This article originally appeared in the May 2012 issue of INTERNET TELEPHONY magazine.
Cloud service providers typically are very clear about what they secure for customers, and what cloud customers themselves must look to secure. But that point is sometimes lost in translation. However, with better education, new tools and related services, things are likely to improve on this front over time. At least that’s what INTERNET TELEPHONY is hearing from the handful of sources it interviewed for this article.
People spinning up cloud services typically are data analysts, marketing folks and developers – and sometimes IT doesn’t even know they’re using cloud services, says Rand Wacker, vice president of CloudPassage, a three-year-old company that secures virtual servers running on public or private clouds. In traditional networking scenarios, IT usually makes sure things are secured, but these other folks might not realize they’re responsible for that when they turn up cloud services. A recent survey by CloudPassage indicates that while Amazon and others in the cloud services space make clear who is responsible for what in terms of security, more than 30 percent of hundreds of customers surveyed believe their cloud provider offers all needed security.
Forrester Research’s James Staten, vice president and a principal analyst at the firm, explains that infrastructure-as-a-service providers typically offer security up to the virtual machine, or point of abstraction. That means the IaaS outfit will secure the hypervisor, hardware, and other gear in the data center, and will offer data center perimeter security. Customers, meanwhile, are responsible for securing what’s inside their virtual machine and any connections they open from it to the outside world. The problem, as noted above, is that some customers don’t understand that important point.
“Forrsights surveys and discussions with clients continue to show that the early adopters of cloud services are not I&O professionals, and this gap rose in 2011,” according to Forrester Research’s 2012 Top 10 IaaS Cloud Predictions for I&O Leaders, which was released Feb. 3, 2012. “And the trend of empowered employees and developers not telling I&O about their use of cloud continued in 2011. Thankfully we saw more I&O leaders begin to proactively engage these leaders by demonstrating how I&O can make services more predictable and productive. However, more of this engagement is still needed, since the pressure on the business to move more quickly and autonomously increases with the risk of a double-dip recession in 2012.”
Forrester suggests that companies would do well to publish cloud use policy documents that state how their organizations can best use new technologies like cloud computing successfully and securely. And, as Staten notes, there are specific tools to enable organizations to monitor and even block delicate data like customer information or payroll information from being moved.
When it comes to securing cloud services, traditional security technologies don’t work, says Wacker of CloudPassage, because either you don’t have access to the network so you can’t use a firewall or a VPN, or the tools are not designed for the dynamic nature of the cloud. That’s why CloudPassage designed cloud-ready security solutions, which have the added value of being as lightweight as possible on the server.
CloudPassage supplies free tools to secure up to 25 servers. It makes money on customers that want to secure more than 25 servers or add functionality. And customers can increase and decrease the number of servers secured on an as-needed basis. For example, Foursquare, one of CloudPassage’s largest customers, runs a couple hundred servers during the week, but doubles that on the weekend.
More important than scalability, however, is the fact that with the cloud operational model you have no idea what the IP address is, what kind of server might be involved, and when or how often things will change, Wacker explains. So CloudPassage has created a policy model that doesn’t apply policy based on IP address, but rather allows the customer to define a group of servers. That allows CloudPassage to apply policy to servers automatically as they are turned up and down, and changed around.
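The difference between keying policy on IP addresses and keying it on customer-defined server groups, as an added illustration that is not CloudPassage’s code and assumes nothing about its product’s actual policy format: a constructed two-server fleet is protected by both schemes while its addresses are static, but when the web tier doubles for the weekend (the pattern described for Foursquare above) the clones come up with fresh addresses that the IP table has never seen, while the group table covers them the moment they join. The port lists, addresses and group names are all constructed sample data.

```python
"""Group-based vs IP-based firewall policy for a dynamically scaled fleet."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    name: str
    ip: str                   # assigned by the cloud at boot; not stable
    groups: FrozenSet[str]    # roles the customer assigns, e.g. {"web"}


# Constructed sample policy tables. Each entry lists the inbound TCP ports
# that should be reachable on a matching server.
IP_POLICY = {
    "10.0.0.10": (22, 80, 443),
    "10.0.0.20": (22, 5432),
}
GROUP_POLICY = {
    "base": (22,),            # every server gets management access
    "web": (80, 443),
    "db": (5432,),
}


def allowed_ports_by_ip(server: Server) -> Optional[Tuple[int, ...]]:
    """Look up the rule for this exact address; None if the address is unknown."""
    return IP_POLICY.get(server.ip)


def allowed_ports_by_group(server: Server) -> Optional[Tuple[int, ...]]:
    """Union the rules of every group the server belongs to, plus 'base'."""
    ports = set()
    matched = False
    for group in sorted(server.groups | {"base"}):
        if group in GROUP_POLICY:
            matched = True
            ports.update(GROUP_POLICY[group])
    return tuple(sorted(ports)) if matched else None


def unprotected(fleet: List[Server],
                resolver: Callable[[Server], Optional[Tuple[int, ...]]]) -> List[str]:
    """Names of servers for which the resolver finds no policy at all."""
    return [s.name for s in fleet if resolver(s) is None]


def scale_out(fleet: List[Server], template: Server,
              count: int, first_host: int) -> List[Server]:
    """Constructed stand-in for autoscaling: clones inherit the template's
    groups but receive brand-new addresses from the cloud provider."""
    clones = [
        Server(f"{template.name}-{i}", f"10.0.0.{first_host + i}", template.groups)
        for i in range(count)
    ]
    return list(fleet) + clones


# Weekday fleet: two servers, both present in the IP table.
WEEKDAY = [
    Server("web-0", "10.0.0.10", frozenset({"web"})),
    Server("db-0", "10.0.0.20", frozenset({"db"})),
]
# Weekend fleet: the web tier doubles and the new instances have new IPs.
WEEKEND = scale_out(WEEKDAY, WEEKDAY[0], 2, 100)

if __name__ == "__main__":
    for label, fleet in (("weekday", WEEKDAY), ("weekend", WEEKEND)):
        print(f"{label}: no IP policy for    {unprotected(fleet, allowed_ports_by_ip)}")
        print(f"{label}: no group policy for {unprotected(fleet, allowed_ports_by_group)}")
```

The IP-keyed table is correct right up until the fleet changes shape, and then every new instance is silently outside the policy until someone notices its address and adds a row; the group-keyed table needs no change at all, because membership, not location, is what the rule is attached to. The same property covers the other direction: when a server is retired and its address is recycled, a stale IP row hands the old server’s permissions to whatever comes up next, while a group rule stops applying as soon as the server leaves the group.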
Cloud security solutions outfits, research and analyst firms like Forrester, and cloud services providers are working to educate customers about what it takes to secure the cloud, and about who is responsible for what security in cloud environments, says Staten. He adds that market leader Amazon holds sessions and tutorials that cover cloud security and makes explicit in its customer agreements what it secures and what it does not.
Yet despite the available tools and efforts to educate the market about cloud security, even some large high-tech organizations – such as Sega and Sony – have had their environments breached. Staten suggests these two examples, especially when compared with one another, expose a valuable lesson in how security policies can make a big difference.
The Sony and Sega break-ins last year both involved multitenant hosted environments (although not necessarily cloud environments), he says. But while the Sony breach exposed customer names, accounts, passwords and other detailed data, the Sega breach exposed only user names and passwords (other information was on the Sega premises, where there was heavier security). Taking the extra steps to evaluate your risk profile and secure especially sensitive data can have big payoffs later, he indicates.
“It’s all about risk profile management,” he adds.
In any case, Staten says it should be noted that despite the education gap around cloud security and the potential risks of shared networking, multitenant environments tend to offer far better security than that found in your typical enterprise.
“There’s a reason we put our money in a bank vault and not under our mattress,” he says.
Edited by Stefania Viscusi