It’s Friday, and I finally don’t have an interview scheduled. Time to post another long-winded entry. Someone ought to hire me and take away all this free time… (My golf-pro career move didn’t fly well with the wife…) Let’s talk about cloud computing again.
Cloud computing is a technological advance that can bring great benefits to almost any business. Like all major shifts in technology, adoption of cloud computing brings with it inherent risks. My opinion on cloud computing thus far is based on reading, discussion with others, and some limited observation. I have not implemented a cloud solution, audited a cloud environment, or managed a cloud environment. Yet. I have been observing the technology as it has developed for the past 6 years or so, and although I do not consider myself an expert by any means, I have an understanding of the concepts and have formed an opinion.
Over the past few years, I have talked to a lot of people involved in the cloud computing and virtualization space, mostly but not entirely from a security point of view. Many of these folks are focused on maturing the technology, scoping the solutions available, and solving the challenges for Enterprise cloud computing adoption. I have summarized these interactions here, and will add to them as I continue to learn and understand cloud computing better.
What Is Cloud Computing
The biggest challenge for cloud computing adoption as I see it remains the fact that it is just so hard to grasp. IT is used to protecting a perimeter and touching a server farm. With cloud, you can’t just head on down to the server room and visit the farm to reassure yourself that all is well. For the IT folks like me that majored in the “buck stops here” school of IT management, where command and control of the IT infrastructure are the core of the security mind-set, handing over the keys to the kingdom to some third party is initially viewed as an act of treason.
As I understand it, at its most basic concept, cloud computing involves the concepts of distributed processing and server virtualization coupled with an “as a Service” model, offering Software, Platform and/or Infrastructure as a Service (SaaS, PaaS, IaaS). As a model, an application is built using resources from multiple services, and potentially provided from multiple locations. Behind the service interface is usually a collection of systems providing the actual computing resources, typically hosted by one company and consisting of a homogeneous environment of hardware and software built to simplify support and maintenance tasks. Once you start paying for the services and the resources utilized, the model becomes one of utility computing. Pay for usage.
The idea of IaaS where network infrastructure is managed by a provider has been around for a long, long time. Web hosting providers have been offering PaaS for many years now. The concept of using a website to provide an application interface and not requiring any specialized software on the desktop is not new, and is essentially SaaS. What’s new is that the cloud computing model separates and clearly spells out these concepts, bundling them for consumption.
The customer using the services doesn’t really care about how the services are being implemented or delivered, what technologies are used on the back-end, or how it is all being managed. They are only concerned with accessing the service, getting their data when they need it, that it has an acceptable level of reliability, and meets their consumption requirements. For the developer, the underlying networking hardware and software layers still remain, but there are now higher level service capabilities available to build and provision customer-facing applications with. Behind the services are immense data and computing resources which appear to the user to be consistently responsive and available, no matter where they are accessed from. On the IT side, cloud computing shifts the focus from provisioning and managing expensive-to-scale applications, servers, routers, switches and cable plants for the business to providing scalable services to the consumer.
Cloud computing demands that services remain “elastic”, in tune with the users’ dynamically changing needs. An application user or service developer requests access from the cloud rather than a specific endpoint or server resource. Multiple infrastructures consisting of one or more application frameworks are tied together and presented to the requestor on demand. There are no massive up-front capital expenditures for the application provider, and operational expenditures are based on actual volume of usage. You don’t need to buy, provision, and maintain the entire service, you just rent the framework. This is great for the Small to Medium Business because costs can be managed effectively. The frameworks typically offered provide mechanisms for:
- Automatic reconfiguration
- Self monitoring, metering, and alerting
- Self-healing ability
- Resource discovery and registration
- Service level agreement fulfillment and reporting
From the perspective of a user or application developer, only the request is made of the cloud; everything else required to provision the request happens invisibly. If requests for service increase, bandwidth, CPU and other resources are made available to accommodate the need. As service requests decrease, so does the provisioning of the service resources. You pay for what you need, as you need it. Smooth and efficient.
So the cloud is all about saving money and optimizing resources. But what about the data? Is the data in the cloud? Does it stay in the cloud? Can it be removed from the cloud? Can it be recreated if it is removed from the cloud? Who is responsible for keeping the data confidential, consistent, and unchanged in the cloud? Security is all about the data, and the data needs security.
Here are a few key questions to consider when evaluating the move into the cloud:
- What data will be stored in the cloud?
- Will your organization’s data be stored in a way that intermingles it with the data from other companies?
- Will your data include unencrypted personal information?
- Where geographically will data be stored, and will the customer have any control over the geo-boundaries?
- What laws, regulations, industry standards, contractual obligations, and organizational policies cover the data to be sent to the cloud?
- Who will be able to access the data, and what rights will the cloud service provider have to the data and its metadata?
- Does the cloud computing service have established and documented information security policies and supporting procedures?
- When and in what format will data be returned to the customer at contract termination?
- What commitments does the cloud service provider make with regard to data access, retention, protection, and security?
- What are the availability commitments for the cloud service? Are they documented within a Service Level Agreement?
- Are backup and recovery processes in place? Are they adequate for your organization’s needs?
- What audit trails are generated and maintained for your data?
- How quickly will you be able to obtain information about data access and associated logs?
- What SLAs and incident handling plans are in place to manage a denial of service attack, or an attack on the “pay-as-you-use” model itself?
Basically you need to ask all the same questions that you would during a third-party, vendor, or business partner security program review, in addition to knowing some specifics mentioned above that are unique to cloud computing services. The Shared Assessments Program provides a useable “Standardized Information Gathering” vendor security assessment questionnaire at http://www.sharedassessments.org/. Membership is required, but FREE. You also need to ensure your policies and procedures are up-to-date, reflecting your new cloud computing activities.
Some of the issues to address within your policies and supporting procedures include:
- The increased risks of inadvertent or deliberate disclosure of data and PII by using cloud computing services and sites.
- The potential increased exposure to malware through these sites.
- The increased risk of unauthorized use of the data on the cloud computing sites.
- How data protection requirements apply to information stored in the cloud.
- Retention requirements for information put into the cloud.
- Can all vestiges of information and metadata be permanently and completely removed from the cloud once it is placed there?
- What logs need to be generated and maintained for access to data in the clouds?
- Do logs show how information is posted, accessed, copied, modified and otherwise used?
Organizations should also perform a privacy impact assessment (PIA) when considering the move, or any type of software-as-a-service (SaaS) solution. Map your PII data flows as part of the PIA to identify the vulnerabilities and threats and to determine security and non-compliance risks.
It will be challenging to balance the benefits of cloud computing with the actions necessary to protect business information assets. Committing to a cloud computing service without first considering the legal and compliance risks, and without knowing the security controls that exist could result in significant business impact from non-compliance and/or security incidents. This could be well beyond the savings that using the cloud service brings to the business.
Also, don’t overlook training and ongoing awareness communications for your staff about how they can and cannot use specific cloud computing services. Make sure they know and follow procedures. This new model of computing is yet another opportunity to add security to the culture of your organization and get everyone thinking about it daily.
I believe the cloud offers Small to Medium sized Businesses (SMB) many potential performance and security benefits. Frequently SMBs struggle with limited or non-existent in-house IT resources, InfoSec resources, and their associated budgets. The cloud market is still very new and security offerings are negotiable and developing. Take advantage of this and set the bar high.
The good news to me as a security professional is that the very nature of the cloud itself may be driving more real thought about security into IT than ever before. The bad news is that a poorly written application can be just as insecure or worse in the cloud than it would be with just an exposed interface to the Internet. Cloud architectures don’t automatically guarantee compliance with regulations or policy for end-user data or applications. Applications written for the cloud must be constantly tested, checked and monitored. There is an investment in time, tools and understanding that must be made to handle this appropriately. It is important to spell out the responsibility for security management and reporting when negotiating with cloud service vendors. The majority of the responsibility for implementing security measures lies with the application designer, and ALL of the accountability for security, compliance and monitoring still sits in the lap of the business.
Most cloud providers will tell you that centralizing your data will result in less data leakage. I would partially agree with them, as the cloud brings thin client technology back into the light. Centralized storage is also easier to control and monitor. Rather than trying to figure out all the places where company data resides, and what is “sensitive” data, having all of the data in one place allows it to be protected more effectively. Be sure to invest well in your safeguards though, and test, test, test. One mistake, and you could lose it all.
For Incident Responders, it is possible to build a dedicated forensic server in the same cloud as the data, offline and ready for use as needed in an IaaS environment. The only cost is for storage until an incident happens, and the virtual server can be brought online with the click of a button. If a server in the cloud does get compromised, it can instantly be cloned and made available to a forensics server. No worrying about freezing the asset for imaging or procuring storage space. Bit for bit transfers are exponentially faster in the cloud too. The forensic workload can then be distributed to multiple responders and investigators by providing them with access to a copy of the subject VM.
Logging no longer has to remain an IT afterthought either. It can be baked right into your solution. Provision enough space through your service contract for acquiring log files, and replicate them. Extend your logging to be more granular without worrying about the performance hit or log size restrictions present in the current client/server environment. Granular logging makes compliance monitoring and incident investigations easier and faster. With your logs in the cloud you can index those logs in real-time and benefit from instant search results, providing a true, real-time view of your environment.
Inefficient processes will bubble up to the top view as process accounting comes back into wide use. Since the model is utility driven, a poorly tuned business or security process will become evident through billing. This will drive the development of better performance and management of all tools as they are built for the cloud.
The inclusion (and requirement) of virtualization in cloud computing will encourage better overall system builds. IT staff will be encouraged to minimize the O/S service surface that a particular VM enables in order to minimize costs. This brings server hardening out to the mainstream where it belongs. A company will typically have a minimum hardening standard that they will implement in their “Gold Image VM” that all VM’s will be based on. As the service being provided requires, additional O/S and application services will be justified, documented and turned on as required, through change and release management processes.
Patch management and testing become less of a headache in the cloud as well. It is now possible to duplicate your entire environment, or any portion thereof, for testing. Implement a change, and test its effects in a mirror image of production. Servers are all virtual machines, so they can be patched offline, brought online once tested and stable, and then smoothly switched over to in production without any disruption of traffic or transactions. Microsoft recently demonstrated this capability to me in their lab. It was seamless.
Cloud computing is relatively new and still evolving. The most wonderful thing about technology is that it’s always changing. The most difficult thing about technology is that it is always changing. Be prepared to deal with changes in service offerings, fees, and even the emergence of the “next cloud” technology. Creating the strategy and concept for a cloud application will probably take all of about 45 minutes. Don’t expect to set up a tollbooth on an existing service, charging more for it while providing less. Expect to spend weeks and months fine-tuning the application and developing additional functionality. Having your cloud solution in place means that your monitoring and improvement process has just started. Be prepared to make adjustments, remain flexible, and keep one eye on your usage meter and the other on your SLAs and revenue streams.
While we are looking to move our server-based applications to the cloud, the user and consumer markets are moving to more mobile form factors. If you recall IT in the ’80s I’m sure you had the same waistline issues that I had. Not donuts, I had a pager, a cellphone, and Personal Data Assistant all strapped on. I asked the question, why do I need all of these little devices? RIM and Apple responded with the Blackberry and then the iPad. Expect smartphones and tablets to continue to proliferate, and capabilities within these products to grow. Application and web developers must be aware and conscious of the limitations of each of the potential displays that their customers will be using to consume these services and accommodate them.
Compliance with regulatory requirements and specific guidance around PII and Privacy may prove to be problematic, depending upon the data that you are gathering, storing, or sending across the cloud. Geographical boundaries are completely erased in many cloud computing environments. Make sure that you understand what the laws and regulations are in all of the areas that your cloud computing vendor operates in and utilizes. Ensure that your contract takes these concerns into account and provides the data controls that you require. Consider and manage the entire Information Lifecycle from data creation and acquisition, storage and distribution, usage, maintenance, and destruction.
Consider the denial of service threat and how it may impact your cloud-based services and business. In the current model, where your applications are managed with fairly static provisioning, if an attacker launches a DoS or DDoS campaign against your resources, you can over-provision, switch to another service provider, move the target IP around, filter the offending addresses, or take other evasive actions. The damage is temporary, depriving your business of a single revenue source (with possibly multiple streams). With cloud computing, denial of service can have a similar effect, but now the over-provisioning happens automatically, impacting your revenue directly through billing, possibly impacting your sources of revenue as the service provider takes the bandwidth and resource hit on your behalf, and you may end up paying the costs for all of that wasted capacity.
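The billing effect described above can be made concrete with a small simulation. This is an added example, not part of the original post: the capacity, price and traffic figures and the `simulate` function are constructed assumptions, not any provider's pricing or API.

```python
import math

# Constructed figures for illustration only.
CAPACITY_PER_INSTANCE = 500       # requests/second one instance can serve
CENTS_PER_INSTANCE_HOUR = 10      # assumed pay-per-use price
BASELINE_RPS = 1_000              # normal legitimate load
FLOOD_RPS = 50_000                # load during the denial of service
FLOOD_HOURS = range(8, 14)        # six hours of flood in a 24-hour day


def build_day(flood=False):
    """Return 24 hourly request rates, with or without the flood window."""
    return [FLOOD_RPS if flood and h in FLOOD_HOURS else BASELINE_RPS
            for h in range(24)]


def simulate(hourly_rps, max_instances=None, alert_cents=600):
    """Run an hourly load series through an elastic autoscaler.

    max_instances=None models unbounded elasticity; an integer models a
    scaling ceiling agreed with the provider. alert_cents is a cumulative
    spend threshold that should page someone.

    Returns (total_cost_cents, degraded_hours, first_alert_hour).
    """
    total = 0
    degraded_hours = 0
    alert_hour = None
    for hour, rps in enumerate(hourly_rps):
        wanted = max(1, math.ceil(rps / CAPACITY_PER_INSTANCE))
        running = wanted if max_instances is None else min(wanted, max_instances)
        total += running * CENTS_PER_INSTANCE_HOUR
        if running < wanted:
            # Demand exceeded the ceiling: users see errors or slow responses.
            degraded_hours += 1
        if alert_hour is None and total >= alert_cents:
            alert_hour = hour
    return total, degraded_hours, alert_hour


if __name__ == "__main__":
    scenarios = {
        "normal day, no cap": simulate(build_day()),
        "flood, no cap": simulate(build_day(flood=True)),
        "flood, cap of 10": simulate(build_day(flood=True), max_instances=10),
    }
    for name, (cents, degraded, alert) in scenarios.items():
        print(f"{name:20s} cost=${cents / 100:7.2f} "
              f"degraded_hours={degraded} alert_hour={alert}")
```

Without a ceiling the service stays up and the flood shows up only on the bill; with a ceiling the bill is bounded and the flood shows up as degraded hours. The spend alert fires in both flood cases, which is why billing belongs in monitoring alongside availability.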
Latency has always been an issue on the Internet, and remains just as much an issue in the cloud. Performance within the cloud doesn’t mean much if it takes forever for results to show up on the client end point. Latency can be beaten down with an intelligently planned infrastructure and smartly-written applications written for where and how they’re being run. According to an article on latency in High Scalability, every 100ms of latency cost Amazon 1% in sales. An extra half second in search page generation dropped traffic by 20%. A broker could lose $4 million in revenues per millisecond if their electronic trading platform is 5 milliseconds behind the competition.
Things that work on a small or even medium scale will not always work when scaled out further. Testing and debugging in a distributed computing environment is not for the faint of heart, requiring a specialized skill set. Multicast and QOS come immediately to mind as potential problems that may need a solution in the cloud, or may simply be dependencies that make an application unfit for cloud-based implementations.
Cloud-based applications and the capacity of cloud computing itself are only going to ramp up in the future. That means a race against latency increases is coming as well. Desktop PC’s biggest bottlenecks are often storage and memory, not CPU, and the sources of latency within the cloud must be identified and improved upon. Vendors may oversell their ability to deliver in order to stay competitive. Test your vendors’ ability to deliver capacity as well as capability.
Cloud computing’s main focus is about achieving massive scale. Database vendors offer new techniques and technologies for delivering massively scalable storage systems. This is often done by sacrificing data consistency and integrity checks in favor of replication and less reliable read/write methods. Choose your back-end systems wisely, and consider the manner in which data is checked in and out of these systems.
Authentication and access control are of paramount importance. Data resting in the cloud needs to be accessible only by those authorized to do so, making it critical to both restrict and monitor access through the cloud. In order to ensure the integrity of authentication, companies need to be able to view data access logs and audit trails. These logs and traces also need to be secured and maintained for as long as the company needs them, or legal purposes require. As with all cloud computing security challenges, it’s the responsibility of the customer to ensure that the cloud provider has taken all necessary security measures to protect the customer’s data and the access to that data.
Cloud computing is not just a buzz word, marketing hype, or as I originally considered it back in 2006, a return to glorified mainframe computing. It is not a fad that is going to quickly fade, but it is not the end of computer or networking developments either. Scoped and implemented appropriately, it offers great benefits and advantages to businesses and consumers alike. Adoption of cloud computing is not a straightforward task; however, with guidance and planning, the move can be accomplished well and relatively quickly. The Cloud Security Alliance offers excellent resources and guidance for those considering the cloud computing model. Security must sit at the center of any cloud, and it can be ignored or acted upon. The choice is yours.