Security in the age of the cloud

Klaus Manhart, Computerwoche

Monday 24 April 2017

Security continues to be a central issue for many companies, which is not surprising given the attention it often gets in the media. The fact is, when a company’s IT security is breached, the consequences are enormous. Many experts consider the cloud to be the number-one security risk. However, you can improve the security of your company data by taking relatively simple actions.

Growth in cloud solutions is causing some concern among companies regarding security, but why?

The cloud architecture relies on IT resources that are distributed and can be activated and deactivated depending on need. Compared to the PC age, this is resulting in a completely new set of security problems. For example, cloud attacks have increased – from simple DDoS (distributed denial-of-service) to highly complex threats that can very quickly cause severe damage to a company.

Two of the most vulnerable targets during cloud attacks are current internet-capable devices and the HTTP protocol. The interfaces (APIs) to IT systems that cloud suppliers use today are other sources of risk. And this is just scratching the surface.

At the recent RSA Conference, the internationally recognised Cloud Security Alliance (CSA) gave a lecture titled the Treacherous 12, a discussion of the 12 biggest security risks in the cloud that companies must urgently address.

Many companies and users are concerned about these developments. According to an Intel study of 800 IT decision-makers from the US, China, Germany and Great Britain, 69 per cent were worried about security and data protection in private clouds. For public clouds, that number rose to 87 per cent. And for good reason: almost one-third of public cloud users reported concrete security issues and 65 per cent estimate the number of incidents is even higher than in traditional IT set-ups. The IT business world expressed little surprise at the findings.

Security breaches represent not only a risk for the data, but also for the employees and the reputation of a company. They entail immense costs, as studies show. In fact, cyber security incidents cost UK firms £34.1bn in the past year. The same study estimates the cost of data theft incidents to be £6.2bn; the report compares that to burglary costs which are reported to be over £5.8bn during the same period.

Best practices for cloud use

By implementing best practices, companies can minimise risks from cloud technologies. The use of properly monitored cloud services offers a sufficient degree of security to meet company needs. To guarantee this, security experts recommend several actions to take.

One important security rule is to opt for hybrid cloud infrastructures and hardware, and software solutions from well-known suppliers. Extra precaution should be taken if using public cloud services, especially when dealing with critical company data.

When selecting a provider, users should consider issues such as transparency, complete control and strong encryption. Moreover, a company’s IT managers should contractually arrange with the supplier redundancy systems, reliable backups and comprehensive archiving systems.

Strong authentication procedures must also be in place to reinforce security when logging in. In that process, a carefully parameterised user access via local security consoles is a further sensible option. Companies should also prohibit, if possible, the use of URL shorteners that have proven to be prone to HTTP attacks on cloud data. This is yet another effective safety measure.

In particular, implementing hybrid IT can be a very useful way to get a handle on security problems. Lenovo, one of the leading suppliers of hybrid infrastructures, also sees it this way.

Lenovo advises sensitive information such as personal data to be stored in strictly shielded local IT systems or a private cloud, so that even the highest legal regulations and compliance requirements can be met.

Less sensitive data and applications such as development and test workloads, on the other hand, can be flexibly and inexpensively hosted in the less-secure public cloud. In this way, companies or other users, have an IT setup in which requirements and resources are optimally aligned to one another – while also optimising costs.

How Lenovo supports cloud security

IT administrators should take targeted precautions to guarantee robust company IT security. From an infrastructure perspective, security is multi-faceted. One single technology is not sufficient for the cloud. For this reason, Lenovo’s System x Server is equipped with its Trusted Program Module (TPM) that checks microcode executed on the server. With its TPM, Lenovo thus ensures a high level of security.

A TPM can also function as an identifier. In the virtual world, users must ensure that the code is actually being executed on the machine on which it should be implemented. This is important because a multitude of data is transferred back and forth between machines for processing. The IT administrator must be sure that these data are running on the hardware that is intended for this purpose.

Another Lenovo security feature for protecting users is the encrypted hard drive, which has become an important part of the security infrastructure in modern IT landscapes. Lenovo is working closely with Intel, Microsoft and other software suppliers to be able to improve other security features in their respective products.

Other Lenovo security initiatives

As well as focusing on initiatives that improve cloud security, Lenovo also has programs that improve security across a company’s entire IT system. For example, it founded a Product Security Office (PSO) to ensure that software and hardware development processes are running securely. A security committee checks all products for defects. And a product security incident response team registers all security incidents that are discovered by Lenovo, the industry or various governments or customers.

In addition, the team has many security measures pertaining to its own hardware development. This is how Lenovo builds and maintains the code for the firmware development process on its own servers. The release firmware is always digitally signed in the process; strict protocols define who has access to the signing server; and each component is labelled and lettered so that it cannot be manipulated.

This provides clear evidence that components are authentically designed by Lenovo and not forgeries. All Lenovo suppliers must additionally sign a legally binding agreement that they will comply with all data protection laws in the countries in which they provide services.

In conclusion, many organisations recognise the benefits of the cloud, while noting that there are also security risks. However, to guarantee a secure data and application environment, IT managers should consider partnering with a trustworthy supplier to mitigate their security risks. Lenovo has demonstrated that it has a proactive stance to security, and offers professional solutions that can help businesses to transition to the cloud.

Building the next-gen data centre

Where traditional and web-scale apps co-exist