When enterprises make decisions on which cloud services to consider, security is the ultimate “table stakes” capability that any cloud provider must prove. There has been great innovation in the industry to assuage mainstream adopters, but not all cloud service providers are consistent in areas of identity management, network security, data security, threat prevention, and more. Organizations and individuals still need to pay close attention to whether cloud service providers are delivering these five main security features:
- Standards-based integration with identity management providers: Integrated identity has become a key enabler to quickly provision and, more importantly, de-provision access to company resources and data. To facilitate this, the service should have an identity solution for its management tools that quickly and easily integrates with the processes the customer already uses, through a standards-based mechanism such as Security Assertion Markup Language (SAML) 2.0, OAuth 2.0 with OpenID Connect, etc. This type of integration also gives the customer complete control over password complexity rules, expiration, and the ability to require various forms of multi-factor authentication. In addition to standards-based integration, the service should also provide an easy-to-use, stand-alone multi-factor authentication (MFA) mechanism for those customers who don’t already have an identity management solution. This encourages the customer to implement strong authentication measures, which help prevent malicious actors from taking control of their accounts. CenturyLink Cloud provides SAML integration today, and we are currently evaluating support for other standards as well as an integrated MFA solution for access to the Control portal.
- Securing Specific API Calls: Today’s cloud providers regularly provide application programming interfaces (APIs) that allow customers to integrate management of their cloud service into third-party management platforms or their own internally built applications. This allows the customer to implement custom workflows or to integrate cloud automations into their existing corporate or customer-facing applications to enhance business agility. While these APIs provide valuable business capabilities for customers, they also introduce an additional attack surface that must be properly protected. Service providers should give customers API authentication mechanisms that are resistant to replay and man-in-the-middle attacks and that provide cryptographic validation of the API messages being sent. These authentication mechanisms should ensure that API commands can only be issued by properly authenticated endpoints, and that each message is authentic and, verified with cryptographically sound techniques, has not been tampered with. The CenturyLink Cloud API uses encrypted transport mechanisms to protect the API transactions from compromise. Future enhancements will focus on implementing additional protections to ensure the authenticity and validity of the transactions.
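As an added illustration of the replay- and tamper-resistant API authentication described above (example code written for this article, not the CenturyLink Cloud API or its actual mechanism): the client signs method, path, body hash, timestamp and a random nonce with HMAC-SHA256, and the server rejects requests whose signature, freshness or nonce does not check out. The secret, path and request body are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a shared secret issued to one API client (placeholder, not a real key).
API_SECRET = b"example-shared-secret-not-a-real-key"
REPLAY_WINDOW_SECONDS = 300   # how far a request timestamp may drift from server time

def canonical_string(method, path, body, timestamp, nonce):
    """Bind every security-relevant part of the request into one byte string to be signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}\n{nonce}".encode()

def sign_request(method, path, body, secret=API_SECRET, now=None):
    """Client side: produce timestamp, nonce and HMAC-SHA256 signature headers."""
    timestamp = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)                     # fresh per request, so replays are detectable
    msg = canonical_string(method, path, body, timestamp, nonce)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": timestamp, "X-Nonce": nonce, "X-Signature": sig}

class Verifier:
    """Server side: check freshness, signature, and single use of the nonce."""
    def __init__(self, secret=API_SECRET):
        self.secret = secret
        self.seen_nonces = {}   # nonce -> timestamp; entries outside the window are pruned

    def verify(self, method, path, body, headers, now=None):
        now = int(now if now is not None else time.time())
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing or malformed auth headers"
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return "stale timestamp"          # outside the replay window, cheap check first
        msg = canonical_string(method, path, body, str(ts), nonce)
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return "bad signature"            # tampered method/path/body or wrong key
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= REPLAY_WINDOW_SECONDS}
        if nonce in self.seen_nonces:
            return "replayed nonce"           # same signed request seen again inside the window
        self.seen_nonces[nonce] = ts
        return "ok"
```

The signature covers integrity and origin, and the timestamp/nonce pair bounds replay; TLS is still needed on top for confidentiality of the request contents.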
- Multi-tier User Management and Billing: In order to properly meet the needs of complex businesses, the cloud service should provide a flexible account structure that allows easy rollup of billing and usage information at the top level, while enforcing complete segregation of networks and hosts at the sub-account level. The customer should have complete control over which sub-accounts must be completely isolated, even from the parent account, and which sub-accounts are allowed to exchange data freely. This allows the segregation of production and development/QA, or perhaps meets a regulatory requirement that two different business units are prohibited from being able to share data between their systems. The CenturyLink Platform has a well-designed account hierarchy structure to fully deliver on this requirement today.
- Logging and Reporting: The collection of relevant logging from the cloud environment continues to be a stumbling block for some companies in their adoption of cloud-based infrastructure services. At a minimum, the service should provide detailed logging of all management actions performed through the provider’s user interface or through API calls. Access to this logging data should be provided both in the user interface as a reporting function, and in a real-time publish/subscribe method so it can easily be consumed by the customer’s existing log management system. For those customers who don’t already have a well-developed log management and alerting mechanism, it would be ideal for the service to have an integrated add-on capability to perform log management and alerting within the customer’s cloud environment. CenturyLink has rich capabilities around logging and reporting available in the CenturyLink Platform and a variety of add-on services available to meet the logging and reporting needs.
- Patch Management: Generally, service providers regularly update the templates used to create new machines so they remain relatively current with patches. Once a virtual machine is launched, however, the responsibility to patch the system typically falls to the customer. Cloud environments are not always taken into consideration in the customer’s existing patch management tools, creating an opportunity for attackers. Customers should look for a cloud service provider that offers an easy, integrated option for patch and vulnerability management of the customer environment. This would include regular (monthly) OS and application patching, vulnerability scans run at a frequency the customer requires, and a dashboard where the customer can view up-to-date statistics on security vulnerabilities and trend the environment over time. Leveraging the Managed Operating System or Managed Application services available on CenturyLink Cloud provides standard patch management services. Additional features around dashboards and vulnerability scans are under consideration for future releases.
Security will remain an important consideration for any cloud deployment. As you look to your next deployment, partner with your cloud vendor to discuss whether they have a robust, comprehensive security plan that addresses traditional concerns as well as modern attacks.