The Cloud has become essential Internet architecture for enterprises.
Increasingly, CIOs and CTOs are seeing the Cloud as not only a more cost-effective way to deploy computation resources and storage than in traditional data centers, but also a better way.
Cloud services can be more scalable than physical servers in corporate racks, but can also be sited closer to customers. The challenge? Securing the service chain from end to end.
It’s not merely about stopping “bad guys” from hacking into Web servers or online databases; it’s making sure that malware doesn’t go from data centre to data centre, or from end-user devices (like smart phones or laptops) through public WiFi or cellular data networks into the cloud.
The cloud industry is gearing up to address the security challenge. Iben Rodriguez, Director of Cloud and Virtualisation Testing for NSS Labs, put his finger on one aspect: Defining a security perimeter in a Bring Your Own Device (BYOD) world.
“For the traditional enterprise with a solid perimeter, we had a security model where you protect all your sensitive assets inside your network,” Rodriguez says.
“That might have worked well when you were just going to buy a firewall and some intrusion detection solutions for it, but now with cloud and virtualization, you have data spread all over the world, and you've got people using mobile devices, BYOD.
“How are they going to have a firewall put around them? You can’t do it any more.”
Hongwen Zhang, CEO of security firm Wedge Networks, focuses on the ingress and egress points to the cloud as an excellent opportunity for deploying cloud security controls: “With the merging of data centre and cloud centres, we see a very good place where security can be centralised.
“We are talking about more connections going to the cloud, and if we can secure this part, we would actually secure the digital life of the whole planet.”
By applying network functions virtualisation to security Wedge has pioneered a way to deliver security as an elastic service embedded within the cloud network.
It inserts highly complex, real-time security decisions directly into the switching fabric to enable a “clean pipe” that secures content delivered to and from the cloud. Built for software-defined networks, it auto-scales with network load.
The multi-vendor stack adds complexity to cloud-security concerns, going far beyond what you’d find in a typical data centre, adds Dennis Moreau, Senior Engineering Architect for Software Defined Security at VMware, one of the leading companies in the virtualisation and cloud industry.
“Whether that's web application firewalls, next generation firewalls, IPS systems, sandbox detection of advanced threat stuff,” there are many, many vendors and solutions, Moreau adds.
“In those circumstances, nowhere is the cloud value proposition working better than as presenting either targets for malware or distribution vectors for malware to endpoints.
“What’s missing in this circumstance is an effective way of dealing with the complexity that occurs from doing this. The complexity comes from several places.
“When we bring the cloud into the data centre discussion, we are bringing in multiple provisioners into the stack. You no longer are provisioning everything you would have in an on-premise enterprise data centre,” Moreau adds.
That requires coordinating multiple actors, he said — and their policies, which might overlap, and which might even conflict.
“We’ve got to drive the complexity out. The principal problem, then, is the architecture for being able to deploy protections, keep them aligned through movement and be able to give enough context to have an actionable result from all of those logs that are going to be telling me about what’s going wrong and where.
“If I don’t have that context, I won’t be able to move.”
According to Paul To, the multilayered security approach is the right one, despite the proliferation of different vendors, different technologies and different solutions you’ll find in the cloud – or in solutions spanning multiple clouds, carriers and service providers.
To, the Director of SDN & Cloud at test tools maker Spirent Communications, said, “Security guys always talk about the layered defence. Map the layered approach to what’s going on in the software-defined networks world, where everything is virtualised and then everything is programmable.
“Each of the horizontal layers, at the compute layer, at the storage layer, the overlay and the underlay, each of those horizontal layers has programmability. One of the main goals of all the new architecture is separating abstract and control planes and so on.
“Each of those layers can become a coordinated policy enforcement engine. Every single layer, to parallel the layered defence that might be needed for a given situation.
“From the enforcement and analytics point of view, each of those layers can provide the intelligence necessary to do threat assessment and intrusion detection.”
That coordination is in the future, To was quick to add.
“There’s a huge opportunity to look at how we orchestrate all those layers. There's a huge opportunity for the industry and from the different players of the different layers to really work together to provide a cohesive security solution.”
The move to cloud-based IT and virtualised networks naturally consolidates risk, moving it from multiple points in the service chain — such as firewalls and intrusion detection systems in physical data centres — to a more centralised, orchestrated security system.
While centralisation can simplify administration and reduce costs, risk consolidation paradoxically can introduce new risks, says Steve Pate, Chief Architect of HyTrust, a cloud security management firm.
“We've gone from tens of thousands of physical servers managed by many administrators in different buildings, in rooms with locks on the doors to single box storage and compute with thousands of virtual machines, managed by a single or a few separate administrators,” he says.
“We've got administrators with uncontrolled amounts of power. We've got to have a lot more control over administrators, we've got to understand what they're doing.
“A two-man rule and multi-factor authentication need to come into play. We’ve got a whole set of issues around virtualisation, especially with data security, that people really don’t understand.”
Encryption is another challenge that becomes magnified in a cloud-based world. Encryption is necessary, not only of communications between servers, and between end users and servers, but of data as well.
But how to encrypt information in the public cloud and the private cloud? How to store and secure the keys? How to make sure that keys aren’t lost over time?
HyTrust’s Pate explained that encryption changes when you move to the cloud: “As soon as my data leaves the building and goes to the public cloud, I want to be in control.
“I’ve now got a different set of administrators who manage my data, replicating it, backing it up; I don’t know where that data is. Some of them may offer encryption, but if they hold the encryption key then it’s as good as putting your jewels in a safe deposit box and giving both keys to the bank.”
Encryption is a balancing act, adds Spirent’s To, between locking everything down tight and providing access to essential services. “Let’s face it, a lot of cloud services have to share data.”
VMware’s Moreau agreed: “If I encrypt everything fully then I limit how much de-duplication I can take advantage of.
“Requirements for security and access are in tension and so we will need policy-directed decisions on how to balance those competing interests.
“When you do encrypt, the encryption mechanism, both the key protection, key distribution, key generation, all of the stuff associated with that has to work at scale, just as reliably as the rest of the system, because if you lose the keys...” You can imagine the rest.
Clearly, security is on everyone’s mind.
As HyTrust, NSS Labs, Spirent, VMware and Wedge Networks have shown, many excellent solutions are available today for cloud providers and cloud consumers.
Yet security technology is evolving quickly, and there are many questions still to be answered – and still to be asked.
As service providers scale their offerings, expect security to be front-and-centre, along with cost, scalability and performance, as enterprises continue the rapid migration to the cloud.
By Alan Zeichick - principal analyst, Camden Associates, a leading technology analyst firm serving the IT industry