By Vishwas Manral, Distinguished Technologist, HP Networking, Advanced Technology Group
On Twitter follow: @vmanral
It’s widely known that perceived security risks are one of the key hurdles to wide-scale enterprise public cloud deployments. I recently read an article by Kevin Mitnick about what he thought of cloud security. What caught my eye was that Kevin was not too impressed with the security in the cloud. So I decided to dig further, to see what the state of cloud security was and what security issues are hindering enterprises from using the public clouds. I am summarizing some of the key points here, in this longer than usual blog.
The scope of security
Enterprises demand security even when they are using resources in the cloud, and understanding the risks involved is the first step in the process. The expectations of security range from “Cloud Security is the Cloud Provider’s business” to “Clouds just cannot be Secure”. The answer I found, however (no surprises there!!!), lies somewhere in between.
Security in itself can encompass a lot of different aspects. It can mean physical security – achieved through restricted access to the cloud premises (multi-factor authentication for access to the data center). It also means the destruction and shredding of storage hardware to make the original data unrecoverable. Security can mean ease of manageability and control by using uniform infrastructure/hardened software components and then monitoring and correcting any anomalies. Security can also mean tools for application-level security like Single Sign-On (SSO), password management and even secure maintenance and installation of software.
In this blog I will try to focus on some of the paramount concerns related to the infrastructure.
Risk factors of security
Some of the essential characteristics of a cloud are On-demand Self-service, resource pooling and rapid elasticity. These rely on the Multi-tenancy strategy of the cloud provider. Multi-tenancy however inherently allows sharing of resources and adds a level of risk for the applications running on the shared infrastructure.
This leads to hazy tenant resource boundaries, where perimeter security alone cannot help. Security through depth (multiple layers) is generally used in such cases – where the host security complements the perimeter security. In such scenarios, flexibility and the breadth of tools for services like firewalls, filtering and IDS/IPS, allowing for a range of deployment options, are important.
Enterprises need to ensure that not only compute, but also the network resources and services (DNS, IPAM) are effectively segregated. Doing so makes sure data between the tenants is never leaked or compromised. Even with the best separation, tomography can be used to derive useful information – the link is an example of how CPU temperature can be used to derive CPU utilization.
I personally use cloud-based data storage services to back up my personal data like photos and videos. One of the key concerns of using the services is not only securing data as it is moved into the cloud (data in motion), but also securing data as it resides in the cloud (data at rest). There are extensive security concerns with data as it is stored in the cloud because the provider has access to the “cloud user” data. Also, by its very nature, cloud data can be stored in (multiple) different locations, which makes tracking the data harder and further complicates the issues.
Enterprises need to make a careful determination of what data needs to be stored encrypted as it resides in the cloud, making sure the encryption keys are never passed to any application in the cloud. When data is no longer required and deleted, mechanisms for tracking, virtual shredding and guaranteeing the deletion of all data as it resides in the cloud, are very important for an enterprise.
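The pattern described above, as an added Go example that is not from the original post: data is encrypted before upload under a per-object key that never reaches the provider, and destroying that key "virtually shreds" every replica at once. `KeyStore`, `Cloud`, `Put`, `Get`, `Shred`, the region names and the object ID are hypothetical names constructed for the illustration, and the in-memory maps stand in for a real key manager and real provider storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyStore map[string][]byte         // object id -> key; never leaves the enterprise
type Cloud map[string]map[string][]byte // provider storage: region -> object id -> blob

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// Put encrypts locally under a fresh per-object key; only ciphertext is replicated.
func Put(ks KeyStore, c Cloud, id string, plain []byte) {
	secret := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(secret); err != nil {
		panic(err) // no safe fallback without a working CSPRNG
	}
	ks[id] = secret[:32:32]
	blob := aead(ks[id]).Seal(secret[32:], secret[32:], plain, []byte(id)) // nonce||ct, id as AAD
	for region := range c {
		c[region][id] = blob
	}
}

func Get(ks KeyStore, c Cloud, region, id string) ([]byte, error) {
	key, blob := ks[id], c[region][id]
	if key == nil || len(blob) < 12 {
		return nil, fmt.Errorf("key shredded or object missing: %s", id)
	}
	return aead(key).Open(nil, blob[:12], blob[12:], []byte(id))
}

// Shred drops the only copy of the key, making every replica unreadable at once.
func Shred(ks KeyStore, id string) {
	delete(ks, id)
}

func main() {
	ks, cloud := KeyStore{}, Cloud{"region-a": {}, "region-b": {}} // constructed regions
	Put(ks, cloud, "obj-1", []byte("constructed sample record"))
	Shred(ks, "obj-1")
	fmt.Println(Get(ks, cloud, "region-b", "obj-1"))
}
```

Binding the object ID as associated data means a blob copied under another object's name fails authentication even if the key is reused.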
Regulatory concerns of security
Privacy risks of cloud-based resources/data are heightened by government laws and regulations. These bring within their ambit not only data of users who reside in that particular geography, but also data processed in the geography (of a user who may not reside in the jurisdiction).
Cloud-based forensics are also important to enable government mandates. This entails the ability to perform forensics in the cloud by enabling the key principles of uniqueness:
- unique identifier/time source/application fingerprinting
- ability to acquire data as it resides on a virtual disk
- ability to provide a crumb trail (after the fact)
Enterprises need to be aware of the jurisdictions in which their resources reside (so as to be aware of the regulatory implications for their data), even though the cloud by itself is meant to be location agnostic. Keeping data encrypted as it resides in the cloud has been suggested as a solution, but such data cannot use many of the services in the cloud, like Compute, Big Data etc. An interesting field, “Homomorphic computing”, tries to allow encrypted data to use compute services, as well as to provide encrypted results for the same.
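To make the homomorphic idea concrete, here is an added Go example (not from the original post) using the textbook Paillier scheme, which the post does not name and which is only additively homomorphic: the provider adds two values while seeing nothing but ciphertexts and the public modulus. The names `Key`, `GenerateKey`, `Encrypt`, `Decrypt` and `AddEncrypted` are hypothetical, the 512-bit modulus is a toy size for the demo, and the code assumes small non-negative plaintexts.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)
type Key struct{ N, N2, Lambda, Mu *big.Int } // N, N2 = N^2 public; Lambda, Mu private

func must(x *big.Int, err error) *big.Int {
	if err != nil {
		panic(err) // only if the system CSPRNG fails
	}
	return x
}

func GenerateKey(bits int) *Key {
	p, q := must(rand.Prime(rand.Reader, bits/2)), must(rand.Prime(rand.Reader, bits/2))
	n := new(big.Int).Mul(p, q)
	lambda := new(big.Int).Mul(p.Sub(p, one), q.Sub(q, one)) // phi(n) = (p-1)(q-1)
	return &Key{n, new(big.Int).Mul(n, n), lambda, new(big.Int).ModInverse(lambda, n)}
}

// Encrypt computes c = (1+N)^m * r^N mod N^2 with a fresh random r in [1, N-1].
func (k *Key) Encrypt(m int64) *big.Int {
	r := must(rand.Int(rand.Reader, new(big.Int).Sub(k.N, one)))
	r.Add(r, one).Exp(r, k.N, k.N2)
	c := new(big.Int).Mul(big.NewInt(m), k.N) // (1+N)^m = 1 + m*N mod N^2
	return c.Add(c, one).Mul(c, r).Mod(c, k.N2)
}

// Decrypt recovers m = L(c^Lambda mod N^2) * Mu mod N, where L(u) = (u-1)/N.
func (k *Key) Decrypt(c *big.Int) int64 {
	u := new(big.Int).Exp(c, k.Lambda, k.N2)
	u.Sub(u, one).Div(u, k.N)
	return u.Mul(u, k.Mu).Mod(u, k.N).Int64()
}

// AddEncrypted is the provider-side step: it uses only the public N^2, no key.
func AddEncrypted(n2, c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), n2)
}

func main() {
	k := GenerateKey(512)                                      // toy key size
	sum := AddEncrypted(k.N2, k.Encrypt(1200), k.Encrypt(345)) // constructed values
	fmt.Println(k.Decrypt(sum))
}
```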
Compliance and monitoring
Static paper-based security certification for cloud does not make sense—because of its very dynamic nature. The only way to provide guarantees is to do dynamic monitoring/auditing and compliance. An interesting angle of security arises, as the user of a cloud service does not own the complete stack of infrastructure. Providing security in the cloud is hence a shared responsibility.
Enterprises need to make sure that they clearly understand the boundaries of security/privacy/compliance responsibilities between the cloud provider and its user—the enterprise. Enterprises also need to make sure periodic verification, monitoring and testing are done. This will make sure no leaks occur—which can easily go unnoticed in such dynamic environments.
Transparency and openness
Transparency, interoperability and openness play a critical role in the security defenses in the cloud. It is important to know how transparent a cloud provider and the processes they follow are. In case of any breach, a cloud user needs to be sure they are rightly notified of the breach as well as the circumstances and conditions. It helps a user evaluate their own process against that of the provider.
An enterprise needs to evaluate the commitment of the provider to openness and transparency—before taking the plunge. They also need to evaluate the provider’s dedication to security. They can determine this by the provider’s commitment to various standards like SSAE16, ISAE 3402, SOX 404, PCI DSS, GLB, ISO27001, etc., as appropriate.
So what should enterprises do when it comes to security?
Cloud providers have been working hard to address the various security concerns that have been raised. Cloud providers manage huge infrastructures and utilize economies of scale. This way they can use the best security methodologies, tools and resources available in the market, which may be available only to a select few. So unless you have some unique requirements for security, the cloud providers should be able to meet your needs.
For all others the answer to the question seems very clear. A company needs to first evaluate the criticality of all its data. If it identifies data that it can’t afford to lose, it should not put that data in the public cloud. For the rest it should determine what data needs to be stored in the cloud and how. Reports point to more and more enterprises taking to the cloud, and with the increased reliance, security concerns and threats will only grow.
BTW, what does HP provide?
Here is an interesting slide, from my colleague Mauricio Sanchez, which captures this very well.
Read more: CSA paper on top cloud security threats