Can You Trust Public Cloud Security?
The safety of data remains the key reason many enterprises won't use cloud hosting services.
A swath of the largest enterprises are steering clear of public cloud services because of security fears, says a survey by the Open Data Center Alliance (ODCA). The ODCA is an association of large enterprise IT executives that formed two years ago. It's chartered with formulating industry requirements for the migration to cloud computing. ODCA members shy away from the cloud because of the risk of a breach and the risk of running afoul of regulatory and compliance rules.
"Our requirements are very clear: Cloud providers have to be able to deliver at least equivalent to enterprise IT security," said Deutsche Bank AG Chief Scientist Andrew Stokes, at the group's Forecast 2012 conference in New York. "Without that, we can't even start. That's a critical requirement."
Stokes talked about an ODCA survey in which 40 percent of respondents cited security as the No. 1 inhibitor to using cloud services, followed by application migration, regulatory issues and cloud on-boarding. Stokes said customers, vendors and cloud providers all must agree to deliver standardized security levels across products and providers.
Others argue the situation isn't so dire. Steve Coplan, research manager at 451 Research LLC, says his company's studies show IT is becoming more comfortable with the security that the major cloud service providers offer, though concerns linger.
"Many are pragmatic about what they can get, and use the public cloud appropriately," Coplan says. "You can say public cloud is insecure, but the question is, it's insecure for what? It may not be secure enough for the workload you're considering but it's secure enough for a growing number of workloads."
Coplan credits the Cloud Security Alliance (CSA) for setting the bar for how service providers and hosting facilities should implement best practices and provide better disclosure. The CSA's Security Trust and Assurance Registry (STAR) -- rolled out late last year -- aims to provide detailed disclosure of the controls cloud providers have in place. The registry allows them to describe those controls based on a detailed questionnaire provided by the CSA.
So far, however, only a handful of companies have submitted profiles to the registry, among them Microsoft, the Verizon Communication Terremark unit, Box and SHI International Corp., says Jim Reavis, CSA executive director. Reavis tells Redmond that he anticipates most major cloud providers will start to contribute later this year.
Security-based resistance to cloud adoption is expected to ease. "I think as people get more and more familiar with the technologies and how they work, security will drop as a reason for not adopting cloud," says Rackspace US Inc. CTO John Engates.
Wary IT execs realize the economic and business realities will force a cloud move. "When we think about cloud adoption, whether it's private cloud or public cloud, some of the questions we have to answer are: ‘Are we introducing a new threat vector? And if we are, how are we going to manage it? What's the risk of implementation, and how are we going to deal with that risk?'" asked UBS Group CTO Andy Brown, in a keynote at the June ODCA conference. "I think it's easy to say no. Sometimes you have to work out what the cost of saying no is, as well as saying yes."
Harden Your Virtual Machines
Cloud providers need to educate prospective customers on how they're securing data, particularly in multitenant environments where multiple customers' workloads are served on the same hardware, says George Gerchow, director of the VMware Inc. Center for Policy and Compliance.
"Customers right now are very leery of moving highly regulated workloads to virtualized cloud environments," Gerchow says. "Security and compliance are the main inhibitors. We have to educate the marketplace on the solutions in virtualization that make it easier to do it and more secure, while giving you that visibility that you need to be able to keep up with the demands of the business."
To do so, VMware in June released guidelines for hardening its vSphere cloud virtualization platform using the vCenter Configuration Manager. VMware often talks up the security features in its new vSphere 5 cloud-computing platform, which includes the vShield 5 hypervisor-based firewall that's installed on each vSphere host. This creates trust zones based on policies, and has scores of templates with predefined industry- and country-specific regulatory policies.
Seek Refuge in VPCs
One way security experts recommend using public infrastructure is to provision virtual private clouds (VPCs). VPCs are more costly than multitenant clouds, but they host customer applications and data on dedicated hardware.
"All workloads on that server are your workloads. It's almost the same as deploying your own private cloud in your own datacenter because it has the same level of sharing as an actual private cloud," explains Dave Asprey, VP of cloud security at Trend Micro Inc. "It's just that you don't have to do it in your own datacenter and you don't have to own the hardware."
Whether enterprises opt for VPCs or multitenant IaaS cloud hosting, customers need to be mindful of securing data in motion as well as encrypting the data at rest on the hosts, according to Asprey. The encryption problem arises because in your own datacenter an IT pro can physically manage encryption keys: when a server needs to mount an encrypted volume, the IT pro physically walks the private key to the server, typically on a USB drive. In the cloud, the customer obviously can't do that, Asprey explains.
The way to compensate for this lack of physical access is with policy-based key management: the key is held by a service and released only to an instance that satisfies a policy. In Trend Micro's case, the company provides a SecureCloud service. Before any server instance running in a private or public cloud can access an encrypted volume, SecureCloud verifies its credentials. The instance also has to show that no unauthorized processes are running and that it is actually your machine image, according to Asprey.
"We set a policy that allows us to check out everything about the server before it gets access to the encrypted volume," he says. "And that prevents a hacker from copying your server image in the cloud and running it somewhere else to get access to your data. It's a new requirement that comes about, but it's the same complexity in public or private clouds."
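The pattern Asprey describes, a key-release service that authenticates the instance and checks a policy before handing over the volume key, can be sketched in working code. The example below is added here for illustration; it is not Trend Micro's SecureCloud protocol or API, and the field names, the HMAC-based enrollment credential, the instance IDs and the sample attestations are all constructed. It shows the case the quote singles out, a copied machine image running somewhere else, plus a few other denials a practitioner would expect the policy to produce.

```python
"""Policy-gated release of a volume encryption key (illustrative, not a real product's API)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VolumePolicy:
    """What an instance must prove before it may see the volume key."""
    expected_image_sha256: str       # hash of the approved machine image
    allowed_instance_ids: frozenset  # identities enrolled for this volume
    allowed_regions: frozenset       # where those instances may legitimately run
    forbidden_processes: frozenset   # tools whose presence withholds the key


@dataclass
class Decision:
    granted: bool
    reason: str
    key: Optional[bytes] = None


class KeyReleaseServer:
    def __init__(self) -> None:
        self._keys = {}         # volume_id -> data encryption key
        self._policies = {}     # volume_id -> VolumePolicy
        self._credentials = {}  # instance_id -> enrollment secret injected at boot
        self.audit = []         # every decision, kept for compliance reporting

    def enroll_instance(self, instance_id: str, secret: bytes) -> None:
        self._credentials[instance_id] = secret

    def register_volume(self, volume_id: str, key: bytes, policy: VolumePolicy) -> None:
        self._keys[volume_id] = key
        self._policies[volume_id] = policy

    @staticmethod
    def canonical(attestation: dict) -> bytes:
        # Deterministic encoding so client and server MAC identical bytes.
        return json.dumps(attestation, sort_keys=True, separators=(",", ":")).encode()

    def request_key(self, volume_id: str, attestation: dict, tag: str) -> Decision:
        policy = self._policies.get(volume_id)
        if policy is None:
            return self._deny(volume_id, attestation, "unknown volume")
        # 1. Credential check: the request must carry a MAC made with the secret
        #    enrolled for the claimed instance. A cloned image lacks that secret
        #    when it is injected at boot instead of baked into the image.
        secret = self._credentials.get(attestation.get("instance_id", ""))
        if secret is None:
            return self._deny(volume_id, attestation, "instance not enrolled")
        expected = hmac.new(secret, self.canonical(attestation), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return self._deny(volume_id, attestation, "bad credential MAC")
        # 2. Policy checks: image integrity, identity, location, running processes.
        if attestation["image_sha256"] != policy.expected_image_sha256:
            return self._deny(volume_id, attestation, "image hash mismatch")
        if attestation["instance_id"] not in policy.allowed_instance_ids:
            return self._deny(volume_id, attestation, "instance not allowed for volume")
        if attestation["region"] not in policy.allowed_regions:
            return self._deny(volume_id, attestation, "instance running outside allowed region")
        bad = policy.forbidden_processes & set(attestation["processes"])
        if bad:
            return self._deny(volume_id, attestation, f"forbidden processes: {sorted(bad)}")
        self.audit.append({"volume": volume_id, "instance": attestation["instance_id"],
                           "granted": True, "reason": "policy satisfied"})
        return Decision(True, "policy satisfied", self._keys[volume_id])

    def _deny(self, volume_id: str, attestation: dict, reason: str) -> Decision:
        self.audit.append({"volume": volume_id, "instance": attestation.get("instance_id"),
                           "granted": False, "reason": reason})
        return Decision(False, reason)


def sign_attestation(secret: bytes, attestation: dict) -> str:
    """Client side: MAC the attestation with the enrollment secret."""
    return hmac.new(secret, KeyReleaseServer.canonical(attestation), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Constructed scenario: one legitimate instance, several illegitimate requests."""
    server = KeyReleaseServer()
    image_hash = hashlib.sha256(b"approved-golden-image-v3").hexdigest()  # constructed
    volume_key = b"\x01" * 32  # would be random in a real deployment
    secret = b"enrollment-secret-for-i-0abc123"  # constructed
    server.enroll_instance("i-0abc123", secret)
    server.register_volume("vol-db1", volume_key, VolumePolicy(
        expected_image_sha256=image_hash,
        allowed_instance_ids=frozenset({"i-0abc123"}),
        allowed_regions=frozenset({"us-east-1"}),
        forbidden_processes=frozenset({"gdb", "tcpdump", "nc"})))
    good = {"instance_id": "i-0abc123", "region": "us-east-1",
            "image_sha256": image_hash, "processes": ["sshd", "postgres"]}
    results = {"legit": server.request_key("vol-db1", good, sign_attestation(secret, good))}
    # Attacker copies the image and boots it elsewhere: same image hash, no enrollment secret.
    clone = {**good, "instance_id": "i-0evil99", "region": "eu-west-1"}
    results["clone"] = server.request_key("vol-db1", clone, sign_attestation(b"guess", clone))
    # Even with a stolen secret, the same identity booted in another region is pinned out.
    moved = {**good, "region": "eu-west-1"}
    results["moved"] = server.request_key("vol-db1", moved, sign_attestation(secret, moved))
    # A debugger on the legitimate host withholds the key until it is gone.
    debug = {**good, "processes": ["sshd", "postgres", "gdb"]}
    results["debugger"] = server.request_key("vol-db1", debug, sign_attestation(secret, debug))
    # Attestation edited after signing: MAC no longer matches the submitted fields.
    results["tampered"] = server.request_key("vol-db1", good, sign_attestation(secret, debug))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} granted={decision.granted} reason={decision.reason}")
```

The order of checks matters: the credential MAC is verified before any policy field is consulted, so the policy engine never reasons over attributes an unauthenticated caller could have chosen. The audit list records denials as well as grants, which is the record a compliance reviewer would ask for.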
Most enterprise security software providers have turned their sights to protecting data running in the cloud. Earlier this year, one of the largest data security companies, Symantec Corp., made a major shift in that direction with the debut of a cloud security platform dubbed O3. It can run on-premises, hosted or a combination of both. The first component of O3 consists of identity and access management software.
Later this year, Symantec will add data-loss prevention and encryption services. The forthcoming release will also record security incidents for compliance purposes. "The public cloud is effectively becoming as secure as private cloud," says Dave Elliott, senior product global cloud marketing manager at Symantec. "People see security and data access control as the primary inhibitor of moving to the cloud. This gives enterprises, for the first time, control over those public cloud interactions."
While cloud and security vendors are prepping more secure wares, some in IT demand the very highest level of assurance, and won't put certain data and workloads in the public cloud until there are standardized, advanced auditing procedures in place.
These IT pros should perhaps be watching the progress of the CSA CloudAudit effort, which aims to provide a secure, open and automated way of providing real-time monitoring of audit, assertion, assessment and assurance controls of IaaS, Platform as a Service (PaaS) and SaaS environments. The goal of CloudAudit is to standardize and hence simplify the way auditors gather these controls from different cloud providers. Right now CloudAudit is a draft Internet Engineering Task Force (IETF) spec that's in pilot among some cloud providers. It could be a couple of years before a workable standard is available, CSA's Reavis says.
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.