The Cloud: Secure Enough for Security
We can only secure our assets if we’ve first secured our technology.
“Cloud computing” is a catch-all term that refers to many different technologies and business models. But they are not all created equal. Some are turnkey; others roll-your-own. Some are secure; others easily exploited. Some are publicly accessible; others highly restricted. For cloud-based physical security applications, all of these characteristics are important to consider.
It’s bad enough when a commercial website gets hacked and personal or financial data is compromised, but it’s potentially life-threatening when a physical security system is vulnerable. That’s why we must ask ourselves: If physical security is moving to the cloud where it can be accessed on demand by anyone anywhere (even with restrictions), how do we keep it secure?
Let’s consider this question in three stages:
Varieties of Cloud Computing
The gold standard for defining the various species of cloud models is the U.S. National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing provides a framework that nearly everyone in business, technology and government circles accepts as a productive, vendor-neutral vocabulary for understanding this important shift in computing paradigms.
The figure below summarizes the main categories NIST uses for its framework.
NIST defines each of the first two layers in this diagram as follows.
Deployment Models refer to the scope of the user base for a set of computing resources.
A public cloud is called “public” because it’s available for use by anyone and everyone and is readily accessible over the public Internet. Consumer websites fall into this category, as do most transactional services supporting e-commerce, banking, and other commercial relationships. Many government websites also fall into this category because they are accessible without restriction on the public Internet.
A private cloud is accessible only to a restricted set of users, usually those within a company or other defined group, with the restriction often enforced through network access control (e.g., only available inside company walls). Think of an intranet or HR system that can’t be reached from outside the office network. A cloud might be set up as private for many reasons, ranging from lack of a requirement for public access to regulatory restrictions on dissemination of data.
A community cloud is somewhere between public and private, with access restricted to multiple sets of users who have something in common. Resources shared between multiple federal agencies would be a good example of a “community cloud,” as would a data center shared by sibling companies.
Service Models refer to the level or types of services provided by the cloud system.
The simplest of these, Infrastructure as a Service (IaaS), provides basic computing services such as disk storage and server capacity, with application installation and maintenance left up to the customer. This model emerged early in the hosting industry, and was the subject of last year’s GSA award to 12 separate vendors operating under a Blanket Purchase Agreement to provide basic computing services to the agency. IaaS is basically outsourcing the physical and networking aspects of computing to a third party.
Platform as a Service (PaaS) is usually described as providing one more service layer than IaaS in the form of a programming environment that subsumes many core utility functions, but leaves final application development and behavior up to the end user. Examples of this would include Force.com and Google App Engine. These offerings don’t really do anything on the day that you purchase them; you have to program them by writing your own game, social networking app, or physical security system.
Software as a Service (SaaS) is the turnkey solution among service models, providing a complete application and all the layers beneath it as a readily consumed service. This is the most prevalent model on the Internet today, and accounts for all of the well-known services such as online e-mail, online banking, e-commerce, and just about every other popular service offering. For obvious reasons, SaaS is also the predominant model among cloud-based physical security applications designed to perform specific security management tasks and services. Examples include hosted access control and hosted video, or what is generally called Security as a Service, as shown in the diagram below.
Cloud Models for Physical Security
With information security still being the No. 1 concern voiced about cloud solutions, which cloud models offer the best fit for physical security applications?
Let’s talk about the NIST Service Models first, because there is really only one that offers a strong fit for physical security. On its own, IaaS is a poor contender because installing and securing a single (private) instance of an application would be infeasible for most users. PaaS is out of the running because it requires user application programming of unknown vulnerability. The turnkey SaaS model is what most users want, and because the complete application infrastructure is shared, it can be very effectively secured at a relatively low cost per user.
In terms of Deployment Models, there are several factors at play in the debate over public versus private clouds for applications such as physical security.
One factor is the old bias that private solutions are inherently more secure than public ones simply because they reside on a private network. But in an era when almost every private network is connected with the public network in one way or another, that distinction is losing meaning. So-called “private” corporate and federal networks are penetrated on a daily basis, often with many vulnerable assets exposed once a firewall has been breached. Many industry observers say the odds may be better with a public cloud that is designed from the outset to resist the attacks commonly seen on the public Internet.
A second factor is economics. Private clouds are expensive because costs are not amortized over a large enough user base to provide any significant advantages over traditional computing. Among these expenses are annual security audits, which are often skipped on “small” IT systems such as most physical security applications. The federal government is one of the few examples of an organization large enough that a private federal cloud — a computing infrastructure accessible only to government agencies — can provide enough economies of scale to be a practical solution. We have recently seen numerous federal RFPs requesting cloud solutions for physical security, with a mix of requests for private as well as public solutions.
Securing the Physical Security Cloud
Assuming that the number of physical security solutions using public clouds will continue to grow, what are some of the approaches the industry (or customers) can take to make sure these applications are as secure as possible?
First, there’s an old rule of thumb that says your security is only as good as your last security audit. Vendors need to perform standardized audits, and customers need to insist on them. Within the federal market, this audit requirement has been institutionalized in FISMA (Federal Information Security Management Act) and more recently with FedRAMP, which has a specific cloud focus.
Second, there are many best practices that the cloud industry has already started advocating. Physical security service providers should incorporate these best practices into their own offerings. One of the best sources for this type of information is the Cloud Security Alliance.
Finally, buyers always need to take at least some responsibility for the security of their purchases. Ask questions. Ask about audits. Ask where the data is hosted. Ask whether the service has undergone penetration testing. There are many “top 10 cloud security” lists on the Web — download a few and learn the hallmarks for recognizing good, secure cloud offerings for your physical security solution.