On-Demand Enterprise
The State of Cloud Security (Pt. 2): It Starts with a Conversation



Although cloud computing presents new risks of security fiascos, there are many things providers and customers can do to take advantage of on-demand resources in a safe, reliable way. Smart people have been giving this a lot of thought.

Dave Durkee, CEO of cloud provider ENKI, says cloud security has to start with fundamentals and good hardware defenses -- emphasis on hardware. “I’m a big believer in hardware firewalls,” he says. “It’s not really enough to know the signature of an attack. You need to know where the traffic is coming from in order to block it. If they fill your upstream connections, you can be shut down.”

ENKI builds its system around AppLogic, 3Tera’s grid engine, which “allows us to manage the connections inside the virtual datacenter, so you can specify the interconnections between each server,” Durkee says. “You can go from server A to B but you can’t get to C. We’re able to build this layer of security into the architecture. But you also need to go the traditional route and have hardware-based intrusion detection and a firewall sitting in front of all that grid stuff. You need multiple layers of protection, just like in the middle ages with the moat and outer walls keeping invaders from getting inside the castle.”
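Durkee's "A can reach B but not C" model is an explicit allow-list of interconnections with everything else denied. The check a practitioner wants on top of that is transitive: if A may talk to B and B may talk to C, an attacker who lands on A and compromises B does get to C. The following is an added example, not ENKI or 3Tera AppLogic code; the server names, ports and allow-list are constructed for illustration. It answers three questions about such a policy: is a given flow permitted, where could a compromised host pivot to, and what does the per-host default-deny firewall look like when rendered as iptables commands (hostnames stand in for addresses here).

```python
"""Allow-list interconnection policy for a virtual datacenter, with a
pivot (transitive reachability) check.  Added example; the topology
below is constructed, not taken from any real deployment."""
from collections import deque

# Constructed policy: each tuple (source, destination, tcp_port) is an
# explicitly permitted flow.  Anything not listed is denied.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "cache", 6379),
    ("bastion", "web", 22),
    ("bastion", "app", 22),
}


def is_allowed(src, dst, port):
    """Direct policy check: is this exact flow on the allow-list?"""
    return (src, dst, port) in ALLOWED


def direct_neighbors(src):
    """Servers that `src` may open a connection to (any port)."""
    return {dst for (s, dst, _) in ALLOWED if s == src}


def reachable_from(src):
    """Transitive closure: every server an attacker controlling `src`
    could reach by hopping through hosts that `src` may talk to.
    Breadth-first search over the allow-list graph."""
    seen = set()
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in direct_neighbors(cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(src)
    return seen


def violations(must_not_reach):
    """Given (src, dst) pairs the policy intends to keep apart, return
    those where dst is still reachable from src through some chain of
    allowed links.  These are the pivots the allow-list does not stop."""
    return sorted((s, d) for (s, d) in must_not_reach if d in reachable_from(s))


def iptables_rules(host):
    """Render the inbound allow-list for one host as iptables commands:
    default deny on INPUT, accept established traffic, then only the
    listed peer/port pairs.  Names are placeholders for addresses."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (s, d, p) in sorted(ALLOWED):
        if d == host:
            rules.append(f"iptables -A INPUT -s {s} -p tcp --dport {p} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("web -> db direct:", is_allowed("web", "db", 5432))
    print("pivot targets from web:", sorted(reachable_from("web")))
    print("policy violations:", violations([("web", "db"), ("cache", "db")]))
    print("\n".join(iptables_rules("db")))
```

The direct check says web cannot reach db, yet the pivot analysis shows db is reachable from web via app; whether that is acceptable is a design decision, but it should be a visible one, which is why the transitive check belongs next to the allow-list rather than being left to an intrusion-detection layer downstream.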

While virtualization technology might enable its own security risks, it also allows system designers to build security in from step one. “The key is to build security in at the planning stage, when you’re designing your virtual machines,” says Tamar Newberger, vice president of marketing for Catbird, which provides security monitoring tools for virtual and physical networks. “You have to design in policies like ‘No financial machines can leave the country,’ for example. If you don’t want employees being able to send certain types of virtual machines to, say, Tokyo, then you build that into your policies and then into your virtual infrastructure. You can have monitoring tools that alert you if someone tries to do something that violates security policy.”

IBM takes advantage of virtualization capabilities within the servers it uses in cloud centers to implement security measures, says Dennis Quan, chief technology officer for High-Performance On-Demand Solutions at IBM. Most important, he says, are isolation techniques to keep customer data and resources separate.

“A lot of work still needs to be done to secure the channels that reach the cloud outside your enterprise,” Quan says, but the company has developed solutions around its current technology. “We build isolation into the hardware, but network-based isolation is also necessary. This can be provided as part of a virtual LAN or we can use different routing technologies. In the cloud we set up for the city of Wuxi in China, we had to implement a lot of different forms of security. They have multiple software companies making use of that facility, and those companies have clients that are large enterprises around the world. So they need to have isolation. We implemented a VPN to make sure all the traffic going into the cloud is authenticated. We use virtual LANs and virtualization technologies to keep virtual machines completely isolated between different tenants in the cloud. There’s a lot more we need to do to strengthen authentication as the cloud evolves, and that’s part of what we’re learning as we build clouds around the world. The security products have had to improve to satisfy the demands of customers using these clouds.”

Security tools will have to adapt to the cloud’s pay-for-what-you-use model, says Craig Balding, technical security lead for a Fortune 500 company and proprietor of cloudsecurity.org. Real cloud security will require “dynamic provisioning and configuration of firewalls and network security monitoring devices to watch traffic from virtual compute instances spun up on demand, perhaps across multiple continents,” Balding says. “What happens when the situation suddenly changes due to demand? This will only get solved by smart security autonomics.”

Needed: A Standard Stick

Some sort of formal agreement on who is responsible for what will help improve security for cloud customers. Dominique Levin of network security provider LogLogic suggests something like the standard developed by the credit card companies for data security, known as PCI DSS (Payment Card Industry Data Security Standard). “PCI defines a set of minimum measures that all organizations should implement to protect sensitive information. These include things like using a firewall, limiting unnecessary risky services on your network, and user activity monitoring through log data.”
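The last of Levin's minimum measures, user activity monitoring through log data, only earns its place if the logs are actually turned into detections. Below is an added example, not LogLogic's product or any code from the article: a small detector run over constructed sshd authentication lines (the hosts, users and IP addresses are made up). It flags a burst of failed logins from one source inside a time window, and, the case that matters more, a successful login from a source that had just been failing, which is the signature of a password-guessing attack that worked.

```python
"""Detection logic over authentication log lines: failed-login bursts per
source address, and a success that follows such a burst.  Added example
with constructed sample data; the log format mirrors OpenSSH sshd."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (timestamps, hosts and addresses are invented).
LOG_LINES = """\
2009-03-02T10:00:01 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2009-03-02T10:00:03 host1 sshd[2212]: Failed password for root from 203.0.113.7 port 51023 ssh2
2009-03-02T10:00:04 host1 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
2009-03-02T10:00:06 host1 sshd[2214]: Failed password for root from 203.0.113.7 port 51025 ssh2
2009-03-02T10:00:07 host1 sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
2009-03-02T10:00:09 host1 sshd[2216]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2009-03-02T10:05:00 host1 sshd[2290]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2009-03-02T10:30:00 host1 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def parse(line):
    """Return a dict with ts/host/result/user/ip, or None for lines that
    are not sshd authentication results."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window_s=60):
    """Stream the lines once, keeping a sliding window of failure times
    per source IP.  Emits (kind, ip, user, ts) tuples:
      brute_force            - the threshold-th failure inside the window
      success_after_failures - an Accepted login while the window still
                               holds at least `threshold` failures"""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Expire failures older than the window before evaluating.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once per burst, not per line
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The single failure from 198.51.100.4 never alerts: one bad password followed by a key-based login 25 minutes later is ordinary user behaviour, and the window has long expired. Thresholds and window length are the tuning knobs; what is not optional is that the logs reach a system that applies rules like this, which is the point of Levin's measure.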
