Apps

Hardening the cloud: New security tools help to seal the gaps

Thoran Rodrigues takes a look at some of the cloud-focused security tools that provide cryptography and network protection roles.

A while back I wrote about cloud security, and how it was a matter of combining three key points: (1) technology, (2) processes, and (3) responsibility. The technology perspective is basically having tools that allow you to maintain a secure environment, from the infrastructure level all the way up to the cloud software level. The process side of the issue refers to having proper security processes in place, from making sure your company has a proper information security policy of which everyone is aware to correctly managing access control rules (firewalls, passwords, etc.). Finally, the responsibility side relates to cloud vendors acknowledging the importance of the services they provide and offering assurances and guarantees on their end, so that IT feels more secure.

While the theory is great, we're finally seeing this security model come true in practice. By combining offerings from multiple vendors, it is now possible to make the public cloud much safer from all aspects. Today we're going to look at some of the offerings that can be combined to improve cloud security and greatly reduce existing concerns.

Two down: Cryptography and network protection

When we think about cloud security from a technology point of view, two things immediately come to mind. The first one is cryptography. If my data is going to be stored somewhere outside of my control, I want at least some assurance that no one else will be able to access it, and having it safely encrypted goes a long way to ensure that. The second is network protection. When I'm running things on the public cloud, I want to be as sure as possible that no one is accessing my servers without my knowing about it.

These two points are also very hard to solve. Most cloud vendors don't offer any kind of data encryption on their basic servers, so that all the responsibility for data protection falls into the hands of the end users. While it might be simple enough to protect data from a single server, whenever the architecture starts scaling horizontally this quickly becomes a headache. The same goes for network protection and access control: managing dozens, if not hundreds of firewall rules, user names, and passwords is close to impossible.

Fortunately we have today some very interesting tools that can help us. On the data side, all sorts of vendors are now coming out with cloud-ready data encryption tools. Several vendors are coming out with solutions in this space, from the traditional ones like Trend Micro to entirely cloud-focused ones such as Porticor and Ciphercloud. While they may differ in implementation and feature set, all these tools follow the same basic idea: encrypt all the data, and make applications go through them in order to access anything. This way, access becomes controlled and even if the data is somehow stolen from the cloud environment, it will be very hard (close to impossible) to access it later.

On the networking side, one very interesting tool that I recently became aware of is CloudPassage's Halo. It's essentially a two-part service: there is a lightweight software component that sits on your cloud servers and a scalable back-end service that stores all the information that the software may need and does the computational heavy lifting that may be necessary. The software automatically applies networking security rules, such as inbound and outbound firewall rules, and monitors server activity to check for unauthorized or malicious access. But the back-end service gives it an interesting twist: since configurations are stored centrally, you can save a base server image with the software installed, and then every new server that comes up will have all the rules and settings already configured. They also offer some other interesting features, such as multi-factor authentication for cloud servers that are well worth a look.

These kinds of tools are interesting not only because they bring more technological security for cloud servers, but also because they simplify the process side of data security. Through their various APIs, management consoles, and portals, IT teams can manage rules and configurations for multiple servers, and monitor the security status of servers much more closely.

Closing the chain: Responsibility

The final piece of the puzzle, when it comes to security, is responsibility: how can we mitigate the risk of not being responsible for the computing environment, especially in a public cloud situation? Cloud vendors try to do this with aggressive SLAs, but the fact is that most SLAs are no guarantees. A close look at any of the fine print out there will quickly show us that the only kind of compensation offered by the vendors today is service credits, and these are usually limited to a single month's worth. For mission critical applications from large enterprise, this is simply not enough.

This is where insurance comes in. Just like you can insure your business against forces of nature, there are companies, such as CloudInsure, now offering insurance for cloud outages or other "disastrous cloud events". These are obviously going to be very complex (and possibly costly) insurance policies, but they are a good step in mitigating the responsibility risk associated with the cloud. I believe that we will gradually see greater adoption of insurance-like compensation models for cloud outages, especially by the larger vendors as they look to differentiate themselves from the competition.

By mixing and matching these different solutions and services, it is now possible to make the public cloud much more secure than before. While a cloud environment will never be as secure as an internal data center, I believe that we are reaching a point where cloud security is becoming "good enough" - as long as the proper tools are used - to support almost any application scenario. This should, in turn, help to speed up adoption of the cloud computing model by large companies everywhere.

About

After working for a database company for 8 years, Thoran Rodrigues took the opportunity to open a cloud services company. For two years his company has been providing services for several of the largest e-commerce companies in Brazil, and over this t...

4 comments
Deadly Ernest
Deadly Ernest

if the cloud service providers are going to offer their services in other countries and provide ironclad evidence of a company's data being stored at ONLY the sites in that country. This is big one due to the various laws on privacy and data storage in some countries. The moving of the data off-shore is unlawful and a major breach of the privacy laws in some countries. Another aspect is the differences in the laws between countries and the security of the data when stored elsewhere. An example of this is data stored on a server in the USA could be inspected by US law enforcement while looking into a case against another company using the same data storage service. The data could get compromised and then all hell breaks loose as they try to decide who's at fault. We've already had an example of this type of problem with the MegaUpload case. It's these types of security issues that really worry a lot of IT and management people around the world. It may not be such a big worry for the USA companies, but it is for non-US companies.

Michael Kassner
Michael Kassner

I assume that you have tested the tools mentioned in the post. How did you prove that they are effective when it comes to security -- the encryption tool for example?

thoran.rodrigues
thoran.rodrigues

and this is why many solution providers are partenering with existing infrastructure providers to be able to run in as many countries as possible. There is also another problem, which is the other side of the issue you mentioned: storing data in other countries can actually help to hide criminal activity, by stopping law enforcement from being able to reach data for investigation, for instance. This is one reason why some governments have strict laws against moving data off-shore. And some service providers can make the issue even more complicated: a service could operate in one country, store encrypted data in a second country, and store the decryption keys on a third country.

thoran.rodrigues
thoran.rodrigues

I tested some (but not all) of the tools. Some I mentioned only for comparison. I tested the encryption tool with some simple tasks, such as taking snapshots of the disks and mounting them on other servers and so on. I did not, however, go into deep detail or really challenge them. As I mentioned in the post, I don't think they'll ever be as effective as keeping everything internal, but they are "good enough" for many application scenarios. There are always going to be problems, however: if people create servers with all ports open in the public internet and "password" as the password for the admin account, no ammount of encryption is going to save their data...

Editor's Picks