I am always amazed when I read the daily cloud blogs, articles and news headlines. Any given day will bring conflicting points of view by cloud industry experts and pundits on how secure clouds are, both private and public. There never seems to be a real consensus on how far security in the cloud has evolved. How then can any corporate CIO sort through the conflicting information and make an informed decision? The good news is that several cloud industry publications; security vendors and research organizations are making a concerted effort to cut through the hype and provide CIO’s with non-biased and researched driven data to help with the decision-making process.
According to Gartner’s 2011 CIO Agenda survey, just 3% of the CIOs surveyed say the majority of their IT operations are in the cloud today. Looking ahead, 43% say that within four years they expect to have the majority of their IT running in the cloud on Infrastructure-as-a-Service (IaaS) or on Software-as-a-Services (SaaS) technologies. This article will review the security issues that are holding back CIOs right now, and what will be needed to accelerate that growth.
CIOs have a fiduciary duty and the ultimate responsibility (legally and ethically) to ensure that the corporation’s sensitive information and data are protected from unauthorized access. CIOs also have limited budgets and resources to work with so they are always researching new and emerging technologies that will reduce cost, increase security and scalability, and maximize efficiencies in their infrastructure. Independent studies have demonstrated that both IaaS and SasS cloud models decrease cost, increase scalability and are extremely efficient when it comes to rapid deployment of new systems. So what are the main security issues that have CIOs delaying a move to the cloud?
Perceived Lack of Control in the Cloud
To a CIO, control is everything; on the surface hosting your sensitive information on an outsourced, shared, multi-tenant cloud platform would seem like a complete surrender and loss of control. How can you control risk and security of an information system that resides in someone else’s data center and is co-managed by outsourced personnel?
There are several secure cloud service providers that understand this concern and have built their entire core business around providing facilities, services, policy and procedures that give their clients complete transparency and control over their information systems. Most secure cloud service providers have adopted and implemented the same security best practices, regulatory and compliance controls that CIOs enforce inside their own internal organization such as PCI DSS 2.0, NIST 800.53, ISO 27001 and ITIL.
In fact CIOs can leverage a secure CSP’s infrastructure and services that may otherwise be cost prohibitive to implement internally thus giving them greater control over their information systems and sensitive data than they might have if hosted internally.
Another area of concern for CIOs is the perceived outsourcing of the risk management of their systems. There is a great level of trust between a secure CSP and a CIO. The CIO is dependent on the cloud service provider for patch management, vulnerability scanning, virus/malware detection, intrusion detection, firewall management, network management, account management, log management and the list goes on and on. Certainly outsourcing all of these critical tasks would constitute loss of control right? Wrong! As part of their standard service offering most secure cloud service providers provide customers system access, dashboards, portals, configuration and risk reports in real time giving CIOs complete control and transparency into their systems. In fact CIOs should consider secure cloud service providers as more of an extension of their own IT departments.
Multi-tenant Cloud Security – is it possible?
One area that keeps CIOs and potential cloud adopters awake at night is the idea that their virtual machines and data would reside on the same server with other customers VMs and data. In addition, multiple customers would also be accessing the same server remotely. As discussed in the previous paragraph, to a CIO control is everything. So is it possible to isolate and secure multiple environments in a multi-tenant cloud? The answer is YES.
So how do you secure a virtual environment hosted in a multi-tenant cloud? The same security best practices that apply to a dedicated standalone information system would also apply to a VM. Virtual machines live in a virtual network on the hypervisor. Hypervisors are the operating system that your virtual machines run on top of. Through VM isolation you isolate your VMs on its own network thus isolating your VMs from other tenants VMs. There is no way for other tenants to see your VMs, or your data. The same goes for network security. You would simply implement firewalls in front of your VMs just as you would in front of a dedicated system.
Another area of concern for CIOs that should not be left out is the topic of disk wiping and data remanence. In a public cloud, multi-tenant environment customer data is typically co-mingled on a shared storage device. Conventional wisdom says that the only way to truly remove data from a disk drive is to literally shred the drives. Degaussing disk is time consuming, expensive and not practical for a public cloud environment. So what can a cloud service provider do to address this problem and provide assurance to CIOs system owners, security and compliance officers that their data has been completely wiped from all storage in the public cloud? Again, the approach is the same as it would be for a dedicated system. Using a DoD approved disk wiping utility you can boot the VM with the utility and perform the recommended number of passes to properly wipe the data from the shared storage.
In summary, there are a variety of reasons CIOs are delaying their move to the cloud from lifecycle management consideration to budgetary reasons. One area of concern that should not delay the move is cloud security. If architected and configured properly, utilizing security best practices both a private or public cloud can securely host and protect your information system and sensitive data.
Mark McCurley is the Director of Security and Compliance for FireHost, where he oversees security feature development and management of the company’s cloud hosting platform and pci compliant hosting environments. Prior to joining FireHost, McCurley played a key role in the development of a large managed service provider’s compliance practice, focused on delivering IT Security, compliance and C&A services to commercial and Federal agencies. His career has centered around data centers and customer IT systems that need to adhere to federal, DoD and commercial compliance mandates and directives. He holds CISSP, CAP and Security+ certifications, and specializes in Security and compliance for the following federal, DoD and commercial compliance mandates: DIACAP, FISMA, SOX, HIPAA and PCI.