A while back I wrote about cloud security, and how it was a matter of combining three key points: (1) technology, (2) processes, and (3) responsibility. The technology perspective is basically having tools that allow you to maintain a secure environment, from the infrastructure level all the way up to the cloud software level. The process side of the issue refers to having proper security processes in place, from making sure your company has a proper information security policy of which everyone is aware to correctly managing access control rules (firewalls, passwords, etc.). Finally, the responsibility side relates to cloud vendors acknowledging the importance of the services they provide and offering assurances and guarantees on their end, so that IT feels more secure.
While the theory is great, we’re finally seeing this security model come true in practice. By combining offerings from multiple vendors, it is now possible to make the public cloud much safer from all aspects. Today we’re going to look at some of the offerings that can be combined to improve cloud security and greatly reduce existing concerns.
Two down: Cryptography and network protection
When we think about cloud security from a technology point of view, two things immediately come to mind. The first one is cryptography. If my data is going to be stored somewhere outside of my control, I want at least some assurance that no one else will be able to access it, and having it safely encrypted goes a long way to ensure that. The second is network protection. When I’m running things on the public cloud, I want to be as sure as possible that no one is accessing my servers without my knowing about it.
These two points are also very hard to solve. Most cloud vendors don’t offer any kind of data encryption on their basic servers, so that all the responsibility for data protection falls into the hands of the end users. While it might be simple enough to protect data from a single server, whenever the architecture starts scaling horizontally this quickly becomes a headache. The same goes for network protection and access control: managing dozens, if not hundreds of firewall rules, user names, and passwords is close to impossible.
Fortunately we have today some very interesting tools that can help us. On the data side, all sorts of vendors are now coming out with cloud-ready data encryption tools. Several vendors are coming out with solutions in this space, from the traditional ones like Trend Micro to entirely cloud-focused ones such as Porticor and Ciphercloud. While they may differ in implementation and feature set, all these tools follow the same basic idea: encrypt all the data, and make applications go through them in order to access anything. This way, access becomes controlled and even if the data is somehow stolen from the cloud environment, it will be very hard (close to impossible) to access it later.
On the networking side, one very interesting tool that I recently became aware of is CloudPassage’s Halo. It’s essentially a two-part service: there is a lightweight software component that sits on your cloud servers and a scalable back-end service that stores all the information that the software may need and does the computational heavy lifting that may be necessary. The software automatically applies networking security rules, such as inbound and outbound firewall rules, and monitors server activity to check for unauthorized or malicious access. But the back-end service gives it an interesting twist: since configurations are stored centrally, you can save a base server image with the software installed, and then every new server that comes up will have all the rules and settings already configured. They also offer some other interesting features, such as multi-factor authentication for cloud servers that are well worth a look.
These kinds of tools are interesting not only because they bring more technological security for cloud servers, but also because they simplify the process side of data security. Through their various APIs, management consoles, and portals, IT teams can manage rules and configurations for multiple servers, and monitor the security status of servers much more closely.
Closing the chain: Responsibility
The final piece of the puzzle, when it comes to security, is responsibility: how can we mitigate the risk of not being responsible for the computing environment, especially in a public cloud situation? Cloud vendors try to do this with aggressive SLAs, but the fact is that most SLAs are no guarantees. A close look at any of the fine print out there will quickly show us that the only kind of compensation offered by the vendors today is service credits, and these are usually limited to a single month’s worth. For mission critical applications from large enterprise, this is simply not enough.
This is where insurance comes in. Just like you can insure your business against forces of nature, there are companies, such as CloudInsure, now offering insurance for cloud outages or other “disastrous cloud events”. These are obviously going to be very complex (and possibly costly) insurance policies, but they are a good step in mitigating the responsibility risk associated with the cloud. I believe that we will gradually see greater adoption of insurance-like compensation models for cloud outages, especially by the larger vendors as they look to differentiate themselves from the competition.
By mixing and matching these different solutions and services, it is now possible to make the public cloud much more secure than before. While a cloud environment will never be as secure as an internal data center, I believe that we are reaching a point where cloud security is becoming “good enough” - as long as the proper tools are used - to support almost any application scenario. This should, in turn, help to speed up adoption of the cloud computing model by large companies everywhere.