Editor's note: Cloud computing security has become a pivotal issue for enterprises exploring hosted solutions for a variety of services and applications, including cloud-based unified communications
(UC). The already-difficult task of securing sensitive data, resources and applications becomes even more daunting when you attempt to safeguard a cloud environment with more potential entry points and, as a result, create more vulnerable spots.
Whether your enterprise has chosen to pursue a public, private or hybrid cloud computing approach, CIMI Corp. President Tom Nolle details the cloud computing security obstacles you may face in your implementation and how to overcome them.
While the connected world offers enormous opportunities to use information technology (IT) to improve worker productivity, it has also created a collateral risk to companies' information assets. Active interference with IT processes can also attack company operations, because most operations now rely on IT support.
Security of both information and information processes is already a critical requirement, and as enterprises move toward cloud computing, security specialists are heading into unfamiliar territory. In the past, security measures could be divided into data security, access security and transmission security. Cloud computing affects all three by dispersing computing resources within and even outside of the enterprise.
Resource, data management are key cloud computing security considerations
Data security -- the protection of stored information assets -- has normally relied strongly on the physical security of the data center. In cloud computing, the virtual nature of the data center makes it difficult to know which forms of access control are being applied and how thoroughly those controls protect information assets. With public clouds, enterprises have no idea how assets are stored and protected. Even private clouds can include insecure assets, unless all new system and storage device locations are subjected to a security audit before adding them to the cloud.
One of the most insidious methods of breaching virtualization or cloud computing security is the "poisoned resource." If resource management processes for commissioning new servers and storage arrays are not strongly secured, it's possible for a foreign resource to be added to the pool and used freely by enterprise applications. That resource could be a lure for an attacker -- a place where data, passwords, keys and other important assets can be compromised, with the apparent full support of the enterprise's own cloud computing security processes.
In fact, resource-related security problems are the greatest new threat to cloud computing security, and they also apply to simple virtualization applications within a single data center. Problems arise because managing IT resources, like resource pools in the cloud, means having to enroll new devices when they become available, and that process can easily be compromised. Viruses targeting virtualization tools (like hypervisors) and cloud computing management tools can enroll maverick resources. Once a resource is enrolled, it often enrolls others. You have to fully secure each individual cloud data center, in terms of both access and resource enrollment, or there is no cloud computing security.
Access and transmission security: Tighten VPN enrollment, encryption practices
Access security for cloud computing tends to focus too much on secure access to cloud computing applications through things like Secure Sockets Layer virtual private networks (SSL VPNs). This type of access security doesn't differ significantly among public cloud, private cloud and enterprise client/server implementations of applications.
The major issue with access security in the cloud is the security of enterprise VPNs as opposed to access VPNs. Most enterprises rely on VPNs to segregate their private traffic; they treat VPN membership as conveying some right of access to applications and resources. Cloud resources are typically hosted on a company VPN, even if those resources are owned by a public cloud operator. Providing a mechanism for third-party sites to join a VPN reduces VPN security, so it's critical to carefully audit VPN enrollment processes to ensure there is no way for unwanted sites to be added.
Transmission security is normally enforced through a combination of network segregation (isolation of traffic from shared facilities like the Internet) and encryption. Public cloud computing obviously reduces the extent to which shared facilities can be avoided, but any form of cloud computing demands broader dissemination of encryption keys and increases the risk of compromise.
Most public cloud users should review their encryption policies, paying particular attention to any transmission of critical information over nonsecured client/server links. SSL connections should be mandatory in cloud applications because it's difficult to control where cloud traffic goes.
Cloud computing security risk factors
The following practices increase cloud computing security risks:
- The use of public cloud resources for service-oriented architecture (SOA) application components necessitates exchanging information with other components running on enterprise systems. These links are more difficult to secure; in some cases, enterprise managers may not even be aware they exist.
- Dynamic discovery and the enrollment of resources in public cloud applications create a risk of having a poisoned resource enter your resource pool. Where virtualization is used in data centers, it's particularly important to ensure that servers not intended to be a part of a cloud are not linked into a virtual pool that supports cloud applications.
- VPNs that segregate traffic are much less suitable as a general access and transmission security tool in cloud computing than in standard client/server computing because of the necessary elasticity of VPN membership.
- Reliance on contractual terms to protect information access in public clouds is rarely successful in itself. Nearly all such contracts limit consequential liability and prevent enterprises from recovering the cost of operations problems or legal action arising from a cloud computing security breach. It's essential that public resources be secured and monitored by enterprise-owned tools.
Analyzing cloud computing security issues
Addressing cloud computing security issues is, first and foremost, a matter of determining whether your cloud applications are most likely to raise data security, access security or transmission security issues. Where data security isn't a major factor, cloud access and transmission security are managed using the same tools that would be used to manage Internet VPN access to corporate applications hosted in a traditional way.
Data security issues raised in cloud computing are much harder to manage, since a lack of enterprise control over the physical storage resources makes implementing effective security measures nearly impossible. Careful auditing of cloud data center security may be one solution, but many enterprises believe that the best strategy is to avoid storing critical data in the cloud at all.
Cloud computing security practices continue to develop, with promising advances coming even in the area of data security. Regular review of security tools and practices can ensure your own security strategies are optimized and can open broader applications of cloud computing in your enterprise.
About the author:
|Tom Nolle is president of CIMI Corp., a strategic consulting firm specializing in telecommunications and data communications since 1982. He is the publisher of Netwatcher, a journal in advanced telecommunications strategy issues.|
This was first published in July 2010