The Two Biggest Lies About Cloud Security | Opinions | ChannelWorld.in

PARTNER HOTLINES

The Two Biggest Lies About Cloud Security

By Bernard Golden, CIO.com on May 30, 2011
Bernard Golden, About the author

Bernard Golden, CIO.com

Bernard Golden is CEO of consulting firm HyperStratus which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.


Survey after survey note that security is the biggest concern potential users have with respect to public cloud computing. CA and the Ponemon Institute conducted a survey and found similar concerns. But they also found that deployment had occurred despite these worries.

Most of the concerns voiced about cloud computing relate to the public variant, of course. IT practitioners throughout the world consistently raise the same issues about using a public cloud service provider. For example, this week I am in Taiwan and yesterday gave an address to the Taiwan Cloud SIG. Over 250 people attended, and, predictably enough, the first question addressed to me was, "Is public cloud computing secure enough, and shouldn't I use a private cloud to avoid any security concerns?".

However, framing the cloud security discussion as a "public cloud insecure, private cloud secure" formula indicates an overly simplistic characterization. Put simply both are rooted in the radical changes this new mode of computing forces on security products and practices.

Cloud Security Lie #1

The first big lie is that private cloud computing is, by definition, secure merely by way of the fact that it is deployed within the boundaries of a company's own data center. This misunderstanding arises from the fact that cloud computing contains two key differences from traditional computing: virtualization and dynamism.

The first difference is that cloud computing's technological foundation is based on the presence of a hypervisor, which has the effect of insulating computing from one of the traditional tools of security: examining network traffic for inappropriate or malicious packets. Because virtual machines residing on the same server can communicate completely via traffic within the hypervisor, packets can be sent from one machine to another without ever hitting a physical network, which is where security appliances are typically installed to examine traffic.

Crucially, this means that if one virtual machine is compromised, it can send dangerous traffic to another without the typical organizational protective measures even being involved. In other words, one insecure application can communicate attacks to another without the organization's security measures ever having a chance to come into play. Just because an organization's apps reside inside a private cloud does not protect it against this security issue.

Of course, one might point out that this issue is present with vanilla virtualization, without any aspect of cloud computing being involved. That observation is correct. Cloud computing represents the marriage of virtualization with automation, and it's in this second element that another security shortcoming of private clouds emerges.

Cloud computing applications benefit from this automation to achieve agility and elasticity--the ability to respond to changing application conditions by moving virtual machines quickly and by spinning up additional virtual machines to manage changing load patterns. This means that new instances come online within just a few minutes without any manual interaction. This implies that any necessary software installation or configuration must also be automated so that when the new instance joins the existing application pool it can immediately be used as a resource.

It also implies that any required security software must, likewise, be automatically installed and configured without human interaction. Unfortunately, many organizations rely on security personnel or system administrators to manually install and configure necessary security components--often as a second step after the rest of the machine's software components are installed and configured.

In other words, many organizations have a mismatch between their security practices and the reality of what a cloud requires. Assuming that a private cloud is, ipso facto, secure, is incorrect.

Moreover, it's critical to get them aligned. Otherwise, you face the likelihood that your application automation will outstrip your security practices, which is not a good situation. For sure, one would not like to be in the position of trying to explain why the supposedly-secure private cloud ended up exposing a vulnerability because the automation characteristics of cloud computing had not been extended through all parts of the software infrastructure.

So, the first big lie about cloud computing is that private clouds are inherently secure. What is the second?

Cloud Security Lie #2

The second lie about cloud computing security relates to assumptions about public cloud security; specifically, the assumption that security in public cloud computing rests solely with the CSP. The reality is that security in a service provider world is a responsibility shared between the provider and the user, with the former responsible for security in the infrastructure up through the interface point between application and hosting environment, and the user responsible for security with respect to interfacing with the environment, and importantly, within the application itself.

Failing to configure the application properly with respect to the environment security interface or failing to take appropriate application-level security precautions exposes the user to issues for which no provider can possibly be expected to take responsibility.

Let me provide an example. One company we worked with had placed its core application in Amazon Web Services . Unfortunately, it had not implemented appropriate security practices with respect to how it used AWS security mechanisms, nor with simple application design issues.

Amazon provides what is, in effect, a virtual machine-level firewall (called a Security Group) which one configures to allow packets to access specific ports. The best practice with respect to Security Groups is to partition them, so that very fine-grained port access is available per virtual machine. This ensures that only traffic appropriate for that type of machine goes to an instance. For example, web server virtual machines are configured to allow traffic on port 80 into the instance, while database virtual machines are configured to disallow traffic on port 80 into the instance. This blocks attacks on database instances (containing crucial application data) from the outside using web traffic.

To construct a secure application, one must use Security Groups properly. This organization had not. It used one Security Group for all traffic to all instances, which meant that every type of instance was exposed to any type of traffic destined for any instance.

Regarding the organization's application itself, it had implemented poor security practices. Instead of partitioning application code among different types of machines, it had loaded all application code into a single instance, which meant the same instance that received traffic for its corporate website also had code containing proprietary algorithms running on it as well.

The important fact about this situation: If this organization assumed that all security responsibility lay with the CSP (Amazon Web Services, in this case), it would be extremely negligent, because it had not taken important steps to address security issues for which no CSP could be responsible. This is what shared responsibility implies--both parties have to step up to the security aspects in their control, and failing to do so means the application is not going to be secure. Even if the CSP does everything correctly for portions of the cloud application within its control, if the application owner fails to implement its security responsibility correctly, the application is going to be insecure.

I have been in meetings with security personnel discussing security about public CSPs, who refused to consider their company's responsibility in these environments, insisting on redirecting every security topic back to concerns about the CSP's responsibility.

This struck me, frankly, as reckless, as it insinuated a refusal to seriously grapple with the necessary work of creating as secure a public CSP-based application as possible. It was as if the very attitude that all security responsibility lay with the CSP insulated the security person, and by extension, his company, from any liability for security failures in an application running in a CSP environment. It may not come as a surprise that the individual in question was a staunch advocate of private clouds, asserting their far superior inherent security.

The reality is that organizations are increasingly going to deploy applications in public CSP environments. It is vital that security groups step forward to ensure their organizations take every step possible to implement applications that are as secure as possible, and that means what steps the organization itself needs to take in that regard.

Security is, so to speak, the third rail of cloud computing. It is constantly cited as an inherent benefit of private clouds and a fundamental shortcoming of public cloud computing. Actually, the truth is far more ambiguous than these positions imply. Asserting the putative security shortcomings of public cloud environments without seriously considering how to mitigate them seems irresponsible and evidence of a belief that assertion implies dismissal with no further need to investigate mitigation techniques.

A poorly managed and configured private cloud application can be quite vulnerable, and a properly managed and configured public cloud application can achieve very good security. Characterizing the situation as black and white is simplistic and does a disservice to the discussion.

 

Latest Opinions

EDITOR'S PICK

Forecast 2015: IT Spending On An Upswing

As purse strings loosen up, CIOs blend innovation into 2015 IT budgets, but security and cost containment remain top priorities.

‘Security Compliance is Not a Proactive Phenomenon in India’

Pavan Duggal, Cyber Law Expert at the Supreme Court of India, explains why channel partners need to look beyond the IT Act 2000 as the security standards, given today’s fast-changing threat landscape, rapidly evolve.

IT is Indispensable for Business Optimization: David Aires, Intel

David L. Aires, VP, Information Technology Group, and GM, Information Technology Operations, believes security to be the biggest challenge in the current IT environment.

Is the CIO Role Nearing Extinction?

New technologies are shifting power to the hands of the user, endangering the CIO role. But do Indian CIOs consider that a threat or an opportunity? 

The Authentication Market is Big Play for Channels: Gaurav Chawla, Gemalto

We are building a partner network to address the increased demand for authentication solutions across India, says Gaurav Chawla, Director, IAM, Gemalto India.

Versatile Infosecurity: Riding the Security Wave

It takes vision and persistence to stay on top of the security curve. Versatile Infosecurity has mastered that art.

How Futurenet Technologies Helped Sterlite Copper Adopt Next-gen Client Computing

Sterlite Copper was able to successfully adopt next-gen client computing facilities with hand-in-hand assistance from Chennai-based Futurenet Technologies.

DigitalTrack Solutions: Right on the Security Track

DigitalTrack is keeping pace with the changes in the IT security space through DDoS and WAF solutions and is pushing security audits as part of its next move.

SLIDESHOWS

6 Leaders Who Headed for an Abrupt Exit

The abrupt exit of top leaders of Indian and global tech companies this year, with many of them citing ambiguous reasons, surprised the technology world.

Gartner Executive Summary Survey 2014

Gartner's Annual CIO Survey highlights the trends that will drive organizational IT spend in 2014.

10 Overhyped Tech Products That Crashed and Burned

The demos blew everyone away. Then reality hit.

Gartner Executive Summary Survey 2014

Gartner's Annual CIO Survey highlights the trends that will drive organizational IT spend in 2014.

ChannelWorld Survey: State of the Market 2014

Partners poll their sentiments, expectations, pain points, and challenges for the coming year.

FAST TRACK

Mudra Electronics

A vendor-agnostic strategy helped us sustain business, says Bharat Shetty, CMD, Mudra Electronics.

Systematix Technologies

Our USP is a customer-friendly approach backed by services, says Akhilesh Khandelwal, Director, Systematix Technologies.

CorporateServe Solutions

Our ability to turnaround complex ERP projects in record time is what gets us customer referral, says Vinay Vohra, Founder & CEO, CorporateServe Solutions.

KernelSphere Technologies

We are emerging as an end-to-end systems integrator, says Vinod Kumar, MD, KernelSphere Technologies.

Uniware Systems

We constantly validate emerging technologies for first-mover advantage, says Vergis K.R., CEO, Uniware Systems.

Astek Networking & Solutions

An innovative approach helps us stay successful, says Ashish Agarwal, CEO, Astek Networking & Solutions.

CSM Technologies

Our approach is backed by innovation and simplicity, says Priyadarshi Nanu Pany, CEO, CSM Technologies.

ETSC Computers

We want to be recognized as a complete solution provider, says Kailash Gupta, Director, ETSC Computers.

VIDEOS

Arun Parameswaran on VMware’s Cloud, Mobile, SDx Strategy

Arun Parameswaran, MD, VMware India, talks about transformation, strategy, roadmap, and VMware’s role in driving the shift to cloud, mobile, and SDx.

Parag Arora, Citrix: Our Portfolio Will Augment Our Strategy

Parag Arora, Area Vice President, Citrix India, elaborates on his action plan for the company after taking over operations in India.

Shibu Paul, Array Networks: ADN is a Great Business Opportunity for Channels

Shibu Paul elaborates on how Array Networks is empowering its partner ecosystem to address the modern datacenter challenges in India.

Scott Robertson, WatchGuard: We are an End-to-End Security Solutions Company

Scott Robertson of WatchGuard elaborates on the company’s partner roadmap in India and its subsequent shift in the security space.

Gaurav Ahluwalia, R&M: Channels Will Accelerate Our Datacenter Business

Gaurav Ahluwalia of R&M speaks on the company’s renewed focus to build its channel ecosystem and address the datacenter demands of India Inc.

Venkat Murthy, 22by7 Solutions: Real Value is in Solutions

Venkat Murthy, Prime Mover, 22by7 Solutions, elaborates on the need to look at a solutions approach rather than a mere hardware approach.

What Channel Partners Can Learn from a Sahara Adventurer

Steve Donahue, a desert adventurer and a best-selling author, takes experiences from this travels in the Sahara and turns them into lessons for channel partners, as they navigate the shifting sands of today's business and IT environment.

Rahul Agarwal, Lenovo: Profitability and Value Proposition are Vital

Rahul Agarwal, executive director, Commercial Business Segment, Lenovo India, talks about Lenovo’s renewed channel strategy and why the company is now an attractive proposition for its partners.

EMC PARTNER SHOWCASE

Partnering for Profitability

Atul H. Gosar, Director, Network Techlab, shares how the company’s association with EMC has provided it with a competitive edge and a wide customer base, leading to increased profitability.

Sponsored Content

Promising Pipeline

Venkat Murthy, Prime Mover, 22by7 Solutions, shares how EMC brings in competitive edge by enabling technology, GTM and lead generation, helping 22by7 acquire new customers and retain old ones.

Sponsored Content

Powerful Performance

Deepak Jadhav, Director, VDA Infosolutions, says initiatives by EMC around training and certification have helped the company’s staff improve its performance and enhance customer experience.

Sponsored Content

Performance Booster

Rajiv Kumar, CEO, Proactive Data Systems, says that the solution provider’s association with EMC has helped expand its customer base and added value to existing offerings.

Sponsored Content

Pursuit of Profitability

Santosh Agrawal, CEO, Esconet Technologies, shares insights on how the systems integrator’s association with EMC has spelled sustained success over the years.

Sponsored Content

Non-Performance is Not an Option

Nitin Aggarwal, Director, Trifin Technologies, shares insights on how the association with EMC has helped the system integrator stand out and empowered its personnel to deliver consistent performance.

Sponsored Content

STRATEGIC DIRECTIONS 2014

Driving IT to Make an Impact: IDC

IT is being increasingly viewed as something which would help drive revenue rather than just another cost line-item.

Software-Defined Infrastructure: Forrester

Firms must invest in transforming infrastructure to eradicate complex infrastructure to keep pace with business needs.

Better Safe Than Sorry: PwC

Organizations should create a culture of security that starts with commitment of top executives and cascades to all employees and third parties.

New Skills for a New Era: Gartner

A new talent strategy is required—one that is a key part of the evolving IT strategy and one that focuses on a blend of business and modern IT skills.

The Rise and Growth of Big Data: Ernst & Young

Leading organizations are reaping rich rewards on their investment in big data even as competition struggles to keep pace.

SOCIAL MEDIA @ CW India
SIGNUP FOR OUR NEWSLETTER

Signup for our newsletter and get regular updates.