Secure Multi-Tenancy for Private, Public, and Hybrid Clouds

“As organizations adopt cloud services, the human element takes on an even more profound importance. It is critical therefore that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat.”

—Cloud Security Alliance, Top Threats to Cloud Computing V1.0

It seems as if every business and IT executive that we talk to lately literally has their “head in the clouds.” Every conversation about current or impending strategies for information assets almost universally contains some mention of a public, private, or hybrid cloud deployment. A more interesting observation of these conversations is that the lure of liberating ourselves from the burden of managing applications and data shouldn't mean we stop having high expectations about how those applications and data are managed.

If you want to use the public cloud and need to do it in a secure and compliant way, it's a matter of shared responsibility. If you want your cloud vendors to be secure enough to protect your corporation's most sensitive data, then you have to insist on it, and communicate your requirements and oversee the controls. That leaves the final piece of the cloud security puzzle—the often ignored or misunderstood case of the privileged users in the cloud. The cloud is no different from any other domain that requires authorized access. Where there are privileged users, you also need least privilege in order to mitigate the insider threats we have discussed at length throughout this book.

All Clouds Are Not Created Equal

It goes without saying that operating in the cloud is the latest trend in the technology world, and as is the case with every emerging technology, the playing field is not yet clearly defined; “cloud computing” can mean different things to different people.

To some, it is a way of describing commercial services available over the Internet in real-time from outsourced storage and computing capacity to software as a service (SaaS). To others, it is an architecture and set of technologies that facilitate real-time access to information and applications from anywhere via the Internet. Cloud deployments can take three primary approaches:

• Public Cloud: This is a computing model whereby a service provider outside of your enterprise will provide the infrastructure and associated management of specific IT resources, usually computing and storage but can also extend to applications and specific information-related services. The primary value is one of “pay for usage” and the ease of access since everything is available via the Internet. It is known and accepted that in most cases, multiple companies are sharing the same physical resources owned and managed by the public cloud vendor but are partitioned into logical or virtual servers for protection across company boundaries.
• Private Cloud: Also called corporate cloud or internal cloud, this is really just a new name for an architecture and set of solutions that have already been deployed throughout your enterprise for years. In this computing model, all of the infrastructure and management is physically inside your enterprise, but all of the access is in real-time via the Internet instead of distributed to local desktops or servers.
• Hybrid Cloud: Taking advantage of the best of both the public and private cloud architectures is an emerging concept called the hybrid cloud. In this model, some of the infrastructure and services are provided by outside vendors and are linked to infrastructure and services managed inside the physical enterprise, but the ultimate user is oblivious to what is going on “behind the curtain” of their data and application access.

Whether it's the private or public or somewhere in between (hybrid) cloud, it's where we are heading. Just because information and applications are available in such a convenient way does not mean that boundaries should be let down to make all things convenient. The principle of least privilege applies here more than ever before.

The Elusive Unicorn

The ultimate question of security in the cloud revolves around whether or not multiple tenants can coexist without one having any access to the other's data or applications. Truly guaranteed, secure multi-tenancy has been labeled as both somewhat unattainable and the basis by which every cloud vendor's security should be measured. What's interesting about the secure multi-tenancy discussion is that it isn't exclusive to separate companies sharing the same public cloud infrastructure. It turns out that this is as big an issue for private cloud implementations where cross division or department privacy is required either for governance or compliance reason.

Why is secure multi-tenancy in the cloud the elusive unicorn? The short answer centers on the observation that the cloud's greatest strength is also potentially its greatest weakness. Sharing under-utilized resources and paying on a metered or “as-used” basis is a fantastic way to leverage existing investments, control costs, and handle the natural ebbs and flows in capacity planning that usually plagues IT. The challenge comes in when two different organizations with different compliance and security policies are sharing the same resource. How does the cloud provider, even internally for private clouds, ensure that nothing spills from one virtual environment into the other on the physical intersection point, the server?

The sheen of sophistication, the wow factor of something new, dazzles our senses somewhat, and subsequently we invest way too much faith in something—we not only put the cart before the horse, we turn it into a hand cart that we think we can push ourselves. Again we see how human nature is the weak link.

According to Gartner, the private cloud will be introduced primarily as a new way to interface with customers (a self-service catalog of standard services), and a new way to deliver services (automated, giving the user the choice on when to use the service and how much)—it requires a fundamental change in the relationship between business and IT, and the way they do business together. Unlike virtualization, the private cloud must be preceded by changes in organization, processes and business models. It starts with a shift in focus from technologies (servers, virtual machines [VMs] and storage capacity) to services (see “Getting Started With Private Cloud: Services First”). With all these changes, the ultimate question that keeps coming up is “How possible is secure multi-tenancy in public and private cloud environments?”

Figure 7-1. Cloud challenges and issues

While cloud computing removes the traditional application silos within the data center and introduces a new level of flexibility and scalability to the IT organization, the support for multi-tenancy computing environments also introduces additional security risks, the most insidious of which is data theft.

The administrative tools used to access the hypervisor/VMM layer a cloud vendor manages must be tightly controlled to maintain a strong security posture. Organizations need to carefully analyze business and security requirements, and must evaluate the depth and reliability of security features and cloud service levels. A privileged identity management (PIM) solution is the only tool that can limit these administrators to specific policy-driven actions as well as provide the granular audit trail to determine actions if remediation is required delivering on the promise of a “more secure” multi-tenant cloud environment.

Top Ten Reasons to Implement Least Privilege For Private, Public & Hybrid Clouds

Taking a more tongue-in-cheek approach to highlighting the types of privilege misuse that occurs daily in cloud environments, we thought that a top-ten list approach might appeal to you as well. How many of these have you seen throughout your organization?

#10—Andy, the admin at <insert your public cloud provider name here>, won't be able to use his admin privileges to your instantiation of a public cloud for data theft.

#9—Clara, your server admin, can't instantiate a new server used for private cloud applications that will facilitate one business unit admin from poking in on the data from other business units' instantiation of a cloud app on the same server.

#8—Sid in development won't be able to code in a back door for privileged access to your hybrid cloud architecture.

#7—Harry, the industrious business unit admin, won't be able to “tune” your private cloud to what he read was “optimal” on Seth Grodin's latest blog.

#6—Ted in Tech Support won't be able to change cloud file permissions without the proper policy-driven permissions just because it made his job easier today.

#5—Barney, the new business unit manager, won't be able to blame “mistaken identity” for missing his quarterly goal because he read that was something that happens when cloud security goes bad.

#4—Sam, the CSO, won't continue to lose sleep at night fretting over who can hijack admin privileges for any public, private, or hybrid instantiation of their corporate infrastructure.

#3—John, the CEO, won't get called out in the press for a data breach after moving all data to what he thought was a secure, lower-cost private and hybrid cloud.

#2—Vito, a member of the hacker's guild, won't be able to take advantage of the cloud streamlining the efficiency of identity theft.

#1—Bill, the chairman of the board, won't have to explain why he needs to spend $1 million to fix a cloud data breach problem with the statement “at least it's not as much as Sony had to spend for its breach.”

Is the Cloud Inherently Secure or Insecure?

The report by the Ponemon Institute in March 2011 on the Security of Cloud Computing Providers offered what appear to be some surprising results. According to the study, “the majority of cloud computing providers do not consider security as one of their most important responsibilities.”

Given that most studies show security as one of the primary barriers to cloud adoption, this is indeed disappointing news and one might conclude that it's going to be a long time until clouds are appropriate for running enterprise applications. But let's look a little deeper into the data.

The survey was based on responses from 103 providers, so it's a pretty diverse group covering SAAS, PAAS, and IAAS. Many of these cloud providers may be targeting such applications as hosting a blog where security isn't a top priority. In fact, the survey showed that providers believe most of their customers are looking for reduced cost, faster deployment, and improved customer service when they use clouds.

And the study didn't say that cloud providers don't think security is important, but that “the respondents overwhelmingly believe it is the responsibility of the users of cloud computing to ensure the security of the resources they provide.” On the other hand, “only 35% of users believe they are most responsible for ensuring security.”

So to get the level of security needed to run enterprise applications, we need to clear up the confusion about who should do what.

Who's in Charge of Cloud Security?

Usually, the way we define and implement security is driven by compliance. But despite a wide number of frameworks from the Information Systems Audit and Control Association's (ISACA) Control Objectives for Information and related Technology (COBIT) to Payment Card Industry Data Security Standards (PCI DSS), those compliance standards aren't very clear, leaving ample room for every auditor to interpret them differently.

When you dive deeper into the Ponemon study data, it shows that “cloud providers are most confident about their ability to ensure recovery from significant IT failures and ensure the physical location of data assets are in secure environments.” These are two areas where best practices and the compliance standards are well-defined.

On the other hand, cloud providers are “least confident in their ability to restrict privileged user access to sensitive data.” At least part of that lack of confidence can surely be attributed to the lack of a clear definition of privileged access and what the appropriate controls are. Since many of the privileged users of a cloud system are the customer's employees, it makes sense that this has got to be an area of shared responsibility between the cloud vendor and the customer. But who should do what and, ultimately, who's in charge?

To the Cloud, or Not

While we can debate the relative security of clouds versus most corporate data centers, there is one area where using a cloud vendor will always represent greater risk—the threat posed by insiders with administrative privileges. We have to quote the Ponemon Institute study that cloud providers are “least confident in their ability to restrict privileged user access to sensitive data.”

Now part of that lack of confidence is because their customers control privileged access to the operating system of whatever is running in a cloud-computing environment. So as a customer, you need to take control of that part of the cloud environment and, as many of your peers are doing, use the same tools they do in their data centers to protect privileged account credentials. An effective least privilege solution can be configured to run in a public cloud or in a hybrid mode as an extension of the system in your data center.

That leaves the cloud providers privileged users who administer their hypervisor and control plane environments. Encryption of data is a vital protection and can address a number of concerns about malicious insiders particularly with unstructured data. Database encryption in the cloud is tricky and requires a well-thought-out architecture and key management system.

We don't know of any confirmed breaches by cloud insiders, but that doesn't mean there isn't risk. Most customers don't have deep insight into their cloud provider's technology stacks and operating procedures. So ask them! Some recommendations to become better informed and thus better protected include:

• Review their SAS 70 certifications
• Agree on standards and audit them
• Go onsite and check their controls and look at their logs

Once you make your needs known, we think you will quickly see which cloud providers understand the enterprise customer and want to deliver the security required. In the meantime, caveat emptor.

Security in Public Clouds

As stated earlier, you need to take ownership and responsibility for overseeing and requiring compliance and security policies of your chosen cloud vendors. But, how can you do this effectively?

The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, published their Guidelines on Security and Privacy in Public Cloud Computing in January 2011. This 60-page report can be best summarized by the quote “accountability for security and privacy in public clouds remains with the organization,” a blatant statement of the obvious if we've ever heard one. The report expands on this thought by stating, “assessing and managing risk in cloud computing systems can be a challenge. Throughout the system lifecycle, risks that are identified must be carefully balanced against the security and privacy controls available and the expected benefits from their utilization. Too many controls can be inefficient and ineffective, if the benefits outweigh the costs and associated risks.”

John Storts, a blogger over at IT Business Edge, wrote in January 2011 that “cloud service providers, generally, are unaware of the specific security and privacy needs of an organization”—Yes! Ding, ding, ding! And this particular blog goes on to say “so it's wise to have these needs explicitly documented before engaging with them.”

We've covered how security is the top issue related to the cloud according to numerous surveys and reports, yet only 23% of cloud customers require proof of compliance from their cloud vendors and only 20% of organizations regularly involve the security team in their cloud choices. With cloud security being such an issue, why aren't we doing more about it?

Organizations that outsource to a cloud vendor seem to make their choices based on price, instead of security. Often this transition involves multiplying the number of IT admins with access to the company's data several-fold and without proper admin controls. So ask your cloud vendor! Ask them how many admins will have access to your data and what policies are in place to protect it. We stated this time and again throughout this book: “trust alone” is not a proper security measure. When human nature is involved at the intersection of technology, whether it is physical, virtual, or cloud-based, you need to take into consideration the obvious uncertainty principle.

Trusted Digital Identities

The US Commerce Department, which just launched an initiative to help create more trusted digital identities. Details were in short supply and there is lots of skepticism and questions about the role of government in any sort of national ID program.

But what is important is that the Commerce Department initiative embraces a model that allows companies to “pull credentials” when required from a centralized policy-managed repository instead of relying on individual credentials being “pushed” by the user. According to Bob Blakley, Vice President & Distinguished Analyst at Gartner, “we see this public identity infrastructure approach as central to a new emerging architecture where vendors compete in market for identities that provides high-quality identities at lower cost and enterprises focus their Identify and Access Management efforts on developing governance policies that determine what sources of identities are appropriate for their different business processes.”

“While Gartner doesn't see these consumer repositories replacing Active Directory anytime soon, and we wouldn't bet on this or any model until it has market traction, in a more diverse world of SaaS, public, private, and hybrid clouds, companies need to anticipate the changes this new model will require in the identity management infrastructure, policies, and controls,” states Blakley.

Public Clouds Need Least Privilege

If you want to use the cloud and need to do it in a secure and compliant way, you're going to need to think about who is responsible for what. As numerous studies and articles have highlighted, most cloud vendors today don't provide a platform that's fully up to enterprise security standards.

Cloud vendors need to do their part by providing a good foundation of such security technologies as firewalls, anti-virus and anti-malware, encryption of data in motion, patch management, and log management. Cloud customers also need to do their part by using this foundation to secure their operations and ensure the proper policies and procedures are in place. So that leaves the complicated stuff—shared responsibilities and the special case of the privileged users in the cloud.

Vendor priorities will be aligned with those of their customers. Today for most cloud users those priorities are reducing cost, workload, and deployment time while providing new levels of scalability. Some of these priorities are at odds with the time and resources required to do proper security.

However, if customers demand it and show they will pay for it; vendors will step up and provide the security that's needed. As a recent report by the Ponemon Institute on the Security of Cloud Computing Providers showed, “while security as a true service from the cloud is rarely offered to customers today, about one-third of cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.”

Many cloud vendors have large-scale operations that offer the potential for more resources and expertise to protect your data. But that potential will only be fully realized if customers provide the oversight, funds, and service-level requirements to make sound security processes a good business decision for the vendors. This entails security teams getting more involved, companies allowing security to influence buying decisions, and insisting on regular reporting on security processes and service-level agreements.

If you want your cloud vendors to be secure enough to protect your corporation's most sensitive data, then you have to insist on it, communicate your requirements, oversee the controls, ask for reports, and ultimately take shared responsibility for the security of the cloud. If your cloud provider doesn't implement least privilege within their infrastructure, then you can still protect yourself by implementing that portion on your premise.

A Rose by Any Other Name

When Shakespeare wrote this line in Romeo and Juliet, it set the benchmark for quotes representing that what really matters is what something is and not what something is called. So, we find it kind of fun when we hear talk of private clouds representing it as a new and bold IT initiative. As stated earlier, a private cloud is really just a new marketing label for a set of technologies and an architecture that was marketed as “network computing” in the 1980s, “portals” in the 1990s, and “intranets/extranets” at the turn of the millennium.

So, even though private clouds are really just a “marketing wash” of existing concepts, that doesn't mean it shouldn't be any less important to you and your strategy for deployment and management of enterprise information assets. Sometimes it takes good marketing to actually get a smart technical concept more widely accepted across the enterprise, especially by the usually technically illiterate business and finance types who can control the ultimate success or failure of specific IT solutions.

Case Study: Secure Multi-Tenancy in a Private Cloud

A very large multinational bank decided strategically to move to a cloud infrastructure globally for governance and cost reasons in late 2010. In evaluating specific business unit requirements, the lead IT executives discovered concerns regarding confidentiality, security, and the ability to prove compliance.

The complications arose in the uncovering of how difficult it was to segregate the private cloud infrastructure (built on VMware) by business unit while ensuring authorization levels across business units were in line with specific compliance mandates. Each business unit had specific privacy concerns regarding cross-department information access as well as unique compliance reporting requirements. IT needed to manage the authorizations based on corporate-level governance mandates and had their own level of compliance reporting requirements.

Ultimately, a decision was made to make a least privilege solution a mandatory requirement as part of their private cloud stack. In this way, they were able to realize:

• Unified protection from host to guest operating systems.
• Centrally governed privilege delegation for guest VMs.
• Centrally governed privilege delegation for ESX hypervisors.
• Discrete business units could produce compliance reports that included logging and auditing down to the keystroke level.
• Discrete business units could also interrogate event data for ad-hoc drill-down validation of Sarbanes-Oxley (SOX), PCI-DSS, and Federal Financial Institutions Examination Council (FFIEC) compliance.

Logs in the Cloud

As you can see from the previous case study, logs are an important part of compliance. The heart of the matter really is: are logs in the cloud any different than traditional logs? A matter raised by Misha Govshteyn, co-founder of Alert Logic and suggested standard for logging that's specifically for the cloud called CloudLog. He discusses how logs in the cloud are the same, but also different—an oxymoron we support.

We've covered how cloud security is the top issue in the cloud, yet few organizations are doing much about it, and how the cloud requires new models for the same security best practices.

Nothing's changed about privileged access, but now you need to extend that to the hypervisor; nothing's changed about setting and enforcing policy, but now you need to do that across cloud vendors; nothing's changed about logs, but now we need to do keystroke logging and log privileged activity across cloud vendors, hypervisors, and organizations.

Part of the reason there's so much insecurity (pardon the pun) about security in the cloud is this idea that we need to start over from scratch; that security needs to be reinvented for the cloud. But in most cases, we just need to extend what was already in place to the cloud and, as much as we can, to our cloud vendors.

So when you start thinking about cloud security and whether the organization is doing everything they should be, just start with this: are we doing everything we used to but in the cloud?

Implementing Least Privilege in the Cloud

Since this architecture contains elements both on-premise and at your cloud provider, special attention needs to be made to the intersection points. Figure 7-2 shows how to implement a least privilege solution where all elements exist in the hosted environment, while the users on-premise are protected by the least privilege policies.

Figure 7-2. Architecture of least privilege

Figure 7-2 shows an example architecture implementing key elements of least privilege on–premise, while still accessing a public cloud infrastructure and using that infrastructure to host the policy files and logs. In this way, you take responsibility for your portion of the security equation.

Weighing In

Establishing least privilege for public, private, and hybrid clouds is necessary to protect the integrity of sensitive information. If the cloud owners and cloud users ensure that PIM solutions are implemented correctly, then the first step to truly secure multi-tenancy has been taken. Without it, insiders could take advantage of the open nature of these environments and the ever-precious data being kept safe could be compromised. Let's hear what our experts have to say.

Secure Sam:

One of the strongest arguments for moving data to the cloud is that it reduces cost, workload, and deployment time. One of the strongest counter arguments is that the time and resources required for properly securing the cloud are often more intensive than the benefits that come from using it. As more and more technology is pointing toward that platform, however, it's obvious that's where we're heading. I think the most important thing to realize when discussing this is that a certain degree of governance needs to be in place for an enterprise cloud environment to safely thrive. A lot of that comes from first defining appropriate expectations. Not all users should expect, or be able to access, all information just because it's based in the cloud. Those who need elevated privileges should be granted them, but only if they absolutely need them. The second step is verifying performance. In the cloud more than any other arena, those with privileges need to be monitored. Logs must be kept and records must be analyzed in order for the information in the cloud to be secure. Governance is key.

Least Privilege Lucy:

Least privilege is a concept that applies to all aspects of information technology. It particularly applies to the cloud, as it's the platform with the most access points. In order for a cloud network to be secure to enterprise standards, access must only be granted to users who have the need for it. Most of the time, the environment in a cloud situation has been established with solid technologies—but it's of the utmost importance that users of the platform take responsibility for the information they allow their employees to see. There will always be a need for privileged users—certain applications and commands will always need elevated rights. On the flip side, the entity that houses data for enterprises will always need to be secure. A lot of people get nervous about sending sensitive resources to the cloud, but if it's protected the way physical assets are protected, confidential information will remain just that: confidential. And the way to do that truly is through least privilege. Even if a cloud provider doesn't buy into the concept, it's still something that individual companies can (and should) do within their infrastructures.

Compliance Carl:

As an auditor, I realize most of the security initiatives in organizations are driven by the requirement to be compliant with industry mandates. While one would hope a company is interested in purely protecting its precious assets, compliance does serve as a catalyst for most organizations. And it's a great place to start—there's a reason for regulatory laws regarding data security. The bottom line is simple—they're in place to protect the assets of companies. Once a determination is made to take necessary security measures, that information needs a multi-faceted plan to be successful. Such a plan also needs to include the principle of least privilege. When talking about protecting these resources in the cloud, it's important to emphasize that each user should only have access to the information they absolutely need. In such a public and shared environment, knowing where your data is and who has access to it is paramount to the success of your security strategy. The Ponemon study referenced earlier states that cloud providers are “least confident in their ability to restrict privileged user access to sensitive data.” By appropriately managing access to sensitive information, companies can be more confident in the security of their information resources.