By Steve Hanna | December 9, 2009
Security Pavillion at Cloud Expo
With its ability to provide users dynamically scalable, shared resources over the Internet and avoid large upfront fixed costs, cloud computing promises to change the future of computing. However, storing a lot of data creates a situation similar to storing a lot of money, attracting more frequent assaults by increasingly skilled and highly motivated attackers. As a result, security is one - if not the - top issue that users have when considering cloud computing.
Cloud Security Concerns
Storing critical data on a cloud computing provider's servers raises several questions. Can employees/administrators at the cloud provider be trusted to not look at your data or change it? Can other customers of the cloud provider hack into your data and get access to it? Can your competitors find out what you know: who your customers are, what customer orders you are bidding on, pricing and cost information, and other critical data from your business? This information in the wrong hands would be devastating for a business. And what about privacy issues and government regulations?
In its young life, cloud computing has already seen several security breaches that show the threat is real. One of the more notable security incidents occurred in March 2009 with Google Docs, when a system error allowed the content of private documents to be exposed to everyone for a brief period of time. As a result of this security breakdown, a public interest group, the Electronic Privacy Information Center (EPIC), filed a detailed complaint with the Federal Trade Commission requesting an injunction against Google offering this cloud service until "safeguards are verifiably established," claiming that Google's inadequate security is a deceptive business practice.
Situations like this one and other possible security problems have prompted numerous articles (for example "The Twitterhack Is Cloud Computing's Wake-Up Call: Time for Security That Works") and white papers on cloud security. The Cloud Security Alliance, a non-profit organization comprised of security and technology experts, published an in-depth 83-page white paper, "Security Guidance for Critical Areas of Focus in Cloud Computing," in April 2009. In addition to articles and white papers, research firm Gartner reports data access privileges, regulatory compliance, data location and data segregation/encryption among the top seven security concerns in cloud computing. Also, cloud computing security is one of the top ten 2009 trends identified in a survey conducted by CloudComputing.
Fortunately, there are several tools already developed for computer, network and storage security in a traditional enterprise environment that can provide security solutions for cloud computing. To establish a basis for the use of these tools, it is essential to understand one key difference between cloud computing and conventional data centers. Figure 1 shows the rather simple yet significant difference between an enterprise's data center and cloud computing. In cloud computing, several users' data is co-located and processed on shared equipment. In spite of the differences, there are similarities to enterprise concerns: access through the internet, critical storage requirements and potential for software attacks. If existing enterprise solutions are implemented and adapted to the cloud, cloud computing providers can create the security that customers require.
The difference is that a conventional data center (see Figure 1a) is used by just one enterprise, whereas in the cloud computing model (see Figure 1b) a single cloud provider hosts applications and data used by several enterprises.
A More Detailed Look at Cloud Computing Security Risks
Start-up companies, small businesses, mid-size and even large enterprises are interested in cloud computing. As a result, all of these potential users should be extremely interested in cloud computing security. A good starting point for assessing the risks in cloud computing is identifying all of the existing risks that cloud users from individuals to the largest companies and even governments encounter. Specific threats to security include:
- Failures in Provider Security
  In a cloud environment, all security depends on the security of the cloud provider. They control the hardware and the hypervisors on which data is stored and applications are run. Cloud provider security must be top-of-the-line.
- Attacks by Other Customers
  The cloud environment is shared among customers. If the barriers between customers break down, one customer can access another customer's data or interfere with their applications.
- Availability and Reliability Issues
  Cloud data centers are generally as reliable as enterprise data centers or more so. However, outages do occur. Also, the cloud is only usable through the Internet, so Internet reliability and availability is essential.
- Legal and Regulatory Issues
  The virtual, international nature of cloud computing raises many legal and regulatory issues. First, export of data out of a jurisdiction may be restricted. If such export is permitted, which jurisdiction's rules apply in case of conflict? And who is liable for errors such as security breaches? These issues must be addressed for any sensitive applications of cloud computing.
- Perimeter Security Model Broken
  Many organizations use a perimeter security model with strong security at the perimeter of the enterprise network. This model has been weakening over the years with outsourcing and a highly mobile workforce. Cloud computing strikes its death knell. The cloud is certainly outside the perimeter of enterprise control, but it will now store critical data and applications.
- Integrating Provider and Customer Security Systems
  Enterprises have spent decades developing a unified directory and other components of their security architecture: automated provisioning, incident detection and response, etc. Cloud providers must integrate with these systems or the bad old days of manual provisioning and uncoordinated response will return.
While there are proprietary solutions to these security problems, open solutions are easier to integrate with cloud providers and existing systems. Therefore, we must gain a better understanding of the security available through open technologies.
Countermeasures to Mitigate Risks
Addressing the six broad security threats identified previously entails a variety of countermeasures.
Threat 1 (Failures in Provider Security) encompasses most of the threats encountered in a typical enterprise. People are the greatest threat and countermeasure in security so screening, training, and monitoring of provider personnel is the most fundamental step to be taken. Physical and network security for cloud data centers are also essential.
However, cloud data centers introduce a new element that enterprise data centers have not traditionally faced: Attacks by Other Customers, threat 2 in the list above. In a cloud environment, customers are co-located in a single data center or even on a single server. These customers may be competitors. Some of them may even be hackers! Cloud providers are responsible for ensuring that one customer can't break into another customer's data and applications. The most common techniques used are virtualization (preferably via a hypervisor) and network separation (via firewalls, VLANs, and/or encryption).
The best way to ensure the reliability and availability of cloud services (addressing threat 3) is to work closely with your cloud provider and network service providers to verify and monitor their uptime. Today, uptime for most cloud providers is good but not perfect. Every major cloud provider has suffered significant downtime: Salesforce, Amazon, Google, etc. Many cloud providers don't provide Service Level Agreements (SLAs) guaranteeing uptime and the SLAs that are available provide meager recompense in case of outages. Don't forget to consider network uptime when determining cloud availability. If the network is down, who cares if the cloud is up?
Addressing legal and regulatory concerns (threat 4) generally requires calling in the lawyers and compliance experts. However, that doesn't mean that technical measures won't help. Many data breach laws include safe harbor provisions saying that loss of encrypted data does not need to be reported. Whether or not this applies in your jurisdiction, using a Self-Encrypting Drive (SED) is generally a no-brainer. With an SED, there's no need to worry about a hard drive or backup media being lost or stolen. Software encryption provides similar protection but with higher complexity, lower performance, and less security.
With security threat 5, the solution is as simple as eliminating the perimeter model and relying on alternate approaches. This apparently simple solution is not as easy as it sounds. It requires rethinking long-held architectural assumptions. But it also yields side benefits. By abandoning the assumption that all threats are external, we can achieve stronger protection against internal threats and greater flexibility to position trusted assets outside the traditional perimeter.
Cloud computing may seem different but in many ways it's just a simple extension of enterprise computing as we have known it for decades. As such, it should integrate with existing enterprise security systems. There's no need to reinvent the wheel. That's the essence of threat 6 and the basis for addressing it. Don't let cloud providers convince you that "it's different this time". Demand that they integrate with your existing systems such as your enterprise directory and your monitoring systems. Some cloud providers can do this and some cannot at this time. When comparing cloud vendors, be sure to factor in the cost of maintaining a new directory and monitoring system per cloud provider. If you don't consider this now, you'll soon find yourself with a mishmash of incompatible systems. Deprovisioning a user will take days or weeks. What a nightmare and security hole! Don't let it happen.
Different Security for Different Users
The attractiveness of cloud computing for a broad range of users may require differing approaches for use and security. At the one extreme, low-end users, such as start-ups, can use clouds for just about everything. The cloud provider's security and reliability generally exceeds that of a small enterprise. At the other extreme, high-end users such as large enterprises are more likely to employ a hybrid model. For legal and risk management reasons, they will keep especially sensitive data and applications in-house and may use an internal cloud. In between, mid-size enterprises can use clouds for many purposes including compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools and more.
Trust, but Verify
Cloud computing providers that can prove the trustworthiness of their resources will differentiate themselves from their competitors. To do this, they must have a way for customers to independently verify the security of the cloud service. Customers need to do more than just take the cloud provider's word for security.
To trust the security of a cloud provider, customers should be able to:
- Verify the integrity of the machines at the cloud provider
- Verify the identity of those machines as well as users, administrators and cloud customers
- Verify what kind of network security measures are being used
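The first of these checks, verifying machine integrity, is the one customers most often have to take on faith. The following is an added example (not code from the article, the author, or the Trusted Computing Group) of how a customer-side verifier can check a measurement report from a provider machine: it demands a fresh nonce, requires every expected component to be measured, checks that the report was not altered after the machine signed it, and only then compares each measurement to a known-good list. The component hashes and the shared key are constructed for illustration, and the HMAC stands in for the attestation-key signature a real platform would produce.

```python
import hashlib
import hmac

# Components whose boot-time measurements the verifier expects to see.
COMPONENTS = ("firmware", "bootloader", "hypervisor")


def measure(component: str, version: str) -> str:
    """Constructed stand-in for the SHA-256 of a component image."""
    return hashlib.sha256(f"{component}:{version}".encode()).hexdigest()


# Reference values a customer would obtain from the provider's published
# list (constructed here). More than one version may be acceptable.
KNOWN_GOOD = {
    "firmware": {measure("firmware", "1.2"), measure("firmware", "1.3")},
    "bootloader": {measure("bootloader", "2.0")},
    "hypervisor": {measure("hypervisor", "4.1")},
}


def _report_body(nonce: str, measurements: dict) -> bytes:
    # Canonical, ordered encoding so machine and verifier hash identical bytes.
    fields = [nonce] + [f"{c}={measurements[c]}" for c in COMPONENTS]
    return "|".join(fields).encode()


def build_report(measurements: dict, nonce: str, key: bytes) -> dict:
    """Machine side: bind the current measurements to the verifier's nonce.
    The HMAC over a shared key is an assumption standing in for a signature
    made by a hardware-protected attestation key."""
    tag = hmac.new(key, _report_body(nonce, measurements), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "measurements": dict(measurements), "tag": tag}


def verify_report(report: dict, expected_nonce: str, key: bytes,
                  known_good: dict = KNOWN_GOOD) -> tuple:
    """Verifier side. Returns (ok, reason) and fails closed on any defect."""
    # 1. Freshness: an old report from a once-clean machine must not be replayable.
    if not hmac.compare_digest(report.get("nonce", ""), expected_nonce):
        return False, "nonce mismatch: stale or replayed report"
    measurements = report.get("measurements", {})
    # 2. Completeness: a missing component is never treated as "unmeasured but fine".
    for c in COMPONENTS:
        if c not in measurements:
            return False, f"missing measurement for {c}"
    # 3. Authenticity: the tag must cover exactly this nonce and these values.
    expected_tag = hmac.new(key, _report_body(expected_nonce, measurements),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report.get("tag", ""), expected_tag):
        return False, "tag mismatch: report altered after signing or wrong key"
    # 4. Integrity: every measured value must be on the allow-list.
    for c in COMPONENTS:
        if measurements[c] not in known_good[c]:
            return False, f"unknown {c} measurement: {measurements[c][:12]}..."
    return True, "all measurements match known-good values"


if __name__ == "__main__":
    key = b"constructed-shared-key"   # constructed; real systems use per-machine attestation keys
    nonce = "5f3c9a1e"                  # would be freshly generated by the verifier per check
    clean = {c: measure(c, v) for c, v in
             (("firmware", "1.3"), ("bootloader", "2.0"), ("hypervisor", "4.1"))}
    print(verify_report(build_report(clean, nonce, key), nonce, key))
```

The order of the checks matters: freshness and completeness are tested before the tag is recomputed, so a report with a missing field is rejected outright rather than raising an error, and the allow-list comparison runs only on values whose authenticity has already been established. A report that was signed over a modified bootloader and then edited to show a known-good hash fails the tag check, not the allow-list check, which is the behaviour a customer wants from a verifier it does not fully control.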
The cloud provider that implements these types of security measures offers small and medium-size enterprises improved security over what they probably have or would set up within their own organization. For many large enterprises, these steps are similar to ones that have already been or should be implemented.
Be Prepared
As computing takes a step forward to cloud computing, security should not move backward. Users certainly should not accept moving backwards in terms of security. Going forward, computing technology and security must both advance together. Educate yourself about cloud security and you will be well prepared for the new world of the cloud.
Copyright © 2009 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Steve Hanna
Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.