Mobility and Cloud Computing and the need for a new security concept

The current way of doing business and service provisioning is based on openness and agility.
This puts the traditional security concept, in which an organization is positioned as an “information fortress”, strongly under pressure. The traditional perimeter is vanishing, and sensitive information travels outside your organization in many ways and on many different devices. Mobility and cloud services are the name of the game.

For the most part, business information is stored as unstructured data. Unstructured data refers to information that either has no pre-defined data model or is not organized in a pre-defined manner, and that is usually stored in files instead of databases.

This context creates a strong need for a different security concept. Instead of securing a predefined and fixed “location”, the focus must shift to the actual security of the information that is mobile: information security at the file level. In other words, file protection and control beyond the perimeter of the enterprise, because the rule set is stored with the file itself.

There are security products on the market that make it possible to achieve security at the file level. Applying this security concept will affect the current and usual roles and activities related to security.

It is still common that a security officer, in cooperation with the system administrator, ensures safe work areas to which firewalls, passwords and malware scanners protect access. The user organization is consulted, and its voice, the voice of the customer, is found in the general security policy, but the focus is on the security of the IT infrastructure. So, bottom line, security is an IT issue.

By implementing a security concept based on information security at the file level, one comes into very close contact with the daily operational activities of the users and the organization. Security choices have a much more immediate and greater impact on the work and activities than in a traditional security concept.

Who has access to which information, when and where? Access management can be managed excellently with the new file access management tools. But access management is not an isolated topic. Access is granted to individuals and groups, so the topic of identity management comes into sight and should be very well organized. Access management is part of the “triple A”: authentication (identity management), authorization (access management) and accounting. These are well-known concepts in the security world, but they were mainly applied at the level of the IT infrastructure. Now that the focus urgently needs to shift from the security of the IT infrastructure to the security of information, one comes into very close contact with the daily work of the organization. This includes authorization, as well as authentication and accounting.
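To make the “triple A at file level” idea concrete, here is an added example (written for this page; it is not code from any file-protection product). It models a file whose rule set travels with it: the policy is bound to the payload by a MAC so it cannot be silently edited or swapped, each access attempt is checked for who (identity), when (validity window), where (location) and what (action), and every decision is written to an accounting record. The key, the policy schema, the `authorize` function and the sample document are all constructed for the illustration; payload encryption is left to the product and is not modelled.

```python
"""Added example: a file-level protection envelope whose access rule set
travels with the file and whose every access decision is logged.
Not the code of any product; keys, schema and sample data are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: a key held by the organization's policy server, never by the
# recipient; it authenticates the policy together with the payload it governs.
POLICY_KEY = b"constructed-demo-key-do-not-reuse"

# Accounting: one record per decision. A real product would ship these to a
# central audit log that the auditor can query.
AUDIT_LOG = []


def utc(y, m, d, h=0, mi=0):
    """Small helper so callers can build timezone-aware timestamps."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def _tag(policy_bytes, payload):
    """HMAC over length-prefixed policy plus payload: neither part can be
    altered or swapped without invalidating the tag."""
    mac = hmac.new(POLICY_KEY, digestmod=hashlib.sha256)
    mac.update(len(policy_bytes).to_bytes(4, "big"))
    mac.update(policy_bytes)
    mac.update(payload)
    return mac.hexdigest()


def protect(payload, policy):
    """Wrap a file's bytes with its policy and the tag binding the two."""
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    return {"policy": policy_bytes.decode(), "payload": payload.hex(),
            "tag": _tag(policy_bytes, payload)}


def authorize(container, user, groups, action, now, location):
    """Evaluate the file's own rule set for one access attempt.
    Returns (granted, reason) and appends an accounting record. Checks run in
    order: integrity, identity, validity window, location, action."""
    policy_bytes = container["policy"].encode()
    payload = bytes.fromhex(container["payload"])
    if not hmac.compare_digest(container["tag"], _tag(policy_bytes, payload)):
        result = (False, "integrity failure: policy or payload altered")
    else:
        policy = json.loads(policy_bytes)
        known_user = user in policy["allowed_users"]
        known_group = bool(set(groups) & set(policy["allowed_groups"]))
        not_before = datetime.fromisoformat(policy["not_before"])
        not_after = datetime.fromisoformat(policy["not_after"])
        if not (known_user or known_group):
            result = (False, "identity not in policy")
        elif not (not_before <= now <= not_after):
            result = (False, "outside validity window")
        elif location not in policy["locations"]:
            result = (False, "location not permitted")
        elif action not in policy["actions"]:
            result = (False, "action not permitted")
        else:
            result = (True, "granted")
    AUDIT_LOG.append({"time": now.isoformat(), "user": user, "action": action,
                      "location": location, "granted": result[0],
                      "reason": result[1],
                      "policy_sha256": hashlib.sha256(policy_bytes).hexdigest()})
    return result


# Constructed sample: a finance document readable by alice or by anyone in
# the finance group, during 2024, from the NL or DE offices only.
SAMPLE_POLICY = {
    "file_id": "q3-forecast",
    "allowed_users": ["alice"],
    "allowed_groups": ["finance"],
    "actions": ["read"],
    "not_before": "2024-01-01T00:00:00+00:00",
    "not_after": "2024-12-31T23:59:59+00:00",
    "locations": ["NL", "DE"],
}
SAMPLE_FILE = protect(b"Q3 forecast: constructed content", SAMPLE_POLICY)


def altered_copy(container, extra_user):
    """A copy whose travelling rule set was edited outside the policy server;
    the tag no longer matches, so authorize() must refuse it."""
    policy = json.loads(container["policy"])
    policy["allowed_users"].append(extra_user)
    copy = dict(container)
    copy["policy"] = json.dumps(policy, sort_keys=True)
    return copy


if __name__ == "__main__":
    t = utc(2024, 6, 1, 9)
    print(authorize(SAMPLE_FILE, "alice", set(), "read", t, "NL"))
    print(authorize(SAMPLE_FILE, "bob", {"sales"}, "read", t, "NL"))
    print(authorize(altered_copy(SAMPLE_FILE, "bob"), "bob", set(), "read", t, "NL"))
    for record in AUDIT_LOG:
        print(record)
```

The order of the checks is deliberate: integrity first, because a rule set that has been tampered with tells you nothing reliable about identity, time or place; and the accounting record is written for refusals as well as grants, since the auditor's questions are about both.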

In the traditional division of labor, a security officer defines a security policy based on input from the user organization and on rules and legislation, and then aligns with the IT organization on which mechanisms will be used to operationalize this policy. Product selection, technical equipping and daily operation are performed by the IT organization. Thus the questions of why, how and with what are answered. In fact the user organization is only involved in the first question and plays no role in the implementation. Also, the security officer is hardly involved in the daily operations of the IT organization and the user organization. It is a slow top-down approach.
In terms of a responsibility assignment matrix (RACI), one could say that the security officer is accountable, the system administrator is responsible, and the user organization is consulted and informed.

The application of information security through access management at the file level puts this traditional way of working under pressure. The very fine granularity of access rights at the file level, in combination with the dynamics of working processes, the needed agility and the shortening of time to deliver, conflicts with the traditional hierarchical top-down approach.

To solve this issue a different way of working is required, in which the user organization is much more involved in information security or, better stated, actually takes the lead. After all, it affects their daily work. The security officer, the auditor and the IT organization must be well aware of the daily work of the user organization. They should gain knowledge of what is going on in the workplace to ensure that the access management is workable, produces the desired result, and meets the expectations of the user organization. Additionally, identity management and accounting at this micro level should also be taken into account.

To achieve information security by means of access management at the file level, it is advisable to take a closer look at the different roles involved. These are the security officer, the auditor, the system administrator, and the “super user” or functional administrator of the access rules for the user organization.

• The security officer is dedicated to defining the information security policy and the mechanisms (the solution approach regarding the security organization, workflow and technology) with which it should be realized, on behalf of the user organization.
• The auditor is the one who shows how accounting should take place (what the control points are, which information should be captured to comply with laws and regulations, what the audit trail is) and executes audits.
• The system administrator is the one who operationalizes access management within the framework set by the security officer and the auditor, and also takes care of the relationship (in terms of technology and execution) with the work areas of identity management and monitoring (accounting).
• The “super user” or functional administrator of the user organization is the one who actually manages the access rules within the framework set by the security officer and the auditor.

To support the modern way of doing business and service provisioning, we need to create an agile security organization with a transparent separation of interests and responsibilities. Instead of a hierarchical security organization, a flat organization is needed in which the “super user” is accountable, the system administrator is responsible, the security officer and auditor are consulted, and the end users are informed.

Cloud Computing Contracts and geolocation

As very well explained in the paper on negotiating cloud contracts by the Stanford Technology Law Review (see also the blog Cloud Computing Contracts), cloud computing users can “have regulatory or other legal obligations and may need to demonstrate compliance to regulators”. Data location and data transfers are among the most important data protection law concerns, especially for customers in the European Union and the European Economic Area. That is because “The Data Protection Directive requires controllers to choose processors providing ‘sufficient guarantees’ regarding security measures for processing, and to ensure compliance with those measures. This may be difficult without more transparency regarding providers’ systems, data center locations and transmissions.”

This leads to security and privacy concerns with allowing unrestricted workload migration to, from and within the cloud. Because of the requirements of laws and/or internal regulations, an organization may decide that it needs to restrict which cloud servers it uses based on their location. Determining the approximate physical location of an object (a workload or a cloud computing server) is generally known as geolocation.

To fulfill the customer's security needs, cloud computing services need secure geolocation that can be enforced through management and operational controls that are scalable and can be automated. The ultimate goal is to be able to use trusted geolocation for deploying and migrating cloud workloads between cloud servers within a cloud. The question is how to enforce and monitor geolocation restrictions for cloud servers.

The National Institute of Standards and Technology (NIST) recently published a draft report on this topic: ‘Trusted Geolocation in the Cloud: Proof of Concept Implementation’. Based on the concept of Trusted Compute Pools, the report describes the requirements and the implementation of a proof of concept (a mix of Intel, VMware and RSA technology).

The NIST authors define Trusted Compute Pools as “physical or logical groupings of computing hardware in a data center that are tagged with specific and varying security policies”, where “the access and execution of apps and workloads are monitored, controlled, audited, etc.”

The Trusted Compute Pool is based on three principles of operation:

  1. Create a part of the cloud to meet the specific and varying security requirements of users.
  2. Control access to that cloud so that the right applications get deployed there.
  3. Enable audits of that part of the cloud so that users can verify compliance.

With this, the cloud computing provider must be able to create and use trusted geolocation for deploying and migrating cloud workloads between cloud servers within a cloud.
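The three principles above, turned into a small scheduler check, as an added example (written for this page; it is not NIST's proof-of-concept code nor that of Intel, VMware or RSA). Each host presents a signed attestation report, assumed to come from an attestation service that has already verified the host's measured boot and read its geolocation tag; the scheduler deploys or migrates a workload only to hosts that are trusted, freshly attested and located in a country the workload's policy allows, and it returns a reason for every refusal so the decision can be audited. The HMAC stands in for the attestation service's signature, and the key, the report format, the host names and the timestamps are constructed.

```python
"""Added example: enforcing a geolocation restriction on workload placement
and migration from signed attestation reports. Not NIST's or any vendor's
implementation; keys, report schema, hosts and timestamps are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed: the attestation service and the scheduler share this key; in a real
# deployment the service would sign and the scheduler would verify.
ATTESTATION_KEY = b"constructed-attestation-service-key"
MAX_REPORT_AGE = timedelta(minutes=10)   # older reports are not trusted


def utc(y, m, d, h=0, mi=0):
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def sign_report(report, key=ATTESTATION_KEY):
    """What the attestation service emits for one host."""
    body = json.dumps(report, sort_keys=True).encode()
    return {"body": body.decode(),
            "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_report(signed, now):
    """Return the report if its signature and freshness hold, else None."""
    body = signed["body"].encode()
    expected = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signed["sig"], expected):
        return None
    report = json.loads(body)
    issued = datetime.fromisoformat(report["issued"])
    if issued > now or now - issued > MAX_REPORT_AGE:
        return None
    return report


def check_host(signed, policy, now):
    """(ok, reason) for one host against one workload's geolocation policy."""
    report = verify_report(signed, now)
    if report is None:
        return False, "no valid, fresh attestation"
    if not report["trusted"]:            # measurements did not match known-good
        return False, "platform measurements not trusted"
    country = report["geo"]["country"]
    if country not in policy["allowed_countries"]:
        return False, "geolocation %s not permitted" % country
    return True, "trusted host in %s" % country


def eligible_hosts(signed_reports, policy, now):
    """Principle 2: only hosts in the right part of the cloud are offered."""
    out = []
    for signed in signed_reports:
        if check_host(signed, policy, now)[0]:
            out.append(json.loads(signed["body"])["host"])
    return sorted(out)


def can_migrate(signed_reports, policy, dst_host, now):
    """A migration target must pass the same check as an initial placement."""
    for signed in signed_reports:
        if json.loads(signed["body"])["host"] == dst_host:
            return check_host(signed, policy, now)
    return False, "destination %s has no attestation report" % dst_host


def _report(host, country, trusted, issued):
    return {"host": host, "trusted": trusted,
            "geo": {"country": country}, "issued": issued}


def sample_reports(now):
    """Constructed fleet: trusted hosts in NL, DE and US, one host whose
    measurements failed, one stale report and one report signed with the
    wrong key."""
    fresh = (now - timedelta(minutes=1)).isoformat()
    stale = (now - timedelta(hours=2)).isoformat()
    return [
        sign_report(_report("host-nl-01", "NL", True, fresh)),
        sign_report(_report("host-de-02", "DE", True, fresh)),
        sign_report(_report("host-us-03", "US", True, fresh)),
        sign_report(_report("host-nl-04", "NL", False, fresh)),
        sign_report(_report("host-nl-05", "NL", True, stale)),
        sign_report(_report("host-nl-06", "NL", True, fresh), key=b"wrong-key"),
    ]


# Constructed workload policy: EU-only placement.
PAYROLL_POLICY = {"workload": "payroll", "allowed_countries": ["NL", "DE"]}

if __name__ == "__main__":
    now = utc(2024, 6, 1, 12)
    fleet = sample_reports(now)
    print("eligible:", eligible_hosts(fleet, PAYROLL_POLICY, now))
    for dst in ("host-de-02", "host-us-03", "host-nl-04", "host-nl-05", "host-nl-06"):
        print(dst, can_migrate(fleet, PAYROLL_POLICY, dst, now))
```

Two points of the design carry the weight. A geolocation tag is only as good as the platform that reports it, so the location check never runs before the trust and freshness checks; and the refusal reasons are returned rather than just logged, which is what makes principle 3 (letting the user verify compliance) practical for the auditor.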

If this concept, as proposed by NIST, is successful, it would solve a huge cloud computing issue, and when used it could make the negotiation and contracting of cloud computing services much easier.