The debate over public cloud versus private cloud continues to rage within the IT industry. As most organisations take an ad-hoc, evolutionary approach to new technologies, the environment over the next five years is likely to be a mixture of the two.
IT leaders will not only have to deal with a hybrid cloud environment, they will, in most cases, have to manage both traditional, non-cloud, and cloud infrastructure. Within this complex management challenge, security will remain a key concern.
The infrastructure can be made safe enough to avoid costly breaches that can not only damage the infrastructure but can also incur reputational damage to the enterprise.
So what are the steps needed to ensure sufficient security and what technologies are at the IT manager’s disposal to carry out the job?
At the lowest level of the stack, it is essential to secure the hardware. Networks have to be intruder-aware and processors must have to carry hard-wired within the silicon that allow professionals to monitor infrastructure for any potential breach.
Intel and AMD have embedded security onto the chip that can flag up potential threats to security systems deployed on the infrastructure. In general, attackers are looking at firmware, processors and Bios as a means to compromise systems.
For Intel this involves its Trusted Execution Technology, which looks at software component integrity and provides a hardware security check before a virtual machine boots. Meanwhile, its Advanced Encryption Standard New Instructions set strengthens data protection encrypting and decrypting data ten times faster than software-based encryption. Its virtualisation technology also provides hardware-based isolation of virtualised workloads that share a common set of memory and I/O.
AMD offers similar root protection of the hardware before a VM is launched as well as alleviating Bios, Bios Extensions and bootstrap loader vulnerabilities. It also offers on-chip virus protection that sets aside parts of system memory as “data only”. There are extensions to the instruction set that pre-authenticate the hypervisor or VM image before users can decrypt and load them. IBM offers similar solutions with chipsets in embedded systems and smart devices.
When moving to a hybrid environment, IT managers should always ask detailed questions of potential cloud providers and check they have clearly defined service level agreements for service provision and security standards.
Most IT industry security standards, which evolved in the pre-cloud era, require the enterprise to have the ability to monitor and control access to networking, systems, applications and data. Whether your apps, systems and data are managed internally or outsourced to an external provider; a cloud environment must offer the same ability. Regularly scheduled audits using industry-recognised methods and standards, such as SAS 70 Type II, the Payment Card Industry Data Security Standard, ISO 27001/27002 and the Cloud Security Alliance Cloud Controls Matrix, should also be conducted, to ensure that security standards are meeting industry benchmarks.
According to Gavan Egan, Head of Cloud & Security Solutions (EMEA), at Verizon, companies should also bear in mind that migration to the cloud elevates the issue of security from an IT department to the board level.
"Instead of being solely about ‘securing the perimeter’, data security is now about understanding the value of your data and what reputation, compliance and cost implications could be felt if that data got into the wrong hands," he says. Where especially sensitive data is concerned, the enterprise must have complete visibility into where it is being stored. If it resides in the cloud, the portions of the environment containing the data must be isolated, by implementing virtualised versions of firewalls and intrusion prevention systems.
Isolation of data or infrastructure is particularly vital in the public cloud, to protect one organisation’s data from other in multi-tenanted environments.
"Public cloud security can be very difficult to implement, but when done right it does force security managers to think hard about shrinking security boundaries down to the application level and implement a true defence in depth model," says Scott Morrison, chief technology officer at security company Layer 7 Technologies. Morrison adds that this results in a more resilient security model than that found in most traditional enterprise IT operations with their on-premise computing resources. "The irony here is that public cloud, because of the security imperative, can actually be more secure than conventional enterprise IT."
Mandeep Khera, executive vice president of security log management company LogLogic asserts that, while public cloud providers have come along way in terms of security, there is still a way to go, and IT managers still need to consider securing data at the application level.
"While most of the [public cloud providers] are providing basic security services like firewalls, IDS, anti-virus etc., some areas like application security are still not being provided as a standard offering," he says. "This is one of the reasons why large enterprises are moving to their own private clouds where they can manage their own destiny."
But the overriding challenge for the private cloud is that there is no security forcing function says Morrison.
"Security can once again be an afterthought at best, or ignored at worst, because private cloud inherits the security architecture of the existing enterprise. As a result, private cloud simply recycles perimeter security and never converges on a true defence-in-depth model."
He adds that once entrenched, private cloud security will only ever evolve with the ‘glacial’ pace of conventional enterprise security. "It is a tremendous opportunity lost."
Vladimir Getov, Senior IEEE Member adds that even if a "private cloud is hosted by a third party, the fact that it relies on external architecture means that IT Managers are no longer in sole control of their data.
"Security remains a major adoption concern, as many service providers put the burden of cloud security on the customer, leading some to explore costly ideas like third party insurance," he says. "It is a huge risk, as well as impractical, to insure billions of pounds of company data – potential losses from losing major trading or logistical applications are enormous."
Service providers need to reassure customers that insurance is not needed. One solution might be a regulatory framework that would allow cloud subscribers to undergo a risk assessment prior to data migration, helping to make service providers accountable and provide transparency and assurance, suggests Getov.
He goes as far as to say that hybrid cloud is by definition, never 'yours', which is where the security concerns stem from.
“If we are talking about true 'private cloud' – hosted entirely on your own premises, then the security concerns for an IT manager are no different to those associated with any other complex distributed system.”
When using a hybrid cloud model the IT manager has to accept that the data will, by definition, be outside of the on-premise infrastructure at some time. Matt Hawkins, founder and MD at IT infrastructure solutions provider C4L, warns that hybrid cloud security is just about data, but also where you put it.
"Businesses need to ensure that the physical location of their data has the right logical and physical security and meets all relevant ISO data centre standards," says Hawkins. "This is one area where, due to economies of scale, a cloud provider could do better than in-house IT." He adds that the IT manager should expect cloud providers to house their data in data centres with multiple layers of physical security including biometrics, security cameras, multiple layers of access control and personnel on-site 24 hours a day, seven days a week.
That is not all. According to IT consultancy QuoStar Solutions a company that stores data anywhere, both on-site and within a cloud infrastructure, must perform risk assessments on their data storage and IT infrastructure as a whole.
"It must understand every possible risk and assign proper controls to those risks," says managing director Robert Rutherford. Just because you outsource a degree of IT infrastructure and service into the cloud, it doesn’t mean that you can outsource responsibility - doing so is negligent, he adds.