As with real cirrus, stratus, and cumulus clouds IT’s cloud computing services come in various types and often combine with each other to make strange formations. An exposed hiker in the open might ask: "Is that but a fair weather cumulus cloud, or an ominous storm cloud?”
In the world of IT security, we call that risk assessment.
When it comes to putting your IT resources and – perhaps – even slightly sensitive data such as personal names, addresses, and phone numbers into the cloud one might start with these three questions:
- Who is in control?
- Do they provide assurances?
- Can we trust them?
In traditional IT environments, organizations generally share control over the network with service providers, but for the most part control their applications, servers, and storage infrastructure. In an internal cloud environment, the architecture changes, but not the complexion of control. As shown in the figure, however, the control architecture changes profoundly for public cloud offerings such as Amazon EC2, Google Apps, or Salesforce.
As we move from left to right in the diagram and put more and more control in the hands of the service providers, the outlook shifts from fair weather green to ominous red.
Assuming we trust our IT department to give the necessary assurances and do their jobs well, the “dedicated IT” stack is green but for its use of the Internet, which is yellow.
With server hosting providers or “colo” data center facilities we still retain substantial control, perhaps relying on the service provider only for rack space, power, and cooling. In these simple arrangements, the service hosting providers will typically provide assurances, or service level agreements (SLAs). They may help us build trust by offering site tours, audits, and track records. We may feel we can fully understand their operations and residual risks. We may feel comfortable sharing control of the server, storage, and network functions with hosting providers. Yellow is mellow.
In the world of cloud computing, everything changes. As we move from
- Infrastructure-as-a-Service (IaaS) with its line of demarcation in the server where the silicon stops, to
- Platform-as-a-Service (PaaS) where you cross the line after your code and applications are integrated with outside components, to
- Software-as-a-Service (SaaS) where you abandon all control when you hand over your data
I paint the functions these services control an alarming red. To see why, we must ask: Do they provide assurances?
No. The major public cloud computing providers generally offer no SLAs at all. They accept little or no liability even for the security measures their own advertising claims to provide.
Can we trust them? The short answer is no. Their actual security measures are obscure, vulnerabilities undisclosed, and audits unimpressive.
But each situation is unique and everything relative in risk management. With a water tight raincoat as counter-measure, the hiker need fear no rain. Lightning may be the only residual risk, and that may be acceptable. There is much more to be said about the risks of cloud computing and how one might ride this red tiger with a yellow whip; controlling enough of the data, applications, or virtual machines to accept some residual risks. Another option might be to consider internal clouds or private (community) cloud arrangements that give customers more say.
We’ll say all this at Catalyst North America and more. In our “Flying into the Cloud: Executive Perspectives on Externalized IT” track, we’ll cover practical perspectives on leveraging public clouds. We’ll cover internal or hybrid cloud strategies that maximize our control as we reap the benefits of the industry’s “big switch” to cloud’s elastic, on-demand architectures. And in “Cloud Now: Usage, Practices, and Rewards” I’ll go much more in-depth with “Security Strategies for Cloud Computing.”
Dan,
NIST has published a working draft of the Cloud Computing Security presentation:
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
Some of the Security Advantages mentioned in the presentation are:
1. Shifting public data to a external cloud reduces the exposure of the internal sensitive data
2. Cloud homogeneity makes security auditing/testing simpler
3. Clouds enable automated security management
4. Redundancy / Disaster Recovery
5. Data Fragmentation and Dispersal
6. Dedicated Security Team
7. Greater Investment in Security Infrastructure
8. Fault Tolerance and Reliability
9. Greater Resiliency
10. Hypervisor Protection Against Network Attacks
11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
12. Simplification of Compliance Analysis
13. Data Held by Unbiased Party (cloud vendor assertion)
14. Low-Cost Disaster Recovery and Data Storage Solutions
15. On-Demand Security Controls
16. Real-Time Detection of System Tampering
17. Rapid Re-Constitution of Services
18. Advanced Honeynet Capabilities
What are your thoughts on these benefits?
Posted by: Saqib Ali | June 26, 2009 at 02:15 AM
Saqib,
I don't think all of these are security advantages, for example, I disagree completely with (1). Many of those cited as advantages are not unique to public clouds. Those advantages that are unique to large public clouds (like greater resiliency) are only potential advantages depending on the actual implementation and many other factors.
Dan
Posted by: Dan Blum | June 26, 2009 at 02:18 PM
Dan,
I agree that it will depend on the actual implementation. It usually does for everything. For e.g. you can create world's most secure cipher, but the poor implementation is usually the weakest link.
But in theory, if cloud services are implemented properly, I think NIST's list of advantages hold true.
Saqib
Posted by: Saqib Ali | June 28, 2009 at 10:18 PM