Governance, Risk & Compliance Advisory Blog
Insights on best practices related to IT Audit & Compliance

Securing the Clouds

September 2, 2011 20:29 by Shashi Shekhar Vyas

Addressing risks in Cloud Computing

IT can deliver almost anything you can think of, and the latest entrant is the cloud, already the phrase du jour in the IT coliseum. Clouds are on the rise, and so are the organizations looking to capture clouds for their business practices.

Cloud computing has changed the approach: a cloud user now needs only a browser to access the company's network. And this raises risk and compliance concerns.

Being a part of GRC, we know what matters most to organizations, and here it is their corporate data, which they may put on off-premise servers. So are the clouds safe? What are the risks involved? Will the data (kept off-shore) still comply with the company's internal compliance mandates?

Being in the GRC domain, I had serious questions in front of me: are clouds secured and safe, and what should they do to adhere to IT security norms? How can they be well equipped to address any IT security concern raised, as any organization would want clouds to be safe before putting its enterprise data on board?

In the current economic scenario, businesses, especially mid-size ones, may feel the need for cost reduction and look to this technology to source some or all of their computing services from the cloud; what may hold them back are the security concerns. To pass the risk and compliance test, they would need to address the concerns that come with clouds, not only for IT auditors but also for themselves. A lack of a robust methodology for identifying risk areas and staying compliant may derail the whole concept of clouds.

First, we discuss the various planks which can be of major concern to data owners:

·      SaaS, PaaS and IaaS: Cloud providers use Software as a Service (SaaS), Platform as a Service (PaaS, i.e. providing cloud users a platform on which to build software applications) or Infrastructure as a Service (IaaS, e.g. servers) to deliver a single application through the browser to multiple clients.

·      Use of web services: Use of web services like search engines, web portals, etc.

·      Use of Utility Computing in Clouds: Utility computing, i.e. the utilization of services and computing resources such as virtual Data Centers.

Risks Involved

·      SaaS, PaaS and IaaS: The risk of using SaaS, PaaS or IaaS is that all these platforms raise issues of identifying user accounts (duplicate user accounts), their roles and rights, and misalignment of data; in short, concerns of authorization and authentication. Here, the onus of data security lies not only on the data owners but also, to a major extent, on the cloud providers (Cloud Service Providers), as the data is stored on third-party software, storage blocks or platform-based clouds.

·      Use of web services: The use of web services in the clouds is crucial to IT security, as traditional vulnerabilities like viruses and spyware are always of concern. Apart from the traditional villains resting on the web, the security of the enterprise data transmitted to these web services is also under scrutiny.

·      Use of Utility Computing in Clouds: Utility computing raises a high level of security concern, as the mission-critical data of organizations comes under scrutiny. Access to crucial and critical IT environments such as Data Centers has always been of high concern to organizations. The fear of clouds growing dark rises as we are now looking at the prospect of a 'virtual Data Center'.

Compliance practices to tackle the risks

Addressing risk and compliance aspects is fundamental for clouds to grow. This is important because no GRC umbrella over an organization's cloud cluster would mean a complete degradation of its enterprise data and its business practice. The best practices for tackling the risks mentioned are suggested below:

·      SaaS, PaaS and IaaS: Organizations need to focus on data security, which becomes highly important as the clouds reside on storage blocks, software or platforms. User accounts and their roles and rights are absolutely crucial, and their authorization and validation must be a primary focus for organizations. Organizations / data owners here would also require robust cloud-based third-party policies, rather than just the orthodox enterprise third-party policies, for the service providers who own the clouds (as the data no longer rests in their own environment or facility).

·      Use of web services: Filtering (URL filtering) what may be viewed on the basis of user roles is an effective measure when using web services on the clouds. This ensures that each cloud user accesses only what is actually necessary for their role, and it takes care of access to attractive but distracting information / services, which give traditional intruders an easy route in. Where web security is outsourced to a third party, SLAs / KPIs and related policies must not only focus on web-security and filtering concerns but must also cover the services that curb and prevent data loss. Here, the responsibility for these measures lies primarily with the organizations that own the data, because it is not just their data residing on the clouds; they actually share a room out there! What is notably important here is to establish the guidelines and policies that need to be built around these risks and to consistently keep a check on them.

·      Use of Utility Computing in Clouds: To overcome security concerns related to utilities like virtual Data Centers, it is highly recommended to locate the security concerns and risks and classify them in depth as low, medium or high level. The policies, authorization and access controls for Data Centers must not only highlight but also address the risk areas and concerns that have been analyzed. The backup and restoration methodologies adopted are of high significance too, because the Data Centers in the clouds are not just located off-shore but are virtual as well. So, if organizations do not want the clouds to grow dark, it is important to focus primarily on the following aspects:

·         Policy management and audit capabilities for themselves and cloud-providers

·         IT security controls and the ability to transport and archive enterprise data

·         Addressing poor visibility into risk exposure properly

·         Avoiding lack of alignment from not having risk and compliance processes embedded within the business

Best practices ensure that organizations and their corporate and enterprise data remain on cloud nine. Clouds are always pleasant to watch, and GRC is all about ensuring they don't grow dark. We won't.



An overview on auditing Oracle Applications and Database

January 10, 2011 02:04 by nirav

Oracle provides a vast set of options for enabling audit. However, most companies struggle to understand how to use them and which options need to be enabled in order to be compliant. There is also the question of which audit options can be enabled without any compromise on the performance of the systems. The solution is to strike a balance between properly configuring auditing and auditing only the appropriate tables, those whose auditing will not have any measurable performance impact; therein lies the challenge.

Below are some pointers that organizations should keep in mind in order to make the best use of the audit options that Oracle provides, while not compromising performance.

Initial Steps

One of the simplest ways to audit is to ensure that a basic set of audit trails is enabled at all times. These can be as basic as ensuring that system logs capture user access and the privileges assigned to the various users. Also ensure that logs capture the changes being made to the database schema and the users making those changes. Although this may not be the most comprehensive of audits, it ensures that attacks can be detected and that other, more detailed audits can then be enabled.

Auditing Users

Oracle's standard audit commands allow all system privileges to be audited, along with object-level access to any table or view in the database for select, delete, insert or update. Auditing can be activated for successful attempts, for failures, or for both. Audit trails can also be enabled for individuals or groups, and by privilege level. With action-level auditing, an individual record is created per action; at session level, one record is created for all audited actions in a session.
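The two sections above describe a baseline (who connects, which privileges are assigned, who changes the schema) and then statement and object auditing selected by success or failure and by action or session. The following is an added example, not code from the original post, showing how those choices look as Oracle standard-auditing (AUDIT) statements on an 11g database. The schema HR, the table HR.EMPLOYEES and the account BATCH_USER are assumed sample names, and the statements must be run by a user holding the AUDIT SYSTEM privilege.

```sql
-- Added example (not from the original post): baseline standard auditing on Oracle 11g.
-- Assumed sample names: schema HR, table HR.EMPLOYEES, application account BATCH_USER.

-- 0. Write the trail to the database, including SQL text and bind values.
--    Takes effect after a restart; confirm with SHOW PARAMETER audit_trail.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 1. Initial steps: who connects, and changes to users, roles and privileges.
AUDIT SESSION;                                  -- one record per logon, success and failure
AUDIT USER;                                     -- CREATE / ALTER / DROP USER
AUDIT ROLE;                                     -- CREATE / ALTER / DROP / SET ROLE
AUDIT SYSTEM GRANT;                             -- GRANT / REVOKE of system privileges and roles
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER USER;   -- use of the powerful system privileges

-- 2. Initial steps: schema changes, whoever makes them.
AUDIT TABLE, ALTER TABLE, INDEX, VIEW, PROCEDURE, TRIGGER;
AUDIT ALTER ANY TABLE, DROP ANY TABLE, CREATE ANY PROCEDURE;

-- 3. Object-level auditing on one critical table, choosing the granularity:
--    BY ACCESS writes one record per statement (action level), BY SESSION one record
--    per session for the same object and statement type (session level). On 11g
--    some statement and privilege options are written per access even under BY
--    SESSION, so verify the behaviour on your release.
AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT SELECT ON hr.employees BY SESSION;

-- 4. Failures only: a privilege-denied SELECT anywhere is worth a record, while
--    every successful SELECT in the database would be noise.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE WHENEVER NOT SUCCESSFUL;

-- 5. Per-user auditing of a high-privilege account.
AUDIT DELETE TABLE, UPDATE TABLE BY batch_user BY ACCESS;

-- 6. Verify what is now enabled, then read the trail.
SELECT audit_option, user_name, success, failure FROM dba_stmt_audit_opts ORDER BY 1, 2;
SELECT privilege, user_name, success, failure    FROM dba_priv_audit_opts ORDER BY 1, 2;
SELECT owner, object_name, sel, ins, upd, del     FROM dba_obj_audit_opts WHERE owner = 'HR';

-- Last 24 hours; a non-zero RETURNCODE is a failed attempt (e.g. 1017 = invalid password).
SELECT timestamp, username, os_username, userhost, action_name, obj_name, returncode
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```

The DBA_*_AUDIT_OPTS views are the quickest way for an auditor to check that the intended baseline is actually in force; a row with a non-NULL USER_NAME in DBA_STMT_AUDIT_OPTS is a per-user option, a NULL one applies to everybody.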

Tackling Performance Issues

The common misunderstanding is that enabling audit generally makes the system slower and affects performance negatively. Although this feeling may not be without reason, the real cause may also be unawareness of how to balance audit and performance. If all audit trails are enabled, yes, performance may be affected. However, it is also true that this will churn out an audit trail which really may not make much sense: it will be extremely difficult to manage and interpret such huge amounts of data into something that can be used as an effective control mechanism. The key here is to "Keep It Simple". As mentioned earlier, organizations need to identify the critical tables and, for starters, enable audit trails only on those tables. If any attacks are detected, they can be probed further. The same applies to user-level auditing: organizations need to decide whether to turn on action-level or session-level audit without affecting the performance of the systems. Although much may be said about performance, it is also true that audit needs must be catered to, and the balance between the two is typically where organizations struggle.
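Putting "Keep It Simple" into practice means first seeing what the trail currently costs and then narrowing it. The following is an added example, not code from the original post: queries that show how large the trail is and which objects and users fill it, the NOAUDIT/AUDIT changes that replace a blanket option with audits on the critical tables only, and a retention job using Oracle's DBMS_AUDIT_MGMT package (available from 11.2). HR.EMPLOYEES and HR.SALARIES are assumed sample tables.

```sql
-- Added example (not from the original post): measuring and trimming the standard
-- audit trail. Assumed sample objects: HR.EMPLOYEES, HR.SALARIES.

-- 1. How big is the trail, and what has been filling it over the last 7 days?
SELECT ROUND(bytes / 1024 / 1024) AS aud_mb
FROM   dba_segments
WHERE  owner = 'SYS' AND segment_name = 'AUD$';

SELECT owner, obj_name, username, action_name, COUNT(*) AS records
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 7
GROUP  BY owner, obj_name, username, action_name
ORDER  BY records DESC;

-- 2. A blanket option such as SELECT TABLE for every user is the usual culprit:
--    one record per SELECT across the whole database. Drop it, but keep failures,
--    which are rare and are the ones that indicate probing.
NOAUDIT SELECT TABLE;
AUDIT SELECT TABLE WHENEVER NOT SUCCESSFUL;

-- 3. Audit only the critical tables, with the granularity chosen per table:
--    changes at action level (per statement), reads summarised per session.
AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT INSERT, UPDATE, DELETE ON hr.salaries  BY ACCESS;
AUDIT SELECT ON hr.employees BY SESSION;
AUDIT SELECT ON hr.salaries  BY SESSION;

-- 4. Confirm that no broad, all-users option is left behind (USER_NAME IS NULL).
SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  user_name IS NULL
ORDER  BY audit_option;

-- 5. Retention (11.2 or later): keep 90 days online and purge older rows from a
--    scheduled job instead of letting SYS.AUD$ grow without limit. INIT_CLEANUP runs
--    once per database (it also relocates AUD$ to SYSAUX); running it again raises
--    an error. The archive timestamp is a fixed mark, so advance it after each
--    export of the trail, or the purge job will stop finding rows to delete.
BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    default_cleanup_interval => 24);                       -- hours
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,                      -- hours
    audit_trail_purge_name     => 'PURGE_STD_AUDIT_90D',
    use_last_arch_timestamp    => TRUE);
END;
/
```

Run step 1 before and a week after the change: the per-object counts tell you whether the remaining volume comes from the tables you chose or from an option you forgot, and the segment size tells you whether the retention job is keeping up.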

Finally, organizations should realize that there is no standard, one-size-fits-all approach to auditing any application or database. What works for one organization may not be good for you, and what used to work earlier may no longer be good today. With the growth of technology as well as cyber crime, you need to keep updating your triggers as well as your audit trails. Row-level audits may not be the solution to all audit questions. Management inclination towards better audit is a must. It needs to be complemented by better reporting and governance structures in order to ensure that information is secure.

