This is the second in a series of posts that will drill deeper into cloud security and some of the key questions it sparks. The first post examined the many faces of cloud security. In this second installment, I will highlight the spheres of responsibility and look at which security components are Rackspace’s responsibility, and which are the customer’s.
I like to think of cloud security as a team sport: Ultimately, both the cloud provider and the customer have to work together to ensure security best practices are followed and met.
Given the role of the customer in the configuration and consumption of their cloud environment, it’s imperative for the cloud provider and cloud customer to both put controls in place to manage the risks that multi-tenant environments can present. Both the cloud provider and cloud customer must accept responsibility for different aspects of the system and both must implement a range of controls in order to properly secure the service. When the team collaborates well, we’ve seen many architectures pass audits and assessments.
Rackspace’s infrastructure controls are designed to protect cloud resources from attack within the environment. The customer should seek to protect their cloud resources and hosted data with measures overlaying Rackspace’s infrastructure controls as appropriate to their data’s sensitivity and criticality as informed by a formal risk assessment.
For example, customers are the primary owner of their Cloud Files hosted data and maintain sole visibility over its specific security requirements. Accordingly, customers are responsible for classifying their data and applying appropriate risk mitigation controls.
Customer’s sensitive data should be encrypted at rest in order to preserve confidentiality. Rackspace recommends that sensitive data transmitted to and from the cloud should be subject to encryption also by using TLS or a secure VPN. Rackspace can provide SSL certificates through partner contacts and VPN-based products like RackConnect to assist with the security of data in transit.
While Cloud Files does not include encryption, virus detection or compression of objects entering and/or exiting the system; many of these functions are available through third-party tools (like Gazaang) and are ultimately the responsibility of the customer. Customers can monitor their data activity via logs that can be automatically delivered to their account.
Cloud Files enforces customer segregation via the environment’s proxy and authentication systems. As a massive array of redundant storage, the actual location and management of data within the Cloud Files environment requires administrative activity by the proxy servers. A location and account for each file is maintained, and the appropriate tokens supplied by the authentication servers are required before the proxy will serve up any given file.
Rackspace Cloud customers interact with the environment at an administrative level via API and console access and must authenticate using persistent API or keys. Account level authentication credentials provide access to large-scale commands such as Cloud Server creation, deletion and re-sizing and Cloud Files data CDN enablement and should be protected by commensurate organizational and technical controls. Customer applications that interface with Rackspace Cloud APIs should undergo adequate security testing and maintain best practice application security controls including communication with our SSL protected API endpoints via HTTPS. Customers should consider tightly restricting access to API keys and account credentials to those employees with a legitimate business requirement, as well as segregating duties to maintain accountability. Customer’s root level Cloud Server credentials should be subject to similarly strong internal safeguards. Customers may reset their Cloud Server’s root password (or administrative password).
Customers also have particular responsibilities when consuming Cloud Servers services. For Cloud Servers, Rackspace is responsible for the Cloud Server up through the hypervisor level. Customers have full administrative access to their cloud environments and they are considered to be the system administrators responsible for the upkeep of the system including maintaining compliance with their internal security or operational policies.
Rackspace Cloud Servers customers are responsible for disabling non-essential remote root logins. Customers are responsible for performing all server-level actions and maintenance, including installing patches for the OS and application stack. Our Managed Cloud offering provides an option whereby Rackspace employees act as your system administrator in the cloud and patch and update Operating Systems and various applications.
In general, Rackspace recommends that customers include a host-based firewall in their configuration, such as IPTables or the Windows Firewall, on newly created Cloud Servers instances so that both the public and private interfaces are protected by suitable controls. The firewall should be configured with a default deny policy and only necessary ports should be enabled for access. In addition to firewalls, Rackspace recommends that customers maintain a regular patch policy so that the server operating system and applications are updated regularly with their respective security patches. Finally, open cloud customers can create isolated networks using our Cloud Networks.
When consuming Cloud Servers services, customers have full access to log into their servers remotely using secure shell (SSH) or Windows Remote Desktop. Rackspace customers are can make changes to their servers as needed and Rackspace recommends that the customer harden their Cloud Servers by appropriately configuring software and security settings, restricting operating processes and services to those required, including removing or securing default accounts and passwords. Customers should seek to implement cohesive versioning controls and patching policies for operating systems and applications in order to minimize risk stemming from un-patched vulnerabilities and replicated Cloud Server images.
Customers are also advised to maintain appropriate security services on any Cloud Server including up to date and well configured software firewalls on all public and private virtual network connections and regularly updated anti-virus capabilities.
As primary system administrator of the cloud resources, the customer is also responsible for managing user accounts creation, provisioning and destruction, password policies, server level account authentication mechanisms, etc. Rackspace recommends that customers integrate their Cloud Servers resources with their organizational Single-sign on (SSO) domain if available in order to simplify this task.
Rackspace has been assessed and holds validation for the following compliance frameworks: ISO 27001, SSAE 16 and ISAE 4302 (previously SAS 70 Type II), PCI DSS and Safe Harbor (export.gov). Of course, it is the customer’s responsibility to comply with relevant laws and regulations that impacts their data hosted in the cloud. The customer owns the business processes that ensure that the cloud hosting infrastructure meets the data security components of internal policies (for example, IT security policy), or any regulatory or industry compliance requirements (for example, PCI-DSS).
That’s it for this week. I hope you found it informative. Be sure to tune in next week where I’ll talk in depth about the physical security measures we offer our customers.