Cloud Security: Confident, Fearful, or Surprised
Published 11/04/2011
By Ken Biery
This two-part guest blog series explores the topic of cloud security. Part one of the series focuses on the questions enterprise IT decision makers should ask when considering moving business applications to a cloud-based computing environment.
There is no shortage of information about cloud security. There are those that say cloud security is inherently more secure because of its ability to create and maintain a more hardened centralized environment. Others claim, because of multi-tenancy, virtual systems and data will never be even modestly secure.
The big surprise about cloud security may be that there are not really any big surprises. The good security practices that work in a traditional network also work for cloud-based IT. The key is understanding how to apply security practices to a cloud environment and to develop a security strategy that uses known and sound security foundations to address various cloud environments.
A more secure cloud is the product of careful planning, design, and operations. This begins with understanding the type of cloud (public, private, hybrid) that is being used and then its model, whether it be software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS.) These two factors will determine the type and amount of security controls needed and who is responsible for them.
Public and Private Clouds
Public clouds typically tend to have a limited number of security measures, providing a more open and flexible computing environment. These clouds usually have a lower cost since their security features are basic. While this may be perfectly acceptable for some circumstances, such as non-critical or non-sensitive environments, it will not usually meet the requirements of most enterprise users.
Public clouds also generate the most concern about using a shared virtualized environment. These are mainly centered on how to properly segment systems and isolate processing resources. Segmentation and isolation can be challenging to accomplish and measure, especially for an auditor or assessor looking at these primary security control areas. Another factor is that many public cloud providers do not, or cannot, sufficiently support the types of controls required by enterprises to meet security and compliance requirements.
When considering a public cloud, it is important to ask the provider about their security measures, such as segmentation, firewalls/intrusion protection systems, monitoring, logging, access controls, and encryption. Their responses and transparency about the details of their environment’s security measures speak volumes of what to expect. Also, you may want to do some searches on the provider as they may have a reputation for harboring “bad neighborhoods”, which tend to host botnets or malware sites.
Private clouds can be internally hosted or located at a service providers’ facility. For internally hosted clouds, just like traditional environments, the security design and controls can be highly customized and controlled by the organization. If hosted at a service provider, the number of controls can vary considerably depending on the model selected. This is not to say that a service provider cannot provide a good set of default and optional security controls. Obviously, this is why having a good understanding of the provider’s cloud design and its features, as well as your own requirements, is crucial.
Multi-tenancy, Segmentation, and Isolation
Multi-tenancy is one of the major issues when it comes to security and compliance in the cloud. In some cases, multi-tenancy may require that an environment’s controls be set to the lowest level to support the broadest set of requirements for the largest number of potential users. One of the main concerns around multi-tenancy is that, due to the use of a shared resource pool of computing resources, one entity’s virtual machine (VM) could compromise another entity’s VM. A lack of proper segmentation between the two entities’ environments could make this possible.
This lack of separation can also create compliance challenges for multi-tenancy environments. Assessors and auditors are looking for sufficient controls to help prevent information leakage between virtual environment components. Improperly configured hypervisors, management interfaces, and VMs have the potential to become a leading cause for non compliance and risk exposure. In a traditional network, if a system is misconfigured, it can be compromised. If a virtual environment is misconfigured, it can compromise all of the systems within it.
It is important to note that there has not been any major publically disclosed compromise of hypervisors. However, it is only a matter of time. The virtualization layer is too tantalizing of a target for hackers not to pursue aggressively.
One of the cleanest ways to show separation within a virtualized environment is to have VMs with compliance or higher security requirements run on dedicated physical hardware. Yes, this is contrary to one of the benefits of cloud computing until the effort and cost of compliance and robust security is considered. This approach can be easier to establish and maintain since only a smaller number of systems may need to have advanced protection.
Isolation needs to be performed at the operating system (O/S) layer and no two VM operating systems should be shared. Specifically, the rapid-access memory (RAM), processor and storage area network (SAN) resources should be logically separated, with no visibility to other client instances. From a network perspective, each entity is separated from the next by use of a private virtual local area network (VLAN.)
The second part of this blog series will explore the cloud security best practices that can be employed to create a multi-layered defense for cloud-based computing environments.
About the Author
Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.