Security Metrics for Clouds

A previous article here on general Security Metrics (see link below) outlined some key security controls for measurement:

  • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
  • RA-5 VULNERABILITY SCANNING
  • SI-4 INFORMATION SYSTEM MONITORING
  • SI-3 MALICIOUS CODE PROTECTION
  • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
  • SI-2 FLAW REMEDIATION
  • IR-5 INCIDENT MONITORING
  • CM-3 CONFIGURATION CHANGE CONTROL
  • CA-5 PLAN OF ACTION AND MILESTONES

[NOTE – each of these security controls may have several or even many metrics that can be valuable]

Most security processes in the cloud need to touch all the same bases as conventional security, but may need some specific emphasis to frame it correctly for the cloud. Or they may just have a heightened level of importance.

Inventory is normally a prerequisite to most other security processes and is also usually underemphasized. If your inventory is wrong, any other security process can also go wrong, because it is working from incorrect knowledge of what is on your network. Now think about how this applies to the cloud, where provisioning is done much faster and the virtual nature of the environment makes it practical to provision and deprovision in shorter time intervals than would be acceptable in a conventional data center. As the provisioning process becomes faster, the inventory tracking process has to become more dynamic.

The accelerated time frame that cloud inventory requires has ripple effects across many other processes as well. Vulnerability scanning frequencies will probably need to be increased if the rate of change of systems in a cloud is increased. Likewise, intrusion detection monitoring, anti-virus activities, audit log analysis and patching will all need a faster process rate, faster analysis and reporting, or both.
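The two points above (inventory accuracy as a prerequisite, and scan frequency keeping pace with churn) can be turned into concrete metrics. The following is an added example, not code from the article: it replays a constructed provisioning log against a hypothetical inventory snapshot and reports a CM-8 inventory-accuracy figure and an RA-5 scan-gap figure (assets that were deprovisioned before a fixed-schedule scan could have reached them). Asset names, timestamps and the weekly scan interval are all made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample provisioning log (hypothetical data): (asset, event, timestamp)
EVENTS = [
    ("i-001", "provision",   "2024-03-01T08:00"),
    ("i-001", "deprovision", "2024-03-02T20:00"),  # lived only 36 hours
    ("i-002", "provision",   "2024-03-01T09:00"),
    ("i-003", "provision",   "2024-03-03T10:00"),
    ("i-003", "deprovision", "2024-03-10T10:00"),  # after AS_OF, so still live then
    ("i-004", "provision",   "2024-03-05T12:00"),
]
# What the inventory system believes exists at AS_OF: i-001 is stale, i-004 is missing
INVENTORY = {"i-001", "i-002", "i-003"}
AS_OF = "2024-03-06T00:00"
SCAN_INTERVAL = timedelta(days=7)  # hypothetical weekly vulnerability-scan schedule

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def lifetimes(events, as_of):
    """Map each asset to (start, end) as seen at `as_of`; end is None while still live."""
    cutoff, spans = _ts(as_of), {}
    for asset, kind, ts in sorted(events, key=lambda e: e[2]):
        t = _ts(ts)
        if t > cutoff:
            continue  # ignore events that have not happened yet
        if kind == "provision":
            spans[asset] = [t, None]
        elif asset in spans:
            spans[asset][1] = t
    return {a: tuple(se) for a, se in spans.items()}

def inventory_accuracy(events, inventory, as_of):
    """CM-8 metric: overlap (Jaccard) between the inventory and what is really live."""
    live = {a for a, (_, end) in lifetimes(events, as_of).items() if end is None}
    union = live | inventory
    return {
        "accuracy": len(live & inventory) / len(union) if union else 1.0,
        "missing_from_inventory": live - inventory,  # live but unknown: unscanned, unmonitored
        "stale_in_inventory": inventory - live,      # gone, but still reported as an asset
    }

def scan_gap(events, scan_interval, as_of):
    """RA-5 metric: assets deprovisioned before living one full scan interval, which a
    fixed-schedule scan can miss entirely; the shortest lifetime bounds a safe interval."""
    ended = {a: end - start for a, (start, end) in lifetimes(events, as_of).items() if end}
    short_lived = {a for a, life in ended.items() if life < scan_interval}
    return {
        "short_lived_assets": short_lived,
        "max_safe_interval": min(ended.values()) if ended else None,
    }
```

With the sample data the inventory scores 0.5 (one stale entry, one live asset missing), and the weekly scan would have missed i-001 entirely; rerunning with the reported 36-hour interval closes that gap.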

Most of the controls discussed so far involve efforts to protect the network or detect a failure in protection. But there is also a need to measure how well the incident response and other “after the fact” processes work. Incident response, configuration management and corrective measures (POAMs) can be complicated in a cloud environment because of split responsibilities. While the obvious solution is a careful and documented assignment of responsibility, it is also important to communicate across those boundaries the measurement of how well the shared or split processes are being accomplished. Some of them will need to be designed in a “ping-pong” fashion, which will require good collaboration and communication.

Follow this scenario:
An incident is declared inside a cloud provider. Several customers have been compromised. The origin of the incident is traced to a customer whose resources were de-provisioned several weeks or even months earlier. The cloud provider has to attempt to perform some level of forensic analysis on an installation that no longer exists. Hopefully, they have enough archive information to do this well. Having good metrics on the security controls listed above will improve both the speed and accuracy of the analysis process and the correction process. Being able to quickly share good information with the other infected customers will do the same for them. The best value found in good metrics is when they actually prevent an incident and protect many customers by enabling proactive measures to close vulnerabilities.

SEE ALSO:
Security Metrics
Cloud Security as an Interconnection
Agile Defense with NIST Controls
