Bob Violino
Contributing writer

Cloud SWAT teams

feature
Jan 03, 2012
Cloud Security, Cybercrime, Security

These specialized incident-response units can swoop in when needed to help make the cloud more trustworthy.

Cloud computing poses unique security challenges for organizations, and multiple industry surveys have shown that security and privacy are among the key concerns of executives considering the cloud.

To address the challenges of securing the cloud, the Cloud Security Alliance (CSA), a not-for-profit organization made up of cloud vendors, user organizations and other key stakeholders, is developing the concept of cloud-specific “security incident-response teams” (CloudSIRT). Security executives and industry analysts say the initiative is a good move and should help bolster security in the cloud.

For many, the threat of security breaches is the biggest reason why they’re reluctant to embrace cloud computing. IT and security executives still aren’t convinced that service providers can adequately safeguard their data, particularly when it comes to using public cloud services for business transactions.

Some of this apprehension might be justified. In one of the latest industry surveys on cloud computing, conducted by security services provider Trend Micro in June, 43% of the respondents said their enterprises had experienced a security “lapse” or other problem with their cloud vendors within the past 12 months.

The company queried 1,200 IT decision-makers in the U.S., the U.K., Germany, India, Canada and Japan. According to the survey, respondents said the top barriers to adopting cloud computing are concerns about the security of data or the cloud infrastructure (50%), and concerns about performance and the availability of cloud services (48%).

Another report, released in June by research firm 451 Group, venture capital firm North Bridge Venture Partners and research firm GigaOM Pro, shows that many organizations are still in the early stages of cloud adoption or are taking a wait-and-see approach.

In that survey, 40% of the 413 respondents, including both IT professionals and vendor personnel, said they are only beginning to experiment with a move to the cloud. Another 26% said they are awaiting market maturity before adopting a formal cloud strategy.

Taking a Team Approach

CSA is aiming to quell many of the concerns about cloud security and privacy by promoting the use of best practices for cloud security and providing education on using the cloud to help secure other forms of computing.

In January, the organization began pushing the idea of CloudSIRT, an initiative in which major cloud providers are working to address the future of collaborative incident response and information sharing in the cloud.

The CSA’s premise is that SIRTs form the cornerstone of coordinated incident response and security information sharing for government agencies and enterprises, and that the model has worked well for handling malicious activity on the Internet.

But the organization says the advent of cloud computing has created a new set of challenges. The characteristics of cloud computing, such as multitenancy, resource sharing and on-demand provisioning, have the potential to complicate traditional response team operations. As a result, new types of teams are needed, it says.

“Most incident-response teams are focused [on] more traditional, on-premises computing infrastructure belonging to enterprises, governments and education institutions, and the threats to them from malware, spam, DDoS attacks and hackers,” says John Howie, who heads the CSA working group for the CloudSIRT initiative. He is also senior director of technical security services for the online services security and compliance team at Microsoft Global Foundation Services.

“With public and off-premises private cloud computing, organizations of all types no longer have computing infrastructure, or have a much reduced attack surface,” Howie says. “Cloud providers are managing the computing infrastructure. Incident response now has to cross not just boundaries within an organization, but across organizations.”

What’s more, the concentration of information assets from multiple user organizations creates the real possibility that the consequences of security breaches in the cloud will be much more severe than those of traditional incidents.

“An attack against a cloud provider, successful or not, can impact many organizations,” Howie says. “Complicating the situation, organizations might contract service with many cloud providers. As hackers develop new attacks, cloud providers and consumers need a new breed of team to coordinate incident response effectively.”

Cloud providers present a rich target for hackers, Howie adds. “Instead of compromising a single organization, a hacker can attack a cloud provider and can potentially gain access to the data belonging to several organizations,” he says. Because the payoff is so much larger, attackers are willing to devote considerable time and resources to attacking a cloud provider.

A cloud incident-response team that includes cloud vendors can share operational threat information to coordinate defenses against potential attackers as they’re identified, Howie says, helping to ensure the security and privacy of customer data.

The goal of the CSA working group is to bring together cloud service providers, telecommunications and Internet service providers, established computer emergency response teams (CERT) and other qualified parties to establish an industrywide CloudSIRT.

“Since the initial working group was brought together at the beginning of the year, we have developed a charter, membership criteria, information exchange protocols and other collateral that will be necessary to bootstrap CloudSIRT,” says Howie.

CloudSIRT has been formally incorporated, and the group is working toward establishing a memorandum of understanding with the CSA and registering as a nonprofit with the Internal Revenue Service.

CloudSIRT will officially launch at the CSA Congress in November. The group will initially consist mainly of cloud vendors and related service providers and established CERTs. Members will be expected to share information in a trusted fashion, and they must feel comfortable sharing information, Howie says.

To accomplish these goals, the working group has drawn up strict membership criteria and will publish details of who is eligible to join CloudSIRT and how they can join in the coming weeks. Howie wouldn’t say whether users would be included, but he did indicate that the working group is exploring “many more opportunities.”

Security experts say the CSA effort is a good step toward addressing cloud security.

“I’m positive on CSA and the CloudSIRT initiative, because appropriate forms of information sharing are very important in incident response and threat assessment,” says Dan Blum, a security analyst at Gartner.

“The CSA has been an excellent focal point for the industry to collaborate on cloud computing security issues and has developed useful guidance,” he says. “The CSA has also done well on coordinating with other organizations, such as standards bodies.”

Blum agrees with the premise that cloud computing requires a different type of response team. “A serious incident in the cloud may affect multiple [cloud service providers] and enterprise customers,” he says. “Each enterprise must have its own [incident-response] team to deal with a variety of issues, including legal and PR. But the enterprise IR team may be completely dependent on [cloud provider response] teams for information about the incident and some aspects of operational response.”

Today, Blum says, cloud customers likely aren’t being notified of all incidents their cloud service providers detect, and what information they do receive might be inconsistent, untimely or insufficient.

“Cloud-specific IR teams may help customer confidence to the extent they’re actually able to do [something] to resolve incidents or facilitate information exchange,” he says. “But cloud service providers and legal or regulatory bodies may first need to develop uniform codes of conduct that allow greater transparency and reduction of liability.”

As hybrid clouds evolve and organizations are linked more closely to cloud service providers and the providers are linked to one another at an operational level, Blum says, “IT’s world will become increasingly interdependent, and the effectiveness of incident-response processes and risk management in general will be even more critical. This will require CERT-level IR teams, much like incidents affecting multiple ISPs. It will also require teams that can work across [cloud service providers] on issues affecting a single customer or multiple customers.”

Internal Cloud Teams

Some organizations have created their own cloud incident-response teams or are planning to do so, and they will be looking to the CSA for guidance.

“It’s exciting to see a [cloud] response team being formed,” says Rosie Rivel, director of IT global risk and compliance at Kelly Services, a Troy, Mich., provider of workforce services.

“Our IT security group is always dealing with security-related issues, but in more of a traditional fashion,” Rivel says. “As we’re moving into the cloud, what we’re trying to do is build a knowledge base internally, but we can’t do that in a short period of time.” Being involved in the CSA effort would help Kelly Services gain valuable knowledge about cloud security, she says.

The company began using cloud computing in 2004, when it adopted Salesforce.com as its customer relationship management platform. The cloud is now a major part of its IT strategy.

Bart Falzarano, chief information security officer at Walz Group, a Temecula, Calif., provider of communications and compliance technology services, has set up an internal cloud incident-response team that monitors its private cloud and SaaS services. Team members include senior managers, infrastructure engineers and technical operations support personnel.

For those looking to form their own teams, Blum says it’s best to include people from various parts of the organization.

“In general, IR teams must be cross-functional to cover multiple types of incidents,” Blum says. For example, human resources would get involved in incidents involving insiders, external security service providers might be needed for incidents involving hackers from the outside, operations would cover low-consequence incidents or those concerning availability, and legal might be drawn into incidents with regulatory compliance or public relations implications.

“Cloud technical specialists will be needed on the team for organizations using public cloud services for real business,” Blum says.

Howie, who is responsible for the incident-response function at Microsoft in addition to leading the CloudSIRT working group, wouldn’t discuss Microsoft’s efforts regarding cloud incident response. But he says for organizations that are adopting cloud computing and want to establish a cloud security team, the best place to start is with an existing CERT.

“There are plenty of excellent resources that an organization can leverage,” such as information and tips about security incident-response teams provided by the Software Engineering Institute, Howie says.

An organization looking to create a cloud response team has to “take into account the unique characteristics of cloud computing, establish lines of communication with its cloud providers, and draw up standard operating procedures for a range of potential incidents, [from] service outages all the way up to breach notifications,” Howie says.

Violino is a freelance writer in Massapequa Park, N.Y. You can reach him at bviolino@optonline.net.