
This research note is restricted to the personal use of [email protected]

    G00232645

Data Security Monitoring in the Cloud: Challenges and Solutions

Published: 23 April 2012

    Analyst(s): Jeffrey Wheatman

Data-level security monitoring is increasingly crucial for sensitive data handled in the cloud, but the available monitoring options are immature and challenging to implement. Gartner's best practices can help with risk assessment and technology selection.

Key Findings

Security requirements and drivers in the cloud are different from those in traditional data center environments, and data monitoring is no exception. The dynamic nature of the cloud, coupled with the lack of customer ownership of infrastructure and limited transparency, has essentially broken traditional security models and architectures.

While cloud providers have increased the options for monitoring in their clouds, the offerings are still fairly immature, limited and mostly focused on network- and application-layer activity, rather than on activity in the data layer.

Auditors and other stakeholders are increasingly focusing on data access, and the security monitoring options currently available in the cloud are unlikely to fully satisfy their requirements.

Recommendations

Communicate with stakeholders to ensure that they understand the potential risks associated with storing and processing data in the public cloud, focusing on the lack of options for monitoring, especially for regulated and critical data.

Ensure that cloud services providers (CSPs) provide the appropriate level of monitoring controls for the level of risk associated with the data (especially regulated data). This does not mean the CSP will take ownership of the monitoring controls, because the data belongs to the organization, and the organization is ultimately responsible for its safety and security.

Communicate with current and potential CSPs concerning your data-level monitoring needs. Seek guidance about how to use native tools or solutions from your CSP, solutions from independent software vendors (ISVs), or extensions or APIs offered by CSPs to allow you to build your own solutions.


Ensure that any data monitoring solution you adopt integrates, or at minimum communicates, with your enterprise's current monitoring and incident response tools and processes in cases where the security organization must manage multiple solutions (not only cloud solutions).

    Analysis

    Why Monitor Data Access in the Cloud?

Gartner is seeing more clients entrusting not only regulated data, but also intellectual property and other critical data, to public cloud projects. When these data elements are placed in cloud environments that are not fully under the enterprise's control, it becomes more important to understand who is accessing what. An enterprise can recover from a breach involving regulated data, but the margin of error for intellectual property tends to be much narrower. Under these circumstances, the ability to conduct real-time monitoring of data in the cloud could mean the difference between a minor incident and one that threatens the viability of the enterprise.

The security risks to data in the cloud are significant (see Note 1 and "What You Need to Know About Cloud Computing Security and Compliance" [Note: This document has been archived; some of its content may not reflect current conditions.]), but they are not well-understood, making this type of risk difficult to manage. Moreover, the immaturity and dynamic nature of cloud computing makes traditional enterprise data security controls impractical. Controls can be grouped into three basic categories:

    Administrative: These controls include policy, procedure, and identity and access governance.

Preventative: These controls include access, encryption, intrusion prevention and data masking.

    Detective: These controls include monitoring, analytics and incident response.

    The Risks Involved

Gartner has seen an improvement in the ability of CSPs to offer administrative and preventative controls, either natively in the cloud or through partnerships with ISVs, but detective controls focused specifically on data access, if they exist at all, are less mature. Enterprises often do not have visibility into what goes on in the cloud, and the patterns and behaviors related to data access are no exceptions. This weakness represents a significant risk for enterprises that store or process critical data in the cloud. These risks include:

Poor supervision of highly privileged users: CSP administrators have access that could easily subvert controls implemented higher up in the stack, and could access stored data across many of their customers. The inability to view what these administrators do with this privileged level of access carries a significant risk, and could result in an adverse audit finding. Although many CSPs monitor their administrators' activities, they typically do so for their own needs, which don't necessarily match their customers' needs, and may offer insufficient protection for critical data.

    Page 2 of 8 Gartner, Inc. | G00232645


Weak data segmentation: The multitenancy models that are the norm in public clouds inevitably lead to risks of data crossing logical or physical boundaries, and of savvy or skilled users being able to bypass controls at virtualized borders. The segmentation security controls offered by the virtualization technology that supports cloud implementations have historically been attack-resistant. However, there is always the possibility that unknown vulnerabilities or new attack mechanisms may allow the crossing of security boundaries that lead to data access.

Excessive reliance on applications' access controls: Lack of data-centric monitoring at the cloud infrastructure level places much of the security load on the applications' access controls. If permissions are granted inappropriately, or if deprovisioning is not implemented or entitlement review is not done, users may have access to data they do not need, and this may lead to a data breach, whether intentional or accidental. Even if application-level monitoring is available from the CSP or the application, it is often not granular enough to provide a real understanding of which users are accessing which data and under what circumstances. Moreover, the cloud provider may not be able or willing to implement behavioral-based anomaly detection.

These risks have prompted Gartner to recommend to clients that are storing or processing critical data in the cloud that they develop a strategy for monitoring the data's usage, either using CSP-provided tools or third-party tools built for data monitoring in the cloud. Data-centric regulations such as the PCI standards and the U.S. Health Insurance Portability and Accountability Act, and pending regulation such as the EU's proposed replacement for the Data Protection Directive, have rigorous requirements for auditing and accountability concerning access to protected data types. Moreover, enterprises will increasingly pressure cloud providers to help them respond to auditors' growing focus on regulatory compliance in cloud deployments, and auditors are likely to find that current data monitoring capabilities are inadequate.

    Challenges to Implementing Data-Level Monitoring in the Cloud

Data-level monitoring in cloud environments can be challenging, because of general issues related to cloud architectures, and specific issues unique to particular cloud offerings. These challenges include:

Cloud providers tend to focus on performance-based monitoring, rather than security monitoring, and whatever security monitoring they do offer is usually not oriented to the data layer. Network security monitoring tools such as firewall logs and network intrusion prevention systems provide visibility into network activity, but do not focus on data payloads. Application monitoring in platform as a service (PaaS) and software as a service (SaaS) systems typically does not deliver anomaly-based detection. A SaaS-based CRM data monitoring system, for example, would not trigger on the fact that a salesperson has downloaded the entire customer database, even though this action would likely represent a deviation from normal sales activity. Cloud application brokerages are attempting to improve their oversight of situations like this by sending cloud application traffic through a proxy where data access controls can be enforced.

Data-centric monitoring technologies, such as database audit and protection (DAP) and content-aware data loss prevention (DLP) tools, are typically architected using network aggregators in conjunction with server agents installed on the database server. Public CSPs will not allow client devices to be installed on their networks, and their willingness to allow clients to install agents varies widely by offering.

The dynamic nature of cloud computing may mean that the data moves within the CSP's infrastructure. If this is the case, any monitoring solution must be able to move rules, profiles and policies on the fly to be effective. When cloud providers begin to offer data monitoring, their capabilities will be limited in scope and function. Comprehensive monitoring requires a combination of structured rules and behavior-based anomaly detection. Due to the effort involved in fine-tuning behavior-based monitoring, the offerings will likely be signature-based, at least in early stage offerings.

Many CSPs offer audit log management capabilities in SaaS and PaaS stacks, but native logging adds processing and storage overhead, as well as the need to meet various log retention and archiving requirements.

SaaS offerings tend to provide application monitoring based on the assumption that since the client can only access data through the applications, the monitoring of direct access to data (in other words, not through the application) is unnecessary.

    Best Practices for Data Security Monitoring in the Cloud

Data security monitoring challenges and solutions vary for each cloud computing model in which Gartner sees enterprises investing, but certain overall best practices still apply:

Begin by deciding whether data-level monitoring is required. For some use cases, notably in SaaS and PaaS offerings, the default network or application monitoring provided as part of the cloud provider's service agreement may be sufficient. For example, if the data in a SaaS offering is only accessible through a provided application interface and the data is stored using a distributed storage model, the value of data-specific monitoring is low. Some PaaS offerings, such as application life cycle management as a service (ALMaaS) or application security as a service (ASaaS), do not store the types of data that need to be monitored.

Evaluate the options for data-level security monitoring in current and future cloud projects, and ensure that any providers or platforms that are adopted provide the appropriate level of monitoring controls for the risk associated with the data. This is especially important for regulated data types. In cases where CSP offerings are insufficient, add-ons or third-party tools must be evaluated in order to adequately address the risks.

Ensure that the enterprise's auditors, legal and compliance departments, and other stakeholders understand the risks of limited cloud data security monitoring, and that they will be satisfied with any solutions before they are implemented. (Retrofitting will likely have an impact on sizing, performance and cost.)

Follow the growth of third-party cloud security brokers that can provide layered security on top of CSP offerings. This approach will likely not be possible immediately, however, because these third-party solutions are still comparatively new, and growing in maturity.


Communicate with current and potential CSPs concerning your data-level monitoring needs. Seek guidance as to how to use cloud-native tools or solutions, solutions from ISVs or APIs offered by CSPs to allow you to build your own solutions.

Some organizations will only deploy and manage one monitoring platform. In cases where there are distinct platforms, one in the enterprise and one in the public cloud, you must ensure that any monitoring solution integrates or communicates with your enterprise's monitoring, and with your incident response tools and processes.

Look to cloud-based security services that can act as proxies, and that can either encrypt sensitive data before it is stored in the cloud, or monitor all cloud data access.

    Infrastructure as a Service (IaaS)-Specific Issues

In an IaaS cloud deployment, the client owns the entire stack above the provider's virtualization layer, and this simplifies implementation of data-level monitoring. Although IaaS providers will not allow a network collector to be deployed, the client can install a local agent, data collector or virtualized appliance versions of network software. This makes it possible to implement a DAP or DLP solution that provides visibility into what is going on at the data layer. Native auditing and logging can also be used to feed an internally managed monitoring solution, such as a security information and event management (SIEM) tool, that supports a comprehensive view of the overall threat picture, encompassing internal and cloud-based threats.

It is important to note, however, that logging or auditing functionality that is turned on, or agents that are installed, will impact processor usage and storage, and may result in added costs due to the bandwidth used by transmitting monitored data between the cloud and corporate networks. Native logging in particular presents several challenges: Logs typically need to be archived and maintained for legal and regulatory compliance, and, because they contain actual data, need to be further secured against possible access by an attacker. Moreover, the system's administrators have access to the logs, and could potentially alter them to hide the details of a breach.
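The last risk in the preceding paragraph, that administrators with host access can alter native logs to hide a breach, is usually reduced by forwarding entries promptly to a collector the administrator does not control and having that collector record the state of the log as it goes. The following Python is an added example, not code from the Gartner note or from any logging product: it builds a SHA-256 hash chain over constructed database audit records, lets an off-host collector take a checkpoint of the chain, and shows that both a naive in-place edit and a complete rewrite of the chain are detected. The record fields, the genesis value and the checkpoint position are assumptions.

```python
"""Tamper-evident hash chain for audit log entries forwarded off the cloud host.

Added example: the record layout and the checkpoint mechanics are assumptions,
not a real logging product's format.
"""
import copy
import hashlib
import json

# Constructed sample database audit records (not real data).
SAMPLE_RECORDS = [
    {"ts": "2012-04-20T09:02:11Z", "user": "alice", "action": "SELECT", "object": "customers", "rows": 12},
    {"ts": "2012-04-20T09:40:27Z", "user": "dbadmin", "action": "GRANT", "object": "customers", "rows": 0},
    {"ts": "2012-04-20T10:15:03Z", "user": "svc_etl", "action": "SELECT", "object": "customers", "rows": 25000},
    {"ts": "2012-04-20T10:16:44Z", "user": "dbadmin", "action": "REVOKE", "object": "customers", "rows": 0},
]

GENESIS = "0" * 64  # assumed digest for the (nonexistent) entry before the first one


def entry_digest(prev_digest, seq, record):
    """Digest of one entry; binds the record to its position and to every earlier entry."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_digest}\n{seq}\n{body}".encode("utf-8")).hexdigest()


def build_chain(records):
    """Chain records in order; each entry carries the digest the collector will see."""
    chain, prev = [], GENESIS
    for seq, record in enumerate(records):
        digest = entry_digest(prev, seq, record)
        chain.append({"seq": seq, "record": record, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain, checkpoint=None):
    """Return (ok, first_bad_seq).

    Every digest is recomputed from the stored records. If the off-host collector
    recorded a checkpoint digest earlier, the chain must still contain it: rewriting
    any entry before the checkpoint changes every later digest, so the checkpoint
    value disappears from the chain even when the rewritten chain is internally
    consistent.
    """
    prev = GENESIS
    for entry in chain:
        expected = entry_digest(prev, entry["seq"], entry["record"])
        if expected != entry["digest"]:
            return False, entry["seq"]
        prev = expected
    if checkpoint is not None and all(e["digest"] != checkpoint for e in chain):
        return False, None
    return True, None


def tampered_copy(chain, seq, field, value):
    """Edit one stored record without touching digests (a naive edit of the log file)."""
    edited = copy.deepcopy(chain)
    edited[seq]["record"][field] = value
    return edited


def rechained_copy(records, seq, field, value):
    """Edit a record and rebuild the whole chain, as a host admin with the code could."""
    edited = copy.deepcopy(records)
    edited[seq][field] = value
    return build_chain(edited)


def demo():
    """Clean chain, in-place edit, and full rewrite, all checked against one checkpoint."""
    chain = build_chain(SAMPLE_RECORDS)
    checkpoint = chain[2]["digest"]  # collector snapshot taken after entry 2 was forwarded
    return {
        "clean": verify_chain(chain, checkpoint),
        "edited_in_place": verify_chain(tampered_copy(chain, 1, "user", "svc_etl"), checkpoint),
        "rewritten": verify_chain(rechained_copy(SAMPLE_RECORDS, 1, "user", "svc_etl"), checkpoint),
    }


if __name__ == "__main__":
    for name, (ok, bad_seq) in demo().items():
        print(f"{name}: ok={ok} first_bad_seq={bad_seq}")
```

The caveat a practitioner should keep in mind: the checkpoint only fixes the entries forwarded before it was taken. An administrator who rewrites entries appended after the last checkpoint, and recomputes the chain, is not caught, which is why forwarding and checkpointing have to be frequent and the collector has to live outside the host administrator's reach.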

    PaaS-Specific Issues

PaaS presents the most difficult set of use cases, for three reasons:

PaaS refers to a broad range of platform types and therefore a broad range of approaches to data security monitoring. A database-as-a-platform provider may, for example, make it possible to turn on logging for an additional charge, but likely will not allow the installation of an agent for a third-party monitoring solution such as a DAP or DLP tool. On the other hand, in a more expansive platform, such as business process monitoring as a service, the data store is embedded, and there is no option to turn on logging or install an agent. This means that the only monitoring available is what may be offered by the provider.

As noted, most monitoring in these stacks is performance-based, and any security monitoring typically uses signature-based detection. Some PaaS providers provide APIs that can be leveraged to expand their native monitoring capabilities. These APIs can be customized to support behavior-based monitoring and analysis, but require significant effort to fine-tune. Further, because some PaaS offerings comprise several layers, it can be difficult to identify the appropriate level at which to monitor.

Because the market is so fragmented, PaaS clients will likely be purchasing solutions from multiple providers, which will make normalizing a monitoring solution extremely challenging for the foreseeable future.

    SaaS-Specific Issues

In many ways, SaaS provides the easiest data security monitoring solution. SaaS is offered as a stack, so data typically can be accessed only through the designated application, not directly. For this reason, there is no real differentiation between application monitoring and data monitoring. Most, if not all, SaaS providers can produce reports based on application activity. However, these canned reports are based on standard signatures, that is, what the provider defines as normal activity.

The challenge is assessing how to implement behavior-based monitoring. Some SaaS providers offer APIs that can be used to generate custom reporting and analysis, but the benefits of using these APIs may not be worth the effort; in other words, the effort of creating customized monitoring and reporting solutions may be so onerous as to push customers to use native CSP offerings, however limited they may be. Also, it is difficult to standardize monitoring across multiple SaaS providers. This is where application brokers can play a significant role.

Another issue is that the simplicity of the integration between the application and the data in SaaS, while seemingly providing a strong look at data access, does not lend itself to monitoring based on behavioral analysis (for example, triggering on an individual's leveraging legitimate access to view or download more records or documents than are needed to complete a given job). SaaS also does not provide visibility into the data payload for classification purposes.
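The distinction drawn here, and in the Challenges section's CRM example where a canned report would not trigger on a salesperson downloading the entire customer database, comes down to a static signature against a per-user baseline. The following Python is an added example, not code from the Gartner note or from any SaaS provider: it runs both kinds of rule over a constructed tab-separated application audit log. The log layout, the user and object names, and the thresholds are assumptions; in practice the events would come from the provider's activity export or reporting API.

```python
"""Signature versus behavior-based detection over SaaS application audit events.

Added example: the log format, users, objects and thresholds are assumptions,
not a real provider's audit format.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data). Tab-separated columns:
# timestamp, user, action, object, record_count
SAMPLE_LOG = """\
2012-04-20T09:02:11Z\talice\tread\tAccount\t12
2012-04-20T09:15:42Z\talice\tread\tAccount\t8
2012-04-20T10:03:05Z\talice\texport\tReport\t40
2012-04-20T11:20:19Z\tbob\tread\tAccount\t15
2012-04-20T11:41:37Z\tbob\tread\tPayroll\t3
2012-04-20T13:05:58Z\talice\tread\tAccount\t10
2012-04-21T08:58:03Z\talice\tread\tAccount\t9
2012-04-21T17:44:12Z\talice\texport\tAccount\t25000
"""

# Signature rule, standing in for a provider's canned report: alert whenever one
# of these objects is touched, regardless of who touches it or how much is read.
SENSITIVE_OBJECTS = {"Payroll"}


def parse_log(text):
    """Parse the tab-separated log into event dicts, skipping malformed rows."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != 5:
            continue
        ts, user, action, obj, count = row
        events.append({"ts": ts, "user": user, "action": action,
                       "object": obj, "count": int(count)})
    return events


def signature_alerts(events):
    """Static rule: fires only on the objects listed up front."""
    return [e for e in events if e["object"] in SENSITIVE_OBJECTS]


def behavior_alerts(events, min_history=3, ratio=10.0, floor=1000):
    """Per-user baseline: fire when an event's record count is above an absolute
    floor and more than `ratio` times the median of that user's own earlier
    events. A user needs `min_history` prior events before being judged, so the
    first few events of a new account never trip the rule on their own."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        prior = history[e["user"]]
        if len(prior) >= min_history:
            baseline = median(prior)
            if e["count"] >= floor and e["count"] > ratio * baseline:
                alerts.append({**e, "baseline": baseline})
        prior.append(e["count"])
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detectors over the log and return their hits side by side."""
    events = parse_log(text)
    return {"signature": signature_alerts(events), "behavior": behavior_alerts(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(f"[{kind}] {hit['ts']} {hit['user']} {hit['action']} "
                  f"{hit['object']} count={hit['count']}")
```

On the sample, the signature rule fires once, on bob's small read of Payroll, and says nothing about alice exporting 25,000 Account records, because Account was never declared sensitive. The baseline rule fires on that export (alice's earlier events have a median of 10 records) and stays quiet on everything else. The two thresholds are the tuning effort the note refers to: the floor keeps noisy low-volume users from alerting, and the ratio decides how far outside their own history a user has to go.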

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

    "Cloud IaaS: Security Considerations"

    "Critical Security Questions to Ask a Cloud Service Provider"

    "Database Activities You Should Be Monitoring"

    "Database Activity Monitoring Is Evolving Into Database Audit and Protection"

    "Hype Cycle for Cloud Security, 2011"

    "Key Issues for Securing Public and Private Cloud Computing, 2011"


    "Predicts 2012: Enterprises Must Balance Opportunity and Risk in Cloud and Mobile Security"

    Evidence

The analysis in this research was developed based on information derived from various data sources. Gartner client calls on the topic of data security in general and on security in the cloud indicate that many clients focus more aggressively on preventative controls than detective controls, and this is more obvious in cloud projects. Calls were conducted by Gartner with 15 leading providers of cloud computing services to discuss current and future offerings for data-centric monitoring. Calls with auditors and a review of pertinent data-centric laws and regulations provided the framework for drivers of data protection in cloud environments.

Note 1: References for the Risks of Cloud Computing

    "Reducing Security Risks in Cloud Computing"

    "Risk Management in Cloud Computing"

    Nearly half of U.S. IT professionals say the risks of cloud computing outweigh the benefits,according to the first annual ISACA IT Risk-Reward Barometer Survey.

    This is part of a set of related research. See the following for an overview:

    Securing and Managing Cloud Computing
