Getting best value from clouds demands proactive, tailored security
In recent years, cloud computing has been a major focus of attention in the world of IT...and that attention has been amply justified. Cloud architectures promise superior service levels, reduced business risks, and accelerated innovation: a truly optimized platform of service delivery as measured by almost any metric.
If cloud computing has an Achilles heel in the mind of decision-makers today, though, it's probably the security ramifications.
In a highly virtualized, automated environment such as a cloud, where resources are allocated on demand and many services are running in parallel on shared hardware, questions may rise as to how secure those services really are. This is particularly true in the case of public clouds that support not just different services, but different clients altogether. In such an environment, it's not enough merely to deal with external threats; it's also crucial to isolate services from each other, and thus prevent problems from escalating from one context to another.
And underlying all such specifics of cloud security, of course, is the issue of trust. How trusted are clouds as service delivery platforms, and what can organizations do to improve that level of trust via security strategies?
Toward answering that question, two significant issues to consider are how proactive the security is and how tailored it is. The old proverb from the world of medicine—"an ounce of prevention is worth a pound of cure"—certainly applies to cloud computing.
And because each organization is characterized by a unique context—processes, resources, risks, goals, and other factors—each organization will also require a custom security strategy and architecture designed to suit that context as closely as possible.
Many factors to consider in developing a cloud security strategy
"Cloud architectures promise superior service levels, reduced business risks, and accelerated innovation: a truly optimized platform of service delivery as measured by almost any metric. If cloud computing has an Achilles heel in the mind of decision-makers today, though, it's probably the security ramifications."
One of the more abstract issues to be considered before even choosing a cloud model is governance and compliance.
A private cloud implementation, hosted within and owned solely by an organization, implies greater operational control—and with it, simplified overall governance. However, that extra level of control may not be required for less sensitive services or data; in many cases, a public cloud might be just as well suited (and may also convey economic benefits derived from a pay-as-you-go pricing model).
The key is to consider the various factors pertinent to governance and compliance and establish in advance how they apply in each case. What are the regulations that come into play, based on each service you're considering migrating to a cloud? How is data stored and accessed within that service? Will data be managed securely at every phase in its complete lifecycle—even including necessary backups?
Cloud services may span governmental boundaries; if so, multiple sets of regulations may apply. This, in turn, may mean different levels of encryption have to be applied in different circumstances to secure data adequately. And auditing/reporting functionality may be required to demonstrate that compliance has been achieved in the event of a government audit.
Closely related to governance, of course, is the more general question of data—what kinds of data will be hosted in the cloud, how they will be used, and what kinds of security complexities will emerge as a result.
In cloud architectures, for instance, it will be important to establish in an ongoing way where data resides—and how that changes over time in response to the dynamic nature of the cloud's operations.
If data shifts from one host to another, for instance, in order to better respond to workload spikes or fulfill the terms of service level agreements, is the security of that data going to change as well? If data is backed up, is it backed up to another geographical site completely (as it should be) or merely to a new logical location at the same site?
If data needs to be deleted, can your organization be sure that all copies of it are truly gone? This issue might apply even to unorthodox contexts, such as proprietary application code, or to backups created for business resilience.
Administrator access to cloud data is another important factor to weigh. It will be necessary to balance the administrative power needed to make operational adjustments against the extra risks that might come from unauthorized data access by those same administrators.
The cloud's basic architecture should also play a part in the security strategy.
Consider, for instance, the fact that clouds leverage automation at a deep level to spur efficiency. This automation implies both extraordinarily consistent operations, as well as a theoretical security issue in the sense that a single successful attack vector might lead to many different breaches.
Suppose a given server image has a security weakness, and suppose that same image has been used to create dozens of virtual servers. In this scenario, the cloud's automation has, in theory at least, multiplied the weakness.
Alternately, consider the case of the hypervisor—the underlying layer that serves as a liaison between virtual servers and the hardware of their host. A successful exploit of a hypervisor could have potentially catastrophic consequences to every service running on that host. Both cases demand careful, proactive attention well in advance of service rollout.
In multi-tenant environments such as public clouds, secured isolation of systems and applications may be harder to achieve due to the shared architecture—yet it's crucial.
Every client's unique security policies will have to be implemented; does the cloud provider have the infrastructure and expertise to do that, including such specific aspects as user IDs, user passwords, access tokens, and identity federation?
Web applications have become increasingly popular mechanisms to deliver services to users, clients and customers. They've also become increasingly popular attack vectors. According to some studies, in fact, Web applications have been the source of more than half of all disclosed vulnerabilities since 2007.
Securing them in a cloud will mean taking many factors into account. For instance, how are applications proactively assessed for vulnerabilities? If vulnerabilities are discovered, how are those vulnerabilities addressed?
In many cases, security patches may not even exist, yet some sort of action will be required nevertheless. And if patches do exist, they will need to be applied everywhere they are needed, including to images in the cloud's image library.
Assuring services are as secure as possible is no simple feat—and different complexities apply to both cloud service providers and their clients/customers.
For instance, suppose an organization decides to offer access to its cloud to external customers, to host their own services. New security assurance issues will immediately apply, such as the analysis of log data. In the past such logs would only have contained internal data, but now the organization has the more complex task of analyzing logs, and addressing any discovered security issues, without compromising their customers’ privacy and security.
For organizations that work with multiple cloud providers, there is the question of establishing holistic assurance. Each provider's cloud, and each provider's methods/expertise in the area of security investigations and auditing, will likely vary to some extent. And if a given provider should go out of business, how difficult would it be to reestablish those services via some other means?
IBM can be the trusted partner you need
Toward mitigating these risks and complexities, many organizations will benefit from a trusted partner—a partner with extensive, proven expertise not just in cloud computing, but in business computing in a larger sense, including the full array of security complexities that clouds may involve.
IBM is ideally positioned to be that partner. Among other strengths, consider IBM's thought leadership: the real-world insight, gleaned from hundreds of successful customer engagements, needed to get the best business value from any cloud initiative.
One example is the IBM Security Framework and Blueprint—a way to assess security from every important standpoint comprehensively and in advance, and only then implement services in a cloud. Via the Framework, organizations can significantly improve the odds that a cloud architecture will deliver the desired business functionality and value while also minimizing the risk of new security problems.
Additionally, in 2010 IBM created the IBM Institute for Advanced Security. The Institute is chartered with not just providing IBM's own security expertise and insight, but also serving as a shared forum in which governmental agencies, leading IT solution providers, and business leaders can collaborate to identify and address emerging security issues of all kinds.
As new architectures such as cloud achieve momentum, and new security topics appear in parallel, the Institute will be an invaluable resource organizations can tap to understand the threats they face and what the best options are in dealing with them.
And, of course, IBM also boasts an exceptionally rich portfolio of security solutions and services. These are in many cases not only suitable for clouds, but actually specifically designed for clouds. By combining them as suggested by their unique needs and goals, organizations can create a tailored security architecture to proactively mitigate many different classes of security risks—despite the ever-increasing variety of cloud models and cloud service complexities.
In the fall of last year, for instance, IBM unveiled the IBM Virtual Protection System. This rootkit-detection system is particularly useful in virtualized environments such as clouds because it can identify rootkit-related issues inside virtual systems, despite executing outside of them. It also provides a single point of control—one solution to address many different virtual systems.
And organizations in the early phases of cloud service development would do well to consider three new IBM services: Cloud Security Strategy Roadmap, Cloud Security Assessment, and Applications Security Services for Cloud. Via these services, businesses can get a much clearer understanding of just what the security complexities of migrating to a cloud are likely to be—then make choices to get the best possible value from that cloud deployment.