Cloud Security: The basics
Added 18th Jun 2010
According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises--what some call a private cloud--because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.
"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner. "The things that make it easy and appealing--like the immediate plug-and-play productivity--also make it impossible to conclusively assess your relative risks." Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.
For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they're buying. "That will be quite a radical change and a disruption," he adds.
In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organization divided the domains into two broad areas: governance and operations.
Domains grouped under governance include:
* governance and ERM
* legal and electronic discovery
* compliance and audit
* information lifecycle management
* portability and interoperability
Domains grouped under operations include:
* traditional security, business continuity and disaster recovery
* data center operations
* incident response, notification and remediation
* application security
* encryption and key management
* identity and access management
* virtualization
The CSA also summarized the top threats of cloud computing, along with the cloud models each threat most pertains to and guidance for remediation.
The categories of tools that can help address these threats include XML, SOA and application security; encryption tools for data in transit and at rest; smart key management; log management; identity and access management; virtual firewalls and other virtualization-management tools; data-loss prevention; and more. "You're translating the existing security architecture into the cloud, so there are a lot of different tools you'll need, some of which already exist and other cases where you need new technology," Reiser says.
For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms; identity management systems will need to authenticate not just users but also devices and applications; and security information management (SIM) systems will need to log billions of events and analytics.
Forrester also released a list of questions that enterprises should ask to secure their cloud implementation, covering the areas of security and privacy, compliance, and other legal and contractual issues.


