This week I paid a visit to Nairobi, Kenya and had the opportunity to fly past the summit of Africa in Mt. Kilimanjaro (thank you SAA pilots!). The view is just breathtaking and one felt close and personal with the mountain. It’s called Kilima Njaro in Swahili and is completely in Tanzania. See the picture below © Yann Arthus-Bertrand/Corbis.
What was my mission all about? I had been invited to attend the Cloud Computing & Virtualisation Summit East Africa, held at the Hilton Hotel, Nairobi, Kenya, and yesterday, Friday, the 15th June, I conducted a workshop on “Cloud Migration and Security” (pdf download of the presentation). Please do note that I will be using the word “Cloud” interchangeably with “Cloud Computing”.
The audience included people from different sectors:
- System managers, executives, and information officers who will make decisions about cloud computing initiatives
- Cloud service providers and owners of small medium enterprises (SMMEs).
- Information technology program managers concerned with security and privacy measures for cloud computing
- Security professionals, including security officers, security administrators, auditors, and others with responsibility for information technology security
- System and network administrators
- Government executives and advisers
Broad network access is one of the essential characteristics of the cloud. While I came across some good news about Rwanda and its connectivity to the sea cables – there was a quick reminder from this report and this press article “New Ethiopian law criminalises Skype, installs Internet filters” that African countries need to accelerate the development of policies affecting or enhancing the use of new technologies in advance rather than being reactive.
By the way, it’s National Youth Day back home in South Africa and while searching for that “popular” but sad photo of June 16 (thanks to the cloud and search engines like Bing), I came across this one with a “Beetle” taken by Sam Nzima in Soweto on the 16th of June 1976 depicting Mbuyisa Makhubu carrying the body of Hector Pieterson, who was shot by police during the student protest against Afrikaans as the school language medium. This prompted me to post the following FB status: “Youth are the future and a solid education makes them the foundation of a Nation. — at Hilton Hotel, Nairobi”. The deaths of these, and many other, black youth across the country, fighting for a better education, helped to bring about this new dispensation we’re all enjoying and yet not taking full advantage of.
Back to the workshop! We started with the latest: “The NIST Definition of Cloud Computing” – “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” followed by this short introductory video — Have you ever wondered what happens when you save a photo to “the cloud” of the Internet?:
We then went into a “Speed Dating” session in which experiences with this “cloudy thing” were shared and expectations were clearly expressed. Here are some of the feelings and ideas shared:
- “Cloud computing is not new – it’s just Internet Computing”
- “Is cloud computing green? what does that mean?”
- “What are the practical applications of cloud in this part of our world?”
- “My experience with the cloud is through the use of Google docs, Skydrive (Microsoft), and social sites – How secure are my documents?”
- “How can I ensure control of what is in the cloud?”
- “What about legislation on/of the cloud”
- “How secure is my data”
- “At work I do cc’ to my Yahoo account every time I send my sensitive documents – Is it wise or safe?”
- “I just have a fear of moving to the cloud, how can you help?”
- “How can we bridge the gap between the business and technology? – the cloud seems so far away”
- “How do I manage bandwidth usage when everybody is accessing the cloud and affecting their work?”
- “Can we develop and host application in the cloud?”
- “Is the cloud confidential – Trust/Privacy?”
- “What type of clients would you recommend for data storage?”
- “We are in the process of moving to the cloud – how can we do it in a progressive manner using security best practices”
- “We would like to implement a hybrid cloud solution at the university – what is the best way of doing it considering the students environment?”
- “I have worked in and with a virtualised environment – is it a cloud?”
- “Is cloud just a new business model?”
- “What about data integrity and how would you address our fear of losing control of my data?”
- “How best can we move to the cloud in a Utility type of organization when one considers line of business (LOB) and interactive customer applications?”
- “Don’t we need some sound network?”
- “What is the reliability, security and affordability – in particular storage – of the cloud?”
- “What is the impact of cloud in the health sector (e.g. eMedicine/Telemedicine) and how can we guarantee the confidentiality of patients records?”
- “How can I develop in a “normal” environment and then release into the cloud?”
- “How can we deal with the bigger challenges of Internet connectivity to guarantee availability of the cloud services?”
- “Because of convenience of access, I store sensitive documents (e.g. certificates) in the cloud – what are the security levels?”
What are your thoughts? Are you using cloud computing? Share your story by leaving a comment.
On the very important environmental (green) issues around the cloud, I quickly recalled that Microsoft deployed ITPAC datacenter technology critical to helping the first office of its kind for the UN in Africa to achieve its green IT goals – see “UN Secretary General Opens New Office in Nairobi Aimed at Being Energy Neutral”.
Barriers of Adoption for Cloud Computing
Here are some of the questions raised that are barriers to adoption.
A recent study by Microsoft, “Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses”, showed that cloud services reduce time and money spent managing security and increase protection against cyberthreats. NIST has also recently published a document, “Cloud Computing Synopsis and Recommendations”, that I found useful for dealing with these barriers proactively.
Key Cloud Security Problems (CSA)
- Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance, and the capture of real value
- Data: Leakage, Loss or Storage in unfriendly geography
- Insecure Cloud software
- Malicious use of Cloud services
- Account/Service Hijacking
- Malicious Insiders
- Cloud-specific attacks
5 Essential Characteristics of Cloud:
- On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
We need to be very clear on what “self-service” means and when it’s applicable. It only takes me minutes to set up a Hotmail account and start sending and receiving emails, but it needs proper planning and time to migrate an organization or a department to the cloud. The provider needs to be able to plan for provisioning of resources to accommodate future rapid elasticity and guaranteed services, amongst others. In contrast, you can self-provision for a Small Business and Professionals Family to access and use O365 in/from South Africa in minutes too.
Which Cloud Model for What?
- Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (see for example O365)
- Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. (see for example Cloud Services, Media and Big Data)
- Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). (see for example Web Sites and Virtual Machines)
- Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
- Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. See the video below for an example of a public cloud.
- Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Now, let’s get into the details of the workshop and attempt to answer some, if not all, of these concerns. We will look into five (5) key elements to consider as we plan the migration towards the cloud.
Compliance and Risk Management
Governance, Compliance and Risk (GCR)
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency by the cloud provider(s).
- Compliance is still the duty of the Customer
- Sound Risk Management encompassing the Cloud is needed
- Collaboration between Customer and Provider is essential
- Need of a certain level of Process Transparency
- Strong Internal Team needed
- Contract Negotiation
- Definition of Controls and Metrics
- Integration of Controls into own processes
Microsoft Security Compliance Manager (SCM) is a free tool that enables you to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft® System Center Configuration Manager.
Below is the GRC Capacity Model ver. 2.1 derived from The Red Book by OCEG at http://www.oceg.org.
Identity and Access Management
In one of my earlier postings, “Landing Microsoft Office 365 in South Africa with Security in Mind.”, there is a ~1 hour video discussing this subject. Any digital identity system for the cloud has to be interoperable across different organisations and cloud providers and based on strong processes.
- Cross-Domain Collaboration requires secure identities
- People and Devices
- Based on In-Person Proofing or similar
- Based on interoperable standards
- Privacy vs. Authentication has to be balanced
- Processes have to be able to include several providers
Identity threats (cloud systems)
- Traditional threats still exist
  - XSS, code injection attacks
  - DNS attacks, network flooding
- Some threats are expanded
  - Data Privacy (location & segregation)
  - Privileged Access (system vs. provider vs. customer)
- New threats are introduced
  - New Privilege Escalation Attacks (VM to host or VM to VM)
  - Jailbreaking the VM boundary
  - Hyperjacking (rootkitting the host or VM)
- Old threats are mitigated
  - Patching is automated and instances are moved to secure systems
  - Cloud resiliency improves failover across a service
Service Engineering and Development
The provider should follow a clear, defined, and provable process to integrate security and privacy in the service from the beginning and for the whole lifecycle.
- Strong and Transparent Engineering Processes Needed
- Based on Threat Models or similar
The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned.
- Internal processes have to be able to cover multiple providers
- Security Monitoring
- Incident response
- Business Continuity
- Requirements depend on application and information needs
Consumerization is a growing challenge for IT organizations. The boundaries between work and life have blurred, and people expect consistent access to corporate services from wherever they are, on any device they’re using: desktops, laptops, smartphones, and tablets. These endpoint devices are increasingly being targeted by attacks designed to compromise and steal data belonging to small and midsize businesses. It is very important to include the endpoint in any security consideration for cloud-based services. It is part of the delivery chain and is often subject to social engineering attacks (and similar). Review today’s processes and policies.
It is very important to consider how different services are brought together and consumed across an entire organisation and the multiple endpoint systems that are in place. If endpoint security is shifted to the provider, this raises some important questions, such as: How are security and compliance requirements enforced? How is data protected against misuse? Will the customer still have the ability to use encryption or a rights management mechanism to protect against data loss or theft? Can the service be restricted to specific authorised endpoints or machines? Two useful references are the white paper on management and security “Flexible Workstyles and Enterprise IT: supporting the consumerization of IT with an intelligent infrastructure.” and the client management tools report from Gartner, “Magic Quadrant for Client Management Tools”.
Implemented Data Classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.
- Data Classification is the foundation
- Legal Needs
- Persistent Data Protection needed
- Encryption/Rights Management
- Has to cover the whole transaction
- Data in transit, Data at Rest, Data in Use
- Data Sovereignty
- Access to Information
- Data Partitioning and Processing
By the way, once you have access to every piece of data in a data stream, you can do literally anything with it. You can copy it, you can restrict it, you can control it – all at line speed – without any degradation of the signal.
You asked me to show you how Microsoft secures its own cloud. This is a blog I posted earlier: “Secure, reliable, scalable and efficient best practices at Microsoft GFS Datacentres” and here are the other links that will be helpful:
- Microsoft Global Foundation Services
- Microsoft Data Center Videos
- Microsoft Trustworthy Computing
- Microsoft Achieves SOC 2 Type II and SOC 3 for Cloud and Online Services Infrastructure
Do you want to develop your Azure skills to deal with the “next challenge” in your personal growth so as to be ready when there is a need for Azure (PaaS) expertise in your country? Here is a Windows Azure Training Kit that includes a comprehensive set of technical content to help you learn how to use Windows Azure. And please do sharpen your apps development through these best practices - Security Development Lifecycle.