Moving from internal infrastructure to the public cloud has its risks, but the potential rewards are great. Some people avoid the cloud altogether because they say cloud security can’t be trusted. That’s
Cloud naysayers say you should keep your virtual machines (VMs) out of the cloud because of cloud security concerns -- limiting the businesses they serve. Worse, their gloom-and-doom storyline about VM security may be winning the hearts and minds of IT pros.
This draconian position on cloud security undermines the potential benefits of moving from a virtual environment to the cloud, namely elasticity of computing resources, cost reductions from economies of scale and ubiquitous access (or something less than universal, if that’s your goal).
Cloud naysayers’ arguments about VM security sometimes feel bulletproof. “We abdicate data ownership once it hits the cloud” is a common cloud security argument. Another strikes fear into the heart of any IT pro: “The cloud means losing IT jobs.” But cloud security concerns are often just a case of fearing what you don’t know.
You can counter the cloud naysayer’s arguments with the following points.
Counter-argument 1: The cloud ain’t for every VM
Cloud naysayers base their position around a false assumption: that cloud computing is an all-or-nothing proposition.
They worry about VM data security, the inability to protect sensitive corporate assets, and the possibility that someone else might be peeking into your data stores. But this argument assumes that all VMs must be treated equally, meaning all VM data must be protected equally. That is simply not true.
Best practices documents relating to compliance and data security recommend creating islands of security -- hard lines that logically separate sensitive data from data you can afford not to care about.
Separating data this way creates a logical partition of servers and services, helping you decide which VMs make sense to host in the cloud. Without delving into the technical conversation on encryption and authentication protocols, you can immediately nullify the naysayer’s first objection by segregating sensitive VM data.
In other words, if you don’t care about the data inside some VMs, then the cloud security argument is moot.
Counter-argument 2: Security technologies work in the cloud too
When it comes to sensitive VM data, VM security technologies already exist to protect it in the cloud.
Technologies already exist that protect cloud-based VMs at rest (encryption and logon authentication), in transit (host and hypervisor-based firewalls in addition to transport security), and even in processing (via the logical functions of the hypervisor itself).
You can easily provision a VM to a cloud provider, enable its firewall and tunnel its communication exclusively back to your network with a reasonable assurance of VM security. The same Kerberos protocols that keep unauthorized users from logging in to your domain controller, for instance, keep your provider’s staff out of that VM. Algorithms such as the Advanced Encryption Standard (AES) that secure VM data in your virtual infrastructure work just the same when you store that data in a cloud.
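The "enable its firewall and tunnel its communication exclusively back to your network" step above, as an added example that is not from the original article: a POSIX shell function that puts a cloud-hosted Linux VM behind a default-deny iptables policy and allows traffic only through a VPN tunnel to the corporate network. The interface name wg0, the network 10.0.0.0/8, the VPN peer 203.0.113.5 and UDP port 51820 are hypothetical values; run it as root on the VM, or with DRY_RUN=1 to only print the rules.

```shell
#!/bin/sh
# Added example, not the article's or any vendor's code.
# Locks a cloud VM down so it only talks to the corporate network over a VPN
# tunnel. Assumed values: tunnel interface wg0, corporate network 10.0.0.0/8.
set -eu

: "${DRY_RUN:=0}"

# Run an iptables command, or print it instead when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# configure_vm_firewall TUNNEL_IF CORP_NET [VPN_PEER VPN_UDP_PORT]
configure_vm_firewall() {
    tun_if=$1
    corp_net=$2
    vpn_peer=${3:-}
    vpn_port=${4:-}

    # Start from a clean slate and default-deny in every direction.
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback and replies to flows the VM itself opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only thing allowed out of the public interface is the tunnel itself,
    # initiated from the VM back to the corporate VPN endpoint.
    if [ -n "$vpn_peer" ] && [ -n "$vpn_port" ]; then
        run iptables -A OUTPUT -p udp -d "$vpn_peer" --dport "$vpn_port" -j ACCEPT
    fi

    # Inside the tunnel, talk only to the corporate network.
    run iptables -A INPUT -i "$tun_if" -s "$corp_net" -j ACCEPT
    run iptables -A OUTPUT -o "$tun_if" -d "$corp_net" -j ACCEPT
}

# Apply the policy with the assumed values when invoked as: sh lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
    configure_vm_firewall wg0 10.0.0.0/8 203.0.113.5 51820
fi
```

Because the OUTPUT chain is also default-deny, a compromised VM cannot reach the Internet directly; everything it sends has to cross the tunnel and your own perimeter controls.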
Meanwhile, VM security tools designed for on-premises virtual environments have been extended to work in the cloud. VMware’s vShield security platform, for instance, provides firewall, encryption, security, edge protection and anti-malware in both virtual and cloud environments.
Counter-argument 3: You can federate compliance
Cloud naysayers operate on the assumption that what you don’t know can hurt you. How do you know a cloud provider is doing its job correctly? How do you know they’re not migrating your VMs to some unexpected country of ill repute? How can you be sure the provider is following protection policies, particularly when you’re not allowed to verify them firsthand?
In fact, there are numerous ways to ensure compliance, and firsthand verification is not one of the requirements. The Securities and Exchange Commission doesn’t directly audit every public company, for instance; it relies on trusted third parties such as accounting firms and auditors.
The IT industry already has the beginnings of federated auditing in place to ensure that cloud providers deliver the level of VM security they say they will. The Statement on Auditing Standards No. 70 (SAS 70) and the newly released Statement on Standards for Attestation Engagements No. 16 (SSAE 16) use a trusted third party in combination with published processes to accomplish the task. The International Organization for Standardization has its own ISO 9001 standard for defining and following policies. These also provide a legal foundation for problem remediation that goes far beyond flying your internal security officer out to the provider’s building for a personal site visit.
Combine these auditing capabilities with today’s VM security technologies, and you’re well on your way to solid cloud security.
The argument that there’s no security in the cloud fails because the argument itself isn’t necessarily technological. A cloud isn’t just a technology; it’s a service, so cloud security encompasses more than simply authentication, authorization, encryption and access controls. You must plan your cloud environment well, provision the right VMs to maintain security, and understand third-party cloud security auditing.
Taking a non-technical approach to ensuring VM data security is often more important than focusing strictly on bits and bytes.
This was first published in October 2011