Directors Report June 2017: Cloud Security Analysed For Management (£)

Synopsis

Companies around the world are moving core enterprise systems to the Cloud. What was quite recently a complicated and expensive in-house IT system can now be outsourced and the implementations now appear relatively simple and less expensive in the Cloud. 

This reduction in cost and complexity is causing an explosion of Cloud services and Cloud service providers.

With multiple cloud services, many companies are losing track of the who, what, where, when and why of their data. 

With multiple environments and services, it is easy to lose track of what data goes into which environment, and who has access to the data. Not all cloud services are the same — failure to monitor and enforce security levels and access limitations could lead to disastrous results.

Below, we outline potential issues involved in having multiple cloud services and service providers, along with a proposed action plan to stay on top of your growing cloud services environments.

Worldwide spending on public Cloud services and Infrastructure will reach $124.5 billion in 2017, representing an increase of 25.4% over 2016.

In terms of company size, nearly half of all public cloud spending will come from large businesses (those with more than 1,000 employees) while medium-sized businesses (100-499 employees) will represent more than 20% of cloud expenditure.

Sixty-four percent of enterprises are using different types of Cloud and aspects of the Internet of Things (IoT) without properly and continually securing sensitive data.

Cloud Computing defines a model of networked computer power where an application, or electronic program, runs on a series of connected servers outside of your organisation’s borders, rather than on your local system and computing devices. 

In the simplest terms, Cloud Computing means storing and accessing data and programs over the Internet instead of via your own computer's hard drive. The Cloud is just a metaphor for the Internet.

The Cloud has the potential not only to become a defining technology of the twenty-first century, but also a defining utility, just as electricity was for the twentieth. This involves the sale of computer software and hardware as services, which an organisation can rent instead of purchase. 

There are many reasons to switch to Cloud Computing, including the ability to save considerable amounts of money while improving productivity and efficiency. However, there are some security issues that need to be recognised and monitored and this Report will discuss and analyse these Cloud Security issues. 

Security Issues with the Cloud

Organisations often engage with the Cloud without sufficient management understanding or security precautions. 

Perhaps the biggest concerns about Cloud Computing are still the security and privacy issues. The idea of handing over important data to another company rightly concerns some managers. 

Therefore, corporate executives are often hesitant to take advantage of a Cloud Computing System because they feel unsure of their company's information security.

Some of the security questions regarding Cloud Computing are more philosophical:

  • Does the user or company subscribing to the Cloud Computing service own the data? 
  • Does the Cloud Computing system, which provides the actual storage space, own it? 
  • Is it possible for a Cloud Computing company to deny a client access to that client's data? 

Many companies, law firms and universities are debating these and other questions about the nature of Cloud Computing and some of these discussions and arguments can be found by searching the Web.

There's a growing concern in the IT industry about how Cloud Computing could impact the business of computer maintenance and repair. If companies switch to using streamlined computer systems, they'll have fewer IT needs, but also less in-house understanding of the results. 

Some other industry experts believe that the need for IT jobs will migrate to the back end of the Cloud Computing System.

The pressure on the IT Directors, and CIO, not only to deliver a successful migration, but also to accurately predict the financial benefits of the move, is enormous. 

As the cloud evolves important new capabilities, what IDC calls 'Cloud 2.0', the use cases for the cloud will dramatically expand.

Cloud Security

What you need to know when choosing Cloud Storage Services

Most cloud storage breaches were actually facilitated by users who gave away their passwords, often as the victims of phishing. Below are the most common terms you’ll see when shopping for a cloud storage or backup provider.

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure. HTTP (without the “secure”) is a standard of messaging that all Web servers use to transfer Web pages to browsers. HTTPS adds a layer of security to these procedures and it is the bedrock of ecommerce. It’s the system that protects your credit card details when you pay for things online.

SSL and TLS

SSL means Secure Sockets Layer, and this protocol contains the procedures that put the “S” in HTTPS. In 2008, after it had been in use for some time, SSL was found to have some security weaknesses.

The protocol was open to “spoofing,” which means that hackers were able to forge the security certificates that formed the heart of the SSL verification system. These certificates contain the encryption key that the client is supposed to use in order to secure connections. Soon after, Transport Layer Security (TLS) protocol was designed to replace SSL.

Further weaknesses were discovered over the years and they caused the International Engineering Taskforce to “deprecate” the protocol in 2015, which effectively told everyone not to use SSL for security. Although no one implements SSL any more, the term is still often used: in reality, services that say they use SSL actually use TLS.

Two-Factor Authentication

Although banks used to rely on HTTPS alone to secure online banking, most have since kicked their privacy features up a notch with two-factor authentication, which you will often see written as 2FA.

As with most logins, you need a username and a password, but 2FA requires some other method of identification on top of that. This should be something that only the user has and it can be a physical possession, or a secret piece of information. Some banks give clients a special card reader which generates a second pass code, while others will send you an access code by SMS.

iCloud used a keychain fob that generated a code. However, that fob quickly disappeared when Apple integrated 2FA code generation into its standard products.

The Advanced Encryption Standard (AES)

The US National Institute of Standards and Technology commissioned the creation of the Advanced Encryption Standard, or AES, to create a secure method of encryption that could be used by government agencies.

The encryption process involves transforming blocks of numbers by organising them into a series of grids and then adjusting each number in the grid by applying a cryptographic key. The specifications for AES allow for different lengths of encryption keys. The shortest key used for encryption is 128 bits long and is often used for encryption on mobile devices. The most common length of key for cloud storage data encryption is 256 bits.

The length of the encryption key is important because the specifications of AES are publicly available. That means that anyone who knows the algorithm could, in principle, crack the encryption simply by guessing the key, so the key must be long enough that trying every possible value is infeasible.

Blowfish

Those who worry about an encryption system that was created for the US government should look out for cloud storage systems that use the Blowfish security standard. This is older than AES and it had never been cracked until 2016, when the Sweet32 birthday attack was created. Even now, Blowfish is still thought to provide strong enough security for files smaller than 4GB.

The encryption system specification was published in 1993. As with AES, the definition allows for a range of key lengths, which each developer can choose from. The key specs range from 32 bits to 448 bits in length. As with AES, the longer the key, the stronger the security, so check out this stat when selecting a cloud storage provider, like CrashPlan, that uses Blowfish.

RSA

Both AES and Blowfish are symmetric key systems. That means that the key used to encrypt the data is also needed to decrypt it. You may already have thought of a flaw with these methods when used for communicating data. How do both sides of a connection get the same key? If one side sends the shared key to the other, that message cannot itself be encrypted, because until the other computer has the key it would not be able to decrypt it.

The answer to this problem lies with asymmetric key systems, such as RSA. These encryption methods are also known as “public key.” The key that decrypts the protected message is not the same as the one that encrypts it.

It does not matter if a hacker gets hold of the encrypting key because all they will be able to do with it is encrypt messages that only the holder of the corresponding private key could ever decrypt. You cannot derive the private decryption key from the public encryption key.

RSA is named after its creators, Rivest, Shamir and Adleman. Most Internet encryption systems use a public key system to distribute the keys needed for symmetric key systems, such as AES and Blowfish. RSA is the most frequently used public key system for key exchange, and it is used for key distribution in TLS methods, including HTTPS.

RSA has a 1,024-bit key, which is four times longer than the most commonly used AES key length of 256 bits and eight times longer than the minimum-length AES key of 128 bits.

Perfect Forward Secrecy

Internet-based encryption systems rely on client software that communicates with the server. The server is the remote computer that holds the files, the cloud storage facility. The client is at the other end of the connection. In the case of your access to cloud storage, the client is your computer.

When you sign up for a service such as Dropbox, the first thing that will happen is that the website will download an installer file for you to run. This installs the client software. Some Internet security systems will include the key for communication with the server in this download.

A potential problem with keys that are reused is that once someone learns that key, they can decrypt all the communications that your computer has with the server and get access to your private files. Perfect Forward Secrecy (PFS) is a methodology by which a new encryption key is used for each session.

If anyone out there has a system to snoop on your connection and capture the encryption key, they would be wasting their efforts because the next time you connect they would have to start their tasks all over again to get the new key.

Perfect Forward Secrecy adds an extra layer of protection to your privacy because it limits the amount of disclosure that any single security breach can deliver.
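An added example (not from the report) of the per-session key agreement behind Perfect Forward Secrecy, written in Go: each side makes a throw-away X25519 key pair for every session, so no key from one session unlocks another, and the installer-key function beside it models the reused key the text warns about. The SHA-256 key-derivation step is a simplification of the HKDF a real protocol would use, and the installer secret is a constructed value.

```go
package main

// Added example: why a fresh key per session limits what one captured key
// reveals. Per session, each side generates an ephemeral X25519 key pair and
// derives the session key from the shared secret; only public keys cross the
// network and the private halves are discarded when the function returns.
// Deriving the key with a bare SHA-256 is a simplification of HKDF.

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sessionKeys runs one ephemeral ECDH exchange and returns the key each side
// derived, so the caller can confirm they agree. Nothing that could rederive
// the secret survives the call.
func sessionKeys() (client, server [32]byte, err error) {
	curve := ecdh.X25519()
	cPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	sPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Each side combines its own private key with the other's public key.
	cShared, err := cPriv.ECDH(sPriv.PublicKey())
	if err != nil {
		return
	}
	sShared, err := sPriv.ECDH(cPriv.PublicKey())
	if err != nil {
		return
	}
	return sha256.Sum256(cShared), sha256.Sum256(sShared), nil
}

// staticKey models the alternative the text warns about: one secret shipped
// inside the installer and reused for every session.
func staticKey(installerSecret []byte) [32]byte {
	return sha256.Sum256(installerSecret)
}

// forwardSecret reports whether two sessions used different keys, i.e. whether
// learning one session's key says anything about the other.
func forwardSecret(k1, k2 [32]byte) bool { return k1 != k2 }

func main() {
	c1, s1, err := sessionKeys()
	if err != nil {
		panic(err)
	}
	c2, _, _ := sessionKeys()
	fmt.Println("session 1: both sides agree:", c1 == s1)
	fmt.Println("session 2 key differs from session 1:", forwardSecret(c1, c2))
	installer := []byte("constructed-key-baked-into-installer")
	fmt.Println("reused installer key differs between sessions:",
		forwardSecret(staticKey(installer), staticKey(installer)))
	fmt.Println("session 1 key prefix:", hex.EncodeToString(c1[:8]))
}
```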

Zero-Knowledge Encryption

The specialist storage providers now operate zero-knowledge encryption. You may search the Web and discover information on the Zero Knowledge Protocol. That is something else: zero knowledge encryption simply means that all of the encryption of your files takes place on your computer before they are uploaded to the cloud.

The client software uses a separate process to scramble the files using a key that is resident on your computer. Files are then transferred using a standard method, such as TLS.

The employees of a zero-knowledge provider can never get to the raw files, only the encrypted version. As they also could not get access to the key, you are better off with zero-knowledge encryption than with ciphers that are applied during the transfer or when the files reach the server.

Further Security Measures

Zero-knowledge encryption is still not good enough for some. The security-conscious argue that the encryption software and keys all originate from the cloud storage provider, so there is still one central location that is vulnerable to attack.

If anyone wanted to get into all the files on a server that operates a zero-knowledge system, they would just need to hijack the key distribution stage.

If the software on your computer uses an encryption key that the hacker knows, then it really doesn’t matter where the encryption takes place, he can still get access to all the files on that cloud storage server.

If you install encryption software from another company on your computer, you increase your privacy. You can encrypt all of your files manually and then let the cloud storage client software re-encrypt and transfer the data. That way, if some miscreant has got into the cloud storage server’s encryption system, all she can do is decrypt a file to reveal another layer of encryption beneath.

Cracking a security system like that would entail breaking into every encryption software company in the world and manipulating their key distribution procedures. No one has the resources to achieve such a feat.

Final Thoughts

The degree of privacy that you need for your files greatly depends on the type of information you are storing. There is a wide range of cloud storage options out there and they vary from consumer-friendly free services, such as Dropbox, through to business systems that even the NSA could not crack.

Hybrid Cloud

Of all the challenges facing businesses today, two rise above the rest: increasing profits and increasing agility. Cloud computing, whether private, public or hybrid, is helping to do both. 

When considering implementing cloud-based solutions, it is prudent to ask whether the timing is right, which applications to migrate first and which aspects concern IT managers. These questions were answered recently by IT and business managers who participated in a survey conducted by IDG Research.

According to the respondents, the hybrid cloud model offers the most flexibility and scalability, and the time for implementing cloud solutions is now. Respondents also stated that the challenges businesses face in moving to the cloud, while considerable, can be overcome by working in partnership with the right cloud services provider.

Cloud Overview

Three cloud “types” exist: private, public and hybrid. In a private cloud, the entire physical IT infrastructure and data store lie inside the corporate firewall (regardless of physical location), providing the highest degree of control. In a public cloud, servers, storage and applications from one or more third-party providers are offered on a pay-per-use or subscription basis, with infrastructure usually shared by multiple subscribers. A hybrid cloud combines two or more clouds, private or public, into a custom solution that provides scalability and agility while allowing the business to maintain selective control over data, operations and other components.

The hybrid cloud model continues to grow in popularity, offering the best combination of agility, flexibility and security. Servers and other resources can be provisioned and spun up in minutes, rather than the months it often takes to acquire, install and deploy resources in a traditional IT infrastructure. 

Of the IT and business managers surveyed, 21 percent already have implemented a hybrid cloud. More than half (53 percent) plan to do so within the next 12 months. According to a recent NTT Communications report, cloud budgets within the Information and Communications Technologies (ICT) sector are expected to increase 20 percent by 2018. 

But even with that substantial increase in cloud spending, the report found that up to 10 percent of applications, primarily in highly regulated and mechanized sectors, may not be candidates for migration. 

As migration to the cloud broadens, it is inevitable that a corresponding scaling back of traditional corporate IT infrastructures takes place. Nearly half (45 percent) of the IDG survey respondents indicated they currently operate on-premises, non-cloud, physical servers, but expect that level to drop to just 36 percent within a year. In the process, a variety of services are moving to cloud-based infrastructures. Those most likely to be migrated include groupware (cited by 52 percent), database and Web servers (48 percent), directory services (39 percent) and mail servers (35 percent). Groupware, by its very nature a collaborative experience, is an ideal match for the cloud, itself a platform designed for collaboration and sharing. 

Implementing a cloud platform, often complemented with mobile apps for smartphones and tablets, provides businesses with new avenues for reaching customers and employees. To leverage that capability, nearly half of survey respondents plan to expand their cloud efforts globally, with the European Union and South America being targeted first. 

Conquering Concerns

No major technology transformation comes without challenges, and cloud computing is no exception. Profoundly different from traditional centralized IT with its on-premises data centres, the road to cloud migration is not always smooth. Recognizing these impediments is the first step in overcoming them. 

Of the ICT decision-makers surveyed by NTT, 38 percent believe cloud has not yet lived up to its potential within their organization. This result is likely a misalignment of perception with expectation. While many organisations vastly reduce their server footprint, others attain a more modest success. 

“In some cases, organisations have tried to migrate their applications to the cloud and not had much success,” says Indranil Sengupta, Senior Director of Cloud Service Development at NTT America. 

“One reason for this is the age of the application. Many applications as recently as three to five years back were written as ‘stateful’ applications, which means the application code directly interfaces and interacts with the physical environment. These are very difficult to migrate. One has to convert these applications into ‘stateless’ applications first.” 

Three other challenges stand out, according to survey respondents. Half of those surveyed cited the initial integration and design of the hybrid cloud environment as either extremely or very challenging. Once beyond that point, 40 percent noted challenges regarding the transfer of data to the new environment. Finally, 33 percent said that operation with multiple contact points is a concern. Certainly in IT, where multivendor infrastructures and services have long been the norm, this is a familiar challenge. Navigate beyond these three impediments with a knowledgeable cloud services provider, and the journey quickly eases. 

Partner Choice Is Key 

As the migration of existing on-premises infrastructure and applications to a flexible hybrid cloud platform becomes increasingly mainstream, the challenges and critical criteria faced by IT are clearly defined. To surmount these factors, the choice of an experienced cloud service provider that functions as partner, technical facilitator and advisor is essential for success in businesses both large and small. With operational effectiveness and cost optimisation cited by respondents as key criteria when considering cloud-based IT, a provider with demonstrable process maturity is best-positioned to create a comprehensive, cohesive overall experience. 

NTT Communications is the long-distance and international communications and ICT solution provider of NTT, one of the top three telecom companies in the Fortune® Global 500. NTT’s approach to providing cloud-based solutions is built on a foundation of five key considerations: security, compliance, migration, integration and change management. 

Whether it is enterprise-class Infrastructure as a Service, cloud migration, Backup/Recovery as a Service, global virtualization or content delivery, NTT offers system consultation that includes a survey of the current system, design of a cloud ICT infrastructure, and a clear implementation plan and execution. 

__________


For further information or Cloud assistance please contact Tim Heath at Cyber Security Intelligence.                     
