Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

From LIMSWiki
The ''Flexera 2020 State of the Cloud Report'' and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent of respondents had already implemented a multicloud strategy within their organization.<ref name="WeinsCloud20">{{cite web |url=https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/ |title=Cloud Computing Trends: 2020 State of the Cloud Report |author=Weins, K. |work=Flexera Blog |date=21 May 2020 |accessdate=21 August 2021}}</ref> A 2020 report by IDC predicted 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have a sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.<ref name="IDCExpects2021_20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prMETA46165020 |title=IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility |author=International Data Corporation |publisher=International Data Corporation |date=31 March 2020 |accessdate=21 August 2021}}</ref> These complexities were discussed in Chapter 1; hybrid cloud reveals a greater attack surface, complicates security protocols, and raises integration costs,<ref name="CFWhatIsHybrid">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/ |title=What Is Hybrid Cloud? Hybrid Cloud Definition |publisher=Cloudflare, Inc |accessdate=04 March 2021}}</ref><ref name="HurwitzWhat21">{{cite web |url=https://www.dummies.com/programming/cloud-computing/hybrid-cloud/what-is-hybrid-cloud-computing/ |title=What is Hybrid Cloud Computing? |work=Dummies.com |author=Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. |publisher=John Wiley & Sons, Inc |date=2021 |accessdate=21 August 2021}}</ref> while multicloud brings with it differences in technologies between vendors, latency complexities between the services, increased points of attack with more integrations, and load balancing issues between the services.<ref name="CFWhatIsMulti">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-multicloud/ |title=What Is Multicloud? Multicloud Definition |publisher=Cloudflare, Inc |accessdate=21 August 2021}}</ref> Broadly speaking, these complexities and security challenges arise out of the fact that more systems must be integrated.


As of April 2021, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers don't provide public cloud services but rather take a service-based approach to supplying hardware, software, and managed services that help customers adopt a hybrid or multicloud approach for their business. From a security perspective, we have to ask, at a minimum, three questions about these companies:


* How do they manage your data and security in a trustworthy way?
* How are cloud technologies and services developed and audited for security?
* What public CSPs do they publicly state their technologies and services support or integrate with?


In this context of trust, these companies should have a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four CSPs; HPE's trust center could not be located. Whether through internal secure development processes or external auditing practices, the security of the technology and services offered by these providers remains vital, and they should be able to demonstrate this by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs are supported by, and ideally integrated with, the provider's hybrid and multicloud services. Not all public clouds are fully supported by these providers. See Table 6 for links to these three security and interoperability aspects for each hybrid/multicloud CSP.


{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 6.''' Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Trust center
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Development and auditing practices
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Public clouds supported (U.S.)
|- 
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-director/index.html Cisco CloudCenter and UCS Director]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/about/trust-center.html Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|According to a [https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/cc-suite-saas-trust-center.pdf 2019 document], Cisco is "evaluating SOC 2 as a potential roadmap item" for CloudCenter.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/at-a-glance-c45-741883.pdf Alibaba, Amazon, Google, IBM, Microsoft]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/cloud/dell-technologies-cloud.htm Dell Technologies Cloud]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://corporate.delltechnologies.com/en-us/about-us/security-and-trust-center/index.htm#tab0=1 Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.dell.com/en-us/shop/secure-development/cp/secure-development Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/data-protection/powerprotect-dd-series/cloud-tier.htm Alibaba, Amazon, Google, IBM, Microsoft]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/greenlake.html HPE GreenLake]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/solutions/cloud.html Amazon, Google, Microsoft]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/ VMware Cloud]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center/compliance/soc Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.vmware.com/cloud-solutions/hybrid-cloud.html Amazon, Google, IBM, Microsoft, Oracle]
|-
|}
|}
 
Managing your share of security in the hybrid cloud has several challenges. Most of those challenges involve attempting to manage and control multiple distributed systems. Giving administrators the ability to see into this complex network of components, at all levels, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful when scanning for and remediating problems detected with security controls, which in turn allows for documented changes and more reproducible processes. Disk encryption and network encryption tools may also need to be more robustly employed to protect data at rest and data in motion between private and public clouds. And of course, segmentation of services based on data sensitivity may be necessary.<ref name="KasperskyWhatIs">{{cite web |url=https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security |title=What is Cloud Security? |work=Resource Center |publisher=AO Kaspersky Lab |date=2021 |accessdate=21 August 2021}}</ref><ref name="KernerFour18">{{cite web |url=https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them |title=4 hybrid-cloud security challenges and how to overcome them |author=Kerner, L. |work=TechBeacon |date=2018 |accessdate=21 August 2021}}</ref>
 
Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."<ref name="PrattBuilding20">{{cite web |url=https://www.csoonline.com/article/3584735/building-stronger-multicloud-security-3-key-elements.html |title=Building stronger multicloud security: 3 key elements |author=Pratt, M.K. |work=CSO |date=14 December 2020 |accessdate=21 August 2021}}</ref> Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.<ref name="PrattBuilding20" />
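The two paragraphs above describe the same remedy from two angles: automated scanning of security controls across a hybrid estate, and one unified policy applied over CSPs whose tooling differs. The following Python is an added example (not from this page, Kaspersky, TechBeacon or CSO) of what that looks like in practice: two inventory exports with deliberately different field shapes (both constructed here, not real provider API schemas) are mapped onto one resource model, and a single rule set for encryption at rest, public exposure, transport security and data-sensitivity segmentation is evaluated over all of it. The provider names, resource ids, rule ids and remediation hints are assumptions.

```python
"""Unified security-control checks over resources from more than one cloud.

Added example. Each provider exports its inventory in its own shape (the two
shapes below are constructed stand-ins, not real provider APIs); adapters map
them onto one model, and a single rule set is evaluated over all of it, so a
hybrid/multicloud estate is judged by one policy rather than per-vendor tools.
"""
from dataclasses import dataclass


@dataclass
class Resource:
    provider: str            # "cloud-a", "cloud-b" or "private"
    rid: str
    kind: str                # "disk" | "bucket" | "endpoint"
    data_class: str          # "internal" | "restricted" (owner's classification)
    encrypted_at_rest: bool = True
    public: bool = False
    tls_min: str = "1.2"     # compared as text; adequate for 1.0 .. 1.3


# Constructed inventory exports, one per provider, with deliberately different keys.
CLOUD_A_EXPORT = [
    {"id": "vol-1", "type": "volume", "encryption": {"enabled": False},
     "tags": {"class": "internal"}},
    {"id": "bkt-1", "type": "storage", "acl": "public-read",
     "encryption": {"enabled": True}, "tags": {"class": "restricted"}},
]
CLOUD_B_EXPORT = [
    {"name": "lb-1", "resource": "loadBalancer", "minTlsVersion": "1.0",
     "labels": {"class": "internal"}},
    {"name": "disk-1", "resource": "disk", "diskEncryption": "customerManaged",
     "labels": {"class": "internal"}},
]


def from_cloud_a(item):
    """Adapter: provider A's export record -> common Resource model."""
    kind = {"volume": "disk", "storage": "bucket"}[item["type"]]
    return Resource("cloud-a", item["id"], kind, item["tags"]["class"],
                    encrypted_at_rest=item["encryption"]["enabled"],
                    public=item.get("acl", "private").startswith("public"))


def from_cloud_b(item):
    """Adapter: provider B's export record -> common Resource model."""
    kind = {"loadBalancer": "endpoint", "disk": "disk"}[item["resource"]]
    return Resource("cloud-b", item["name"], kind, item["labels"]["class"],
                    encrypted_at_rest=item.get("diskEncryption", "none") != "none",
                    tls_min=item.get("minTlsVersion", "1.2"))


# (rule id, description, predicate that is True on a violation, remediation hint)
RULES = [
    ("ENC-001", "data at rest must be encrypted",
     lambda r: r.kind in ("disk", "bucket") and not r.encrypted_at_rest,
     "enable encryption with a managed key"),
    ("NET-001", "storage must not be publicly readable",
     lambda r: r.kind == "bucket" and r.public,
     "remove the public grant"),
    ("TLS-001", "endpoints must require TLS 1.2 or newer",
     lambda r: r.kind == "endpoint" and r.tls_min < "1.2",
     "raise the minimum TLS version"),
    ("SEG-001", "restricted data stays in the private segment",
     lambda r: r.data_class == "restricted" and r.provider != "private",
     "relocate to the private cloud or re-classify"),
]


def evaluate(resources):
    """Return one finding dict per violated (rule, resource) pair."""
    return [{"rule": rid, "provider": r.provider, "resource": r.rid,
             "issue": desc, "fix": fix}
            for r in resources
            for rid, desc, violates, fix in RULES if violates(r)]


def inventory():
    """Normalized view of every provider's export, ready for one rule set."""
    return ([from_cloud_a(i) for i in CLOUD_A_EXPORT]
            + [from_cloud_b(i) for i in CLOUD_B_EXPORT])


if __name__ == "__main__":
    for f in evaluate(inventory()):
        print(f"{f['rule']} {f['provider']}/{f['resource']}: {f['issue']} -> {f['fix']}")
```

The adapters are the only provider-specific code; everything after them is provider-neutral, which is what lets a finding such as "restricted data outside the private segment" be raised consistently no matter which CSP holds the resource. Feeding the same `evaluate` output into a ticketing or remediation pipeline gives the documented, reproducible changes the hybrid cloud paragraph asks for.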


==References==
{{Reflist|colwidth=30em}}

Revision as of 23:07, 3 February 2022

Before we move on to discussing SaaS solutions, let's take a quick moment to recognize a few additional security peculiarities particular to using cloud services and developing in the cloud. These peculiarities may not apply to you and your organization, but it's useful to recognize them, if nothing else because they highlight how deeply woven security must be into the thinking of CSPs and their clients.

First, let's look at container security. In Chapter 1, a container was referred to as "a complete runtime environment," but little else was said. In cloud computing, a container—as defined by IBM—is "an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud."[1] These prove beneficial in cloud computing because containers act as a lightweight, portable way of replicating an isolated application across different environments, independent of operating system and underlying hardware. This essentially makes deployment into a cloud environment—or multiple clouds—a much more approachable task.[2]

But with convenience also comes responsibility towards ensuring the security of the container. Unfortunately, the necessary precautions don't always get taken. According to GitLab's 2020 Global DevSecOps Survey, "56% of developers simply don’t run container scans, and a majority of DevOps teams don’t have a security plan in place for containers or many other cutting edge software technologies, including cloud native/serverless, APIs, and microservices."[3] As such, it would appear more implementation teams should be updating and implementing revised security plans to address the complexities of container security, including the use of container orchestration, image validation, role-based access management, security testing, and runtime security monitoring. NIST's SP 800-190 Application Container Security Guide, while slightly dated, provides a useful reference for more on the topic of container security.[3][4]
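As an added illustration of the image-validation and least-privilege themes from SP 800-190 mentioned above (example code, not from this page, NIST or GitLab), the following Python checks a Kubernetes Pod manifest, in the JSON shape `kubectl get pod -o json` returns, for a handful of hardening settings: images pinned by digest rather than tag, no host namespaces, no privileged containers, non-root execution, no privilege escalation, a read-only root filesystem, and all Linux capabilities dropped. The `securityContext` field names are the real Kubernetes Pod and Container fields; the two sample manifests, the registry name and the digest value are constructed.

```python
"""Static hardening checks on a Kubernetes Pod manifest (constructed example).

Themes follow NIST SP 800-190: image provenance (pin by digest, not by tag),
least privilege (non-root, no privilege escalation, no capabilities) and
runtime isolation (no host namespaces, read-only root filesystem).
"""
import json

# Constructed sample manifests in the shape `kubectl get pod -o json` returns.
# The registry name and the digest are placeholders, not real artifacts.
INSECURE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "app",
                          "image": "registry.example/app:latest",
                          "securityContext": {"privileged": true}}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
          "containers": [{"name": "app",
                          "image": "registry.example/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                          "securityContext": {"allowPrivilegeEscalation": false,
                                              "readOnlyRootFilesystem": true,
                                              "capabilities": {"drop": ["ALL"]}}}]}}
""")


def _containers(pod):
    """Regular and init containers are both subject to the checks."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_pod(pod):
    """Return a list of (scope, finding) tuples; an empty list means no findings."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing a host namespace defeats the isolation containers are meant to give.
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append(("pod", "shares a host namespace (hostNetwork/hostPID/hostIPC)"))

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # A tag such as ":latest" can be re-pointed in the registry; a digest cannot.
        if "@sha256:" not in image:
            findings.append((name, f"image '{image}' is not pinned by digest"))

        # Container-level securityContext fields override pod-level ones
        # (simplification: Kubernetes applies precedence per field).
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((name, "runs privileged"))
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            findings.append((name, "may run as root (runAsNonRoot unset, uid 0)"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "does not drop all Linux capabilities"))
    return findings


if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for scope, text in check_pod(pod):
            print(f"  [{scope}] {text}")
```

Checks of this kind belong in the pipeline before deployment (as a CI step or an admission control policy), which is where the "image validation" and "role-based access management" items of a container security plan are enforced rather than merely documented; a runtime monitor then watches for drift from what was admitted.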

Some concerns also exist within the virtualization environment, which drives cloud computing. The virtualized environment allows containers to be implemented, but their smooth use depends on a virtualization component called a virtual machine monitor (VMM) or hypervisor, which acts as the "management layer between the physical hardware and the virtual machines running above" it, managing system resource allocation to virtual machines—and by extension, containers—in the virtual environment.[5] Since hypervisors are shared in a virtualized environment, a compromised hypervisor (say through a malware attack or a means of gaining root privileges) puts the virtual machines running off the hypervisor at risk, and by extension any data running on those virtual machines.[5] Limiting the risks to a hypervisor and its associated virtualized machines means ensuring de facto encryption is in place to protect copied images and other files, migrated virtual machines are protected at all points along the migration route, and proper encryption and key management mechanisms are in place for effective access management.[5] While the concerns of hypervisor security are largely the responsibility of the public CSPs (Microsoft, for example, touts a multi-layer approach to securing its hypervisors in Azure[6]), those running private clouds will have to ensure that the attention they give to hypervisor security is similarly strong.
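One concrete piece of "protected at all points along the migration route" is that every host receiving a copied image verifies it before using it. The following added example (not from this page or the cited survey) signs an image manifest with HMAC-SHA256 and re-verifies both the manifest and the image bytes at each hop of a simulated migration. The MAC key is assumed to be issued by the key-management service the paragraph calls for; the image bytes, host names and key are constructed test values. It covers integrity and authenticity only; keeping the image confidential in transit would additionally require the encryption the paragraph mentions.

```python
"""Keyed integrity manifest for a VM image copied along a migration route.

Added example. Every receiving host recomputes the image digest and checks the
manifest's HMAC before accepting the image, so a copy altered at any hop is
rejected there rather than booted later. The MAC key is assumed to be issued by
a key-management service; here it is a constructed test value.
"""
import hashlib
import hmac
import json


def _canonical(body):
    """Deterministic serialization so signer and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image_name, image_bytes, mac_key):
    """Build {name, size, sha256, mac}; the MAC covers every other field."""
    body = {"name": image_name,
            "size": len(image_bytes),
            "sha256": hashlib.sha256(image_bytes).hexdigest()}
    body["mac"] = hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_at_hop(manifest, image_bytes, mac_key):
    """Return (accepted, reason). Check the manifest first, then the payload."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check itself leaks nothing useful.
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest MAC invalid (forged manifest or wrong key)"
    if (len(image_bytes) != body["size"]
            or hashlib.sha256(image_bytes).hexdigest() != body["sha256"]):
        return False, "image digest mismatch (image altered in transit)"
    return True, "ok"


def migrate(image_bytes, manifest, route, mac_key, corrupt_at=None):
    """Simulate copying the image through the hosts in `route`, verifying at each.

    `corrupt_at` names a hop whose copy is (for the demonstration) damaged.
    Returns (accepted_at_destination, per_hop_log).
    """
    log = []
    data = image_bytes
    for host in route:
        if host == corrupt_at:
            data = data + b"\x00"          # constructed: a damaged copy
        accepted, reason = verify_at_hop(manifest, data, mac_key)
        log.append((host, accepted, reason))
        if not accepted:
            break                          # the hop refuses to forward it
    return bool(log) and log[-1][1], log


if __name__ == "__main__":
    key = b"constructed-test-key-from-kms"
    image = b"\x7fELF constructed image contents" * 64
    manifest = sign_manifest("db-vm.qcow2", image, key)
    for corrupt in (None, "relay-host"):
        ok, log = migrate(image, manifest,
                          ["source-host", "relay-host", "dest-host"], key, corrupt)
        print("accepted" if ok else "rejected", log)
```

The per-hop log is the audit trail a defender wants: it records which host rejected the image and why, and because the manifest is authenticated separately from the payload, a forged manifest and a corrupted image produce different, distinguishable findings.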

Other areas of security concern are found in the overall networking of a cloud. There, attention to the various layers of firewalls, network traffic controls, transport-level encryption mechanisms, and encapsulation protocols is also recommended.[7]

References

  1. IBM Cloud Education (12 August 2019). "Containers". IBM. https://www.ibm.com/cloud/learn/containers. Retrieved 21 August 2021.
  2. "Containers at Google". Google Cloud. https://cloud.google.com/containers. Retrieved 21 August 2021.
  3. "A beginner's guide to container security". GitLab. https://about.gitlab.com/topics/application-security/beginners-guide-to-container-security/. Retrieved 21 August 2021.
  4. Souppaya, M.; Morello, J.; Scarfone, K. (September 2017). "SP 800-190 Application Container Security Guide". NIST. https://csrc.nist.gov/publications/detail/sp/800-190/final. Retrieved 21 August 2021.
  5. Barrowclough, J.P.; Asif, R. (2018). "Securing Cloud Hypervisors: A Survey of the Threats, Vulnerabilities, and Countermeasures". Security and Communication Networks 2018: 1681908. doi:10.1155/2018/1681908.
  6. Sharma, Y.; Lyon, R.; Lanfear, T. (10 November 2020). "Hypervisor security on the Azure fleet". Microsoft Documentation. Microsoft. https://docs.microsoft.com/en-us/azure/security/fundamentals/hypervisor. Retrieved 21 August 2021.
  7. Boyd, N. (20 July 2018). "Achieving Network Security in Cloud Computing". Cloud HQ. SDxCentral, LLC. https://www.sdxcentral.com/cloud/definitions/achieving-network-security-in-cloud-computing/. Retrieved 21 August 2021.