challenges of managing virtual servers in a public or private cloud is configuration management. Configuration management includes the process used to configure and maintain the server with the appropriate security options based on organizational policy. This could include options such as firewall policies, file system permissions and installed services. The technologies to support this process were already complex inside the data center. A cloud-based configuration management system needs to be able to provide this capability across multiple cloud service providers plus the internal data center.
Cloud-based security services available for configuration management provide this capability. They offer complete control over Linux with growing capabilities for Windows-based servers. They can also function just as well with servers hosted at GoDaddy.com as they can with servers hosted at Linode. The surprise is that these new cloud-based configuration management systems are easier to configure and just as powerful as their old internally hosted predecessors. This is another area where security professionals should focus on cloud-based options even if they only have internal server resources to manage.
Network layer protections
Protecting the network connections to Internet-based assets has become more urgent in the last several years. Websites are now under attack from both cybercriminals and cyber-vigilante groups alike. Anonymous has continued to make headlines for DoS attacks against a variety of companies using low-tech tools such as Low Orbit Ion Cannon. These types of attacks come at a time when organizations are relying even more on the Internet for other cloud-based applications.
Surprisingly, the best defense for these types of attacks against cloud-based assets is the cloud itself. There are Security as a Service solutions that offer protection from DoS attacks by using large amounts of bandwidth and intelligent protocol routing. These services can also hide Web servers behind their own front-line servers, disguising the target from drive-by attacks. Other types of cloud-based security include PCI DSS, data tokenization, Web application firewalls and hidden DNS servers.
Security as a service risks
There is no perfect tool for mitigating security risk and Security as a Service is no exception. The risks with cloud-based security services are the same as any other cloud service and fall into these general categories:
- The cloud provider will have some level of access to your data. Security-based data should be treated carefully as a leak could lead to multiple data breaches. The more comprehensive cloud services use encryption, but there are still issues with vendor key management. Organizations with applications requiring the highest level of data confidentiality may want to look at internal solutions.
- The Security as a Service will be accessible from the Internet. This is a risk that security professionals have not had to consider with internal systems; it was never an accepted practice to expose internal firewall management tools to the Internet in the past. Authentication into these services needs to provide strong, multi-factor options in order to provide the appropriate level of protection. You also need to consider potential DoS attacks; without strong protection, criminals could make modifications to the services or prevent an organization from managing or accessing the services.
- There is little in the way of open standards for the purpose of exporting services between Security as a Service providers. Organizations using these services will need to assume any switching between providers will be a completely manual process, and include rebuilding firewall rules, virtual machine configurations and authentication methods in the new provider.
- An organization should perform a detailed vendor due-diligence audit, treating Security as a Service providers just like any other cloud provider. It's critical to choose a provider carefully and review their financial status to verify they will be around in the future. Thoroughly examine the service provider's information security posture, starting with SAS-70 or SSAE-16 audit reports as well as any vulnerability assessment reports. The organization needs to be able to fully trust the cloud provider, so this audit is crucial.
- Compliance can be another issue that may be difficult to solve with cloud-based security services. A service could provide top-notch audit reports and meet all of the due diligence technical requirements. However, there may still be contractual or legal agreements that cannot be met, such as the Business Associate Agreement that is required under HIPAA. This situation is improving, but it's important for an organization to understand how the Security as a Service provider will meet its specific compliance needs.
Many information security professionals harbor anxiety around implementing any type of outsourcing, which is what Security as a Service should be considered. The economy has created a level of defensiveness for many types of employees, including security professionals who fear being replaced with a cloud service. However, these new services have the capability to allow security pros the time and energy to focus on higher level, strategic security projects instead of daily maintenance routines. This will help security programs reach a new level of effectiveness that could actually increase job security. Besides, who really wants to spend all night compiling yet another updated version of Snort?
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both health care and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member. Send comments on this article to firstname.lastname@example.org.