Cloud computing, virtual business services, or whatever else you might call third-party provisioning of critical services, are included in today's list of business-enabling tools. They enable small businesses to provide services once available only to customers of large organizations. They also enable any organization to trust that the right amount of resources are available when needed. And this is one of cloud computing's biggest potential weaknesses.The robust cloud
Organizations' search for ways to meet shifting customer demand, while keeping costs in line with budgetary constraints, leads them to the cloud with with increasing frequency. Cloud service providers (CSPs) typically deliver robust, cost-effective services by using virtualization technology.
Virtualization provides several advantages over traditional infrastructure deployment methods. For CSPs:
- Hardware pooling allows a CSP to host services for multiple organizations on shared hardware platforms. It also allows on-demand increases in processing or communication resources. In other words, unexpected or intermittent increases in service use is handled by expanding the number of customer-dedicated virtual systems.
- CSPs can deploy almost any application without worrying about underlying hardware constraints.
- CSP customers can expect higher up-time periods and shorter interruption recovery times. The enablers for these virtualization characteristics include redundant virtual systems and virtual system deployment via pre-configured images.
But improperly managed virtualization is also a potential security vulnerability.Virtualization security challenges
The fundamental security flaw in virtualization is also what makes it so attractive: the ability to quickly bring up servers of any type. This weakness provides system engineers with opportunities to implement application or database servers immediately following a customer request. This isn't always a good thing.
With traditional systems, a systems engineer had to request a new hardware platform in order to implement new or upgraded services. The acquisition process necessarily allowed at least one manager review. In organizations with strong change management processes, it might also result in a multidisciplinary review of the hardware, the environment into which the engineer planned to place it, and the intended services. Because of this review, IT could address security issues before purchase and implementation, or they would block implementation as designed.
Virtualization makes it too easy for engineers to bypass change control processes. Because additional hardware is often not required to implement a new server, an engineer can deploy critical processes, and sensitive data, without review by architecture and security teams. This may result in systems placed in network segments with lower than required trust levels or vulnerable local security configurations.
Any organization deploying virtualization faces these challenges. However, internal reviews and change processes, managed by the organization responsible for safeguarding the data, help prevent security misses. When virtualization occurs in the cloud, change management is beyond internal staff daily review.
One additional risk associated with CSP virtualization is the drive for competitive pricing to attract new, and retain existing, customers. Even if a CSP has documented change processes, including security reviews, business pressure might drive management to force virtual implementations without the delays inherent in change management.Meeting the challenges
I do not advocate cloud-avoidance. Instead, I encourage organizations to review whether moving any process to the cloud adds business value over that gained by keeping it in their data center. But like any business relationship in which sensitive data is shared, organizations considering using one or more CSPs must implement strong administrative controls to manage trusted relationships. Agreements must contain language specific to customer expectations related to use of virtual or hardware technologies, including:
- CSP commitment to use a documented and auditable change management process;
- A system design step whereby the customer organization can opt to review new system implementation as part of the change management process;
- The ability of the customer organization to perform its own audit of CSP change documentation and virtual system configurations; and
- A clear statement of intent by the CSP to never deploy a previously unapproved system without allowing the customer to review server configuration and network placement.
Cloud computing and virtualization are both business-enabling technologies that will only become more prevalent. The only path open to security professionals is to adapt policies and processes to accommodate both. And this isn't a bad idea, even if you are still pushing CSPs away from your door. You might want to check the effectiveness of your own organization's ability to manage the potential chaos virtualization can introduce into your data center.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.