How Checklists Can Improve Cloud Security

April 5, 2011

This article is commissioned by Microsoft Corp. The views expressed are the author’s own: Jeff Vance

Like all IT projects, one of the keys to a successful cloud migration is minimizing the potential for costly mistakes. Not to scare anyone, but there is much we can learn from other scenarios in which the costs of small mistakes can be catastrophic. For instance, consider the following example of a hospital emergency room.

A man is admitted to the emergency room on Halloween, after being stabbed at a party while celebrating a bit too enthusiastically. In the ER, everything seemed routine, the wound superficial – until the man’s blood pressure crashed.

The trauma team managed to revive him and later learned that the stab wound had “gone more than a foot through the man’s skin, through the fat, through the muscle, past the intestine, along the left of his spinal column and right into the aorta, the main artery from the heart.”

A routine stab wound? How had the knife plunged so deeply?

It turns out that the medical team, despite doing almost everything right during the exam, forgot one crucial question: They forgot to ask the man what weapon he’d been stabbed with. They assumed it was a knife. It wasn’t. This was Halloween, after all, and the injured man had been stabbed by a man dressed up like a soldier wielding a bayonet.

Atul Gawande’s The Checklist Manifesto, from which the above story is taken, suggests that an ER visit gone awry holds lessons for all kinds of situations where complexity is variable, and likely to spike. One of those situations is the effort to secure corporate data.

In his book, Gawande distinguishes between two types of failures: those resulting from ignorance—or “necessary fallibility”—and those that stem from ineptitude. The first type stems from us simply not knowing enough or striving beyond our capacities.

It’s the second kind of failure that is troubling. Inept errors result from forgetting to apply what you already know. They are preventable. Gawande proposes that we can reduce these kinds of errors through the use of checklists and to-do lists. Errors of ineptitude, despite the negative ring to the term, are often completely understandable. Too often, people find themselves in situations where processes become increasingly complex, time gets limited and pressure mounts.

In many appreciable ways, moving a data center to the cloud reduces the number of boxes CIOs and IT leaders need to check off their lists, but there are still issues to be aware of.

Eric Chiu, President of virtualization and cloud security company HyTrust asked me, “What is the biggest threat to cloud computing today?”

When I hesitated, he answered “misconfigurations.” In many cloud environments, mission-critical workloads share the same resources with less-critical applications. To lessen the risks posed by this scenario, most organizations air-gap between the two.

Air gapping means a physical separation (gap) between two environments – making sure nothing bad gets in and ensuring that nothing important gets out. In virtualized environments, of course, these gaps aren’t as clear as, say, the old “sneaker nets,” where the only physical connection between two networks was an administrator shuffling removable media back and forth. The air-gap solution, though, leaves the door wide open to misconfigurations. If the IT staff makes an inappropriate administrative change, it could expose mission-critical workloads to the world at large, or bring the system to a screeching halt and trigger serious downtime.

How many security problems could be solved with a simple checklist? Think about it. We know misconfigurations are a huge problem that could be fixed with a better process. We know we need to stay on top of patches. We know that we should encrypt data at rest. We know we shouldn’t authenticate via user names and passwords alone.

But we also know that those things slip through the cracks. A cloud security checklist, then, is a great place to start as you migrate to the cloud, but knowing you need a checklist isn’t really a first step, is it?

“I’d start with SLAs. They get too little scrutiny, and many organizations forget that security should be one of the key service provisions,” said John Magee, VP of Cloud Services for Symantec. Many organizations will need to take a step or two back, though, before they’re ready to think about SLAs.

“CSOs are finding out that their lines of business have already gone out and contracted for cloud services,” Magee said. “Business managers were seeking to bypass an IT bottleneck but ended up bypassing security best practices and established policies.”

The list below will give you a start as you begin planning for secure cloud deployments. Remember, it’s just that: a start. We’d like to hear your suggestions. Comment below the story with your own advice, and we’ll include it in a later post.

Cloud Security Checklist: Getting Started

1. Discover how many projects you already have in the cloud but don’t know about
2. Establish a cloud IT team and limit administrative rights to that team
3. Don’t skip the evaluation stage just because this is a service and not expensive equipment
4. Do a thorough risk assessment
5. Begin classifying data and identifying what can be moved to the cloud and what must reside behind on-premise security layers
6. Find a cloud-appropriate system for user authentication and access control (beyond user names and passwords)
7. Scrutinize SLAs and ask:

* What are the data privacy policies?
* What are the data retention policies?
* Where is information stored?
* If you terminate your service, how long will it take to get your data back and in what form will you get it?
* What is the disaster recovery plan?

Source of Jeff Vance article

Visit us at http;//gosecure.com soon

%d bloggers like this: