Securely operating the enterprise cloud

The term ‘enterprise cloud’ is bandied about today with differing views on its meaning. Even in the enterprise space, making assumptions about the similarities of Software-as-a-Service (SaaS) applications is a mistake. When you pull back the covers, you find radically different architectures over what constitutes an enterprise-grade application.

A true enterprise cloud is not limited to a specific department or function, such as sales, HR, or facilities, but encompasses the entire enterprise. It’s a multi-instance cloud with a common data model that operates on a uniform infrastructure.

Security is paramount. Any enterprise cloud provider responsible for the data that resides within every customer instance must take securing that data very seriously.

A multi-layered approach to cloud security

My experience with global customers helps me understand that cloud security requires a multi-layered approach. Industry leaders who depend on the cloud to run their business need to know that beyond having their data secure and that the cloud is physically secure, that there are strict operational controls and well thought out processes and procedures for when security events inevitably occur.

The baseline for operating an enterprise cloud is to build the infrastructure as an enterprise would built it. Don’t optimise for cost, but rather focus on real availability, security, and performance. For instance, we run a highly redundant and secure cloud infrastructure built on a multi-instance architecture in which every customer instance has its own application logic and database.

We have redundant routers, switches, firewalls and server load-balancers for every customer instance. We add additional security to this setup with intrusion detection systems (IDS) and distributed denial-of-service (DDOS) protection at each of our global locations to quickly detect, alert and remediate suspicious events. We run a Linux kernel with an enhanced security module as our operating system on the servers that run application logic in Java virtual machines.

Physical security

Beyond secure infrastructure, facilities need to reflect those customers would choose for their own environments. This aspect of operational security starts with the physical security at each data centre location.

Physical security methods including purpose-built buildings, 24×7 security guards, man-traps to enter the facility, biometrics scanners (palm and fingerprint) and so forth. This makes it very difficult to get into any data centre facility, even when authorised to do so.

Furthermore, we only use full-time and screened personnel to work in our data centre locations. We don’t use contractors or third-party ‘smart-hands’ to install or perform break-fix operations. Our customers’ data is our data and we only want our personnel with physical access.

Secure controls and logging

Like security for an apartment building, protecting physical access is only part of overall building security. Another critical factor is controlling who has the keys, who can disarm the theft alarm, who can access the visitor logs, etc. On the enterprise cloud, we have strict controls on who can access the underlying network and server infrastructure. Access requires a secure virtual private network (VPN) connection using multi-factor authentication (MFA) and one-time passwords.

Also, very few individuals in the company have read-write access to infrastructure devices. If an engineer wants to make a change on a device, he or she must have strictly followed our change management process and is only then granted read-write access by our 24×7 Site Reliability Engineering (SRE) team for time of the change window. The SRE team grants the engineer clearance-to-proceed for his or her change and when the change is complete, the read-write access for the engineer is revoked.

Our technicians may need temporary access to an instance to troubleshoot an issue – similar to loaning an apartment key to family members when they come to visit. In a similar fashion, the Enterprise Cloud gives customers full control of all technician logins (including completely prohibiting technician access without customer approval).

Similar to how an apartment building with a door has visitor logs, a ServiceNow instance has full audit logs of all login access and all transactions on the instance (including any efforts to delete logs) – required for secure operation and potential forensics analysis. Alongside our continuous audits, we have customers who audit our security and operations on a regular basis too.

Security incident handling process

For an apartment building or other facility, personnel train on how to respond to a security incident, with clear guidelines on who calls the police, who is in control, who communicates the issue and so on. This process is as important to security operations as any camera or locked.

It is no different on the enterprise cloud, which requires a defined security incident handling process. Our process is staffed by a global response team, which has defined roles and responsibilities and workflows for detecting, triaging, investigating, communicating and resolving any incidents. This process gets tested regularly to ensure that if an incident occurs the process goes smoothly.

Operating the enterprise cloud securely takes multiple layers of effort. It involves rigorous physical security, strict controls on who can log in and make changes to the infrastructure, and – critically - giving customers full access control and a wealth of logs and audit trails for complete reassurance.

Today’s enterprise cloud providers must provide the necessary features and procedures for enterprises to operate securely in the cloud. This mean meeting customer demand for multiple layers of security and operational controls, combined with a well-defined security incident handling process.

Allan Leinwand, Chief Technology Officer at ServiceNow