Managed Security: June 2009 Archives

by Chris Richter, Vice President of Security Services

In just the last few months there have been scores of articles written about the security risks of cloud computing in enterprise data centers. With a broad brush, commentaries have painted cloud computing environments as insecure infrastructures where tenants can more easily view other tenants' data, and even hack into their virtual servers, launching attacks on neighboring virtual machines without the victim knowing. One writer compared cloud computing environments to a multi-tenant office building where thieves can break through walls and steal content from the other side. Such views are fomenting a general perception that cloud computing is synonymous with high security risk. While some of these concerns are well founded, many are not. I believe the generally negative opinion about cloud computing security is based on the belief that all cloud computing environments are created equal. They are not.

There seem to be as many definitions of cloud computing as there are blogs about this subject. Ultimately, what cloud computing comes down to is the architecture and processes supporting the provider's infrastructure. All cloud infrastructures are located in one or more physical data centers which host various forms of server virtualization, networking and storage systems deployed in a myriad of ways. Some cloud providers tie in services from third parties to build a "community" of services that are delivered in the cloud. But the differences between providers lie in the practices governing how these systems are deployed, configured, and managed, all of which can also vary greatly. The same basic principles of data security that apply to dedicated infrastructures must also apply to cloud computing environments. If the IT environment is not properly architected and managed, security risks will abound.

While I would still argue that most cloud infrastructures are far more secure than most of the dedicated environments in existence, I am not suggesting that enterprises select a provider without proper due diligence. Providers should demonstrate the "guts" of their environment. At the very least they should be willing to share details regarding:

  • How their virtual machines are segmented from those of other customers
  • How their data is isolated and handled, both at rest and in motion
  • Who has access to the network, security and server/hypervisor management components
  • Standard and optional security controls
  • Overall architecture of the service provider's cloud computing infrastructure
  • Level to which the service provider works with the technology vendors whose products make up the environment
  • Who those technology vendors are
  • General practices used in the provisioning and management of components within the provider's infrastructure, including but not limited to patch management, change control, and monitoring

Without adequate transparency about how service providers help their customers manage IT security risks, the perception that all cloud computing environments are plagued with inherent security issues will persist. We, as an industry, can change that to ensure that enterprises no longer view security as an obstacle to embracing cloud computing.
