Cloud Computing: Cloud Security Concerns
While maintaining appropriate data security continues to be a prevailing concern, a cloud computing infrastructure can actually increase your overall security.
Vic (J.R.) Winkler
Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)
While some of you may still harbor deep concerns over cloud computing from a security standpoint, that’s essentially an inaccurate conclusion. With its inherent qualities, cloud computing has tremendous potential for organizations to improve their overall information security posture.
There are many reasons for this. The cloud model enables the return of effective control and professional operation over IT resources, processing and information. By virtue of the scale of the public cloud, tenants and users can achieve better security because the provider’s investment in achieving better security costs less per consumer.
A private cloud provides significant security advantages for the same reasons. There are caveats, however: You won’t get the benefit without investment, and not every model is appropriate for all organizations. Regardless of which services delivery model or deployment model you choose, you will transfer some degree of control to the cloud provider. This is completely reasonable if control is managed in a manner and at a cost that meets your needs.
Keeping Track of Security
There are several areas of concern when it comes to cloud computing:
- Network Availability: You can only realize the value of cloud computing when your network connectivity and bandwidth meet your minimum needs. The cloud must be available whenever you need it. If not, the consequences are no different than a denial-of-service attack.
- Cloud Provider Viability: Because cloud providers are relatively new to the business, there are questions about their viability and commitment. This concern deepens when a provider requires tenants to use proprietary interfaces, leading to tenant lock-in.
- Disaster Recovery and Business Continuity: Tenants and users require confidence that their operations and services will continue if the cloud provider’s production environment is subject to a disaster.
- Security Incidents: The provider must inform tenants and users of any security breach. Tenants or users may require provider support to respond to audit or assessment findings. Also, a provider may not offer sufficient support to tenants or users for resolving investigations.
- Transparency: When a cloud provider doesn’t expose details of its own internal policy or technology, tenants or users must trust the provider’s security claims. Tenants and users may still require some transparency by providers as to how they manage cloud security, privacy and security incidents.
- Loss of Physical Control: Because tenants and users lose physical control over their data and applications, this gives rise to a range of concerns:
- Data Privacy: With public or community clouds, data may not remain in the same system, raising multiple legal concerns.
- Data Control: Data could be coming in to the provider in various ways with some data belonging to others. A tenant administrator has limited control scope and accountability within a public Infrastructure as a Service (IaaS) implementation, and even less with a Platform as a Service (PaaS) one. Tenants need to have confidence their provider will offer appropriate control, while recognizing the need to adapt their expectations for how much control is reasonable within these models.
- New Risks and Vulnerabilities: There’s concern that cloud computing brings new classes of risks and vulnerabilities. There are hypothetical new risks, but the actual exploits will largely be a function of a provider’s implementation. All software, hardware and networking equipment are subject to unearthing new vulnerabilities. By applying layered security and well-conceived operational processes, you can protect a cloud from common attacks, even if some of its components are inherently vulnerable.
- Legal and Regulatory Compliance: It may be difficult or unrealistic to use public clouds if your data is subject to legal restrictions or regulatory compliance. You can expect providers to build and certify cloud infrastructures to address the needs of regulated markets. Achieving certification may be challenging due to the many non-technical factors, including the current state of general cloud knowledge. As best practices for cloud computing encompass greater scope, this concern should fade.
Although the public cloud model is appropriate for many non-sensitive needs, the fact is that moving sensitive information into any cloud not certified for such processing introduces inappropriate risk. You need to be completely clear about certain best practices: It’s unwise to use a public cloud for processing sensitive, mission-critical or proprietary data. It’s expensive and excessive to burden non-sensitive and low-impact systems with high-assurance security. Finally, it’s irresponsible to either dismiss cloud computing as being inherently insecure or claim it to be more secure than alternatives.
Follow a reasonable risk assessment when choosing a cloud deployment model. You should also ensure you have appropriate security controls in place. List your security concerns so you can either dismiss or validate them and counter them with compensating controls.
The Role of Virtualization
As you consider the security concerns around cloud computing, you also have to consider the security concerns around virtualization and its role in cloud computing. You need to understand how virtualization is implemented within a cloud infrastructure.
Starting at the level of our objective, a virtual machine (VM) is typically a standard OS captured in a fully configured and operationally ready system image. This image amounts to a snapshot of a running system, including space in the image for virtualized disk storage.
Supporting this VM’s operation is some form of enabling function. This is typically called a hypervisor, which represents itself to the VM as the underlying hardware. Different virtualization implementations vary, but in general terms, there are several types:
- Type 1: This is also called “native” or “bare metal” virtualization. It’s implemented by a hypervisor that runs directly on bare hardware. Guest OSes run on top of the hypervisor. Examples include Microsoft Hyper-V, Oracle VM, LynxSecure, VMware ESX, and IBM z/VM.
- Type 2: This is also called hosted virtualization. This has a hypervisor running as an application within a host OS. VMs also run above the hypervisor. Examples include Oracle VirtualBox, Parallels, Microsoft Windows VirtualPC, VMware Fusion, VMware Server, Citrix XenApp and Citrix XenServer.
- OS implemented virtualization: This is implemented within the OS itself, taking the place of the hypervisor. Examples of this include Solaris Containers, BSD jails, OpenVZ, Linux-V Server, and Parallels Virtuozzo Containers.
There are interesting security concerns around the use of virtualization, even before you consider using it for cloud computing. First, by adding each new VM, you’re adding an additional OS. This alone entails additional security risk. Every OS should be appropriately patched, maintained and monitored as appropriate per its intended use.
Second, typical network-based intrusion detection doesn’t work well with virtual servers co-located on the same host. Consequently, you need to use advanced techniques to monitor traffic between VMs. When you move data and applications between multiple physical servers for load balancing or failover, network monitoring systems can’t assess and reflect these operations for what they are. This is exaggerated when using clustering in conjunction with virtualization.
Third, using virtualization demands different management approaches for many functions, including configuration management, VM placement and capacity management. Likewise, your resource allocation problems can quickly become performance issues. Thus, refined performance management practices are critical to running an effective, secure virtualized environment.
Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton, providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion/anomaly detection.
©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler. For more information on this title and other similar books, please visit elsevierdirect.com.