Last week, I attended three IDG conferences: CloudWorld, Next Generation Data Center (NGDC), and OpenSource World (formerly known as LinuxWorld). Despite the fact that all three conferences occurred simultaneously, attendance was very low. It looks like large conferences are mostly a thing of the past.
Despite this, I gathered some thought-provoking information about security in cloud computing. First, let me provide some background for those not familiar with the types of cloud computing currently in use:
- Infrastructure as a Service (IaaS): Cloud service providers offering IaaS provide the low level building blocks for building your own virtual environment. These usually come in the form of CPU time, storage, bandwidth, and other related services (e.g., database). When using IaaS, you have control over the operating system, application(s), and data; the provider controls the hardware and network. Examples include Amazon’s Web Services Elastic Compute Cloud (EC2) and Simple Storage Service (S3) or Rackspace’s Cloud Servers and Cloud Files.
- Platform as a Service (PaaS): PaaS providers allow you to run applications on top of the provider’s infrastructure. The provider usually provides a set of frameworks to use in building your application so it can be integrated into their infrastructure. When using PaaS, you have control over your application(s) and data; the provider controls the hardware, network, and operating system. One example of PaaS is the Google App Engine which provides Python and Java frameworks and allows you to upload your application to run on Google’s servers.
- Software as a Service (SaaS): SaaS provides a pre-built application for customers to use in the cloud. These applications are shared by many organizations at the same time. When using SaaS, you only have control over your data; the provider controls the hardware, network, operating system, and application. You cannot replace or modify the application beyond simple customizations. Examples include CRM systems such as Salesforce.com and e-mail hygiene systems such as Sentrion Cloud Services.
Together, these three cloud service types have radically changed who is responsible for security and what should be secured. This was really brought home at a talk given by Bill McGee, Senior Director at Trend Micro, Inc. He discussed the varying levels of security responsibility in all three models. As Stan Lee taught us, with greater control comes greater responsibility. So, for example, under IaaS, where the customer controls the operating system, applications, and data, customers need to worry about operating system patching, securing the host (e.g., host-based packet filters), user provisioning, securing protocols and data, validating application security, etc., whereas the provider “only” has to secure the network against attack and provide redundancy. On the opposite end of the spectrum, under SaaS, the customer can only control the type of data shared with the provider and their own users’ practices (e.g., strength of passwords, account sharing, etc.). It is then up to the SaaS provider to secure the rest of the environment (operating system, application, network, and data).
During his presentation, Bill McGee also showed a graph from Dan Hitchcock’s Evolution of Information Security Technologies paper:
As you can see, the graph presents the relative importance of securing networks, hosts, and data over time. Historically, most enterprises put their efforts into securing the network, since all of their hosts and data were behind the corporate firewall. Then, as technology started to go mobile, it became more important to secure individual hosts (whether laptops or other mobile devices), as those devices often left the protection of the corporate firewall. Now, as we see usage moving into the cloud, everything is outside of the corporately controlled firewall. Since the infrastructure used is in multiple data centers, shared by multiple organizations, and, most importantly, controlled by the provider rather than the corporation, it is vital that protection be put in place to safeguard data above all else. Host protection still ranks relatively high, as it remains important for corporations to protect the host (internal hosts, or virtual hosts in the cloud when using IaaS) — even if the data is protected, the host can still be abused for theft of service (e.g., attacks against other sites, bandwidth theft, denial of service) or theft of reputation.
One final note of interest is the increasing blur between IaaS (“external clouds”) and virtualization (“internal clouds”). Both provide a virtualized hardware/network layer and allow you to bring your own operating system, application(s), etc. This blurring of the lines is being reflected in the current set of virtualization products being offered, such as VMware’s vSphere 4. Organizations that take advantage of these offerings still need to be vigilant. Protecting the virtual machine itself is the key to success, as that virtual machine may no longer be running on the internal network. This represents a big opportunity to build security tools that take a holistic view towards securing a hybrid infrastructure.
