The drive to maintain customer data security in cloud computing environments is pushing channel partners who offer cloud services to obtain security certifications, as well as offer a variety of security software and services -- all in an effort to differentiate themselves in a crowded market.
Increasingly, channel partners are finding that building cloud platforms with hardware and security software isn't enough to alleviate customers' security concerns. Instead, showing security credentials, sharing information about third-party audits and proving cloud security skills are as important to the cloud discussion as the channel company's ability to partner with the right technology companies and provide the right tools needed to manage a customer's data in the cloud.
As data breaches become more common, and customers increasingly learn about high-profile incidents, such as those at Target Corp., Anthem Inc., Home Depot Inc. and federal agencies such as the Office of Personnel Management, cloud providers are obliged to help ease their clients' data security concerns. This is occurring while companies continue to move their information to cloud providers as a way to augment existing data warehouse offerings.
Jim Reavis, co-founder and CEO of Cloud Security Alliance (CSA), an organization that offers cloud security certification programs for the industry, pointed to two security measures that he said have become "pretty popular" in cloud circles:
- Obtaining national and international data security certifications.
- Proving that a cloud partner's systems and procedures meet the data protection requirements laid out in the specific laws, regulations and mandates that customers in different vertical markets face.
"Large cloud customers have always had the ability to schedule their audit of a technology partner, but that's going away," Reavis said. "As an alternative, customers are requiring that cloud providers get certifications or something similar because they know they can't commit to an on-site inspection of a cloud provider at different data centers, which isn't useful because so much of the security controls are in the software."
In this environment, companies like Cirrity LLC, a cloud provider that bills itself as offering a secure cloud infrastructure, believe it is imperative to obtain the right security certifications and meet the relevant standards, which better positions them to assure clients that they can manage data securely in the cloud.
The Atlanta-based company is one of a handful of cloud service providers to achieve ISO/IEC 27001 certification, and was the first U.S.-based company to attain the CSA Security, Trust and Assurance Registry (STAR) certification.
"We are loaded up in terms of certifications," said Dan Timko, president and CTO at Cirrity. "Information security is of paramount importance in a cloud environment, and given the multitude of certifications and third-party assessments we go through, it gives all partners and customers a lot of confidence in our platforms."
One of the benefits of engaging Cirrity, Timko said, comes from the company's enrollment in Cisco's Cloud and Managed Services Program (CMSP). Cirrity uses Cisco's network equipment, firewall security software and other technology to support the cloud platforms it provides to customers. Those platforms include infrastructure as a service (IaaS), disaster recovery as a service (DRaaS) and desktop as a service (DaaS).
Because Cirrity is a Cisco Powered cloud provider, Cisco requires third-party audits of Cirrity's technology architecture, support procedures, technical capabilities and information security posture.
Addressing customer data security in cloud settings
Even with a number of certifications and security software systems in place, cloud providers still need to work with partners and customers to implement techniques that address the mandates and legal requirements that companies in different verticals -- healthcare, retail and financial, among others -- must comply with to protect specific data sets.
"The key is understanding the customer and their requirements first, and designing solutions specific to them," Timko said. "There are inherent safeguards built into the platform itself, but we tailor environment-specific solutions, such as full disk or file-based encryption, customer key management, intrusion detection/prevention, security information and event management (SIEM), log analysis, two-factor authentication, physical isolation and many more."
Mark Cavaliero is CEO and founder of Carolinas IT, based in Raleigh, N.C., a company that provides a private hosted cloud offering that delivers private and public cloud-based applications, servers, desktops and data storage technology. Cavaliero said his company has implemented an enterprise offering that meets the criteria outlined in laws and mandates that determine how data should be protected, including:
- The Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organizations protecting credit card information.
- The Sarbanes–Oxley Act of 2002 (SOX), which calls for the protection and retention of data that supports the accuracy and reliability of corporate disclosures.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets national standards for the security of electronic protected health information.
Additionally, Carolinas IT has developed an extensive framework of standard operating procedures (SOPs) that ensure its team operates in accordance with the specific standards that are relevant to its environment. The company is audited annually for adherence to its SOP framework, which incorporates best practices from multiple standards, security guidelines and organizations, including CSA's Cloud Controls Matrix, National Institute of Standards and Technology (NIST), Department of Defense (DoD), and the Information Technology Infrastructure Library (ITIL).
The company also has an ISACA-certified information systems auditor on staff, both for its clients' regulatory requirements and for its own internal security and compliance.
Part of the job of providing cloud services, Cavaliero said, is to look for weaknesses in a customer's security operations and to offer measures that address them; those measures, he added, go a long way toward differentiating the provider in the market.
"As an example of the type of security that sets us apart, [we provide] an automatic record [that] is kept of each time a technician accesses a password. And in the event a tech leaves our firm, we can instantly change any password he may have had access to," Cavaliero said. "We also include a program of regular password changes. These are security measures that clients may not ask about, but allow us to be confident that we are living up to the trust they place in us."
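The two controls Cavaliero describes, a record of every password access and the ability to rotate anything a departing technician touched, depend on each other: without the per-access log you cannot know which secrets to rotate, so you either rotate everything or miss some. The following is an added example of how a small credential store can implement that pairing, together with an age-based rotation check; it is illustrative code written for this page, not Carolinas IT's tooling. The vault class, the technician and secret names, and the placeholder secret values are all constructed for the demonstration.

```python
"""Per-access audit trail for a shared credential store, with targeted rotation
when a technician leaves.  Added example for this page; not a vendor's product."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    secret_id: str
    action: str  # "read" or "rotate"


class CredentialVault:
    """Minimal vault (constructed for illustration): every read is logged, so
    offboarding can rotate exactly the secrets a departing technician saw."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # The clock is injectable so the age-based check can be exercised
        # deterministically; real deployments just use UTC wall-clock time.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._secrets: Dict[str, str] = {}
        self._last_rotated: Dict[str, datetime] = {}
        self._log: List[AuditEvent] = []

    def store(self, secret_id: str, value: str) -> None:
        self._secrets[secret_id] = value
        self._last_rotated[secret_id] = self._clock()

    def read(self, actor: str, secret_id: str) -> str:
        # Log before returning the value: a failure after this point still
        # leaves the access on record, which is the property the audit needs.
        self._log.append(AuditEvent(self._clock(), actor, secret_id, "read"))
        return self._secrets[secret_id]

    def rotate(self, secret_id: str, actor: str = "system") -> str:
        new_value = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._secrets[secret_id] = new_value
        self._last_rotated[secret_id] = self._clock()
        self._log.append(AuditEvent(self._clock(), actor, secret_id, "rotate"))
        return new_value

    def accessed_by(self, technician: str) -> Set[str]:
        """Every secret this technician has ever read, derived from the log."""
        return {e.secret_id for e in self._log
                if e.actor == technician and e.action == "read"}

    def offboard(self, technician: str) -> Set[str]:
        """Rotate every secret the technician could have seen; return the set."""
        exposed = self.accessed_by(technician)
        for secret_id in sorted(exposed):
            self.rotate(secret_id, actor=f"offboard:{technician}")
        return exposed

    def due_for_rotation(self, max_age: timedelta) -> Set[str]:
        """Scheduled rotation: secrets not rotated within max_age."""
        now = self._clock()
        return {s for s, t in self._last_rotated.items() if now - t >= max_age}

    def audit_log(self) -> List[AuditEvent]:
        return list(self._log)


def demo() -> dict:
    """Walk through the scenario in the text with constructed sample data."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    vault = CredentialVault(clock=lambda: now[0])
    vault.store("db-prod", "Pr0d-DB-Passw0rd")      # placeholder values
    vault.store("fw-admin", "Fw-Adm1n-2024")
    vault.store("vpn-psk", "vpn-shared-secret")

    vault.read("alice", "db-prod")                  # alice touches two secrets
    vault.read("alice", "fw-admin")
    vault.read("bob", "db-prod")                    # bob touches one

    now[0] += timedelta(days=60)
    rotated = vault.offboard("alice")               # alice leaves the firm
    entries_after_offboard = len(vault.audit_log())  # 3 reads + 2 rotations

    now[0] += timedelta(days=31)                    # 91 days after the stores
    return {
        "rotated_on_offboard": rotated,
        "db_prod_changed": vault.read("bob", "db-prod") != "Pr0d-DB-Passw0rd",
        "vpn_psk_unchanged": vault.read("bob", "vpn-psk") == "vpn-shared-secret",
        "due_after_90_days": vault.due_for_rotation(timedelta(days=90)),
        "audit_entries": entries_after_offboard,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `offboard` deriving its target set from the log rather than from a role table is that it covers ad hoc access: a technician who looked up a password once for a ticket is included, whereas a role-based rotation would not know about that read. The `due_for_rotation` check is the "regular password changes" half of the quote and is independent of offboarding; `vpn-psk`, which nobody rotated, is the only secret it flags in the demo.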
Carolinas IT is also focused on establishing a multi-layered security architecture that incorporates perimeter security, rule-based protection, port-based security, encryption, advanced authentication methods, physical security, logical and physical segmentation, threat signatures, behavior analysis, and deep packet inspection.
"We monitor traffic in and out of our cloud, and use advanced name resolution control for outbound requests," Cavaliero said. "We monitor for traffic and utilization anomalies and we proactively patch at all levels, including BIOS, hypervisor, OS and at the application level."
Data security: In cloud they trust?
Even as cloud providers ramp up their security measures, however, they have complaints of their own about the security efforts of partners and customers.
Over at Cirrity, which doesn't have a direct sales force and relies on systems integrators and value-added resellers (VARs) to promote its cloud services to customers, Timko said many channel partners don't have specific certifications for security compliance that would help them better address data security requirements across vertical markets. This can have unintended consequences.
"A lot of the guys doing IT resale don't necessarily have competency in security compliance and don't do due diligence around that," Timko said. "What we see is a big difference at systems integrators and VARs in terms of qualifications and compliance certifications, and attestations, and all of the things that we do."
According to Timko, a lot of resellers sign up with a cloud company or a hosting company without fully understanding the implications of not having certain certifications or specializations. When they bid for cloud engagements with customers that have specific security needs, for example, a healthcare customer that needs to meet HIPAA regulations, and that customer discovers it is far more competent in HIPAA compliance than the reseller, it becomes a problem.
"A, it makes the reseller look bad -- that's mud on their face -- and B, you're not going to win that deal," Timko said. "We see that often amongst some of the partners we work with, so there is an educational component of why these things matter."
Educating customers about their security responsibilities is another significant challenge. Nick Sanders, director of product management at Masergy, a global cloud networking provider headquartered in Plano, Texas, said the biggest risk is associated with a failure on the part of a customer to notify Masergy when personnel changes occur that might require a user account to be changed or terminated.
Sanders said his company has processes in place that allow them to minimize the potential impact to their customers in the event that such an issue might arise, but to date, that hasn't happened.
"Checks and balances exist that preclude the possibility of significant network changes occurring without appropriate authorizations, etc.," Sanders said. "We have to rely, to some extent, on both our customers and our partners to operate with the same level of care and due diligence that we practice on our own resources to ensure that customer data integrity and application performance are not subject to compromise."
As the cloud provider market becomes more complex, one emerging trend is the rise of cloud access security brokers: companies that sit between customers and cloud providers and offer a layer of technology that intercepts traffic to the cloud so the customer's policy is enforced uniformly across providers, for example by adding encryption or other security controls on top of what each cloud service offers on its own.
"What large enterprises are telling us is if they have 800 to 1,000 cloud services, they can't manage that and have uniform security for all their cloud services," CSA's Reavis said. "Now, you are seeing a rise in the market of that intermediary that sits between the large enterprise and all of these cloud providers to help organizations have uniformity in terms of policies, encryption and identity federation."
Reavis added: "We think the emergence of the cloud access security broker is a pretty big trend."