The Cloud Security Alliance recently issued an update to its Cloud Control Matrix, a set of guidelines that promotes best practices for cloud computing. The CSA, which is a nonprofit coalition of businesses, providers and independent experts associated with cloud technologies, typically casts a wide net in terms of its prescriptions for cloud security and data governance. Past CCMs have featured recommendations for hardware security, application control, business continuity and vulnerability assessment.
While the cloud usually provides businesses with a rapid, cost-effective way to deploy applications and address many different device types, the impetus for cloud security is stronger than ever thanks to mobility and bring-your-own-device initiatives. Companies must wrestle with cloud implementations that handle record amounts of data and access requests and ferry sensitive information between numerous locations. Moreover, this responsibility is shared by employees, IT administrators and service providers. Does the latest CCM provide an appropriate framework that enables all parties to work together on creating a safe cloud environment?
BYOD necessitates new cloud security guidance
The newest iteration represents a clear shift in CSA attention toward mobile devices. Writing for Virtualization Review, editor Jeffrey Schwartz stated that version 3.0 of the CCM features “five new control domains that address information security risks over the access of, transfer and securing of cloud data.” The new categories include mobile security, supply chain management, transparency and accountability, interoperability and portability and encryption and key management.
This renewed focus on mobility has been driven by the growing prevalence of BYOD initiatives, which have diversified IT hardware fleets and enhanced the move toward cloud services that can reach devices of all kinds. After gaining popularity among consumers, smartphones and tablets quickly transformed into a way for employees to access corporate data from anywhere, sometimes even without the IT department’s approval.
Help Net Security compiled research showing that mobile hardware now accounts for 25 percent of all workplace devices in the U.S. The advent of cellular networking and Wi-Fi that rivals Ethernet for speed could mean that these devices will continue to constitute a growing share of the IT hardware pie.
Specific issues at the intersection of BYOD and the cloud
Mobile assets equipped with Long Term Evolution and 802.11ac Wi-Fi radios will be not only excellent tools for browsing the Web, but also highly efficient ways to access cloud-based applications and services. This combination of mobility and speed makes mobile devices almost unprecedented in the power that they give employees to stay productive around the clock – or cause a security incident by accessing an unsafe cloud service or using a data-mining application alongside corporate software.
According to IDG News Service, the new CCM is in large part a response to these employee-initiated trends. Workers tap into more software via the cloud, while organizations respond with mobile device management solutions that are delivered via software-as-a-service models.
“This has really sprung up from the organic growth of BYOD,” said CCM Working Group co-chair and Cloud Watchmen consultancy president Sean Cordero. “An executive wants to use an iPad, but then all of a sudden there are questions.”
A specific issue in this regard is how to safely integrate new devices into enterprise networks. Each time an organization permits another endpoint to access company Wi-Fi, it creates a potential vulnerability.
For example, devices running the Android operating system may be vulnerable to applications that leak data or harbor malicious code capable of bringing down IT infrastructure. Unsecured rogue access points, as well as man-in-the-middle attacks that leverage seemingly legitimate SSID names to coax users into handing over sensitive credentials, are threats that could do particular harm in the context of a highly mobilized, cloud-connected organization.
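As an added example that is not from the article, the following Python script shows one defensive check against the rogue access point and look-alike SSID threat just described: it compares the SSIDs, BSSIDs and security modes seen in a Wi-Fi scan against an inventory of the organization's own access points and flags anything that imitates a corporate network. The corporate network name, the BSSIDs and the scan results are all constructed for illustration; a real deployment would feed it from a site survey or a wireless intrusion detection sensor.

```python
# Added example (not from the article): flag possible rogue or "evil twin"
# access points by comparing a Wi-Fi scan against an inventory of the
# organization's own access points. Every SSID, BSSID and scan entry below
# is constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str       # network name advertised in beacons
    bssid: str      # access point MAC address as seen by the client
    security: str   # "open", "wpa2-psk", "wpa2-eap", ...


# Hypothetical corporate inventory: SSID -> authorised BSSIDs, and the
# security mode each corporate SSID is expected to advertise.
CORP_APS = {
    "ExampleCorp": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}
CORP_SECURITY = {"ExampleCorp": "wpa2-eap"}

# Constructed scan results, as a client or sensor might observe them.
SAMPLE_SCAN = [
    ScanEntry("ExampleCorp", "aa:bb:cc:00:00:01", "wpa2-eap"),  # legitimate
    ScanEntry("ExampleCorp", "de:ad:be:ef:00:01", "wpa2-eap"),  # cloned SSID, unknown AP
    ScanEntry("ExampleCorp", "aa:bb:cc:00:00:02", "open"),      # known AP, wrong mode
    ScanEntry("Example Corp", "de:ad:be:ef:00:02", "open"),     # look-alike name
    ScanEntry("CoffeeShop", "12:34:56:78:9a:bc", "open"),       # unrelated network
]


def normalize_ssid(ssid):
    """Collapse case, spacing and punctuation so look-alike names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_rogue_aps(scan, inventory=CORP_APS, expected_security=CORP_SECURITY):
    """Return (entry, reason) pairs for scan entries that imitate a corporate SSID.

    Networks whose normalized name matches no corporate SSID are ignored; the
    check is about impersonation of the organization's networks, not about
    every open network nearby.
    """
    findings = []
    corp_by_key = {normalize_ssid(name): name for name in inventory}
    for entry in scan:
        key = normalize_ssid(entry.ssid)
        if key not in corp_by_key:
            continue
        corp_ssid = corp_by_key[key]
        if entry.ssid != corp_ssid:
            # Same name after normalization but not byte-for-byte identical,
            # e.g. "Example Corp" or "EXAMPLECORP" next to "ExampleCorp".
            findings.append((entry, "lookalike SSID"))
        elif entry.bssid.lower() not in inventory[corp_ssid]:
            # Exact corporate SSID broadcast by an access point we do not own.
            findings.append((entry, "unknown BSSID"))
        elif entry.security != expected_security[corp_ssid]:
            # One of our own APs, but not advertising the expected security mode.
            findings.append((entry, "unexpected security mode"))
    return findings


if __name__ == "__main__":
    for entry, reason in find_rogue_aps(SAMPLE_SCAN):
        print(f"{reason:24} ssid={entry.ssid!r} bssid={entry.bssid} sec={entry.security}")
```

The inventory comparison is the core of the check; the normalization step exists because an attacker-controlled access point rarely needs to match the corporate SSID exactly to be chosen by a hurried user. On the mitigation side, running the corporate network with WPA2-Enterprise (802.1X) and configuring clients to validate the RADIUS server certificate means a cloned SSID cannot complete authentication, which limits what a look-alike network can harvest even before it is detected.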
Nirvanix: A cautionary tale for cloud data management
The latest CCM has also highlighted the responsibility of cloud providers in safely handling clients’ data. It advises any organization thinking about shifting mission-critical applications and storage to a public cloud to first get a firm sense of how assets will be managed.
However, such transparency can be difficult to attain from providers in light of how convoluted and multilayered many clouds have become. The expanding array of cloud technologies like platform-as-a-service and infrastructure-as-a-service means that enterprises often rely on clouds nominally managed only by contracted providers, yet in truth depend upon resources from a separate third-party organization. These arrangements can create legal and security issues, making it imperative for cloud customers to have full visibility of who is handling which parts of the stack.
The recent shutdown of cloud storage provider Nirvanix demonstrated the risks for companies that fail to perform due diligence on cloud providers. In a piece for CRN, Kevin McLaughlin and Joseph Kovar stated that Nirvanix, a startup with a pay-as-you-go business model and large partner network targeting enterprise users, would be shutting down by the end of September 2013. Customers were given no easy way to migrate data from Nirvanix to another cloud, highlighting the importance of following CCM recommendations regarding business continuity.
“When you have, say, a petabyte of data in a cloud, it is not easy to get it out,” an anonymous source told CRN. “It takes time to federate the data. It might still take a year to move it all electronically.”
Toward a better model for mobile policy and data management
In addition to vetting providers for reliability, security and partner networks, companies must also take to heart the CCM’s recommendations for mobile device policies. A sound BYOD usage policy is essential to having a safe cloud, and it should be regarded not as a small-bore imperative for hardware, but as a vital component of company-wide security.
More specifically, organizations must be careful to define and implement BYOD policies that lay out the stakes of using employee-supplied hardware to access the cloud. Workers and administrators must find a way to balance the convenience of quickly logging in to cloud-based apps with the myriad compliance obligations predicated upon securing every endpoint.
“The [mobile] policy can dictate how the device is secured, what information it stores and what data on the device the business has access to,” wrote Cloud Times’ Saroj Kar about CCM 3.0. “It also addresses the threats and concerns of IT professionals in regards to mobile computing. With an introduction to each of the main components of mobile computing, including trends such as BYOD authentication, application stores, MDM and security, many users lack a fundamental policy to control which services they can access from their mobile devices.”
The combination of sensible in-house BYOD policies and clearly defined arrangements with cloud providers means that enterprises can maximize the value of their cloud and mobility projects. Security is the responsibility of employees, administrators and providers alike, and the latest CCM gives businesses proper guidance to address it as such.