There is no doubt that cloud computing has become mainstream and is great for business. What used to be hype is now real and here to stay. Companies such as Amazon.com, Rackspace, IBM, HP, Microsoft, and others have established sound businesses around “cloud” with aggressive growth plans. With the total market size estimates by various analyst firms ranging from $10B to $25B, the numbers are heady. These numbers are forecasted to grow at a double digit compounded growth rate over the next few years. And businesses are starting to believe in cloud computing as a way to increase operational efficiency and reduce costs. According to a recent survey by North Bridge Venture Partners on the Future of Cloud Computing, 50 percent of respondents were confident that cloud solutions are viable for mission critical business applications.
Cost and flexibility are certainly key in driving this ferocious appetite for cloud computing. In all the excitement, however, security continues to be the missing piece and is a major concern. Fifty-five percent of the North Bridge survey respondents identified security as a concern and a barrier to adoption of cloud. As we know very well from social networking, security can be a thorn in the rosy outlook.
But, before we dive into security issues related to cloud, let’s start with the basics.
What is Cloud Computing?
The word “cloud” most likely was derived from the image of cloud that was commonly used for the Internet. So cloud computing basically means doing all or most of the computing in the Internet without relying on physical resources.
So, let’s now look at securerobe cloud. There are many confusing definitions floating around but probably the clearest definitions have been established by the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance.
Software as a Service (SaaS): In the case of SaaS, you use the provider’s applications on a cloud infrastructure with little to no control over the infrastructure, network, servers, operating systems, storage, etc. There are many examples of SaaS vendors – Salesforce.com, Google Apps, Ning, Workday, and many others.
Platform as a Service (PaaS): Customer deploys applications using an application development environment and middleware capabilities for specific languages such as java, python, .net, etc. and doesn’t control infrastructure, servers, OS, or storage but has control over the apps. Some examples of PaaS vendors include Microsoft Azure, Amazon and Force.com
Infrastructure as a Service (IaaS): Customer gets processing, APIs, storage, networks, and computing resources from the provider using his or her own OS, applications and maybe some networking components. Some examples of IaaS vendors include Amazon, Rackspace and CloudFoundry.
The lower down the stack you go, the more security capabilities the customer is responsible for.
Cloud Characteristics
While a lot of people are claiming to be “cloud” providers, the key characteristics that are important for cloud are:
Self-Service. Customers must be able to self-service to get the service.
Network Access. Customers have to be able to access the service over the network versus on an on-premise hardware.
Multi-tenancy. The provider must allow for an environment with multi-tenancy, i.e. multiple customers are sharing a common environment. That’s what helps in optimizing the costs.
Scalability. The cloud solution has to be scalable with thousands or even millions of customers using the service over the network.
Usage metrics. Usage metrics have to be visible and tracked
Cloud Benefits
With so many companies jumping on the bandwagon, there must be some benefit. In fact, cloud can be very powerful and offers many benefits. Cloud leverages massive scale, homogeneity, virtualization, low cost software, service orientation, and advanced security technologies, resulting a lot of benefits for the customers, some of which include:
Reduced cost. This is perhaps the biggest benefit from customers’ point of view. Economies of scale allow vendors to reduce the cost dramatically. Currently, servers are used at only 15 percent of their capacity in many companies and 80 percent of enterprise software expenditure is on installation and maintenance of software. Use of cloud applications can reduce costs from 50 percent to 90 percent.
More mobility. By definition, cloud can be accessed from anywhere, which allows mobility in using the information.
Flexibility to adjust. Flexibility or elasticity to use the service based on your needs and scale up as needed is a huge advantage.
Increased storage. Storage in Cloud is cheap and you are only using what you need to.
Leverage vendor expertise. Assuming you pick the right vendor, you can leverage the vendor expertise and have your IT focus on other critical issues.
Security Issues
In most surveys for cloud computing, top issues continue to be security, performance, and availability. These are all good concerns and need to be addressed. Performance and availability are big issues because as soon as you move your services from your environment where you can touch and feel things, to out there literally in the cloud, there could be some impact. Make sure that your Service Level Agreements (SLAs) from cloud providers are very clear on these issues.
Security continues to be the number one issue and that’s what we’ll address in detail here.
The key security issues from customers’ points of view seem to be around security defects in the technology itself, unauthorized access to customer information, encryption, application security, identity management, virtualization security, etc.
Responsibility for security issues depends on which tier of cloud offering you are using. So, for IaaS, vendor responsibility is around physical, environmental, and virtualization security. Every other aspect of security in applications, operating system, etc., still needs to be handled by the customer. On the other hand, if you are using a SaaS offering, then the vendor is responsible for all elements of security. Here are the key issues to keep in mind with some recommendations:
Physical Security. You want to make sure that physical security around the infrastructure is very tight – even tighter than in your environment because it’s not your employees’ anymore.
Tip – Ask your provider for the physical security policies. Every cloud vendor should have a clear architecture related to their physical security. What type of layout they have? Who can access what? Are you allowed to do periodic visits to see their physical structure? What happens in case of a disaster such as an earthquake or hurricane?
Insider Abuse. When you “cloudize” your environment, you lose control over who’s managing that infrastructure with your confidential information. Insider abuse is a common problem, where information can be stolen and passed on to outsiders or they can collude with hackers.
Tip – Ask your cloud provider what their policy is for background checks of all their employees. Who has access to sensitive information? If a lot of employees have access to sensitive information, then your risk of insider abuse is much higher. Do they have any hacking background or past felonies?
Data encryption. Cloud environments are shared and your data is in the same environment alongside data from other customers. Breaches can easily happen from one database to another.
Tip – Find out how cloud providers protect sensitive data in storage infrastructure. What kinds of logs are available? How is the data encrypted? Although encryption is not a panacea and other issues such as access control are very important, it’s an extremely important element of data protection. Data needs to be encrypted at rest, in transition, and for disposition. How’s the key management handled?
Third party relationships. You are as strong as your weakest link. And, in corporate environments, your weakest link could be your integration with your partners. In the case of cloud providers, this is even more important due to integrations of various third parties and applications into the cloud environment.
What to do – Find out how cloud providers enforce security processes for their integrations with third parties. Is there a certification process to make sure that third party applications are secure and won’t allow hackers to get into the cloud provider environment through one of these partners?
Network Security. In recent months, aggressive marketing by various cloud providers has made it easier for hackers to get accounts and to plant botnets. Cloud is also susceptible to a more Denial of Service attacks. As such, cloud providers need to ensure that their perimeter is secure and barrier to attacks is high.
Tip – Find out what devices the cloud providers are using to stop bad guys from getting in through the perimeter. Do they have strong network firewalls? How are they kept updated? Do they have good Intrusion Detection System/ Intrusion Prevention System (IDS/IPS) systems in place? How do they monitor the events? Do they have Security Information and Event Management SIEM or log management software in place?
Virtualization Security. Almost all cloud providers use virtualization to provide economies of scale and optimal distributed architecture. Virtualization has its own set of security issues.
Tip – Find out what security process they have for their virtualization environment. How are they testing for vulnerabilities and fixing them?
Access Controls. Some of the big issues for cloud services are around access control, authentication, user management, provisioning, etc.
Tip – Find out how what types of standards the cloud provider is following. How’s the provisioning of users done? Who manages the credential management process? How much control do you have? Is there a dedicated VPN? Is there a federated identity process and how’s that managed? Can OpenIDs be used for registration and authentication?
Application Security. With more than 75 percent of attacks happening through Web applications, this becomes a critical piece in the overall cloud decision-making process. Although the exposure is similar to what you would have in your own environment, it’s on a massive scale and you may not have any control over it.
Tip – Questions to ask and consider: Does security ownership transfer to the infrastructure provider? What’s the impact on security in the Systems Development Life Cycle (SDLC)? How do you ensure protection against key vulnerabilities such as Cross-site Scripting (XSS), SQL Injection, Cross-site Request Forgery (CSRF), Session Management, etc.? What happens in case of a breach? Who’s responsible? What are the security issues around APIs (integration is very important when you move to cloud) and what kinds of encryption keys are used for these integrations? Does the cloud provider use vulnerability scanning tools and services to find vulnerabilities in applications? What is the process of remediating or blocking those vulnerabilities? Would the cloud provider allow you to run your own vulnerability assessment tools?
Legal issues. Providers and customers must also consider legal issues such as e-discovery to make sure there is no miscommunication for terms.
Tip – Make sure you clarify with your provider where the ownership lies for these issues and that you feel comfortable with it.
Cloud computing is the right thing for most organizations in spite of security. Security issues do need to be carefully addressed, though, before jumping full force into cloud. The key is to do proper due diligence with your cloud providers and really understand their SLAs. Ask the right questions and take your time in selecting the right provider for you based on your requirements and risk appetite. Like with any other business decision: No risk, no reward.
securerobe 