5 steps that your organization can take now
The rise of public cloud computing and its adoption by enterprises of all sizes is presenting challenges to professionals who are charged with the security of the organization's data. One major issue is that individual departments and even employees can purchase public cloud services -- often by using a corporate credit card -- without the knowledge or oversight of the IT department. Such purchases can lead to significant governance challenges, introduce unknown risks, and even prevent the organization from meeting its statutory and regulatory compliance obligations.
Public cloud computing is desirable for many reasons, including increased IT agility, reduced time to roll out a new product or service, access to the latest technology not available inside the enterprise -- and even a strategy to work around restrictions put in place by the IT departments, such as a limit to the size of email attachments or the types of files that can be sent or received through the email system. For these reasons, many IT departments are considering deploying private clouds, which departments can access and use instead of public clouds. Examples on record include State Street Bank (which expects to see significant savings as well as improve operational efficiency and security of customer data), engineering and construction firm Bechtel Corporation, and chemical company Sinochem Group.
However, private clouds aren’t inherently more secure than public clouds and can even be far less secure. In this article, I'll discuss some pitfalls and make recommendations for securing private clouds.
Overview of Private Clouds
One difficulty that security professionals encounter is a variety of perceptions amongst IT staff, senior management, and end users about what a private cloud really is. For example, many believe that private clouds are exclusively on-premises, residing in a data center that the organization controls, and therefore are more secure than a public cloud, which is hosted by a public cloud provider. Another common misconception is that a private cloud always uses virtualization to create a pool of virtual machines (VMs), which can be allocated to departments and users as needed.
Related: Top 10 FAQs for the Private Cloud
Although it’s fair to say that most private clouds that are deployed or under consideration today are on-premises, provide Infrastructure as a Service (IaaS), and use virtualization technology to create a pool of resources that can be allocated as required, the reality is that a private cloud is simply a cloud that is dedicated to an organization for its sole use. The private cloud can be on- or off-premises, and indeed several extremely reputable private cloud providers use their own data centers to host private clouds for their customers. Some of these private cloud providers (e.g., Microsoft) also offer public cloud services. Nor are private clouds limited to IaaS offerings. Many can and do offer Platform as a Service (PaaS) or Software as a Service (SaaS) as well. Virtualization, especially in SaaS clouds, is not a prerequisite. Organizations might find it useful to consult the National Institute of Standards and Technology's (NIST's) Special Publication 800-145 for a better understanding of cloud computing, including private clouds. (See the sidebar "Cloud Definitions" for more information.)
Threats in Private Clouds
The Cloud Security Alliance (CSA) published its Top Threats to Cloud Computing research report in March 2010. Although the document is several years old and is currently being revised, it remains extremely relevant today. Of the seven threats identified in the report, each applies to private clouds, whether hosted on- or off-premises. All seven apply to IaaS, six apply to PaaS, and five apply to SaaS clouds. The threats, in no particular order, are as follows:
- Abuse and nefarious use of cloud computing
- Insecure APIs
- Malicious insiders
- Shared technology vulnerabilities
- Data loss or leakage
- Account, service, and traffic hijacking
- Unknown risk profile
The CSA has published guidance and tools that cloud consumers and providers can use to jointly tackle these threats. These tools are freely available on the CSA's website.
The reported threats aren’t considered the only threats to cloud computing, though. Experience with private clouds has highlighted specific areas of concern for enterprises. As I mentioned earlier, most private clouds provide IaaS and use virtualization to make VMs available to departments and users within the organization, on an as-needed basis. Both Microsoft and VMware provide the necessary technology to build private clouds from the ground up. Excellent open-source tools, such as OpenStack, work with a range of hypervisors such as Citrix Xen and Linux Kernel-based Virtual Machine (KVM), as well as Microsoft and VMware hypervisor technologies. For that reason, I will focus on IaaS risks for the remainder of this article.
Risk #1: Abandoned VMs
Private clouds have led to an explosion in the number of VMs in existence. Private clouds are used to develop and test line of business (LOB), or Tier-1, applications and customer-facing web-based applications, as well as to host production environments. Organizations often develop entire libraries of VMs that can be deployed at a moment's notice, to handle additional workloads or to accommodate specialized testing. Creating new VMs can, in some cases, be as easy as copying the configuration files that define a VM and the file or files that comprise its virtual hard disk (VHD). This explosion has led to a problem whereby VMs are created and used but rarely deleted. When a VM is no longer necessary, it is often simply turned off and left intact, just in case it ever needs to be used again. This approach might mean placing it back in a library. This phenomenon is facilitated by the relatively low cost of storage used to house the VM libraries.
The risks to the enterprise from such practices are many. For example, VMs that are simply turned off typically are not turned back on to apply routine software updates. When a VM is used only during periods of peak demand, it might go weeks or even months between uses, by which time it might have several critical vulnerabilities for attackers to exploit as soon as it comes online.