Submitted and written by Derek Garnier, Data Center, Network, Cloud Computing Specialist and Industry Veteran
Rather than focus on specific security issues faced by service providers, this article will discuss two areas of security concern for Enterprise users:
- Cloud Based Storage Services
- Managed Virtual Machines
CLOUD BASED STORAGE SERVICES
Cloud based storage systems are generally very easy to use. Web interfaces make file storage as easy as drag-and-drop for upload, with convenient URLs for sharing or download. The main question for IT departments is how to enforce security policies for company employees. Most companies I speak with have no security policy in place other than intellectual property agreements signed by employees. Limiting access to some secure information, such as pricing lists or detailed product information, would only create a roadblock to business transactions and therefore to company revenue. So how does a company lock down such information before it hits the cloud?
There are software packages that can provide detection of local or intranet stored documents as well as software packages to enforce document restrictions against security policies. Sounds like good news, right? Unfortunately, creation of policy is the difficult part of this equation. Limit too much and you stifle productivity. Limit too little and you have weak security.
Most policy detection and enforcement systems work either by file type or by searching file contents. But what do you want to limit? If you limit by keyword, how do you distinguish between a customer pricing quote and a company pricing or cost sheet? I have yet to see effective policy enforcement from such systems.
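To make the keyword problem concrete, here is an added Python example (not code from the article or from Open Spectrum) that runs two toy content policies over three constructed sample documents: a customer quote, an internal cost sheet, and a cost sheet whose wording avoids the obvious header terms. The keyword list, the indicator patterns and the sample text are all assumptions made for the demonstration.

```python
import re

# Constructed sample documents for the demonstration (not from the article).
CUSTOMER_QUOTE = """Quote Q-1042 for Acme Corp
Item       Qty   Unit Price
Widget A    10   $120.00
Total: $1,200.00
"""

INTERNAL_COST_SHEET = """INTERNAL - Product Cost Sheet
Item       Unit Cost   Unit Price   Margin
Widget A   $70.00      $120.00      41.7%
"""

# A cost sheet that avoids the obvious header words.
DISGUISED_COST_SHEET = """Widget A pricing summary
We buy at $70.00 and sell at $120.00.
"""

# Policy 1: plain keyword match, the approach the article describes.
KEYWORDS = ("price", "pricing")

def keyword_policy(text):
    """Return True (block) if any pricing keyword appears anywhere in the text."""
    low = text.lower()
    return any(k in low for k in KEYWORDS)

# Policy 2: contextual indicators that a customer-facing quote normally lacks.
COST_PATTERNS = (r"\bunit cost\b", r"\bmargin\b", r"\binternal\b", r"\bcost sheet\b")

def contextual_policy(text):
    """Return True (block) only if the text carries internal-cost indicators."""
    low = text.lower()
    return any(re.search(p, low) for p in COST_PATTERNS)

def evaluate(docs):
    """Run both policies over a dict of name -> text; verdicts are 'BLOCK' or 'ALLOW'."""
    result = {}
    for name, text in docs.items():
        result[name] = {
            "keyword": "BLOCK" if keyword_policy(text) else "ALLOW",
            "contextual": "BLOCK" if contextual_policy(text) else "ALLOW",
        }
    return result

SAMPLE_DOCS = {
    "customer_quote": CUSTOMER_QUOTE,
    "internal_cost_sheet": INTERNAL_COST_SHEET,
    "disguised_cost_sheet": DISGUISED_COST_SHEET,
}

if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLE_DOCS).items():
        print(f"{name:22s} keyword={verdicts['keyword']:5s} contextual={verdicts['contextual']}")
```

The keyword policy blocks all three documents, including the legitimate customer quote (too much limiting); the contextual policy lets the quote through but also misses the disguised cost sheet (too little). Neither rule set resolves the trade-off on its own, which is the point the paragraph above makes about policy design.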
Cloud-based storage also runs over an encrypted HTTPS connection, and therefore cannot easily or effectively be scanned by network policy systems. Another thing to remember is that any file uploaded to a cloud-based storage system run by another company can theoretically be read by that company. Even the idea of forcing local, per-document file encryption prior to upload is difficult at best. So what are the choices for a company?
The government handles this problem by making the sharing of classified information a crime. Companies, however, do not have this luxury, and few employees want to hear about the stick more often than the carrot. The best current method I have witnessed is one where the company provides the cloud storage system for its own documents and makes them accessible to its clients. This does not solve the rogue-employee problem, but it definitely keeps honest employees from making security mistakes.
MANAGED VIRTUAL MACHINES
Managed virtual machines also pose a security risk for IT departments. If a service is provided by a third party, then that third party not only monitors the virtual machine, but also has direct administrative access. All of the security that is provided to prevent an intruder from accessing the virtual machine or host is therefore worthless if the security threat comes from a trusted source.
Some providers have forced the adoption of dedicated infrastructure for each client, but this really is a managed colocation solution disguised as cloud computing or virtualization. Other providers will deliver a non-managed virtual machine, but with direct access to the host devices as well as the hypervisor itself, the provider still has access to your data.
Our suggestion to customers that rely on cloud based compute is to ask the provider directly how access is limited, even for the provider's own employees, and how their data is separated from that of other clients.
If you are spinning up and down machines using a credit card without ever speaking to the cloud provider, then let the buyer beware. Any IT department should have a direct relationship with the provider. Any provider that cannot ensure security, backed by strict SLAs, is probably one to be avoided.
The reality is that there is little to no standardization in cloud product offerings or in how virtual services are engineered and delivered. Both I and the team at Open Spectrum are still working with clients to find better solutions to these concerns, and we work with specific security consultants who can help you address these concerns and many others.