Everyone is talking about moving to “The Cloud,” but not everyone is talking about the same thing. If you’re considering moving some or all of your network infrastructure to a cloud offering you may be baffled by what people mean when they talk about “The Cloud,” what type of cloud you should use, what new security or compliance challenges you might face, and which cloud providers support the type of cloud you need. There are many nebulous and overzealous claims when it comes to cloud infrastructure, and many of those claims focus specifically on security and compliance. You must take these into account when deciding on the type of cloud and a provider.
What is a Cloud?
The basic definition of the cloud is a service that provides computing infrastructure similar to a utility in that it’s generally a monthly service where you pay for what you use. Just like there are a variety of utilities you can choose to power your home, there are also a number of ways to power your cloud. While there are several variations, they all have the following in common:
- They provide computing resources like CPU, Memory, disk space, and bandwidth that can be scaled up and scaled down quickly, without adding additional hardware, depending on your needs.
- You pay only for the resources you use.
- You do not have to deploy any physical hardware, and some software, like an application server, may be provided for you as well.
- They all use a piece of software called a hypervisor as their backbone. The hypervisor allows multiple virtual machines (VMs), which emulate an actual computer with CPU, memory, disk, and network resources, to all run together on a smaller number of physical servers called virtual hosts. The hypervisor allows the cloud provider to achieve much higher utilization of resources on each physical server and therefore achieve a much better economy of scale while giving their customers more flexibility.
Although all cloud offerings have the details above in common, there are some significant differences as well. To understand how the offerings differ, it’s critical to understand what type of cloud you are talking about.
The most well-known and referenced variation of cloud computing is the public cloud. Some example public cloud providers are Amazon EC2, Rackspace Cloud, and GoGrid. These three companies have built very large cloud infrastructures, all based on the Xen hypervisor. Xen is an open source hypervisor that competes with VMware and Microsoft Hyper-V, the two other major solution providers in the virtualization space. Some cloud providers have implemented public clouds with VMware and MS Hyper-V, such as Hostway’s cloud, which uses Hyper-V. When you deploy a virtual machine into the public cloud your VM receives its own IP address but shares a server, network interface, CPU, memory, disk, and network with other customers.
A reasonable level of security can be achieved in the public cloud but typically the technologies, such as personal firewall software, IDS/IPS, and web application firewall software, have to be implemented by the subscriber. In addition, compliance with requirements such as PCI DSS currently cannot be achieved in the public cloud. The main reasons here are:
- You can’t achieve sufficient segmentation between your trusted environment and other untrusted environments on the same cloud infrastructure. The public cloud providers simply do not provide the control of the network necessary to create the segmentation nor to obtain evidence to an auditor to prove that the segmentation is satisfactory.
- There is no logging and audit trail information throughout the cloud stack available to cloud customers. It’s necessary to monitor access control logs, virtualization management logs, hypervisor logs, and virtual networking logs to be compliant. Further, if there are logs on the hypervisor system they are likely not segmented by customer, meaning no actionable information can be provided to an auditor.
- The physical environment that houses the actual servers where your VMs live may not be compliant. Rackspace Cloud has achieved Requirement 9 of the PCI DSS, which covers physical security, access and controls, but if your auditor needs access to the hypervisor host and to the logs from your VM, those aren’t available, which makes the resulting Report on Compliance (ROC) of little practical use.
- You can’t monitor the traffic between VMs on the virtual host. Internal intrusion detection is required by the PCI DSS and is not achievable with Public Cloud technology today. VMware provides an API to monitor internal virtual host traffic, but an equivalent API with Xen has not been implemented.
- Proof that there is sufficient access control for the management components of the virtual infrastructure is not accessible. The management consoles to a virtual system are the keys to the kingdom. You must know who has access to your virtual environment and what privileges they have once they’re in. You must also have access to an audit trail of when they accessed it and how.
- Trust in the maturity and security of the hypervisor is lacking. Since the compliance requirements do not directly address hypervisor security, it is left up to the discretion of the auditor to decide if the hypervisor layer can protect one VM’s resources from another’s. Auditors may not trust that there are no vulnerabilities in the hypervisor that allow untrusted VMs access to your memory and network traffic.
Figure 1: Today’s major gaps in security and compliance of the cloud stack.
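The logging and access-control gaps above (no per-customer audit trail through the cloud stack, and no proof of who can reach the management consoles) are easiest to see in code. The following is an added example, not code from the article or from any of the providers it names: it parses a constructed management-plane log, builds the per-tenant audit trail an auditor would ask for, and flags console access by principals the tenant never authorised, as well as privileged actions by authorised users that need to be documented. The log format, the VM-to-tenant map and the authorised-principal lists are all assumptions made up for the example.

```python
import re

# Constructed: which VM belongs to which tenant. The provider knows this;
# a customer of a public cloud typically cannot see other tenants' entries.
VM_OWNER = {"vm-1042": "tenant-a", "vm-1043": "tenant-a", "vm-2001": "tenant-b"}

# Constructed: principals each tenant has authorised on its own environment.
AUTHORISED = {"tenant-a": {"alice", "bob"}, "tenant-b": {"carol"}}

# Actions on the management plane that touch the "keys to the kingdom"
# and therefore belong in the audit trail even when performed by an
# authorised user (assumed action names).
PRIVILEGED_ACTIONS = {"console.open", "snapshot.restore", "nic.attach", "vm.migrate"}

# Constructed sample of a hypervisor management log; the format is assumed.
SAMPLE_LOG = """\
2010-03-02T14:05:11Z user=alice role=tenant-admin action=console.open vm=vm-1042 src=203.0.113.9
2010-03-02T14:06:40Z user=carol role=tenant-admin action=vm.start vm=vm-2001 src=198.51.100.21
2010-03-02T14:09:02Z user=ops7 role=provider-ops action=vm.migrate vm=vm-1043 src=10.0.0.5
2010-03-02T14:12:55Z user=bob role=tenant-admin action=console.open vm=vm-2001 src=203.0.113.9
2010-03-02T14:15:00Z user=alice role=tenant-admin action=vm.stop vm=vm-1042 src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) vm=(?P<vm>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into event dicts, tagging each with the owning tenant."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        event = m.groupdict()
        event["tenant"] = VM_OWNER.get(event["vm"], "unknown")
        events.append(event)
    return events


def per_tenant_trail(events):
    """Segment the audit trail by customer: each tenant sees only its own VMs."""
    trails = {}
    for event in events:
        trails.setdefault(event["tenant"], []).append(event)
    return trails


def findings(events):
    """Return (kind, user, vm, action) tuples an auditor would want explained."""
    out = []
    for event in events:
        allowed = AUTHORISED.get(event["tenant"], set())
        if event["user"] not in allowed:
            # Provider staff or another tenant's admin touched this VM.
            out.append(("unauthorised-principal", event["user"], event["vm"], event["action"]))
        elif event["action"] in PRIVILEGED_ACTIONS:
            # Legitimate but high-impact: keep it in the trail with who, when and how.
            out.append(("privileged-action", event["user"], event["vm"], event["action"]))
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for tenant, trail in per_tenant_trail(evs).items():
        print(f"{tenant}: {len(trail)} management events")
    for kind, user, vm, action in findings(evs):
        print(f"{kind}: {user} performed {action} on {vm}")
```

Note that the `vm.migrate` by `ops7` is not necessarily wrong, since a provider will move VMs between hosts; the point is that without this kind of per-tenant trail the customer has no evidence either way.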
So, today you can install personal firewall software and monitor your traffic using IDS or web application firewall software, but that is the extent of public cloud security. We’re likely still a ways away from real security and compliance in the public cloud since most of these providers are very focused on scaling their infrastructures.
Virtual Private Cloud
The main difference between the public cloud and a Virtual Private Cloud (VPC) is that your network is not shared with other tenants of the hypervisor. Typically, this is achieved using a combination of encryption and subnets. Your network environment is assigned a routed or VLAN’d subnet with its own IP space for your virtual machines, and a VPN gives you secure, encrypted access to that environment.
A higher level of security can be achieved with the VPC since you can place a separate physical or virtual security appliance between your environment and others and not rely on host based security software. Nevertheless, many of the same security and compliance issues exist with the VPC as with the Public Cloud. While virtual stateful firewalls exist to segment trusted and untrusted virtual environments, many cloud providers only provide VLAN Access Control Lists for segmentation, which is not sufficient for compliance. Intra-VM traffic monitoring technology is available for VMware environments, but this is not typically offered by the cloud provider or supported by security applications. So, technologically we’re much closer to compliance in the VPC than the public cloud, but availability of the technologies is lacking. Amazon VPC and Rackspace Hosting, as well as many smaller cloud providers such as Host.net and Peak 10, also offer Virtual Private Clouds.
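The segmentation point made here and in the public-cloud list above is that an auditor wants evidence, not a diagram: proof that traffic cannot cross from one tenant's subnet into another's except through the security appliance. The following is an added example, not code from the article or from any provider it names: given a VPC-style allocation of one subnet per tenant and a set of flow records (as a virtual firewall or a NetFlow-style export might produce), it classifies each flow as intra-tenant, cross-tenant or boundary traffic and reports any cross-tenant flow the firewall let through. Tenant names, subnets, the shared-infrastructure range and the flow records are constructed for the example.

```python
import ipaddress

# Constructed: VPC-style layout, one subnet per tenant.
TENANT_SUBNETS = {
    "tenant-a": ["10.10.0.0/24"],
    "tenant-b": ["10.20.0.0/24"],
}

# Constructed: provider-operated hosts (VPN concentrator, security appliance)
# that legitimately talk to every tenant.
SHARED_INFRA = ["10.0.0.0/29"]

# Constructed flow records: (src, dst, dst_port, allowed_by_firewall).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.9", 3306, True),    # app server to its own database
    ("10.20.0.7", "10.10.0.5", 22, True),      # tenant-b host reaching tenant-a: must not pass
    ("10.20.0.7", "10.10.0.5", 445, False),    # same direction, correctly blocked
    ("10.0.0.1", "10.10.0.5", 443, True),      # VPN concentrator to tenant-a
    ("198.51.100.4", "10.20.0.7", 80, True),   # Internet to tenant-b web server
]


def owner_of(ip):
    """Map an address to its tenant, 'infra' for shared provider hosts, else 'external'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in SHARED_INFRA):
        return "infra"
    for tenant, nets in TENANT_SUBNETS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return tenant
    return "external"


def classify(src, dst):
    """Intra-tenant, cross-tenant, or boundary (touches the perimeter or shared infra)."""
    s, d = owner_of(src), owner_of(dst)
    if s in TENANT_SUBNETS and d in TENANT_SUBNETS:
        return "intra-tenant" if s == d else "cross-tenant"
    return "boundary"


def check_segmentation(flows):
    """Count flows per class and list cross-tenant flows the firewall allowed."""
    summary = {"intra-tenant": 0, "cross-tenant": 0, "boundary": 0}
    violations = []
    for src, dst, port, allowed in flows:
        kind = classify(src, dst)
        summary[kind] += 1
        # Blocked cross-tenant attempts are evidence the control works; allowed
        # ones are evidence it does not.
        if kind == "cross-tenant" and allowed:
            violations.append((src, dst, port))
    return summary, violations


if __name__ == "__main__":
    summary, violations = check_segmentation(SAMPLE_FLOWS)
    print("flow summary:", summary)
    for src, dst, port in violations:
        print(f"segmentation violation: {src} -> {dst}:{port} was allowed")
```

The same check applied to a public-cloud tenant usually cannot even be started, because the customer has neither the tenant-to-subnet map nor the flow export from the shared virtual switch; that absence is the evidence gap the compliance list above describes.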
Hybrid cloud offerings bypass the security issues of the cloud by allowing you to host your critical data in a completely private environment, on your own physical hardware or virtualization server, that is linked via an encrypted tunnel to a public or private cloud environment. A hybrid cloud allows you to take advantage of the scalability and cost effectiveness of the cloud for your public facing applications which aren’t subject to strict compliance requirements, while keeping your critical data in a more secure and segmented physical environment. While this may defeat a major purpose of the cloud – the ability to deploy systems quickly – it’s the best alternative today for organizations that are subject to strict compliance requirements.
Figure 2: Cloud computing types.
Every cloud might also have a silver lining…
Although it might sound a bit overwhelming from a security perspective, there are some aspects of the cloud and virtualization that have actual security advantages over physical environments. For example, VMs can be baselined and a known-good image restored quickly, either on a nightly schedule or after a breach, and the flexible architecture allows for seamless business continuity. In addition, the lower costs of a virtual environment might free up budget allowing for broader security measures. All of these opportunities are exciting advantages of the cloud.
With the rapid growth of cloud use and compliance bodies beginning to address virtualization as a platform for compliance, expect security and cloud providers to follow with some really interesting offerings that fill the security gaps of the cloud. The trick moving forward will be, as always, to make sure your cloud and security or compliance solutions are specific and transparent so you know exactly what you are or aren’t getting and how safe your data is or isn’t.