by Jennifer Marsh, software programmer with Rackspace Hosting
It’s easy to see why cloud computing is causing a seismic shift in the business models of companies as well as in the everyday computing habits of the general public. You don’t have to look hard to see its advantages. Cloud computing reduces expenses (hardware, software, network management), saves storage space, provides remote access, affords scalability, and improves productivity. But all that being said, just how secure is it?
The general answer is that it’s a lot more secure than it used to be and improvements in security are happening every day. In fact, cloud security is an issue that has generated intense scrutiny over the past several years. In a report, Assessing the Security Risks of Cloud Computing, published back in 2008, Gartner identified seven security issues customers should consider when selecting a cloud vendor:
- Access control: Who is allowed to see or manage your data?
- Regulatory compliance: How faithfully does the vendor adhere to security certifications?
- Location of data: Where is your data physically being stored?
- Data segregation: How well is your data kept distinct from other data?
- Recovery mechanisms: What happens when disaster strikes?
- Investigative support: How open and accessible is information?
- Long-term integrity: Will your data be available if the company folds or gets swallowed up by a larger company?
Since that time, significant strides have been made. Cloud service providers (CSPs) have become increasingly active in implementing aggressive measures to address the issues raised by the Gartner report as well as other related security concerns. Here are some of the initiatives that CSPs have undertaken to enhance cloud security:
Intrusion Detection Systems (IDSs): Traditionally, various types of IDSs have been implemented and used successfully on high-volume networks to monitor and record activity in order to detect potential intrusions, malicious activities, or policy violations. Some of these systems also take action to stifle intrusion attempts, but just about all of them are effective in identifying and reporting potential incidents.
In a cloud paradigm, the stakes are higher and so are the challenges. Intrusion attempts are potentially more impactful (for example, the intruder may be the competitor of a cloud client) and the complexity of the cloud can stretch the limitations of a traditional IDS. Fortunately, multi-threaded distributed intrusion detection models such as the one described in a September 2011 article in the International Journal of Advanced Science and Technology, have been shown to work very effectively in the cloud. Deployment of IDS sensors on separate cloud layers (application layer, system layer, and platform layer) managed by a multi-threaded queue and couched within a coordinated communication mechanism over a single platform can significantly mitigate the complexities inherent within the cloud environment.
Security Information and Event Management (SIEM) Systems: Traditional SIEM systems address key security needs at several levels: monitoring, alerting, report generation, trend analysis, and security compliance. These systems continuously collect system data, which is then correlated and analyzed, and generate reports from it. They also respond automatically to resolve security incidents.
The big breakthrough in recent years has been the ability to deploy SIEMs in cloud environments. This has been made possible largely through technological advances in speed (faster collection rates) and volume (ability to handle millions of log sources daily). Thanks to these advances, many CSPs are now able to offer log report generation and management as common services within the cloud.
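The layered IDS deployment described above (sensors per cloud layer feeding a multi-threaded queue) and the SIEM collection-correlation-reporting loop are two halves of one pipeline, so the following added example shows both together. It is not code from Rackspace or from the IJAST article cited above: it is a deliberately small Python model in which one sensor thread per layer (application, system, platform) parses constructed log lines into a shared queue, and a coordinator correlates the events per source address, raising an alert when repeated failed logins at the application layer coincide with activity on another layer from the same address. The log lines, layer names, field names and the correlation threshold are all assumptions made for the example.

```python
"""Multi-layer IDS sensors feeding a SIEM-style correlator (added example,
not Rackspace's code). One sensor thread per cloud layer pushes parsed events
into a shared queue; a coordinator drains the queue, correlates events per
source address and returns alerts plus a summary report."""
import queue
import threading
from collections import defaultdict

# Constructed sample log lines per layer; a real sensor would tail a log source.
LAYER_LOGS = {
    "application": [
        "10.0.0.7 login_failed user=alice",
        "10.0.0.7 login_failed user=alice",
        "10.0.0.7 login_failed user=alice",
        "10.0.0.9 login_ok user=bob",
    ],
    "system": [
        "10.0.0.7 sudo_invoked user=alice",
        "10.0.0.9 cron_run job=backup",
    ],
    "platform": [
        "10.0.0.7 new_instance_created tenant=t42",
    ],
}
# Correlation rule (assumed for this example): at least this many failed logins
# at the application layer plus activity on any other layer from the same
# source address raises one cross-layer alert.
FAILED_LOGIN_THRESHOLD = 3


def parse(layer, line):
    """Turn a raw log line into an event dict; reject malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"layer": layer, "src": parts[0], "action": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def sensor(layer, lines, q):
    """One IDS sensor thread: parse its layer's log and enqueue the events."""
    for line in lines:
        event = parse(layer, line)
        if event is not None:
            q.put(event)


def correlate(events):
    """SIEM-style correlation across layers, keyed on source address."""
    by_src = defaultdict(lambda: {"failed": 0, "layers": set()})
    for ev in events:
        rec = by_src[ev["src"]]
        rec["layers"].add(ev["layer"])
        if ev["layer"] == "application" and ev["action"] == "login_failed":
            rec["failed"] += 1
    alerts = [
        {"src": src, "failed_logins": rec["failed"], "layers": sorted(rec["layers"])}
        for src, rec in sorted(by_src.items())
        if rec["failed"] >= FAILED_LOGIN_THRESHOLD and len(rec["layers"]) > 1
    ]
    return alerts, dict(by_src)


def run(layer_logs=LAYER_LOGS):
    """Start one sensor per layer, drain the shared queue, return (alerts, report)."""
    q = queue.Queue()
    threads = [threading.Thread(target=sensor, args=(layer, lines, q))
               for layer, lines in layer_logs.items()]
    for t in threads:
        t.start()
    for t in threads:  # sensors finish first, then the coordinator drains the queue
        t.join()
    events = []
    while not q.empty():
        events.append(q.get())
    alerts, by_src = correlate(events)
    report = {
        "events_total": len(events),
        "events_per_layer": {layer: sum(1 for e in events if e["layer"] == layer)
                             for layer in layer_logs},
        "sources": len(by_src),
        "alerts": len(alerts),
    }
    return alerts, report


if __name__ == "__main__":
    found, summary = run()
    print("ALERTS", found)
    print("REPORT", summary)
```

The point of keying the correlation on the source address rather than on any single layer is that no one sensor sees enough to decide: the application sensor sees only failed logins, the platform sensor only a new instance, and it is the coordinator that joins them. The summary report is what a SIEM would roll into its periodic log report.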
Firewalls: Security challenges posed by the cloud make firewalls more of a necessity than ever. But typically, Web application firewalls (WAFs) have been tied to hardware devices, causing a serious dilemma for cloud service providers. Security and efficiency work against each other when CSPs are forced to support a large array of dedicated WAF machines (one per customer) when what they are trying to achieve instead is a fully virtualized environment.
Fortunately, this problem is being solved by the onset of distributed application firewalls, which are able to accommodate the wide variety of traditional and virtual technologies employed by CSPs to operate their clouds. In a related development, CSPs are also making liberal use of application-level proxies implemented inside a perimeter firewall to transparently understand and interpret data propagation in the command protocol of a particular application. These proxies are based on decentralized information flow control (DIFC) models, which feature a decentralized creation and management of security classes at runtime — a crucial dynamic when working in federated cloud environments.
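The DIFC model mentioned above is easier to see in code than in prose. The following is an added example, not Rackspace's or any product's implementation, of the classic DIFC label rules as an application-level proxy would apply them: each principal (a tenant or a shared service) mints its own secrecy tags at runtime, data carries a set of tags, a flow is permitted only if the receiver's clearance contains every tag on the data, and only the owner of a tag can declassify it. The principal names, tag names and the sample record are constructed.

```python
"""Decentralized information flow control (DIFC) labels for an application-level
proxy (added example, not Rackspace's code). Principals mint tags at runtime,
data carries a label (set of tags), flows are checked against the receiver's
clearance, and only a tag's owner may declassify it."""


class Tag:
    """A secrecy class minted by one principal at runtime."""

    def __init__(self, owner, name):
        self.owner, self.name = owner, name

    def __repr__(self):
        return f"{self.owner}:{self.name}"


class Labeled:
    """A payload together with its secrecy label (a frozenset of tags)."""

    def __init__(self, payload, tags):
        self.payload, self.label = payload, frozenset(tags)


class Principal:
    """A tenant or service: owns tags and holds a clearance set."""

    def __init__(self, name):
        self.name = name
        self.owned = set()      # tags this principal created
        self.clearance = set()  # tags this principal is allowed to read

    def mint_tag(self, tag_name):
        """Create a new security class; the creator owns it and may read it."""
        tag = Tag(self.name, tag_name)
        self.owned.add(tag)
        self.clearance.add(tag)
        return tag

    def grant(self, other, tag):
        """Owner extends read clearance for one of its own tags to another principal."""
        if tag not in self.owned:
            raise PermissionError(f"{self.name} does not own {tag!r}")
        other.clearance.add(tag)

    def declassify(self, data, tag):
        """Only the owner may strip its tag; returns a new Labeled object."""
        if tag not in self.owned:
            raise PermissionError(f"{self.name} cannot declassify {tag!r}")
        return Labeled(data.payload, data.label - {tag})


def flow_allowed(data, dest):
    """Core DIFC check: every tag on the data must be in the receiver's clearance."""
    return data.label <= dest.clearance


def proxy_forward(data, dest, audit):
    """Proxy decision for one message; every decision is recorded for audit."""
    allowed = flow_allowed(data, dest)
    missing = sorted(repr(t) for t in data.label - dest.clearance)
    audit.append({"dest": dest.name, "allowed": allowed, "missing": missing})
    return allowed


def demo():
    """Two tenants and a shared analytics service behind one proxy (constructed)."""
    audit = []
    tenant_a, tenant_b = Principal("tenantA"), Principal("tenantB")
    analytics = Principal("analytics")
    secret_a = tenant_a.mint_tag("customer-db")
    record = Labeled({"customer": "constructed-row"}, {secret_a})
    results = {}
    # tenant B holds no clearance for A's tag, so the proxy blocks the flow
    results["b_direct"] = proxy_forward(record, tenant_b, audit)
    # A grants analytics clearance at runtime; the same record now flows
    tenant_a.grant(analytics, secret_a)
    results["analytics"] = proxy_forward(record, analytics, audit)
    # analytics may read but cannot declassify a tag it does not own
    try:
        analytics.declassify(record, secret_a)
        results["analytics_declassify"] = True
    except PermissionError:
        results["analytics_declassify"] = False
    # the owner declassifies, after which even tenant B may receive the data
    public = tenant_a.declassify(record, secret_a)
    results["b_after_declassify"] = proxy_forward(public, tenant_b, audit)
    return results, audit


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

What makes this decentralized is that no central administrator defines the security classes: tenant A creates its own tag, decides at runtime who may read it, and alone can remove it. In a federated cloud that is exactly the property the article is pointing at, since tenants arrive and leave faster than a static policy could track. The audit list is what the proxy would hand to the SIEM.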
Industry Security Standards: Perhaps the most significant development in cloud security in recent years is the proliferation of industry standards and certification requirements related to security of information. These include:
ISO/IEC 27001 certification, which specifies standards that a management system needs to meet in order to ensure that a measurable and sufficient level of security and risk management of data is in place. The ISO/IEC 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
While not cloud specific, this standard has been adopted as a cloud industry staple and a benchmark of security compliance by CSPs. In order to become certified, vendors are required to satisfy a three-stage audit process undertaken by independent auditors and checked on a regular basis thereafter.
Registration with CSA STAR (Cloud Security Alliance’s Security, Trust, & Assurance registry): In 2011, the Cloud Security Alliance (CSA) launched a new initiative to encourage transparency of security practices within cloud providers. STAR is a free and publicly-accessible registry that documents the specific security controls provided by various CSPs. The registry is open to all cloud providers, who can submit self-assessment reports that document compliance with CSA’s best practices. STAR is easily accessible and searchable, making it a great resource for cloud customers to review the security practices of different providers. In many ways, it is a major leap forward in industry transparency and in the motivation of CSPs to exercise extreme diligence and thoroughness in their cloud security measures.
The Cloud Control Matrix (CCM) is a baseline set of security controls created by the CSA. Organized by category, the matrix comprises a large list of security controls mapped to a variety of well-recognized industry security standards. The CCM is another valuable tool that can assist prospective cloud customers in assessing the security risk associated with a cloud computing provider.
The commonly-held belief that a site-specific infrastructure is inherently more secure than an infrastructure managed by a service provider in the cloud can now be safely classified as a misconception. Although cloud security has always posed great challenges, these challenges are being met and the security beast is slowly being tamed.
There is no question that security continues to be among the top concerns that potential customers have about cloud computing, and rightly so. But the huge strides made in this area in recent years are real and measurable. And it’s becoming increasingly clear that security threats in the cloud environment are nowadays no greater, and in many cases less prevalent, than those faced by on-site systems.
Jennifer Marsh blogs for Rackspace Hosting. She is a software developer, programmer and technology writer with a special interest in security issues. Rackspace Hosting is the service leader in cloud computing, and a founder of OpenStack, an open source cloud operating system.