Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models - software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) - the talk often turns to cloud security. According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualised datacentre on their own premises - what some call a private cloud - because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.
"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner. "The things that make it easy and appealing - like the immediate plug-and-play productivity - also make it impossible to conclusively assess your relative risks." Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.
For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they're buying. "That will be quite a radical change and a disruption," he adds.
In the meantime, organisations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organisation divided the domains into two broad areas: governance and operations.
Domains grouped under governance include:
- governance and ERM
- legal and electronic discovery
- compliance and audit
- information lifecycle management
- portability and interoperability
Domains grouped under operations include:
- traditional security, business continuity and disaster recovery
- datacentre operations
- incident response, notification and remediation
- application security
- encryption and key management
- identity and access management
The CSA also summarized the top threats of cloud computing, along with the cloud models each threat most pertains to and guidance for remediation.
The categories of tools that can help address these threats include XML, SOA and application security; encryption tools for data in transit and at rest; smart key management; log management; identity and access management; virtual firewalls and other virtualisation-management tools; data-loss prevention; and more. "You're translating the existing security architecture into the cloud, so there are a lot of different tools you'll need, some of which already exist and other cases where you need new technology," Heiser says.
For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms; identity management systems will need to authenticate not just users but also devices and applications; and security information management (SIM) systems will need to log billions of events and analytics.
Forrester also released a list of questions that enterprises should ask to secure their cloud implementation, covering the areas of security and privacy, compliance, and other legal and contractual issues.
Experts also emphasise that the levels of exposure and risk for the three cloud models are very different, and the way of addressing security also differs, depending on which layer you're engaging with. "The security requirements are really the same, but as you go from SaaS to PaaS and IaaS, the level of control you have over security changes," says Mike Kavis, founder of Kavis Technology Consulting and CTO at a startup company. "From a logical view, nothing has really changed, but how you physically do it changes dramatically."
As the CSA explains, with SaaS, the provider's applications run on a cloud infrastructure and are accessible through a Web browser. The consumer does not manage or control the network, servers, operating systems, storage or even individual application capabilities.
For this reason, the SaaS model integrates the most functionality directly into the offering, with the least consumer extensibility, and "security responsibilities are almost entirely up to the vendor," Heiser says. "If the vendor doesn't encrypt data, it's not encrypted. If there isn't activity monitoring, you won't get any."
With PaaS, consumers create applications using programming languages and tools supported by the vendor and then deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not manage or control the infrastructure - the network, servers, operating systems or storage - but does have control over the deployed applications and possibly the application-hosting environment configurations.
There are fewer customer-ready or built-in security features with PaaS than with SaaS, the CSA says, and those that do exist are less complete, but there is more flexibility to layer on additional security. This means users need to pay attention to application security, as well as security issues surrounding the management APIs, such as authentication, authorization and auditing.
With IaaS, consumers can provision processing, storage, networks and other fundamental computing resources, as well as deploy and run operating systems and applications, according to the CSA. While they don't manage or control the underlying cloud infrastructure, they do have control over operating systems, storage and deployed applications, and possibly limited control of select networking components, such as host firewalls, the CSA says.
With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself, but there's enormous extensibility, according to the CSA. This means users need to manage and secure operating systems, applications and content, typically through an API.
"A lot of the perimeter security is handled by the vendor, but they're giving you access to virtual machines, so you still have to build the application and provide the infrastructure control," Kavis says.
With IaaS, virtualisation management is a big concern, says Heiser, particularly when it comes to intrusion detection and the integrity of partitioning virtual machines. "You need to mediate separation and make sure they don't interact with each other," he says.
Chris Barber, CIO at Wescorp, says he is concerned about multitenancy and hypervisor vulnerabilities. "Since you have multiple users on a single physical box, there may be a security vulnerability that one user could somehow access another user's virtual machine," he says.
Sidebar: Four examples of cloud security in the real world
Perhaps the best way to further understand cloud security is through specific examples. Here's a peek into a few of the biggest concerns that users have and how four companies have chosen to handle them.
Cloud model: SaaS
Security concern: Single sign-on
When Lincoln Cannon was hired 10 months ago as director of web systems at a 1,500-employee medical device company, he wanted to help the marketing department make a switch to Google Apps and a SaaS-based training application called eLeap, in the interests of lowering development costs and improving productivity.
However, there were some concerns. Marketing executives didn't want users to have more than one log-in, and IT wanted to retain access control over the applications, especially when it came to adding new employees and terminating their accounts when they left the company.
Cannon turned to a single sign-on system from Symplified, which communicates with Active Directory to verify the credentials of the user who is trying to log in to the cloud application. Google Apps uses APIs to offload authentication of users to a single sign-on provider, Cannon says, but with eLeap, the system needed to use an authentication adapter.
Either way, "it's kind of like a guardian," Cannon says. "To get to our instance of eLeap training or Google Apps, you have to authenticate with the single sign-on provider." And it's synchronized with Active Directory. "We define, through Symplified, which of our accounts has access to these SaaS applications, and when we kill the account in Active Directory, it prevents anyone from using that account to access those SaaS applications," Cannon says.
The Symplified system can operate in a SaaS model itself, but the device company chose to implement a Symplified-managed router behind its firewall. It did this because IT didn't want to manage user accounts and passwords in the cloud. "All that happens behind the firewall," Cannon says.
Cloud model: IaaS
Security concern: Data encryption
At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup. The prime concern for the bank was data encryption and finding a provider that could accommodate the bank's already-developed encryption algorithm. "Some rely on the vendor to supply encryption, but we do our own," Brewer says. "Everything we send and store is encrypted at the vendor site."
Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup. Brewer also chose Zecurion because he knows the location of the datacentre where his information is stored. "We know one of their three datacentres have our data - it's not just sent into the cloud and we don't know where the data is," he says.
Cloud model: Private, on-site cloud
Security concern: Virtualisation
When Matt Reidy, director of IT operations at SnagAJob.com, embarked on the company's three-year technology refresh, his goal was to move from a 75 percent virtualised environment to a 100 percent virtualised, private secure-compute cloud, using Dell blade servers running VMware and vSphere at the core.
As a high-growth, entrepreneurially spirited dotcom, Reidy says, SnagAJob wanted the flexibility of a cloud model, but "we weren't ready to use cloud services from other vendors. A lot of stuff we'll do will wither and die on the vine, while other things will take off, and having a virtual cloud infrastructure will enable that with minimal talent investment, as far as time spent to spin new things up."
Before the technology refresh, SnagAJob had a multitier infrastructure, with firewalls providing physical separation between the Web, application and database layers. Reidy was able to attain 100 percent virtualisation by eliminating the physical firewalls and implementing a virtual firewall from Altor Networks. The only place a physical firewall will continue to exist is at the perimeter, in addition to an intrusion detection and prevention appliance.
Before vSphere Version 4, Reidy explains, you could get firewall appliances running as virtual machines, but "they were severely limited in their performance, because network traffic had to pass through those virtual machines," he says. But now, vSphere includes an API called VMsafe that enables firewall vendors such as Altor, Checkpoint and others to move traffic inspection into the VMware kernel.
"It improves performance, stability and security by a factor of 10," Reidy says. With the Altor virtual firewall, Reidy's team can also see, for the first time, what traffic is flowing between which virtual machines, including protocols and data volume. "That's a challenge in the virtual cloud space - traditional products won't capture that," he says. "We're able to tighten our security more because we can see what's flowing and write rules based around what we see versus what we think is going on." Other products that enable such visibility, he says, include Cisco Systems's NetFlow and Juniper's J-Flow, as well as an open systems standard called sFlow.
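The idea of writing rules from what is seen rather than what is assumed can be sketched as a comparison between observed inter-VM flows and the intended tier policy. This is an added example, not code from the article or from any vendor named in it; the VM names, tier map, policy and flow records are constructed assumptions standing in for whatever a virtual firewall or a NetFlow/sFlow export would supply.

```python
from collections import Counter

# Constructed sample data: VM names, tiers and flow records are illustrative only.
VM_TIER = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}

# Intended policy ("what we think is going on"): (src tier, dst tier, protocol, dst port).
INTENDED = {("web", "app", "tcp", 8080), ("app", "db", "tcp", 3306)}

# Observed inter-VM flows: (src VM, dst VM, protocol, dst port, bytes).
FLOWS = [
    ("web-01", "app-01", "tcp", 8080, 120_000),
    ("web-02", "app-01", "tcp", 8080, 95_000),
    ("app-01", "db-01", "tcp", 3306, 400_000),
    ("web-02", "db-01", "tcp", 3306, 7_500),   # web tier reaching the database directly
    ("app-01", "web-01", "tcp", 22, 1_200),    # SSH from the app tier back to the web tier
]

def summarise(flows, vm_tier):
    """Aggregate per-VM flows into tier-to-tier conversations with byte totals."""
    totals = Counter()
    for src, dst, proto, port, nbytes in flows:
        key = (vm_tier.get(src, "unknown"), vm_tier.get(dst, "unknown"), proto, port)
        totals[key] += nbytes
    return totals

def compare(flows, vm_tier, intended):
    """Return (observed conversations outside the policy, policy rules never exercised)."""
    seen = summarise(flows, vm_tier)
    unexpected = {k: v for k, v in seen.items() if k not in intended}
    unused = sorted(intended - set(seen))
    return unexpected, unused

if __name__ == "__main__":
    unexpected, unused = compare(FLOWS, VM_TIER, INTENDED)
    for (src, dst, proto, port), nbytes in sorted(unexpected.items()):
        print(f"REVIEW  {src} -> {dst} {proto}/{port}  {nbytes} bytes")
    for rule in unused:
        print(f"UNUSED  {rule}")
```

Conversations flagged for review are candidates for either a deliberate allow rule or an investigation; rules that are never exercised are candidates for removal.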
Cloud model: IaaS
Security concerns: Virtualisation, business continuity, auditing
At his startup, Kavis has chosen to use Amazon to host his entire infrastructure. Before doing that, he sat down with a security specialist, who identified all the requirements for implementing the virtual machines. Kavis then built a virtual image applying those controls and created a snapshot that he can replicate anytime he needs to set up a new virtual machine.
"Amazon provides you with the virtual image software, but it doesn't apply the security to it," Kavis says. "With PaaS, that would all be taken care of for me, but with IaaS, I can build the security to the level I want, and I have a lot more flexibility over what the machine is doing."
Kavis also has to perform all the functions that a systems administrator would, such as opening and shutting down ports, writing configurations and locking down the database, which he does using the LAMP stack, provided by Amazon out of the box. Kavis is 100 percent comfortable with the perimeter security provided by Amazon, which is "at a level very few companies can do," he says.
To ensure business continuity, Kavis replicates everything to at least two additional environments, in different zones. "The only way I can be totally down is if multiple Amazon zones are down," he says. "And Amazon has very high reliability in each specific zone, so we've never had everything down at one time." With IaaS, he emphasises, "it's up to me to build an architecture that can have high reliability."
One concern Kavis has yet to address is auditing. "Because the rules haven't changed to reflect cloud computing, regulations still require visits to the physical box, and you can't do that in the public cloud," he says. For data that falls under compliance regulations, Kavis plans to use a virtual private cloud. "The vendor will say, 'Here's your server, locked in a cage, and if you ever have an audit, you can bring in the auditors to look at it.' We'll use that for passing audits, but everything else will be in the public cloud." Even if he needs to house certain types of data on-site, he says, "we will still offload processing to the public cloud to get those benefits of scale and cost."