The Cloud and the Enterprise: Key Security Considerations
In my last post I laid out what I think are the top 5 considerations that the SMB needs to take into account when planning their migration to the cloud. This blog post will cover the key security considerations that an enterprise datacenter infrastructure needs to take into account before and during their migration to the cloud. There’s no doubt that at first glance the Cloud can seem like a daunting and scary place to put your entire datacenter infrastructure. However, with the right understanding and good technical discussions, it can be a much less frightening task in which the benefits far outweigh the concerns. The first and main concern enterprises have with the cloud is security. Is the cloud secure? Can I trust my applications to be secure? These are just a few of the concerns which we will address throughout this post.
Securing Your Data in The Cloud
The last thing anyone wants to do is hand over all of their data and virtual machines to an entity that they have no trust in. Securing your applications, virtual machines and data is the most important consideration for the enterprise datacenter. How can you foster that trust in a provider or cloud solution? According to one of the top virtualization security bloggers today, Edward Haletky, “It depends on quite a bit actually but the main concern is understanding how the cloud protects or does not protect your data. It is all about the data.” That really sums it up: how does the cloud protect or not protect your data? An enterprise has to understand that before it can safely venture into the cloud with its datacenter infrastructure.
5 Cloud Security Concerns for the Enterprise Datacenter
5: You no longer have complete physical control over your datacenter
This is scary for many large enterprises. In your current datacenter that resides physically on your site, to provision a new server into the DMZ you have one of your engineers actually physically go and do it, hands on. Also, your engineer would have to be on the company network to do so. The idea of some engineer on the provider side of the cloud accidentally provisioning a server that’s not supposed to be in the DMZ could be disastrous. You are putting your datacenter into the hands of a cloud provider that may or may not fully understand the sensitivity of your network or data. This is a key consideration and concern to think about when planning to relocate your infrastructure to the cloud.
4: Loss of visibility into your infrastructure
What’s funny about the cloud is it’s just that, a cloud. What happens when your airplane flies through the clouds? You lose visibility. For those few minutes that you are cruising through the clouds, you can’t see anything, and for a second I stop to think, “I hope the pilot knows what he’s doing.” Unfortunately the same applies to the cloud. Migrating your datacenter to the cloud creates a loss of visibility into your infrastructure. This is something to think about: are you comfortable not knowing what’s going on with your infrastructure? Are you OK with less visibility into your infrastructure? How is your data being monitored? As you choose a cloud provider, make sure to push them on how much visibility you will lose when you migrate to the cloud.
3: What kind of cloud security best practices are in place?
The cloud is becoming more and more prominent as the years pass, and each year many new companies join the fray of cloud providers that are already out there. With all of this activity and so many different companies, it makes you wonder if there are any cloud security guidelines. If there are such guidelines, are they mandated by the government? By banks? Credit card companies? Are the security guidelines standardized or do they differ from provider to provider? During my chat with Edward Haletky he said:
“What security best practices are in place? How is their “cloud” secured? This is something that we just don’t get to know unless we are a large Fortune 500 company that will open up their wallet and pay for that information. Pick up the phone and call one of the big cloud providers today (name withheld) and ask them to send you a copy of their security documents, chances are they’ll say no. Now, as a Fortune 500 company I could call up my cloud provider and they respond positively because there’s a large amount of money on the table, and this was made part of the agreement when I signed on. If you are big enough they may be willing to modify their normal agreements for you, it will cost however. Regardless, challenge your provider to show you their security measures.”
The government actually has laid out cloud security guidelines thanks to the National Institute of Standards and Technology (NIST). Regardless of whether you are private or public sector you need to take a look at Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144). Weighing in at 80 pages, authors Wayne Jansen and Timothy Grance define what cloud computing is and how it is expected to be secured. Here’s the abstract of what this document aims to achieve:
Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.
2: Exposure to the Internet
Nobody wants their sensitive data out on the Internet; however, in most cases you access your infrastructure by hitting a web portal of some sort. This leads back to consideration #4: you lose the visibility to see what exactly is going on and where your data is being placed. This isn’t a deal breaker by any means. The whole idea behind the cloud is that you can access your data anywhere in the world over the Internet, but if you can, who else can? Something to think about.
1: It’s 3am, do you know where your data is?
Really this all boils down to: is your provider going to protect your data as you would if it were on site? Secondly, can you really access your data at any point in time? The most important thing to do when migrating your infrastructure data to the cloud is to ensure that the security that is put in place is placed nearest the actual data. If your data resides in a particular virtual machine, make sure that the virtual machine has the security installed on top of it, or very close. You have to ensure that whoever you choose to provide your cloud service has their services set up so that your data can make it there and back. The last thing you want is to have your data go in and never come out. Taking that into consideration, always ensure that you have data replication going somewhere other than your cloud as well. This ensures that if your cloud provider doesn’t cut it and makes a grave mistake, you can go and grab your data from where you replicated it to.
Don’t let this scare you!
Please don’t get up from your desk after reading this and throw away your plans to migrate your enterprise datacenter to the cloud. This is not meant to scare you away from cloud migration, but to inform you of what preventative security measures to take so that it’s a happy migration and not a nightmare. Read NIST SP 800-144, choose your cloud provider based on how they align with the guidelines laid out in that document, and make sure you have everything replicated in the event of data loss or corruption.
Learn more about NIST at their Cloud Computing Collaboration Site
Read more about Edward Haletky at The Virtualization Practice