As an added security measure, enterprises should preserve a separation of administrator duties in the cloud. The temptation may be to consolidate duties, as many functions can be centrally administered from the cloud using virtualization management software. However, as with physical IT environments, in which servers, networks and security functions are split among several administrators or departments, segregating those functions within the cloud can provide added security by diffusing control. Furthermore, organizations can use centralized virtualization management capabilities to limit administrative access, define roles and appropriately assign privileges to individual administrators. By segregating administrator duties and employing a centralized virtualization management console, organizations can safeguard their private clouds from unauthorized administrator access.
Within the cloud, virtual machines are prolific and highly mobile. In fact, they account for most of the activity in the cloud. Virtual machines are typically provisioned on an automated basis to meet application service level agreements, optimize application execution time and maximize overall resource usage. The fundamental role that virtual machines serve in cloud environments has profound implications for information security. To secure their virtual infrastructure, companies using private clouds must be able to oversee how virtual machines are provisioned and managed within their clouds. In particular, managing virtual machine identities is crucial, as those identities are used for basic administrative functions such as identifying the systems and people with which virtual machines are physically associated and moving software to new host servers.
Organizations establishing a security posture based on virtual machine identities should know how those identities are created, validated and verified and what precautions their cloud vendors have taken to safeguard those identities. Additionally, information security leaders should set their identity access and management policies to grant all users — whether human or machine — the lowest level of access needed for each to perform their authorized functions within the cloud.
Employ data encryption and tokenization
Enterprise data used in cloud applications is sometimes stored by the cloud provider — in online backups, for instance. Encrypting data is often the simplest way to protect proprietary information against unauthorized access, particularly by administrators and other parties within the cloud. Organizations should encrypt data residing with or accessible to cloud providers. As in traditional enterprise IT environments, organizations should encrypt data in applications at the point of capture. Additionally, they should ensure cloud vendors support data encryption controls that secure every layer of the IT stack.
An additional precaution to secure data residing in clouds is to segregate sensitive data from the users or identities with which it is associated. For instance, companies storing credit card data often keep credit card numbers in a separate database from the one holding cardholders' personal data, reducing the likelihood that a security breach will result in fraudulent purchases.
Companies can also protect sensitive cardholder information in the cloud through a form of data masking called tokenization. This method of securing data replaces the original card number with a token value that has no explicit relationship with the original value. The original card number is kept in a separate, secure database called a vault.
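The following is an added illustration of the two controls above, the segregated vault and tokenization, and is not code from the original article. The `TokenVault` class, the role names and the test card number are constructed for the example; a production vault would additionally encrypt the stored numbers at rest.

```python
"""Constructed tokenization example: application records hold only tokens,
the PAN <-> token mapping lives in a separate, access-controlled vault."""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")       # card numbers are 13 to 19 digits
DETOKENIZE_ROLES = {"payment-processor"}  # the only role allowed to see a full PAN


class TokenVault:
    """Separate store for the PAN <-> token mapping (hypothetical component).

    Tokens come from a CSPRNG and are never computed from the PAN, so a token,
    or a full dump of the application database, gives no path back to the card.
    """

    def __init__(self):
        self._token_to_pan = {}  # a real vault also encrypts these values at rest
        self._pan_to_token = {}  # one card maps to one token for repeat customers

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.fullmatch(pan):
            raise ValueError("malformed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:  # loop only repeats on an (astronomically rare) token collision
            token = "tok_" + secrets.token_hex(12)
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Access to the vault is the chokepoint: enforce the role check here.
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def store_customer(vault: TokenVault, name: str, email: str, pan: str) -> dict:
    """Application-side record: cardholder data plus a token, never the PAN."""
    return {"name": name, "email": email, "card_token": vault.tokenize(pan)}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Breach check: would a dumped application record expose the card number?"""
    return any(pan in str(value) for value in record.values())
```

Because the token is random rather than a hash or cipher of the number, the application database can be replicated, backed up or exposed without revealing any card numbers; only the vault, and only the permitted role, can reverse the mapping.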