Brought to you by the Cisco Innovators Program
As businesses rush to the cloud, is haste making waste of their data security?
"People make quick decisions about cloud services because the OpEx model is so attractive--but cloud computing requires as much, or more, security attention than your own network services do," says Brian Betzel, EVP at Cisco Premier Certified Partner Infinity Network Solutions, which helps businesses improve their processes by helping them implement and manage technology.
To test your network's cloud readiness, rate your company on the following checklist.
How Are You Controlling Users' Access?
"One-size-fits-all access privileges rarely if ever work," Betzel says. "First define who your users will be--to what cloud resources, when, and from where, with what devices."
After you've defined an initial policy for access privileges, best practices are to apply it by using:
1. Authentication, authorization, and accounting (AAA). These services can be applied automatically to wireless, wired, and VPN access by a single network access control platform. For example, Cisco® Identity Services Engine (ISE), part of the Cisco TrustSec® solution, can see all devices on the network and enforce granular access policies.
2. Context-aware access. Identifying who is connecting to the network--from what device, from where, and when--allows the network to control which applications they can use, and how they can use them. For example, the Cisco TrustSec Security Group Access feature inserts a policy marker (a security group tag) into the packet header that network devices along the data path can read and enforce; ISE serves as the context-based policy platform that assigns those tags.
How Are You Protecting Your Network Perimeter?
"You can try using a traditional firewall, but most businesses find they need more specific controls," says Betzel. "Consider a gateway that is context-aware--aware of application, user, device, and location--and inspects packets in real time, without sacrificing performance."
Best practices at the perimeter include:
3. A high-performance firewall. A context-aware firewall with high throughput and multiple security services increases protection and operational efficiency.
4. An intrusion prevention system (IPS). "Like an armed guard, an IPS inspects what's entering and can dispose of an amazing amount of junk that would otherwise get on your network," says Betzel. IPS is available for a variety of routers and appliances; new Cisco firewalls have separate processors for full IPS capabilities, with no impact on performance.
How Are You Protecting Your Traffic on the Internet?
To safeguard your data when it's outside your network, best practices include:
6. VPNs. "If you have the right firewall at your perimeter, you can easily create high-performance VPNs to a cloud provider," says Todd Ellison, vice president of IT at Venturenet, a Cisco Premier Certified Partner. Venturenet focuses on providing small and medium-sized businesses (SMBs) with enterprise-class solutions, including Exchange and SharePoint hosting.
"We have a customer with a few hundred employees that periodically gets a million or more daily visitors to its website," he says. "Whenever their traffic spikes, they fire up their virtual machines in our cloud, and their Cisco Adaptive Security Appliance [ASA] firewall automatically load balances the traffic to us through VPNs to our ASAs."
"Make using VPNs easy and efficient for your users," he says. "Standardize on one VPN interface so it's the same experience whether they're on a PC or an iOS, Android, or other device." A client that supports both SSL/TLS-based VPNs (including DTLS) and IPsec (including IKEv2) lets users connect the same way regardless of which transport the network permits.
7. Encrypt data and prepare for recovery. Encrypt any sensitive data that will reside with the cloud provider. Also make your own backup of the data stored by the cloud provider, encrypt it, and store a copy physically and/or with another provider.
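The following is an added example, not code from the article or from any Cisco or partner product, of what "encrypt any sensitive data that will reside with the cloud provider" and "prepare for recovery" look like in practice: the customer encrypts a backup record with AES-256-GCM before upload, keeps the key on its own side, binds the blob to its storage path so a copy under another object name cannot be opened, and runs a restore check to prove the stored copy still decrypts. The record, the object path, and the function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey generates a random 256-bit data key. In a real deployment the key
// lives in the customer's own key store, never alongside the backup at the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag,
// which is the only thing handed to the cloud provider. aad is authenticated but
// not encrypted; passing the object path as aad ties the blob to that location.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts and verifies a blob produced by Seal. Any change to the nonce,
// ciphertext, tag or aad makes it return an error instead of corrupted plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RestoreCheck is the "prepare for recovery" step: confirm the stored copy opens
// with the key you hold and matches what you backed up, before you need it.
func RestoreCheck(key, blob, aad, expected []byte) bool {
	pt, err := Open(key, blob, aad)
	return err == nil && string(pt) == string(expected)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a backup export.
	record := []byte("customer_id=1042,card_last4=4242,plan=enterprise")
	// Hypothetical object name at the provider, used as AAD.
	path := []byte("backups/2013-q1/crm.db.enc")

	blob, err := Seal(key, record, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d-byte record\n", len(blob), len(record))
	fmt.Println("restore check passes:", RestoreCheck(key, blob, path, record))

	// Simulate provider-side corruption: flip one bit of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, path)
	fmt.Println("tampered blob rejected:", err != nil)

	// Same blob copied to a different object name: AAD no longer matches.
	_, err = Open(key, blob, []byte("backups/other.enc"))
	fmt.Println("relocated blob rejected:", err != nil)
}
```

The design point is that the provider only ever holds opaque bytes and a 16-byte authentication tag; a wrong key, a flipped bit, or a blob moved to another path all fail closed rather than yielding plausible-looking garbage. Run the same RestoreCheck against the copy held by your second provider or on physical media so that the backup the page recommends is known to be recoverable, not just present.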
A Security Checklist for Your Cloud Provider
Any cloud provider can make security promises. Trust, but verify--and codify.
8. Investigate the reputation and performance of the provider. "We research their history and interview them," says Betzel. "Then we go see their operation in action." Highly automated security and high throughput are desirable attributes.
9. Clarify the security requirements--yours, theirs, and for regulatory compliance. For example, how do they: Protect your data throughout its lifecycle and separate it from other tenants' data? Secure access to administrative controls? Handle vulnerability alerts and patching, and disaster recovery?
10. Document security responsibilities in your service-level agreement (SLA). Time you devote to contract details will be well spent. "Make sure that security scans happen automatically each quarter, and that you have the right to request an annual security audit, including a penetration test," says Ellison.
When do you fly to the cloud? A Cisco Certified Partner can be your expert copilot for strengthening and streamlining your network security; addressing PCI, HIPAA, or other regulatory requirements; and being your advocate when selecting a cloud provider and negotiating your SLA.
Find a local Cisco Certified Partner that can help you with security for the cloud.
Read a white paper about Cisco cloud security solutions for cloud providers and data owners.