Observations on Cloud Security—Part 1

When looking at your own in-house security, make sure to pay close attention to access controls and your IT security infrastructure. Next time, we’ll look closer at security in the cloud.


Never mind that we have our banking online, along with other investments, healthcare activity, and so many other personal details. We have widgets to make, darn it, so let’s get serious about information security.

As the headline of this blog says, what follows are observations. I’m not a professional IT security expert. I have, though, had to pay attention to matters of IT security for the past 21 years in various environments—ranging from government Sensitive Compartmented Information Facilities (SCIFs) to sensitive manufacturing customer data.

Security concerns did not begin with Ethernet, but Ethernet did increase them. When the Industrial Internet of Things (IIoT) and cloud computing topics started getting more serious, so did concerns about security and even legal liability for providing such a solution. Are we sufficiently guarding clients’ sensitive data if it’s on the cloud rather than in their possession? How about this angle: Are you responsibly safeguarding another person’s money if you store it in the bank rather than in your own home? Banks are more public than homes. Banks are more secure than homes as well, trust issues aside for a moment. Is the cloud similar?

I spent some time doing some homework on this topic because it is a pass or fail issue on moving forward for many. I wanted to unpack areas of vulnerability in a cloud-based solution and take a closer look. In Part 1, I’m going to briefly cover a couple of in-house security issues that matter, regardless of whether we use cloud-based solutions or not. Next time, in Part 2, I’ll discuss exposures involved with the cloud and some things to consider when bringing the two parts together.

Access controls

I asked the IT director of one of our customers what he thought about using a cloud-based solution in his company. His response was that if it is provided by one of the major suppliers, he did not have a problem with it. But if he was going to use a solution with us that was on the cloud, we would have to do more than use a major cloud provider; we would have to prove to him that our access controls were up to par with his company IT standards.

He could control the means of access within his own company, but had less control over vendors’ practices in their own environments. Short of having no security or monitoring at all, nothing is more vulnerable than sloppy password practices. The same concern applies to wireless network access, secure remote access procedures, mobile access devices, audits, personnel training and hiring practices, physical access restrictions, and so on. This matter is internal and has nothing to do with the cloud. The potential for vulnerability here is high. It can be managed well, but it requires ongoing attention and can more easily drift out of control and become a problem.

Internal IT security infrastructure

This involves typical installation and configuration of servers, PCs, switches, routers, firewalls and demilitarized zones (DMZs), virus and intrusion detection software, and policies. This is the part of security that internal IT staff can control, provided a decent budget is in place for it. Reasonable security measures can be taken here. This isn’t the strongest link, as I’ll discuss next time. But we can get the job done here if it’s not neglected. Yes, there is risk here—though it tends to be lower than user access controls into the system.

Summary

Next time, I’ll go into some detail about the cloud datacenter, and messaging between a PC or server in your organization, and the cloud. This is where the data leaves the facility and is out of your hands. What happens then? How secure is it? Is it responsible? How does it compare to the security measures we can apply internally? Where is the weak link?

Well, the point of two blog parts is not about cliffhangers. It’s simply about blog length. So I’ll give away the punchline. In short, I’m going to suggest next time that the weak links are internal; that the exposures outside of your control are more secure. Technically, there is risk that should not be ignored. But the weakest link is your own user access controls, and you do not have the same budget for infrastructure. It’s not even in the same league. While you may have warranted concerns about moving to cloud-based IIoT solutions, which is essentially software as a service (SaaS) that sits on an infrastructure as a service (IaaS), you have your own house to get in order first and foremost. I’ll explain where I’m coming from in further detail next time.

Michael Bachelor is president at Bachelor Controls Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Bachelor Controls, visit its profile on the Industrial Automation Exchange.
