Cognizant 20-20 Insights




Understanding Cloud Security Challenges
Using encryption, obfuscation, virtual LANs and virtual data centers,
cloud providers can deliver trusted security even from physically
shared, multitenant environments, regardless of whether services are
delivered in private, public or hybrid form.


Executive Summary

The need to reduce costs and enable IT responsiveness to business change is driving more and more applications, including critical ones, to various types of cloud platforms. While cloud providers can implement many of the same security measures required of an internal IT group, many companies are still wary. This is especially true for less expensive, multitenant public cloud environments that are inherently less secure than in-house IT environments, assuming that the onsite, internal IT environments follow proper security procedures and have the right technology and standards in place. If not, then public cloud service providers often provide a more secure IT environment than local IT groups.

Providing security for cloud environments that matches the levels found in internal data centers is essential for helping modern organizations compete and for allowing service providers to meet their customers’ needs. However, to match the levels of security that customers experience internally, service providers must make the proper investments in providing, proving and ensuring appropriate levels of security over time. This means building security and trust architectures that ensure each company’s applications and data are isolated and secure from those of other customers in a multitenant environment. By adhering to emerging security standards and leveraging encryption, obfuscation, virtual LANs and virtual data center technologies, service providers can not only provide security services that meet or exceed internal SLAs, but also provide trusted security, even from physically shared, multitenant environments. Companies should understand that public cloud providers must also adhere to the stringent security regulations of the countries in which they operate.

Whether adopted in public, private or hybrid form, or delivered as IaaS, PaaS or SaaS, the cloud imposes unique and stringent security demands. But with appropriate levels of security, trust and governance, service providers can provide a secure environment for company data and applications.

Cloud Security Concerns

The cloud — especially the public, multitenant cloud — raises new and significant security concerns for companies that are accustomed to hosting their data and applications within their own four walls.

Within a traditional internal IT infrastructure, it is comparatively easy to ensure proper security mechanisms, such as authorization, authentication, privacy, confidentiality and nonrepudiation. These mechanisms must be accompanied by proper security policies and processes that are followed by employees. Although some users (such as customers and partners) are outside the organization’s control, the IT staff has physical control over and direct visibility into the IT infrastructure. It can make changes relatively easily to the authorization policies determining which users can take which actions, deciding on the physical locations of servers and databases, and validating the trustworthiness of the individuals managing the systems.

Data stored and processed outside the enterprise firewall involves an inherent level of risk, due to a number of factors. For one, third-party services often bypass the physical, logical and personnel controls that IT shops have over their in-house resources. However, according to local and federal laws, the end user organization can specify the zone of the data center in which its data will reside. Making changes to the service provider’s authorization or access control policies may require going through the provider’s systems and processes. In public, multitenant environments, companies must trust the provider to safeguard their data even though it shares physical hardware with other customers. And lastly, providers may impose limitations on the liability they will accept for security lapses, and there may be a need to work out proper notifications of security- and compliance-related events.

The loss of control in moving applications and data out of the enterprise to a cloud provider, and the resulting challenges in monitoring and governing those resources, create wider security concerns that service providers must address. These include:

• The protection and confidentiality of data as it moves over the Internet to and from the cloud.
• Legal and regulatory compliance.
• Trusting data to the people and processes employed by the provider.
• The threat of confidential data mingling with that of other customers.
• Achieving legal redress in the case of a cloud security violation.
• The viability of the cloud vendor.

All of this makes it more challenging to create trustworthy controls for the monitoring, governance and auditing of the cloud provider environment.

Cloud Security Requirements

Before moving mission-critical data to the cloud, organizations require not just security but robust security that they can trust and monitor. Security is not always a feature offered by cloud providers; sometimes providers require customers to bring their own. Here is a closer look at all three requirements:

• Robust security: Meeting the first requirement — providing robust security — means moving beyond a traditional perimeter-based approach to a layered model that ensures the proper isolation of data, even in a shared, multitenant cloud. This includes content protection at different layers in the cloud infrastructure, such as at the storage, hypervisor, virtual machine and database layers. It also requires mechanisms to provide confidentiality and access control. These may include encryption, obfuscation and key management, as well as isolation and containment, robust log management and an audit infrastructure.

• Trust and assurance: To meet the second requirement — providing trust or assurance — the company needs to have confidence in the integrity of the complete cloud environment. This includes the physical data centers, hardware, software, people and processes employed by the provider. The service provider needs to establish an evidence-based trust architecture and control of the cloud environment, through adequate monitoring and reporting capabilities that assure the customer of transparency around security vulnerabilities and events. This should include audit trails that help the customer meet internal and external demands for provable security, as well as automated notification and alerts that support the customer’s existing problem or incident management protocols so it can manage its total security profile.

Collectively, these capabilities can assure the customer of the operational quality and security of the cloud provider. Companies also need to take an active role in governing their cloud implementations and taking action on the information delivered by the provider.

• Monitoring and governance: This is where the third requirement — cloud governance — comes in: utilities that allow customers to monitor the environment for security, as well as ensure compliance with other KPIs, such as performance and reliability. Using these utilities, customers should be able to perform these activities almost as well as they could in their own data centers. Just as importantly, these utilities allow customers to take appropriate action based on the security information received from the provider. These actions might include shutting down an application that appears to be under attack or forcing the provider to tighten its procedures if critical updates or patches are not being applied on time.

Governance also includes risk management, allowing companies to tailor their security spending to both the likelihood and possible impact of various threats. Doing so requires knowledge of how the service provider monitors for breaches, how security events are detected and reported, and the protection the provider offers from a legal and financial perspective. Well-drafted contracts and a legal framework that defines liability — including whether the provider will reimburse the customer for business losses or just for service interruptions — are all issues the provider must address.

Cloud Security Controls

Cloud security controls can be classified in a tiered model. Front-end security handles authentication and authorization. The middle layer deals with VM (virtual machine) security, OS security, etc. Back-end security handles storage security, data and database security, network security, etc. Delivering assured and verifiable security in the cloud requires separate architectures for security and trust, as well as a framework for governance.

Security Architecture

The security architecture provides the isolation, confidentiality and access control required to protect company data and applications. Here is a look at these three requirements:

• Isolation: To ensure isolation within a multitenant environment, service providers often employ multiple virtual data centers, each on its own virtual LAN, to maintain customer data separation. For further security, each virtual data center can be configured into one or more trust clusters (each including, for example, separate Web servers, application servers and database zones), separated by demilitarized zones (DMZs) and virtual firewalls to ensure multitenancy security.

• Confidentiality: Confidentiality is provided by encryption and/or obfuscation based on business requirements. Encryption might seem like the most complete and foolproof protection, but by completely obscuring the characteristics of the data, it can defeat indexing and search capabilities and increase the expense of filtering, querying or consolidation. Obfuscation retains enough properties of the data to allow these operations, as well as any that rely on the semantics of the data, while obscuring the data sufficiently to destroy its value if compromised. While obfuscation has traditionally been used as a one-way (nonreversible) masking technology, using obfuscation in the cloud to protect data requires the use of new architectures and approaches (such as tokenization) that enable access to the original non-obfuscated data as needed under tight security control.

• Access control: Identity management and provisioning platforms ensure that only authorized users can see the appropriate applications and data. This needs to be backed by compliance, audit and log management, so that customers have a record of which users accessed (or tried to access) which resources, when. In a cloud environment, access and identity management (which proves users are who they claim to be) is often provided through federated identity management that allows customers to use their existing IT management systems in the cloud. Authentication, authorization and validation processes also help ensure access and identity control.

Providers may also need to ensure the integrity of data and messages (whether in transit or resident in the cloud) through strong authentication or other means to make sure data has not been compromised in transit.

Trust Architecture

The trust architecture demonstrates the cloud provider’s level of security through a variety of monitoring, reporting and alert functions. These include:

• Continuous monitoring and automated compliance and reporting protocols, such as Security Content Automation Protocol (SCAP).
• The Cloud Trust Protocol (CTP), the Security, Trust and Assurance Registry (STAR) and Cloud Trust Authority (CTA), which show the provider’s commitment to industry best practices and pave the way for trust to develop over time.
• A proven track record of integrity of the provider’s cloud environments and processes. These range from strong patch management and the use of only digitally signed code, to automated notification and alerts of security breaches, attacks and vulnerabilities.
• A real-time feed of information to an executive dashboard about the number of breaches detected, the amount of unauthorized activity in the customer’s environment and the actions taken to thwart it. Over time, future metrics can be developed based on the initial reports and the historic record used to provide a foundation of trust.

To further elevate their trust architecture, companies can turn to organizations such as the Cloud Security Alliance (CSA) that work to establish and standardize protocols such as CTP and CTA. In addition, Gartner and other industry analysts have identified and classified areas of concern in cloud security.

Governance Framework

This record of information will be used in the governance and risk control framework, where customers make use of data from the provider to ensure ongoing security. This framework should provide:

• The monitoring and control of the provider’s performance against the SLAs (service level agreements) that govern security performance.
• Shared responsibility and accountability between the company and service provider. (The customer, for example, must update the provider about the existence of new data or applications that require certain levels of protection.)
• Identification, assessment and agreement on how to manage ongoing security-related functions. These include assessing, monitoring and reporting of liability and legal risks; managing disaster recovery and business continuity, risks to compliance, IP and business reputation; and providing compliance audits and centralized, policy-driven log management.

Raising Cloud Confidence

The cost and agility benefits of the cloud will continue to drive organizations to migrate more critical applications and services to these platforms. As they do so, they will choose cloud providers that deliver not only the required security but also the assurance of robust security and the governance capabilities to manage ongoing security needs in a cost-effective way.

Companies that choose to work with service providers offering robust security, assurance and governance architectures will have powerful first-mover advantage as competitors of all sizes move more of their business to the cloud.

cognizant 20-20 insights | november 2012
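The Confidentiality and Access control requirements in the Security Architecture section describe tokenization as reversible obfuscation: the data stays searchable, the original is recoverable only under tight control, and there is a record of which users accessed (or tried to access) which resources, when. The following is an added example, not code from the paper or from Cognizant, of a minimal tokenization vault in Python; the vault class, the role names and the sample card numbers are constructed for illustration.

```python
"""Tokenization vault: reversible obfuscation with access control and an audit trail.

Constructed example showing the properties the text attributes to tokenization: tokens
keep length, last four digits and equality so search and consolidation still work; a
leaked token is worthless without the vault; the clear value is recoverable only through
an access-controlled call, and every attempt is logged with user, resource and time.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

DIGITS = "0123456789"


@dataclass(frozen=True)
class AuditEvent:
    when: str       # ISO-8601 UTC timestamp
    user: str
    action: str
    resource: str   # the token requested; the clear value never enters the log
    allowed: bool


class TokenVault:
    """In-memory vault mapping clear values <-> tokens, with per-user permissions.
    Hypothetical: a production vault would keep the mapping in an encrypted or
    HSM-backed store and ship the audit trail to tamper-evident log management."""

    def __init__(self, permissions: dict[str, set[str]]):
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}
        self._permissions = permissions  # user -> set of permitted actions
        self.audit: list[AuditEvent] = []

    def tokenize(self, value: str) -> str:
        """Format-preserving token: same length, same last four digits, random body.
        One token per value (vault lookup), so equality search and joins still work."""
        if not value.isdigit() or len(value) < 8:
            raise ValueError("expected a numeric identifier of at least 8 digits")
        if value in self._to_token:
            return self._to_token[value]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(value) - 4))
            token = body + value[-4:]  # last four kept as the usual display field
            if token not in self._to_value and token != value:  # avoid collisions
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, user: str, token: str) -> str | None:
        """Recover the clear value only for users holding 'detokenize'; log every attempt."""
        permitted = "detokenize" in self._permissions.get(user, set())
        allowed = permitted and token in self._to_value
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, user, "detokenize", token, allowed))
        return self._to_value[token] if allowed else None


def tokenize_records(vault: TokenVault, records: list[dict], field: str) -> list[dict]:
    """Replace one sensitive field in every record with its token."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


def count_by_field(records: list[dict], field: str) -> dict[str, int]:
    """Consolidation query that must keep working on tokenized data."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return counts


def demo() -> dict:
    # Constructed sample: two orders on one card number, a third on another.
    orders = [
        {"order": 1, "card": "4111111111111111"},
        {"order": 2, "card": "4111111111111111"},
        {"order": 3, "card": "5500000000000004"},
    ]
    vault = TokenVault({"fraud-analyst": {"detokenize"}, "report-viewer": set()})
    protected = tokenize_records(vault, orders, "card")
    first = protected[0]["card"]
    return {
        "length_kept": all(len(p["card"]) == 16 for p in protected),
        "last4_kept": all(p["card"][-4:] == o["card"][-4:] for p, o in zip(protected, orders)),
        "no_clear_values": all(p["card"] != o["card"] for p, o in zip(protected, orders)),
        "group_sizes": sorted(count_by_field(protected, "card").values()),
        "analyst": vault.detokenize("fraud-analyst", first),        # allowed
        "viewer": vault.detokenize("report-viewer", first),         # denied, still logged
        "bogus": vault.detokenize("fraud-analyst", "not-a-token"),  # unknown token, denied
        "audit": [(e.user, e.allowed) for e in vault.audit],
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The denied attempt by `report-viewer` and the lookup of an unknown token both appear in the audit list, which is the record an access-control regime needs to show who tried to reach which resource.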




About the Authors
Dr. Jean-Claude Franchitti has 29 years of experience in the information technology industry, including
15 years working for leading IT consulting firms. He is an experienced Enterprise/Solution Architect and
Senior Manager with a track record of technical leadership on large programs. Jean-Claude held senior
management, consulting and technical leadership roles in many large IT strategy, modernization and
implementation projects for Fortune 500 corporations. He was involved in planning and developing all
facets of architecture solutions in a myriad of industries and was exposed to various types of complex
business transformation involving EA, SOA and cloud computing. He teaches as a Professor of Computer
Science at New York University and is the author and co-author of several books and publications. Jean-
Claude holds Ph.D. and M.S. degrees in computer science and an M.S. degree in electrical and computer
engineering from University of Colorado at Boulder. He can be reached at Jean-Claude.Franchitti@cognizant.com | Linkedin: www.linkedin.com/in/jcfranchitti

Purna Roy is a Consulting Principal and Architect with 24 years of industry experience. Purna has held
leadership and management positions with firms in Silicon Valley, startup companies and corporations
such as Charles Schwab and Morgan Stanley. He consults across multiple industry value chains, including
financial, pharmaceutical, retail and manufacturing, and works across business and technology domains.
Purna has been a leading contributor to Cognizant’s cloud consulting assets and a subject matter
expert. Purna holds a master’s degree in computer science from Pennsylvania State University. He can
be reached at Purna.Roy@cognizant.com | Linkedin: www.linkedin.com/in/purnaroy

Anant Bardhan is the Chief Technology Architect within Cognizant’s Advanced Solution Group in North
America. He is actively engaged with many Fortune 500 clients, helping them achieve business agility
and competitive advantage through a series of business transformation initiatives. These include large-
scale business transformation strategy and planning, complex program management and delivery
and enterprise architecture. Anant has 22 years of IT experience and has held architecture leadership
positions, both within the company and at many top-tier enterprises. He holds a master’s degree in
computer science from the University of Illinois and an overseas MBA. Additionally, he is a professional
IT Security Expert with CISA and earned his CISM certification. He can be reached at Ananta.Bardhan@cognizant.com | Linkedin: www.linkedin.com/in/anantbardhan




About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing
services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in
Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry
and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50
delivery centers worldwide and approximately 145,200 employees as of June 30, 2012, Cognizant is a member of the
NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing
and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.




© Copyright 2012, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition Engineered
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 

Understanding Cloud Security Challenges

Cognizant 20-20 Insights | November 2012

Using encryption, obfuscation, virtual LANs and virtual data centers, cloud providers can deliver trusted security even from physically shared, multitenant environments, regardless of whether services are delivered in private, public or hybrid form.

Executive Summary

The need to reduce costs and enable IT responsiveness to business change is driving more and more applications, including critical ones, to various types of cloud platforms. While cloud providers can implement many of the same security measures required of an internal IT group, many companies are still wary. This is especially true for less expensive, multitenant public cloud environments that are inherently less secure than in-house IT environments, assuming that the onsite, internal IT environments follow proper security procedures and have the right technology and standards in place. If not, then public cloud service providers often provide a more secure IT environment than local IT groups.

Providing security for cloud environments that matches the levels found in internal data centers is essential for helping modern organizations compete and for allowing service providers to meet their customers’ needs. However, to match the levels of security that customers experience internally, service providers must make the proper investments in providing, proving and ensuring appropriate levels of security over time.

This means building security and trust architectures that ensure each company’s applications and data are isolated and secure from those of other customers in a multitenant environment. By adhering to emerging security standards and leveraging encryption, obfuscation, virtual LANs and virtual data center technologies, service providers can not only provide security services that meet or exceed internal SLAs, but also provide trusted security, even from physically shared, multitenant environments. Companies should understand that public cloud providers must also adhere to the stringent security regulations of the countries in which they operate.

Whether adopted in public, private or hybrid form, or delivered as IaaS, PaaS or SaaS, the cloud imposes unique and stringent security demands. But with appropriate levels of security, trust and governance, service providers can provide a secure environment for company data and applications.

Cloud Security Concerns

The cloud — especially the public, multitenant cloud — raises new and significant security concerns for companies that are accustomed to hosting their data and applications within their own four walls.

Within a traditional internal IT infrastructure, it is comparatively easy to ensure proper security mechanisms, such as authorization, authentication, privacy, confidentiality and nonrepudiation. These mechanisms must be accompanied by proper security policies and processes that are followed by employees. Although some users (such as customers and partners) are outside the organization’s control, the IT staff has physical control over and direct visibility into the IT infrastructure. It can make changes relatively easily to the authorization policies determining which users can take which actions, decide on the physical locations of servers and databases, and validate the trustworthiness of the individuals managing the systems.

Data stored and processed outside the enterprise firewall involves an inherent level of risk, due to a number of factors. For one, third-party services often bypass the physical, logical and personnel controls that IT shops have over their in-house resources. However, according to local and federal laws, the end user organization can specify the zone of the data center in which its data will reside. Making changes to the service provider’s authorization or access control policies may require going through the provider’s systems and processes. In public, multitenant environments, companies must trust the provider to safeguard their data even though it shares physical hardware with other customers.

And lastly, providers may impose limitations on the liability they will accept for security lapses, and there may be a need to work out proper notifications of security- and compliance-related events.

The loss of control in moving applications and data out of the enterprise to a cloud provider, and the resulting challenges in monitoring and governing those resources, create wider security concerns that service providers must address. These include:

• The protection and confidentiality of data as it moves over the Internet to and from the cloud.
• Legal and regulatory compliance.
• Trusting data to the people and processes employed by the provider.
• The threat of confidential data mingling with that of other customers.
• Achieving legal redress in the case of a cloud security violation.
• The viability of the cloud vendor.

All of this makes it more challenging to create trustworthy controls for the monitoring, governance and auditing of the cloud provider environment.

Cloud Security Requirements

Before moving mission-critical data to the cloud, organizations require not just security but robust security that they can trust and monitor. Security is not always a feature offered by cloud providers; sometimes providers require customers to bring their own. Here is a closer look at all three requirements:

• Robust security: Meeting the first requirement — providing robust security — means moving beyond a traditional perimeter-based approach to a layered model that ensures the proper isolation of data, even in a shared, multitenant cloud. This includes content protection at different layers in the cloud infrastructure, such as at the storage, hypervisor, virtual machine and database layers. It also requires mechanisms to provide confidentiality and access control. These may include encryption, obfuscation and key management, as well as isolation and containment, robust log management and an audit infrastructure.

• Trust and assurance: To meet the second requirement — providing trust or assurance — the company needs to have confidence in the integrity of the complete cloud environment. This includes the physical data centers, hardware, software, people and processes employed by the provider. The service provider needs to establish an evidence-based trust architecture and control of the cloud environment, through adequate monitoring and reporting capabilities that assure the customer of transparency around security vulnerabilities and events. This should include audit trails that help the customer meet internal and external demands for provable security, as well as automated notification and alerts that support the customer’s existing problem or incident management protocols so it can manage its total security profile.

Collectively, these capabilities can assure the customer of the operational quality and security of the cloud provider. Companies also need to take an active role in governing their cloud implementations and taking action on the information delivered by the provider.

• Monitoring and governance: This is where the third requirement — cloud governance — comes in: utilities that allow customers to monitor the environment for security, as well as ensure compliance with other KPIs, such as performance and reliability. Using these utilities, customers should be able to perform these activities almost as well as they could in their own data centers. Just as importantly, these utilities allow customers to take appropriate action based on the security information received from the provider. These actions might include shutting down an application that appears to be under attack or forcing the provider to tighten its procedures if critical updates or patches are not being applied on time. Governance also includes risk management, allowing companies to tailor their security spending to both the likelihood and possible impact of various threats. Doing so requires knowledge of how the service provider monitors for breaches, how security events are detected and reported, and the protection the provider offers from a legal and financial perspective. Well-drafted contracts and a legal framework that defines liability — including whether the provider will reimburse the customer for business losses or just for service interruptions — are all issues the provider must address.

Cloud Security Controls

Cloud security controls can be classified in a tiered model. Front-end security handles authentication and authorization. The middle layer deals with VM (virtual machine) security, OS security, etc. Back-end security handles storage security, data and database security, network security, etc. Delivering assured and verifiable security in the cloud requires separate architectures for security and trust, as well as a framework for governance.

Security Architecture

The security architecture provides the isolation, confidentiality and access control required to protect company data and applications. Here is a look at these three requirements:

• Isolation: To ensure isolation within a multitenant environment, service providers often employ multiple virtual data centers, each on its own virtual LAN, to maintain customer data separation. For further security, each virtual data center can be configured into one or more trust clusters (each including, for example, separate Web servers, application servers and database zones), separated by demilitarized zones (DMZs) and virtual firewalls to ensure multitenancy security.

• Confidentiality: Confidentiality is provided by encryption and/or obfuscation based on business requirements. Encryption might seem like the most complete and foolproof protection, but by completely obscuring the characteristics of the data, it can defeat indexing and search capabilities and increase the expense of filtering, querying or consolidation. Obfuscation retains enough properties of the data to allow these operations, as well as any that rely on the semantics of the data, while obscuring the data sufficiently to destroy its value if compromised.

While obfuscation has traditionally been used as a one-way (nonreversible) masking technology, using obfuscation in the cloud to protect data requires the use of new architectures and approaches (such as tokenization) that enable access to the original non-obfuscated data as needed under tight security control.

• Access control: Identity management and provisioning platforms ensure that only authorized users can see the appropriate applications and data. This needs to be backed by compliance, audit and log management, so that customers have a record of which users accessed (or tried to access) which resources, when. In a cloud environment, access and identity management (which proves users are who they claim to be) is often provided through federated identity management that allows customers to use their existing IT management systems in the cloud. Authentication, authorization and validation processes also help ensure access and identity control.

Providers may also need to ensure the integrity of data and messages (whether in transit or resident in the cloud) through strong authentication or other means to make sure data has not been compromised in transit.

Trust Architecture

The trust architecture demonstrates the cloud provider’s level of security through a variety of monitoring, reporting and alert functions. These include:

• Continuous monitoring and automated compliance and reporting protocols, such as Security Content Automation Protocol (SCAP).
• The Cloud Trust Protocol (CTP), the Security, Trust and Assurance Registry (STAR) and Cloud Trust Authority (CTA), which show the provider’s commitment to industry best practices and pave the way for trust to develop over time.
• A proven track record of integrity of the provider’s cloud environments and processes. These range from strong patch management and the use of only digitally signed code, to automated notification and alerts of security breaches, attacks and vulnerabilities.
• A real-time feed of information to an executive dashboard about the number of breaches detected, the amount of unauthorized activity in the customer’s environment and the actions taken to thwart it. Over time, future metrics can be developed based on the initial reports and the historic record used to provide a foundation of trust.

To further elevate their trust architecture, companies can turn to organizations such as the Cloud Security Alliance (CSA) that work to establish and standardize protocols such as CTP and CTA. In addition, Gartner and other industry analysts have identified and classified areas of concern in cloud security.

Governance Framework

This record of information will be used in the governance and risk control framework, where customers make use of data from the provider to ensure ongoing security. This framework should provide:

• The monitoring and control of the provider’s performance against the SLAs (service level agreements) that govern security performance.
• Shared responsibility and accountability between the company and service provider. (The customer, for example, must update the provider about the existence of new data or applications that require certain levels of protection.)
• Identification, assessment and agreement on how to manage ongoing security-related functions. These include assessing, monitoring and reporting of liability and legal risks; managing disaster recovery and business continuity, risks to compliance, IP and business reputation; and providing compliance audits and centralized, policy-driven log management.

Raising Cloud Confidence

The cost and agility benefits of the cloud will continue to drive organizations to migrate more critical applications and services to these platforms. As they do so, they will choose cloud providers that deliver not only the required security but also the assurance of robust security and the governance capabilities to manage ongoing security needs in a cost-effective way. Companies that choose to work with service providers offering robust security, assurance and governance architectures will have powerful first-mover advantage as competitors of all sizes move more of their business to the cloud.
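The Confidentiality discussion in the Security Architecture section contrasts encryption, which hides every property of the data, with obfuscation that keeps enough structure for indexing and search, and notes that tokenization adds a tightly controlled way back to the original value. The following Python example is added here to make that concrete; it is not code from the paper or from Cognizant. It shows a small token vault: a deterministic, format-preserving token keeps equality lookups working on the tokenized column, a one-way mask is shown for contrast, and detokenization is gated by role and audited. The HMAC key, the card numbers and the "fraud-analyst" role are constructed for illustration.

```python
"""Reversible tokenization behind a vault with role-gated detokenization.

Added example; not code from the Cognizant paper. The HMAC key, the card
numbers and the "fraud-analyst" role are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def mask(pan: str) -> str:
    """Traditional one-way obfuscation: the original cannot be recovered."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Issues format-preserving tokens and maps them back to the originals."""

    def __init__(self, hmac_key: bytes, detokenize_roles=("fraud-analyst",)):
        self._key = hmac_key
        self._store: dict[str, str] = {}   # token -> original value (the vault)
        self._audit: list[tuple] = []
        self._roles = frozenset(detokenize_roles)

    def token_for(self, pan: str) -> str:
        """Compute the token without storing anything (safe for query code)."""
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and len(digits) == 16):
            raise ValueError("expected a 16-digit card number")
        # Deterministic: equal inputs give equal tokens, so indexes, equality
        # searches and joins keep working on the tokenized column.
        mac = hmac.new(self._key, digits.encode(), hashlib.sha256).digest()
        body = str(int.from_bytes(mac[:8], "big") % 10**12).zfill(12)
        return body + digits[-4:]           # last four kept for display/search

    def tokenize(self, pan: str) -> str:
        """Store the mapping so the original can be retrieved later under control."""
        digits = pan.replace(" ", "")
        token = self.token_for(digits)
        existing = self._store.get(token)
        if existing is not None and existing != digits:
            raise RuntimeError("token collision; a production vault must handle this")
        self._store[token] = digits
        return token

    def detokenize(self, token: str, principal: str, role: str) -> str:
        """Return the original only to permitted roles; every attempt is audited."""
        if role not in self._roles:
            self._audit.append(("DENY", principal, role, token))
            raise PermissionError(f"{principal} ({role}) may not detokenize")
        self._audit.append(("ALLOW", principal, role, token))
        return self._store[token]

    def audit_trail(self) -> list:
        return list(self._audit)


def find_equal(tokenized_rows, vault: TokenVault, pan: str) -> list:
    """Equality search over tokenized rows; nothing is detokenized."""
    needle = vault.token_for(pan)
    return [row_id for row_id, token in tokenized_rows if token == needle]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    rows = [("r1", vault.tokenize("4111 1111 1111 1111")),
            ("r2", vault.tokenize("5500 0000 0000 0004")),
            ("r3", vault.tokenize("4111111111111111"))]
    print(rows)
    print(mask("4111111111111111"))
    print(find_equal(rows, vault, "4111111111111111"))
    print(vault.detokenize(rows[0][1], "alice", "fraud-analyst"))
```

The design choice worth noting is that the searchable property (equality) comes from the token being deterministic under a secret key, while reversibility comes only from the vault and its access check; the token itself carries no way back to the original, so a leaked tokenized table has destroyed value, which is the trade-off the paper describes.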
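The Access control section asks for a record of which users accessed (or tried to access) which resources and when, and the Trust Architecture section asks for a real-time feed of unauthorized activity with automated alerts. The following Python example is added here to tie those together; it is not code from the paper or from Cognizant. It shows an authorization point that logs every decision as a structured audit event, a tenant-scoped dashboard feed that never mixes one customer's events with another's, and a simple threshold alert. The policy, tenants, principals and timestamps are constructed for illustration.

```python
"""Access decisions with a tenant-scoped audit trail and dashboard feed.

Added example; not code from the Cognizant paper. The policy, tenants,
principals and timestamps below are constructed for illustration.
"""
import json
from collections import Counter
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: resource -> role -> permitted actions
POLICY = {
    "claims-app": {"adjuster": {"read", "write"}, "auditor": {"read"}},
    "customer-db": {"dba": {"read", "write"}, "auditor": {"read"}},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    tenant: str
    principal: str
    role: str
    resource: str
    action: str
    outcome: str


class AccessGateway:
    """Front-end authorization point that records every decision it makes."""

    def __init__(self, policy):
        self._policy = policy
        self.audit: list[AuditEvent] = []

    def authorize(self, tenant, principal, role, resource, action, now: datetime) -> bool:
        allowed = action in self._policy.get(resource, {}).get(role, set())
        self.audit.append(AuditEvent(now.isoformat(), tenant, principal, role,
                                     resource, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def export_audit(self) -> str:
        """One JSON record per line, ready for a customer's log management pipeline."""
        return "\n".join(json.dumps(asdict(e)) for e in self.audit)


def dashboard_feed(events, tenant):
    """Per-tenant metrics; other tenants' events never appear in this view."""
    mine = [e for e in events if e.tenant == tenant]
    denied = Counter(e.principal for e in mine if e.outcome == "DENY")
    return {
        "tenant": tenant,
        "decisions": len(mine),
        "denied": sum(denied.values()),
        "denied_by_principal": dict(denied),
    }


def alerts(events, tenant, threshold=3):
    """Principals whose denied attempts reached the threshold (automated notification)."""
    feed = dashboard_feed(events, tenant)
    return sorted(p for p, n in feed["denied_by_principal"].items() if n >= threshold)


def replay_constructed_attempts() -> AccessGateway:
    """Replay a constructed sequence of access attempts from two tenants."""
    gw = AccessGateway(POLICY)
    t0 = datetime(2012, 11, 1, 9, 0, tzinfo=timezone.utc)
    attempts = [
        ("acme", "alice", "adjuster", "claims-app", "read"),
        ("acme", "alice", "adjuster", "claims-app", "write"),
        ("acme", "bob", "auditor", "claims-app", "write"),
        ("acme", "bob", "auditor", "customer-db", "write"),
        ("acme", "bob", "auditor", "customer-db", "read"),
        ("acme", "frank", "adjuster", "customer-db", "read"),
        ("acme", "frank", "adjuster", "customer-db", "write"),
        ("acme", "frank", "adjuster", "customer-db", "read"),
        ("globex", "carol", "dba", "customer-db", "write"),
        ("globex", "dave", "auditor", "claims-app", "write"),
    ]
    for i, (tenant, principal, role, resource, action) in enumerate(attempts):
        gw.authorize(tenant, principal, role, resource, action, t0 + timedelta(minutes=i))
    return gw


if __name__ == "__main__":
    gw = replay_constructed_attempts()
    print(gw.export_audit())
    print(dashboard_feed(gw.audit, "acme"))
    print(alerts(gw.audit, "acme"))
```

The feed is filtered by tenant before any counting, so a customer reading its dashboard sees its own denied attempts and nothing about the other tenants sharing the gateway; the exported audit lines are what the paper's "record of which users accessed (or tried to access) which resources, when" would look like when handed to the customer's own log management.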
About the Authors

Dr. Jean-Claude Franchitti has 29 years of experience in the information technology industry, including 15 years working for leading IT consulting firms. He is an experienced Enterprise/Solution Architect and Senior Manager with a track record of technical leadership on large programs. Jean-Claude held senior management, consulting and technical leadership roles in many large IT strategy, modernization and implementation projects for Fortune 500 corporations. He was involved in planning and developing all facets of architecture solutions in a myriad of industries and was exposed to various types of complex business transformation involving EA, SOA and cloud computing. He teaches as a Professor of Computer Science at New York University and is the author and co-author of several books and publications. Jean-Claude holds Ph.D. and M.S. degrees in computer science and an M.S. degree in electrical and computer engineering from University of Colorado at Boulder. He can be reached at Jean-Claude.Franchitti@cognizant.com | LinkedIn: www.linkedin.com/in/jcfranchitti

Purna Roy is a Consulting Principal and Architect with 24 years of industry experience. Purna has held leadership and management positions with firms in Silicon Valley, startup companies and corporations such as Charles Schwab and Morgan Stanley. He consults across multiple industry value chains, including financial, pharmaceutical, retail and manufacturing, and works across business and technology domains. Purna has been a leading contributor to Cognizant’s cloud consulting assets and a subject matter expert. Purna holds a master’s degree in computer science from Pennsylvania State University. He can be reached at Purna.Roy@cognizant.com | LinkedIn: www.linkedin.com/in/purnaroy

Anant Bardhan is the Chief Technology Architect within Cognizant’s Advanced Solution Group in North America. He is actively engaged with many Fortune 500 clients, helping them achieve business agility and competitive advantage through a series of business transformation initiatives. These include large-scale business transformation strategy and planning, complex program management and delivery and enterprise architecture. Anant has 22 years of IT experience and has held architecture leadership positions, both within the company and at many top-tier enterprises. He holds a master’s degree in computer science from the University of Illinois and an overseas MBA. Additionally, he is a professional IT Security Expert with CISA and earned his CISM certification. He can be reached at Ananta.Bardhan@cognizant.com | LinkedIn: www.linkedin.com/in/anantbardhan

About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 145,200 employees as of June 30, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

© Copyright 2012, Cognizant. All rights reserved.