Cloud Security: Not an Oxymoron

Enterprises want the economic and agility benefits of the Cloud without incurring additional risk. Given that there’s still a widespread lack of knowledge and experience with Cloud, many enterprises are reluctant to use it. Indeed, many enterprises have taken a half-way position, adopting “private” or “hybrid” clouds that trade off some of the economic and agility benefit of public Clouds for a supposed reduction in risk. However, this might be a false tradeoff. Many enterprise systems are far less secure and robust than the major public Cloud providers. The false perception of security is premised on a belief that something you own and control is safer than something you don’t. But this false belief ends up resulting in a real loss of economic benefit – the loss of the ability to shift the cost of operating, scaling, and maintaining cloud infrastructure to a third-party provider.

As a result, we see security fears motivating companies to make bad decisions with regards to Cloud computing. In reality, Cloud security issues exist for both public and private Cloud infrastructure, with the former being no more challenging or less secure than the latter. Companies that approach Cloud security from a rational, holistic perspective can make more informed decisions that will enable them to realize the full economic and agility benefits of the Cloud, while simultaneously minimizing risk.

Cloud Security Concern #1: Preventing Unauthorized Service Access

One of the primary concerns with Cloud computing is making sure that the Services placed on the Cloud are only accessible by authorized users in authorized usage scenarios. But security in the Cloud is made more challenging by the fact that the trust boundaries have moved. We’ve talked about this many times before. Just like in Service-oriented systems, firewalls, traditional Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS) have a very limited, if any, role in protecting Cloud systems and services. A Cloud environment is by definition location independent and multi-tenant – that is to say, your Services are not the only Services that might be running on that infrastructure at any particular moment. Even if you have a “private” Cloud, you are still sharing infrastructure with multiple Services into which you might have little visibility. As a result, you can’t trust your network, server, or data storage. The boundaries of the network and the server are no longer relevant in controlling access.

Without the implicit trust of a system you control, you must authenticate and authorize every Cloud interaction, just as you must for every Service-oriented interaction. Identity & authorization is no longer about people – it’s become about systems and services. While many Cloud providers provide some level of granularity for authorizing access to Services, it’s often at a very coarse account or user access level. To make things more robust, companies need to apply the Identity and Access Management (IAM) techniques we’ve discussed that apply to SOA directly to the Cloud environment. Specifically, this means that companies should delegate authentication away from the Cloud runtime infrastructure and towards a centrally managed identity repository and runtime policy management infrastructure.

This means enterprises must adopt federated identity to make Cloud authorization and authentication work securely. Companies should maintain security profiles separate from the Cloud infrastructure and have Cloud systems delegate authorization to those IAM systems. Strong Cloud authorization and authentication are now possible with standards that emerged early in the Web Services days, including use of the Service Provisioning Markup Language (SPML), Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML), and OAuth. OAuth especially is now being accepted more widely as a federated identity enabler by allowing users to share their private resources stored on one site (in this case, the Cloud) with another site without having to hand out their credentials. In the world of Cloud, federated, delegated authentication and authorization is the answer when you can’t trust your infrastructure.

In addition to handling authentication and authorization for Services and users already on the Cloud, companies need to tackle provisioning from a centrally managed IAM perspective. Provisioning is most often done on a proprietary basis per Cloud provider, so companies need to take over this responsibility rather than delegate it to the Cloud. Fortunately, IAM systems fill this gap as well, enabling enterprises to turn on and off Services as well as access to those Services. If you have an IAM system in place, you’re in good shape. If not, there’s a whole new class of Identity-as-a-Service providers emerging that is certain to fill the gap.
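The pattern the three preceding paragraphs describe (a Cloud-hosted Service that trusts no network boundary, accepts only a signed assertion from the enterprise identity provider, and then asks a central policy decision point and provisioning store whether the request is allowed) can be shown end to end in a few dozen lines. The block below is an added example, not ZapThink's or any vendor's code. It assumes a shared HMAC secret between the identity provider and the Service as a stand-in for the signed SAML or OAuth tokens the text names, and the user directory, roles and policy tuples are constructed sample data. Deprovisioning a user in the central store denies them immediately, even while their assertion is still unexpired, because the decision is delegated to the enterprise rather than cached in the Cloud runtime.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo. A real IdP signs with a private key
# and the Service verifies with the public key (SAML / signed-JWT style).
IDP_SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"

# Enterprise-side provisioning store (stands in for the central IAM directory
# that SPML-style provisioning would populate). Constructed sample users.
PROVISIONED_USERS = {
    "alice": {"roles": ["analyst"]},
    "bob": {"roles": ["admin"]},
}

# XACML-style policy: (role, action, resource) -> permit. Constructed sample.
POLICY = {
    ("analyst", "read", "reports"): True,
    ("admin", "read", "reports"): True,
    ("admin", "write", "reports"): True,
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, audience, ttl_seconds=300, now=None):
    """Identity provider side: mint an assertion bound to a subject, an
    audience (the Service it is meant for) and a short expiry, then sign it."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, expected_audience, now=None):
    """Cloud-hosted Service side: check signature first, then audience and
    expiry. Returns the claims, or None if anything fails."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:            # malformed token or bad base64
        return None
    expected = hmac.new(IDP_SIGNING_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)    # only parsed once the signature is good
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims


def decide(subject, action, resource):
    """Policy decision point in the enterprise: consult the provisioning
    store and the policy. A deprovisioned subject is simply absent."""
    user = PROVISIONED_USERS.get(subject)
    if user is None:
        return False
    return any(POLICY.get((role, action, resource), False) for role in user["roles"])


def handle_request(token, action, resource, service_audience="reports-svc", now=None):
    """What the Service does on every call: no network trust, just the
    assertion plus a delegated authorization decision."""
    claims = verify_assertion(token, service_audience, now=now)
    if claims is None:
        return "deny: invalid assertion"
    if not decide(claims["sub"], action, resource):
        return "deny: policy"
    return "allow"


def deprovision(subject):
    """Central IAM turns a user off; every Service sees it on its next call."""
    PROVISIONED_USERS.pop(subject, None)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_assertion("alice", "reports-svc", now=t0)
    print(handle_request(tok, "read", "reports", now=t0))        # allow
    print(handle_request(tok, "write", "reports", now=t0))       # deny: policy
    print(handle_request(tok, "read", "reports", now=t0 + 400))  # deny: invalid assertion
    deprovision("alice")
    print(handle_request(tok, "read", "reports", now=t0))        # deny: policy
```

The audience check is what stops an assertion issued for one Service from being replayed at another, and the short expiry plus the central lookup in `decide` is what makes provisioning and deprovisioning effective without the Cloud runtime holding any identity state of its own.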

Cloud Security Concern #2: Maintaining Data Security

Another major concern for enterprises is the security of data used and stored in the Cloud. It goes without saying that enterprises should make sure that all conversations within and between Cloud providers are handled in a secure, encrypted manner, using SSL and point-to-point secure messaging protocols in every place possible. But SSL is not enough to protect your data.

The biggest problem that the Cloud presents for data security is the lack of physical separation of data. In the past, it was sufficient to lock down access to a data store. But in a Cloud, a data store is shared with many other people you don’t know. This is even the case in private Clouds where you might be commingling data with multiple other, unknown parties. Not only do you have little control over other parties sharing data storage infrastructure with you, you also have limited visibility into how or where data are stored. Data may be stored in one database or in multiple databases, “sharded” or partitioned across multiple data stores, stored in relational and non-relational databases, held in transient log files or temporary tables, and exist in memory cache distributed throughout the infrastructure. Basically, you should assume that once data is in the Cloud, it is anywhere and everywhere.

As such, the notion of physical data security makes little sense. You need to protect the data, not the data storage location – this means that data security is logical, not physical. Encryption, data policies, and data governance are incredibly important. For certain, all data in the cloud must be encrypted using keys. However, where would you store the keys? Obviously not in the Cloud, which means that enterprises need to have an approach for distributed key management. Smart companies use encrypted virtual machines, distributed key stores, and emerging homomorphic encryption schemes that allow data to be manipulated without being exposed. All this requires multi-entity key management, which is a technical challenge, but is warranted given the nature of distributed computing.

In addition, enterprises need to address three core Cloud data concerns: provenance, lineage, and “remanence”. Data provenance and lineage are about keeping track of where and when data was created and how it was modified. Can you guarantee how data was created and its origin? Where, when, and how the data was processed? What intermediary steps it went through? Data remanence is the process of making sure that all copies of data are deleted or otherwise rendered unusable in all locations where the data might have been stored. In an enterprise, when data is gone, it’s gone. But in a Cloud, you can never be sure that data is truly deleted, given the multitude of distributed data stores, logs, temporary tables, caches, and who knows what else. Some enterprises use data obfuscation, redaction, and truncation approaches that only store partial bits of data in the Cloud, and require Services or other activities to happen to bring data together in a usable way. However, there are no standard approaches for using these methods, even though they are gaining in popularity.
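The two preceding paragraphs raise a question (where do the keys live, if not in the Cloud?) and a worry (you can never be sure a Cloud copy is truly deleted). One design that answers both is envelope encryption with the key-encryption key held in an enterprise key store outside the Cloud: each record gets its own data key, the data key is wrapped by the enterprise key, and only ciphertext and wrapped keys ever sit in Cloud storage, replicas, caches or logs. Remanence is then handled by destroying the enterprise key, after which every copy of every record wrapped under it is unreadable wherever it may have been replicated. This goes one step beyond the text, which names distributed key management but not key destruction as a deletion control. The block is an added example, not ZapThink's or any product's code. To run with the standard library only it uses a toy HMAC-SHA256 counter-mode keystream in place of AES-GCM, which is labelled as such and is not for production; the key store class, record format and sample data are constructed.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Stand-in for AES-GCM so the example runs offline; NOT for production."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class EnterpriseKeyStore:
    """Lives outside the Cloud. Holds key-encryption keys (KEKs) by id and
    only wraps/unwraps per-record data keys; the KEK itself never leaves."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self._keks[kek_id], nonce, dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        kek = self._keks.get(kek_id)
        if kek is None:
            raise KeyError(f"KEK {kek_id!r} destroyed or unknown")
        return _keystream_xor(kek, wrapped[:16], wrapped[16:])

    def destroy_kek(self, kek_id: str) -> None:
        self._keks.pop(kek_id, None)


def encrypt_record(keystore: EnterpriseKeyStore, kek_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: fresh data key per record, wrapped by the
    enterprise KEK. The returned blob is what goes into Cloud storage."""
    dek = os.urandom(32)
    nonce = os.urandom(16)
    ct = _keystream_xor(dek, nonce, plaintext)
    tag = hmac.new(dek, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {
        "kek_id": kek_id,
        "wrapped_dek": keystore.wrap(kek_id, dek),
        "nonce": nonce,
        "ct": ct,
        "tag": tag,
    }


def decrypt_record(keystore: EnterpriseKeyStore, blob: dict) -> bytes:
    """Unwrap the data key via the enterprise store, verify integrity, decrypt."""
    dek = keystore.unwrap(blob["kek_id"], blob["wrapped_dek"])
    expected = hmac.new(dek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    return _keystream_xor(dek, blob["nonce"], blob["ct"])


def crypto_shred(keystore: EnterpriseKeyStore, kek_id: str) -> None:
    """Remanence control: destroy the KEK. Every copy of every record wrapped
    under it (replicas, caches, logs, backups) is now permanently unreadable."""
    keystore.destroy_kek(kek_id)


def can_decrypt(keystore: EnterpriseKeyStore, blob: dict) -> bool:
    try:
        decrypt_record(keystore, blob)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    ks = EnterpriseKeyStore()
    ks.create_kek("tenant-a-2024")                       # constructed key id
    record = encrypt_record(ks, "tenant-a-2024", b"customer record")
    cloud_copies = [dict(record) for _ in range(3)]       # replica, cache, log
    print(all(can_decrypt(ks, c) for c in cloud_copies))  # True
    crypto_shred(ks, "tenant-a-2024")
    print(any(can_decrypt(ks, c) for c in cloud_copies))  # False
```

Scoping KEKs per tenant, per dataset or per retention period is what makes shredding precise: destroying one key renders exactly the records under it unusable and nothing else, which is the closest a Cloud user can get to "when data is gone, it's gone".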

Cloud Security Concern #3: Ensuring Compliance in the Cloud

Just because your data and Services are hosted by a third party does not mean that you have eliminated any liability, risk, or compliance necessities. You still have to manage your data and systems as if they were your own. In particular, auditing is a problem for public Cloud users because logs stored by Cloud providers are commingled with other customer data, and as such, most Cloud providers won’t provide access to raw logs. Auditing standards, such as SAS 70 Type II, require companies to produce a historical report demonstrating certain controls on the network, but the Cloud is very dynamic and such auditing techniques are not really applicable and won’t really give companies the comfort they expect.

Of course, if you’ve been reading ZapThink research for the past decade, you know the answer: centralized governance. Getting a satisfactory level of governance over location-independent, virtualized, loosely-coupled, and agile systems is quite possible and has been tackled in the context of SOA in a way that is directly applicable to the Cloud. Compliance needs to be real-time because of the changing and multi-tenancy nature of Cloud service providers. Since you can’t count on the infrastructure being the same one day to the next, you have to create compliance policies that deal with data, services, and systems as they exist at that time. This means a move to continuous, runtime forms of governance and testing — topics we’ve talked about at length in the past. Using strong governance systems, processes, and policies that reside and are managed in the enterprise outside of the Cloud enables organizations to create, enforce, manage, audit, and mitigate policies that relate to a wide range of data, process, Service, and system concerns.
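"Compliance policies that deal with data, services, and systems as they exist at that time" means evaluating enterprise-owned rules against whatever inventory the Cloud reports right now, and doing it again on the next snapshot, rather than producing a one-off historical report. The block below is an added example of that runtime, policy-as-code approach; it is not ZapThink's or any governance product's code. The resource fields, rule names and the two inventory snapshots are constructed. The rules encode the controls the earlier sections call for (data at rest under an enterprise-managed key, no public storage, Services authenticating through the central identity provider, audit logs exported out of the Cloud), and the `drift` helper goes slightly beyond the text by reporting only findings that are new since the previous run, which is what a continuous process acts on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


# Each rule inspects one resource record from the current inventory snapshot
# and returns a violation message, or None when the resource is compliant.
# Field names are constructed for this example, not any provider's API.
def rule_storage_encrypted(res):
    if res["type"] == "storage" and not res.get("encrypted_with_enterprise_kek"):
        return "data at rest not encrypted under an enterprise-managed key"


def rule_no_public_storage(res):
    if res["type"] == "storage" and res.get("public_read"):
        return "storage is publicly readable"


def rule_service_federated_auth(res):
    if res["type"] == "service" and res.get("auth") != "federated":
        return f"service authenticates via {res.get('auth', 'nothing')!r}, not the central IdP"


def rule_audit_log_exported(res):
    if not res.get("audit_log_exported"):
        return "audit log is not exported to the enterprise log store"


RULES = [
    rule_storage_encrypted,
    rule_no_public_storage,
    rule_service_federated_auth,
    rule_audit_log_exported,
]


def evaluate(snapshot):
    """Run every rule over every resource in the snapshot as it exists now."""
    findings = []
    for res in snapshot:
        for rule in RULES:
            msg = rule(res)
            if msg:
                findings.append(Finding(res["name"], rule.__name__, msg))
    return findings


def compliant(snapshot):
    return not evaluate(snapshot)


def drift(previous_findings, current_findings):
    """Findings present now that were not present in the previous run."""
    seen = {(f.resource, f.rule) for f in previous_findings}
    return [f for f in current_findings if (f.resource, f.rule) not in seen]


# Constructed inventory snapshots: a clean baseline, then a later snapshot in
# which a bucket was made public and a new Service appeared without controls.
SNAPSHOT_BASELINE = [
    {"name": "reports-bucket", "type": "storage", "encrypted_with_enterprise_kek": True,
     "public_read": False, "audit_log_exported": True},
    {"name": "reports-svc", "type": "service", "auth": "federated", "audit_log_exported": True},
]

SNAPSHOT_DRIFTED = [
    {"name": "reports-bucket", "type": "storage", "encrypted_with_enterprise_kek": True,
     "public_read": True, "audit_log_exported": True},
    {"name": "reports-svc", "type": "service", "auth": "federated", "audit_log_exported": True},
    {"name": "batch-svc", "type": "service", "auth": "basic"},
]


if __name__ == "__main__":
    before = evaluate(SNAPSHOT_BASELINE)
    after = evaluate(SNAPSHOT_DRIFTED)
    for f in drift(before, after):
        print(f"{f.resource}: {f.rule}: {f.detail}")
```

Because the rules and the findings history live in the enterprise rather than in the provider's console, the same checks apply unchanged across providers and across private and public deployments, and the output is an auditable record of what was true at each evaluation rather than a static attestation.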

The ZapThink Take

While this ZapFlash only addresses a subset of the Cloud Security concerns, in many ways there’s little about Cloud security concerns that’s new or distinct from existing enterprise IT security concerns. If enterprises have adequately tackled IT security using the latest best practices, then many of those approaches can be applied directly to Cloud security concerns. Using these approaches, enterprises can get at least the same level of security in public Cloud environments that they can in their own internal environment (or perhaps even better than what they currently have).

Cloud computing is the latest evolution of network computing. Successive waves of LAN, WAN, internet, and Web technologies have each added to the scope and picture of what enterprises should and can secure in their distributed environment. The Cloud does not emerge into this landscape as a completely alien creature. Rather, the bulk of security approaches that have been appropriate in the past continue to be appropriate. All that the Cloud does is emphasize focus on areas where enterprises could have been lax in the past, and call out the fact that enterprises have less control over data and systems now than they did in the past.

Enterprise IT is increasingly moving to environments where the enterprise has less control. Whether this movement comes in the form of the Cloud, mobile devices, social networks, or distributed data stores, the fact remains that trying to own and control enterprise IT systems for the sake of security is becoming an increasingly difficult task. It makes more sense for enterprises to assume that their systems and data will eventually make their way onto platforms they don’t control. In this context, enterprises need to embrace security approaches that work in this distributed environment. Otherwise, they risk sacrificing huge potential productivity and economic gains for dubious security gains.