A growing portion of the applications we use at Cisco are hosted on third-party clouds. In fact, the Information Security (InfoSec) team now conducts more security assessments for applications hosted on public clouds than for applications hosted on-premises. “Rather than resisting the move to a world of many clouds because of security concerns, we’re embracing the shift,” says Mohammed Iqbal, Cisco InfoSec architect.
We’re working on two projects to protect confidential data stored on third-party clouds. One is creating trusted services that consider the context of a request before granting access. The other is extending our network and security policies to approved third-party clouds.
Making Applications Smarter About Granting Access
Today our third-party cloud applications grant access based on user identity: username, password, and sometimes a one-time token. Now we’re making applications smarter about granting access. The project is called Trusted Service. The concept is that the application itself will take the necessary steps to stay secure and keep its data secure.
The first step in creating a Trusted Service is to make the application aware of the context of requests. The context includes not only who is making the request but also where, how (wired, wireless, or VPN), when, and with what device. With this information, the application can take the appropriate action to safeguard itself and its data. To achieve this goal, we plan to connect the Cisco® Identity Services Engine (ISE) in our data center to cloud applications. ISE will communicate with the application using a standards-based protocol.
We’re in the process of developing a monitoring framework for our third-party cloud service providers. Suppose an employee named Aaron signs into a cloud service that stores highly confidential documents. Here’s the vision: the monitoring agent we’ve deployed on the third-party cloud sees that Aaron is attempting to download a document. Using our API, the agent asks the ISE in our data center to report which device Aaron is using. ISE sends a message that the device is untrusted. The agent immediately takes the actions we’ve specified when a user attempts to download documents onto an untrusted device. The policy might be to block access to the file entirely, for example, or to block the download but allow Aaron to view the document.
Figure 1. Cisco ISE Considers the Context of a Request Before Granting Access
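The decision the monitoring agent makes in the scenario above, written out as a small context-aware policy check. This is an added illustration, not Cisco's agent or the ISE API; the device posture table, the device ids, and the `decide`/`device_trust` functions are constructed stand-ins for the lookup the agent would make against ISE.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"           # serve the document as requested
    VIEW_ONLY = "view_only"   # render in the browser, refuse the download
    BLOCK = "block"           # refuse access to the document entirely

@dataclass(frozen=True)
class RequestContext:
    user: str
    operation: str       # "view" or "download"
    access_method: str   # "wired", "wireless", or "vpn"
    device_id: str

# Constructed stand-in for the posture data ISE would report over the API.
# Hypothetical device ids; a real agent would query ISE, not a dictionary.
DEVICE_POSTURE = {
    "laptop-0042": "trusted",
    "kiosk-lobby-1": "untrusted",
}

def device_trust(device_id: str) -> str:
    """Hypothetical ISE lookup. A device ISE has never seen is treated as untrusted (fail closed)."""
    return DEVICE_POSTURE.get(device_id, "untrusted")

def decide(ctx: RequestContext, classification: str, block_untrusted: bool = False) -> Action:
    """Return the action for a request against a document of the given classification.

    block_untrusted selects between the two policies the text mentions: block the
    file entirely, or block only the download while still allowing the user to view it.
    """
    if classification != "highly_confidential":
        return Action.ALLOW                      # context checks gate only sensitive data
    if device_trust(ctx.device_id) == "trusted":
        return Action.ALLOW
    if block_untrusted:
        return Action.BLOCK
    # Untrusted device: viewing stays allowed, a download is downgraded to view-only
    return Action.VIEW_ONLY if ctx.operation == "download" else Action.ALLOW

def audit_line(ctx: RequestContext, action: Action) -> str:
    """One record per decision, so the control can be reviewed over time rather than once."""
    return (f"user={ctx.user} op={ctx.operation} via={ctx.access_method} "
            f"device={ctx.device_id} trust={device_trust(ctx.device_id)} action={action.value}")

if __name__ == "__main__":
    aaron = RequestContext("aaron", "download", "wireless", "kiosk-lobby-1")
    print(audit_line(aaron, decide(aaron, "highly_confidential")))
```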
Intercloud Fabric Extends Policies to Third-Party Clouds
In parallel with the Trusted Service project, we’re developing a trusted hybrid cloud model. The idea is to extend our data center to approved third-party clouds (Figure 2).
“The same network and security policies will apply to applications whether they are hosted on our private cloud [CITEIS] or the public cloud,” says Sudesh Gadewar, InfoSec cloud security architect. The underlying technology is Cisco Intercloud Fabric™, which creates an encrypted IP Security (IPsec) tunnel between clouds. “Intercloud Fabric makes it easy for application teams to move the application back and forth, eliminating any motivation to host applications or data on non-approved clouds,” Gadewar says.
We’ve completed a proof of concept using Intercloud Fabric to host supply chain applications on a third-party cloud. Data travels between our data center and the third-party cloud by way of Cisco Intercloud Fabric Firewalls installed in both locations. The proof of concept was a success. “People accessed the application in the private cloud exactly as they would have if it were hosted on CITEIS,” says Gadewar. “Security did not change the experience.”
Figure 2. Cisco Workforce Uses a Variety of Clouds
We have several motivations for finding a better way to secure external cloud applications:
● Facilitating fast IT: Until now, application owners had to complete a lengthy security questionnaire from InfoSec. “The questionnaire generally takes two weeks for the application owner to complete and two weeks for us to review,” says Bassem Khalife, senior IT program manager. “We want to speed up assessment so that Cisco teams can start taking advantage of new applications sooner.”
● Making sure that application security doesn’t degrade over time: “Our biggest security challenges are incidents that happen outside the Cisco network,” says Iqbal. For example, an attacker might try to intercept data traveling between two external clouds. Or an employee might use a cloud service that is approved for confidential information to share information classified at a higher sensitivity level than the service is approved for.
● Avoiding risks from infected endpoints: Many security incidents happen because of compromised endpoints rather than application vulnerabilities. Examples include malware-infected tablets or public kiosks. Using ISE to check the device’s security posture before granting access reduces this risk.
● Ensuring that application data is up to date: Currently we use batch processing to update application databases hosted on third-party clouds. If we’re confident that intercloud communications are secure, we can update databases in real time.
● Scaling automatically: With a secure hybrid cloud model, we can automatically provision the right amount of third-party cloud infrastructure based on current workload. Automatic provisioning avoids slow performance resulting from not having enough infrastructure. It also avoids paying for more infrastructure than needed.
Iqbal concludes, “As public clouds have matured, so has their security. But it’s up to the tenant to use public clouds in a secure manner. That’s why we’re shifting how we do security assessments. Instead of conducting a one-time assessment, we’re implementing controls to make sure we continue to use the application securely over time. The result is a trusted service for employees, partners, customers, and our IT team.”
For More Information
Cisco Identity Services Engine
Cisco Intercloud Fabric
To read Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT http://www.cisco.com/go/ciscoit.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.