Securing a Cloud Environment With a Telco Cloud Provider

Tuesday, July 25, 2017


Nowadays, nobody can deny the remarkable benefits of cloud computing, both infrastructure as a service (IaaS) and software as a service (SaaS). Cloud computing drives cost savings, the agility to meet customer demands, and innovation; it is, definitively, a fundamental factor in corporate digital transformation. On the other hand, cloud computing also adds some complexity to IT security, since organizations delegate part of the responsibility for storing and controlling sensitive data to third parties. In this article we aim to identify the security handicaps of the cloud and to propose a security model from the perspective of a Telco Cloud Provider, to make the journey to the cloud easier and safer.

IT and security professionals are fully aware of information security risks and of how they apply to cloud environments. However, the continuous bombardment of news about cyber-attacks, apart from raising security awareness among the general public (which is clearly needed), is contributing to spreading some misleading ideas about the level of security in the cloud.

Which do you consider more convenient: stuffing money in a mattress or depositing it in a bank? If you keep your money at home it will always be available (simplicity), and you may be less likely to be a target for criminals; but if for some reason somebody breaks into your house you will certainly need the best protection systems. Are you able to implement security measures comparable to a bank's?

As IDC presented in its 2016 CloudView report, security concerns remain the key inhibitor to continued cloud growth. Is this impression based on facts? We believe not. Most cyber-attacks are not related to the cloud infrastructure itself and cannot be ascribed to the cloud service provider. Gartner supports this view in a recent analysis, predicting that through 2020, 95 percent of cloud security failures will be the customer's fault.

Although the security risk is fundamentally the same in a cloud environment as on premises, the cloud introduces three main handicaps, namely: complexity, vulnerable communications and exposure.

Complexity of a borderless environment
The boundaries of today's organizations have been demolished by technologies such as mobility, software-defined networking (SDN) and cloud services, and also by operational demands such as secure production processes and supply chains. As revealed by a Gartner press release: by 2018, 25% of corporate data traffic will flow directly from mobile devices to the cloud, bypassing traditional enterprise security controls. This is a real pain for IT departments, which inevitably have to deal with dozens of third-party cloud services, SaaS application providers and shadow clouds, not only from within the perimeter but also from outside it, which seems practically impossible to manage.

Organizations therefore require cloud service providers to implement proper security controls, at least comparable to what the customer would put in place in its own datacentre, and, additionally, to establish flexible and effective control and notification mechanisms.

Quality of Service in communications
Although customers can access their Virtual Private Clouds over the Internet, this option presents diverse and costly inconveniences, such as communications security issues, latency, delays, packet loss and jitter, among others. This definitively does not guarantee the quality of service (QoS) expected of a data network in a professional environment when it comes to accessing corporate applications.

Exposure of applications
When leaving the perimeter and making use of SaaS, or of customer applications running on IaaS, there is greater exposure and vulnerabilities are much easier to exploit. This risk is an indirect consequence of migrating corporate applications to the cloud, not something intrinsic to the cloud itself: it comes from the unresolved vulnerabilities of corporate applications which, in a closed environment, had gone unnoticed. Since organizations have accepted that living in a hole in the ground is no longer an option, it is necessary to implement some best practices, such as security monitoring, vulnerability assessment, and identity and access management.
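As an added example (not part of the original article, and not Telefónica's or any cloud provider's code): the practical first step against this kind of exposure is to inventory which administrative ports of the migrated applications are reachable from the Internet at all, because those are the services that the old perimeter used to hide. The script below audits a constructed set of IaaS firewall (security-group) rules for admin services open to 0.0.0.0/0 and rewrites the offending rules so that they accept only an assumed corporate prefix. The rule format, the port list, the sample rules and the corporate prefix are all assumptions made here, not taken from any real deployment or provider API.

```python
"""Audit a set of IaaS firewall (security-group) rules for Internet exposure.

The rule structure and the sample rules are constructed for this example and
do not follow any cloud provider's real API.
"""
import ipaddress
from dataclasses import dataclass, replace

# Administrative / data-plane ports that should never be reachable from the whole
# Internet once an application that used to live inside the perimeter moves to IaaS.
ADMIN_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
    1433: "mssql", 6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "tcp", "udp" or "any"
    port_from: int        # inclusive port range
    port_to: int
    sources: tuple        # source CIDRs allowed to reach the port range


def world_reachable(cidr: str) -> bool:
    """True when the source range is the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, port, service) for every admin port open to the world."""
    findings = []
    for rule in rules:
        if rule.proto not in ("tcp", "any"):
            continue
        if not any(world_reachable(src) for src in rule.sources):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule.port_from <= port <= rule.port_to:
                findings.append((rule.name, port, service))
    return findings


def harden(rules, trusted_cidrs):
    """Return a copy of the rules in which every rule flagged by audit() has its
    world-reachable sources replaced by the trusted ranges (e.g. the corporate
    prefix that reaches the VPC over the private WAN). Other rules are kept."""
    exposed = {name for name, _, _ in audit(rules)}
    hardened = []
    for rule in rules:
        if rule.name in exposed:
            kept = tuple(s for s in rule.sources if not world_reachable(s))
            hardened.append(replace(rule, sources=kept + tuple(trusted_cidrs)))
        else:
            hardened.append(rule)
    return hardened


# Constructed sample: a web tier that is legitimately public, plus the kind of
# rules that go unnoticed behind a corporate perimeter but not on IaaS.
SAMPLE_RULES = (
    Rule("web-public", "tcp", 443, 443, ("0.0.0.0/0",)),
    Rule("ssh-anywhere", "tcp", 22, 22, ("0.0.0.0/0",)),
    Rule("db-wide-open", "tcp", 0, 65535, ("0.0.0.0/0", "10.0.0.0/8")),
    Rule("ssh-corp", "tcp", 22, 22, ("198.51.100.0/24",)),
    Rule("dns-udp", "udp", 53, 53, ("0.0.0.0/0",)),
)
CORP_PREFIX = ("198.51.100.0/24",)  # assumed corporate range (RFC 5737 documentation prefix)

if __name__ == "__main__":
    for name, port, service in audit(SAMPLE_RULES):
        print(f"EXPOSED  {name}: {service}/{port} reachable from the Internet")
    for rule in harden(SAMPLE_RULES, CORP_PREFIX):
        print(f"HARDENED {rule.name}: {rule.proto} {rule.port_from}-{rule.port_to} from {rule.sources}")
```

Note that the public web rule is left untouched: the check only flags administrative services, which is exactly the class of ports that a corporate perimeter used to shield and that an IaaS migration silently exposes. In a real environment the same logic would be fed from the provider's rule export instead of the constructed sample.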

Security of the cloud
Cloud providers focus on securing the infrastructure itself, implementing mechanisms similar to those of a traditional datacentre and making these measures transparent to customers. These measures include:
  • Data resilience in multiple regions: the cloud provider must have distributed storage in multiple regions to ensure global availability. As part of its global cloud services offer, Telefónica offers nodes in different countries to address local regulatory requirements, without undermining the unified, global perspective that multinational clients may require, nor the portability of information between regions.
  • Segmentation: in a shared environment, complete isolation between tenants must be ensured, so that the use (or abuse) of resources by one of them does not affect the performance of the rest.
  • Certifications: third-party certifications provide assurance regarding the implementation of security controls. Organizations such as the Cloud Security Alliance (CSA) award certifications such as CSA STAR, which builds on the ISO/IEC 27001 family of standards and is tailored specifically to cloud services.

Security towards the cloud
The best option to address the communication issue between the private network and the VPC is to extend the customer's virtual private network (VPN) over IP/MPLS technology with global coverage. Then all corporate resources (instances, databases or endpoints), regardless of where they are, are visible as if on the same LAN. This model also makes it easy to add a further security layer by means of next-generation firewalls deployed in the access network itself to filter and block malware and unwanted traffic, an approach known as Clean Pipes. Finally, organizations can delegate the deployment of the perimeter defence to the Internet access provider, obtaining an easily scalable architecture, greater resilience and a cost reduction (moving CAPEX to OPEX); and if the Internet access provider also supplies the cloud environment, the synergies are quite remarkable and end-to-end security can be ensured.

Additionally, an integrated proposal for cloud and telecommunications services also allows you to contract differential best-of-class services, such as the AntiDDoS (Global Shield) service, which stops attacks in the network before they even reach the datacentre.

Security in the cloud
A competent cloud platform shall include a set of security services to secure the environment and the customer's applications, such as:
  • Visibility and control: it is worth highlighting the importance of tools that give intuitive visibility into the overall security posture, as well as cross-platform monitoring, detection and response tools. A vulnerability analysis platform such as Vamps can be integrated into testing processes and contribute to a more secure development process.
  • Integration with managed security platforms: a differential factor of an integral security proposal for the cloud is its level of integration with Managed Security Services (MSS). If the same provider can offer both, complexity, the main handicap of managed security, is strongly reduced. Telefónica has specifically defined its cloud security solution with this principle in mind, to simplify day-to-day operation.
  • Identity management and authentication: the cloud services platform must offer comprehensive, generic identity management, interrelated with that of the other services used by the organization, such as communications or applications. For this, Telefónica includes well-known services such as Latch and Mobile Connect in its cloud services offer.
  • Security governance: additionally, interaction between the resources deployed in the cloud environment and risk management and compliance tools brings a higher level of security understanding. Telefónica's portfolio includes a specific regulatory compliance solution, Sandas GRC, which interacts with Telefónica's cloud environment to provide real-time risk and regulatory compliance information.

The Telco Cloud Provider solution
The Telco Cloud Provider model has multiple benefits, since it comprises, in one integral offering, hosting, security of the platform itself, QoS and secure communication between the private network and the VPC (Virtual Private Cloud), and security for both the customer environment and its applications. This model brings multiple advantages, such as scalability, compatibility, resilience, global visibility and a significant cost reduction.

In summary, Telefónica, thanks to its capacity as an integral provider, is able to offer a unique cloud security solution that combines cloud hosting with Telefónica's renowned experience in communication services and with the most advanced protection of ElevenPaths' products, operated from Security Operations Centers (SOCs) all over the world.

Mercedes Soto Rodríguez
Cloud Security Product Manager

Francisco Oteiza Lacalle
Managed Security Product Manager
