While maintaining appropriate data security continues to be a prevailing concern, a cloud computing infrastructure can actually increase your overall security.
Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)
Some of you may still harbor deep concerns over cloud computing from a security standpoint, but the conclusion that it is insecure is essentially inaccurate. With its inherent qualities, cloud computing has tremendous potential for organizations to improve their overall information security posture.
There are many reasons for this. The cloud model enables the return of effective control and professional operation over IT resources, processing and information. By virtue of the scale of the public cloud, tenants and users can achieve better security because the provider’s investment in achieving better security costs less per consumer.
A private cloud provides significant security advantages for the same reasons. There are caveats, however: You won’t get the benefit without investment, and not every model is appropriate for all organizations. Regardless of which services delivery model or deployment model you choose, you will transfer some degree of control to the cloud provider. This is completely reasonable if control is managed in a manner and at a cost that meets your needs.
There are several areas of concern when it comes to cloud computing:
Although the public cloud model is appropriate for many non-sensitive needs, the fact is that moving sensitive information into any cloud not certified for such processing introduces inappropriate risk. You need to be completely clear about certain best practices: It’s unwise to use a public cloud for processing sensitive, mission-critical or proprietary data. It’s expensive and excessive to burden non-sensitive and low-impact systems with high-assurance security. Finally, it’s irresponsible to either dismiss cloud computing as being inherently insecure or claim it to be more secure than alternatives.
Follow a reasonable risk assessment when choosing a cloud deployment model. You should also ensure you have appropriate security controls in place. List your security concerns so you can either dismiss or validate them and counter them with compensating controls.
As you consider the security concerns around cloud computing, you also have to consider the security concerns around virtualization and its role in cloud computing. You need to understand how virtualization is implemented within a cloud infrastructure.
Starting at the level of our objective, a virtual machine (VM) is typically a standard OS captured in a fully configured and operationally ready system image. This image amounts to a snapshot of a running system, including space in the image for virtualized disk storage.
Supporting this VM’s operation is some form of enabling function. This is typically called a hypervisor, which represents itself to the VM as the underlying hardware. Different virtualization implementations vary, but in general terms, there are several types:
There are interesting security concerns around the use of virtualization, even before you consider using it for cloud computing. First, each new VM you add is an additional OS. This alone entails additional security risk. Every OS should be patched, maintained and monitored as appropriate for its intended use.
Second, typical network-based intrusion detection doesn’t work well with virtual servers co-located on the same host. Consequently, you need to use advanced techniques to monitor traffic between VMs. When you move data and applications between multiple physical servers for load balancing or failover, network monitoring systems can’t assess and reflect these operations for what they are. This problem is exacerbated when using clustering in conjunction with virtualization.
Third, using virtualization demands different management approaches for many functions, including configuration management, VM placement and capacity management. Likewise, your resource allocation problems can quickly become performance issues. Thus, refined performance management practices are critical to running an effective, secure virtualized environment.
Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton, providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion/anomaly detection.
©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler.