IT executives and cloud planners have enough to worry about in the area of application and data security without...
hearing about new threats in the cloud. Is your information more at risk to malware in the cloud? Do you need new protection measures or tools? To decide, baseline your current risk, secure your cloud management interfaces, review the security of your cloud provider's architecture, and focus attention on special-risk cloud relationships and services. Through all of this, focus on dealing with the new or "incremental" risks the cloud creates, or you'll chase security issues forever.
Was your pre-cloud environment protected?
The first question, and one often overlooked in cloud malware threat assessment, is whether your pre-cloud environment was adequately protected against malware. The most effective way of addressing the security risks associated with a new technology or hosting option is to ask the question, "What is my incremental risk in the new application framework?" "Incremental risk" means risk that wasn't being faced (and accepted) before.
Most malware is introduced not into server application components but into client and user systems. Those systems have to be protected as your first line of defense, no matter where the applications are hosted. Take the time to do a complete audit of your measures to protect users against malware, including BYOD policies, virus scanning of systems on a regular basis, and scanning of emails and assessments of risk on websites accessed using devices also used for work. There is little point to assessing cloud malware risk if you haven't controlled your client-system risk.
The second step is to understand what cloud malware actually means and does. Many botnets and other hackers' tools are hosted in the cloud today, but those don't necessarily threaten your cloud applications any more than they would threaten the same applications running in your data center, and they can't be controlled by you in any case. You should focus instead on cloud management system security, and on "crosstalk" within the cloud that could put your applications at risk.
Helpful measures to protect against cloud malware
Anyone who can access your cloud management system's user interface can deploy something in your cloud or potentially change something already there. That means that these CMS interfaces have to be among the most secure in your business. You must limit the number of users with access and you must insist that access be made through "clean" systems used for no personal purposes and with no access to standard Internet sites or email, and that all changes to the cloud made through the interfaces be recorded and audited.
"Crosstalk" is a source of cloud malware risk that's often a concern to users. Unlike your own data center, a cloud runs applications from others, and some of those apps could be malware. To prevent this malware from infecting you within the cloud, there are three helpful measures:
- Run virus scans on your application images in the cloud, just as you'd do for applications running on your own servers.
- Make sure that your cloud provider's architecture isolates applications at the network level. A good cloud service will give your applications "private IP addresses" and map them to public addresses only where access is needed. Connections among components inside the cloud should be kept on private addresses where possible to ensure that others can't make the connections.
- Access your applications through a virtual private network, either an Internet VPN (IPsec, SSL) or a facility VPN offered by a service provider. This prevents others from creeping into your applications through an Internet link.
Your public addresses for cloud applications or components have to be subject to special monitoring and security. Most companies can detect attacks on their own data center resources because the attacks enter their own networks at some point, and traffic can be detected. Your cloud applications can be reached without entering your data center, and you may not see the traffic. Use all available statistics on your applications to assess the traffic patterns at your application access points, and watch for signs of an attack. If you see unusual activity report it to your network operator and cloud provider, but increase the rate at which you scan your cloud apps for malware as well.
When assessing cloud malware risk, beware of partners
The final point in addressing cloud malware risk is to beware of your partners. In many cases, one of the reasons for hosting an application in the cloud is to facilitate access to the application by customers or trading partners. This access is "new," and thus may not be fully secured. It will always present a risk of malware.
Technology to secure Web portals is fairly well-known, and standard measures for application security can be applied to customer and partner portals offered through Web servers. A key element in this security is to provide a Web front-end and a back-end application server that does effective transaction editing before the data is moved from the cloud into the data center, or processed by a cloud application.
If you're using any direct application link with a customer or partner -- either a formal standard like Electronic Data Interchange (EDI) or just an informal exchange of XML or JSON structures to move business information -- you should ensure all these exchanges are auditable. EDI networks will provide audit services to allow transaction sources and times to be logged and reviewed, but bilateral connections with partners will depend on your own audit trail. Be sure that both sides collect transaction data and settle and match the data at least weekly, and daily if volumes are high. That will alert you to the possibility that an intruder is accessing what's intended to be a trusted customer and partner link in the cloud.
A look at cloud malware analysis tools
The benefits of cloud-based malware analysis tools