
/ photo by Joe Grand CC
According to statistics, a third of US businesses use the cloud. It is expected that by 2020 the number of cloud consumers will double. A similar situation is observed in Russia. Despite the crisis, the number of companies using cloud solutions is growing every year. The Russian cloud market grew by 25% and reached 16.5 billion rubles in 2015, and it is expected that by 2018 this figure will increase to 32 billion rubles.
Clouds are gradually becoming the main part of IT, so companies have to pay attention to security issues. And identifying threats is the first step to minimizing risks. At the RSA conference held in March of this year, the Cloud Security Alliance (CSA) presented a list of 12 cloud security threats that companies face.
The first item was a data leak. The cloud is exposed to the same threats as traditional infrastructures. Due to the large amount of data that is currently being transferred to the clouds, the sites of cloud hosting providers are becoming an attractive target for attackers.
The security and availability of cloud services also depend on how well developed the access control and encryption mechanisms in the API are. Weakly secured interfaces become a weak point for availability, confidentiality and integrity.
For these reasons, the CSA recommends controlling access, using protection tools and tools for early detection of threats, as well as multifactor authentication and encryption. Do not forget about logging, monitoring and auditing events for individual accounts.
Another reason for the use of these security mechanisms is the problem of corporate mobility - BYOD (Bring Your Own Device).

/ photo by Henri Bergius CC
The fact is that 40% of US employees use personal devices for work tasks and often store work data on their own drives. At the same time, 83% of respondents admit that they prefer cloud applications to traditional solutions. As for Russia, the numbers are comparable.
“Personal smartphones in Russia are used at least as often as personal computers,” notes Mikhail Alperovich, director of the Laboratory of Protected Mobility at Digital Design. “According to my estimates, the penetration rate of BYOD in the category of smartphones in Russia is about 30%.”
The fact is that a legitimate user who has access to unprotected cloud resources can get copies of corporate files and save them on their device. The danger here is that data may fall into the hands of third parties. This is possible, for example, in the case of theft or loss of a smartphone, and according to statistics, 70 million mobile devices are lost every year. This is a serious security threat.
Despite all the problems, it is still possible to provide reliable data protection in the cloud.
CASB - Cloud Access Security Broker
CASB (Cloud Access Security Broker) is a unified security tool that allows administrators to identify potential risks and provide a high level of protection. Today, only 5% of businesses use CASB, but the tool is gaining popularity, and, according to experts, this figure will increase to 85% by 2020.
The solution provides a single point of control for all cloud applications used by the company. This control is manifested in various forms: access control, data leakage prevention, encryption, etc. A broker manages connections between cloud applications and the outside world using a proxy and API.

The solution works in conjunction with the cloud infrastructure of the hosting provider, providing the ability to monitor shared files. Thus, administrators know where the content is stored and with whom it is shared.
Data encryption
According to ZDnet, encryption is one of the most reliable ways to protect data transferred between networks. “This is one of the most common ways to protect data from unauthorized access,” writes system administrator Ken Hess, “and a response to the doubts of companies starting with BYOD.”
Encryption can protect information on mobile devices, but only when used correctly. To do this, managers must implement encryption at all stages of the data life cycle (both during transmission and storage). This is important because applications on smartphones, laptops and tablets gain access to the company's network and cache corporate data. If the device is lost, that cached data may leak.
Creating and managing encryption keys is a major part of the cryptographic process. The use of symmetric algorithms requires the creation of a key and an initialization vector, which must be kept secret from all persons who do not have rights to decrypt data. Using asymmetric algorithms requires the creation of a public and private key. The public key can be provided to anyone, while the private key is known only to the person for whom the encrypted data is intended.

The asymmetric encryption method is based on the use of a pair of different keys: a public key and a private key. If encryption was performed with a public key, the private key should be stored in a secure place, separate from the encrypted data. In this case, even if important encrypted information falls into the attacker's hands, he will not be able to read the contents. An approach whereby encrypted data and encryption keys are separated from each other is a good guarantee of security.
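The two paragraphs above (a symmetric key with an initialization vector, and a public/private pair whose private half is kept apart from the encrypted data) combine into hybrid encryption, sketched here as an added example that is not part of the original article. It uses Node's built-in crypto module; the function names are hypothetical, and the IV is stored next to the ciphertext because AES-GCM needs it to be unique per message rather than secret.

```javascript
const crypto = require("crypto");

// Key pair of the data owner. In production the private key lives apart from
// the ciphertext (e.g. in a key-management service); here it stays in memory.
function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// RSA-OAEP parameters used to wrap and unwrap the symmetric data key.
function oaep(key) {
  return { key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
}

// Encrypt with a fresh AES-256-GCM key and IV, then wrap the key with the public key.
// Everything returned is safe to store in the cloud next to the data.
function seal(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32); // symmetric key, never stored in the clear
  const iv = crypto.randomBytes(12);      // fresh for every message
  const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(oaep(publicKey), dataKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Only the holder of the private key can unwrap the data key and decrypt.
// Throws if the key is wrong or the stored blob was modified.
function unseal(privateKey, blob) {
  const dataKey = crypto.privateDecrypt(oaep(privateKey), blob.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
}

// True when the blob decrypts and authenticates, false otherwise.
function canUnseal(privateKey, blob) {
  try {
    unseal(privateKey, blob);
    return true;
  } catch {
    return false;
  }
}
```

A copy of the sealed blob on a lost device or a leaked storage bucket is unreadable without the separately held private key, and the GCM tag makes any modification of the stored ciphertext detectable.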
As for IT-GRAD, for data encryption in the cloud we suggest using Trend Micro SecureCloud. Architecturally, the solution consists of a management system, provided as a service with access via the management console, and agents installed on the protected virtual machines.
The solution usage model assumes that the virtual machine disks are encrypted using encryption keys stored in the SecureCloud system. Through it, the processes of initial encryption or decryption of protected disks are initiated. When you try to access data, the SecureCloud system is accessed, after which the encryption key for decrypting the data is issued either automatically or only after the approval of the administrator.
P.S. Yesterday's post: 25 books on the topic of cloud computing.