Posted by: Beth Cohen
Question: Cloud security is still a major concern for IT and Business executives. Are there emerging security products that address the unique challenges of the cloud?
Progress has been made; business executives no longer give security as the primary reason for not implementing cloud architectures in the enterprise. Cloud security is definitely still a concern, but many enterprises are taking it in-house and deploying private clouds. That does not solve the fundamental problem, but at least it ducks the pressing security issues of the public cloud, for a while, anyway. Most currently available enterprise security tools are retrofits of existing approaches that assume a private, controllable network of some sort that needs to be protected. Too many of the older products essentially assume security is the protection of a soft inside by a hardened outside. However, plenty of new vendors are taking a fresh look at cloud security and working on exciting new solutions that assume that system exposure is a fact of life.
To really take cloud security to the next level, the cloud has to be looked at from a different perspective. Cloud infrastructure and applications are all on the ubiquitous network, so the relationship between users and the systems they are using is very abstracted. Users are not accessing applications from inside protected networks and locked-down clients. Applying this metaphor to security therefore means that any solution (or set of solutions) needs to take the cloud on its own terms and address the problem at all levels of the cloud stack. The Cloud Security Alliance (CSA) has identified the following threats to cloud security:
- Abuse and Nefarious Use of Cloud Computing – I would add “Hacking as a Service” which leverages the relative anonymity of the cloud to prey on users.
- Insecure Application Programming Interfaces – This is probably the most easily understood but hardest-to-fix problem. API developers are not highly motivated to make security a priority.
- Malicious Insiders – The temptation to leave backdoors and get back at employers never goes away.
- Shared Technology Vulnerabilities – The abstraction and complexity of cloud architectures make these very difficult to identify and fix.
- Data Loss/Leakage – Now that data is anywhere and everywhere, this will only get worse.
- Account, Service & Traffic Hijacking – A growing problem.
- Unknown Risk Profile – We do not know what we do not know, but the hackers will figure it out for us!
Addressing the entire cloud stack sounds great on paper, but due to the diffuse nature of the cloud, comprehensive integrated solutions are not going to work. That does not mean that security cannot be applied to the applications, platform, hypervisor, and networks up and down the stack. To address the new reality, the emphasis has shifted to a portfolio of application-based security, ID management, VPN sessions, and end-to-end data protection, and away from more traditional monolithic security approaches such as firewalls and port-based security. Some of the newer security solutions are taking existing comprehensive ID management systems and extending them to support mobile apps, for example.
Another major issue that is important to public and community cloud customers is separation of data and security for multi-tenancy. It is not enough to look at it only from the customer perspective; the provider needs to address it from the hypervisor, storage and instance perspectives as well. SaaS is a particularly difficult nut to crack because the responsibility for securing the systems is shared all along the supply chain. If any of the constituents decide to cut corners or are not as savvy about security as they should be, they are exposing all of their partners downstream to potential embarrassment. The string of successful attacks on Sony, Heartland, TJX and others demonstrates that the hackers are well ahead in their understanding of the weak points in the systems.
Many of the emerging technologies are still focused on securing the infrastructure. The new products are virtualized firewalls, secured hosts, and other methods of securing the cloud that are not fundamentally different from previous thinking about security. Some companies, however, are taking a totally new approach to cloud security, and those are the ones I am excited about. Next time I will discuss some emerging companies that are taking cloud security seriously and will deliver workable new solutions that benefit everyone.
About the Author
Beth Cohen, Cloud Technology Partners, Inc. Moving companies’ IT services into the cloud the right way, the first time!