Trend Micro has been talking to many data center security folks and Infrastructure-as-a-Service (IaaS) providers to understand the dynamics of cloud security. Something that strikes me is their frequent (mis)perception that the Infrastructure-as-a-Service provider will take care of security in the public cloud.
IaaS providers are doing a decent job of baseline security (physical security, perimeter firewall, load balancing, perhaps a network IDS/IPS, etc.), which is the basic ante just to be in the game. While the occasional IaaS vendor strives to differentiate itself with higher degrees of security, many (if not most) are focused on providing the aggressive prices and flexibility that the IaaS concept promises relative to the on-premises data center.
While IaaS vendors strive for a secure environment, the security responsibility and accountability lie with the business using the service. The Amazon Web Services Customer Agreement is quite clear in this regard:
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications.
You can visit your favorite IaaS vendors to read their Terms of Service or Service Level Agreements to see that they typically do not take responsibility for more than physical security, security personnel, and basic perimeter security of the computing environment that you might use. This is probably because many of the IaaS providers are located in the litigious USA, where people are known to sue one another (Frank Gens at IDC mentioned during a recent IDC webinar that in the near term, 75% of the cloud computing services market was in the US). IaaS providers need to clearly limit their legal liability to stay in business, and that means the security burden falls to the cloud computing customer (e.g. the enterprise) to ensure that their data and applications are safe.
I spoke with one corporate lawyer about this (note: I am a lay person, this is not legal advice, please consult qualified legal counsel before making any decisions about anything) who made the point that if someone gets sued because of a data breach, the plaintiff will go after the party with the deepest pockets. I tried finding a pithy quote from a lawyer to articulate this point and came up empty, but try googling “lawyer sue deep pockets” and you’ll understand what I’m talking about. In cloud computing, the deep pockets are typically with the IaaS consumer and not the IaaS provider.
Note that we have not seen IaaS-related data breaches to date. We have seen Distributed Denial of Service (DDoS) attacks and lost data, but no breaches of sensitive data. Given that compelling cloud economics and flexibility are expected to draw in applications, and those applications will eventually include sensitive data, a data breach is only a matter of time. When the s—t hits the fan due to a data breach, look for the lawyers to knock on the enterprise door, not the IaaS data center door.
Enterprises can offload security responsibilities to third parties by relying on the IaaS vendor's security or on managed security service providers (MSSPs), but if something goes wrong, the owner of the data is the one who is accountable.
How can you mitigate the risk when deploying applications involving sensitive information into the cloud? When considering where to deploy applications in the cloud, the “security” answer to your application developers can be “Yes, deploy into the public cloud (IaaS), as long as you take these steps…” rather than a knee-jerk “No.” Those “yes steps” involve protecting the individual host inside the IaaS perimeter, since the provider's perimeter controls stop at the network edge. That protection includes host-based technologies providing deep packet inspection for IDS/IPS and a host firewall, along with file integrity checking and log inspection (like OSSEC). And now comes my shameless sales pitch! Check out the new Trend Micro Deep Security 7.0 that addresses many cloud security and compliance issues.