Yung Chou's Slides (PDF)
When it comes to cloud security, I have often heard people simply claim that it is not secure, yet fail to give specifics. Consequently, all too often a cloud security discussion soon turns into a religious or linguistic debate instead of focusing on what the concerns are and how to address them. Another interesting observation is that an assumption seems to have been quietly put in place that if it is not compliant, it is not secure. That is incorrect, as explained below. This blog examines a few important concepts and strategies for approaching cloud security in general.
Compliance vs. Security
In cloud computing, we must recognize that security and compliance are two separate topics, and one does not necessarily follow from the other. There are scenarios in which cloud computing may not be able to become directly compliant because it cannot provide a particular required control. That does not by itself mean cloud computing is not secure. For instance, a customer may demand affinity, or at least predictability, between an application and the physical server it runs on. Such a demand is fundamentally at odds with cloud computing. One of the 5 characteristics of cloud computing is resource pooling: resources are identified, allocated, monitored, managed, and de-allocated dynamically and on demand, with high availability and location transparency of service instances. With current technologies, this is a necessary condition for elasticity (another of the 5 characteristics). Resource pooling means that the server on which a cloud application instance runs is decided by the availability of the targeted resource in the intended pool at allocation time. Pinning an application to specific servers removes the ability to sustain high availability and on-demand capacity for a running instance. So by default, cloud computing cannot and should not offer affinity between hardware and a running instance. Does that mean cloud computing is not secure? The answer is “Huh?” since compliance and security are here two different matters.
Context and Scenario
Cloud is a broad topic and adds a few layers of abstraction, so be specific about the topic being examined. Reference the 5-3-2 principle (5 characteristics, 3 delivery methods, 2 deployment models) and consider the separation of responsibilities to set the context, then describe the scenario in which you believe security may be an issue: what the issue is, how it can happen, who is responsible, and whether it is specific to cloud computing.
One should first answer those questions to make certain an issue is relevant specifically to cloud computing and to determine whether the consumer or the service provider is responsible. If it is not cloud computing specific, it should not be discussed as a cloud computing issue. The abstractions of cloud computing all too often confuse people and complicate an issue further. Once one can state what the issue is, how it can happen, who is responsible, and whether it is cloud specific, there is a good chance a solution will present itself.
Notice that a key enabler of cloud computing is virtualization, and cloud security is conceptually not that different from the security considerations for virtualization and on-premises computing in general. There are various layers in cloud computing, as highlighted in the schematic on the left, and defense in depth is directly applicable and a best practice. In on-premises computing, corporate IT has control over all layers. In cloud computing, depending on the delivery method and deployment model, there is a separation of responsibilities between the service provider and consumers, and resources below a certain layer are owned and managed by the service provider. In SaaS, for instance, the service provider manages all layers, so a user needs to know nothing about where and how the system is maintained and managed other than the URL of the subscribed service and an authorized account to use it. Microsoft Office 365 and Microsoft Online Services are SaaS offerings; both give customers enterprise email, collaboration, and unified communications without the need to own the IT infrastructure that encompasses all the layers shown. This also means a subscriber has no control over any layer. In PaaS, a user controls the Applications and Data layers but not those below. Microsoft Windows Azure is a PaaS example: it provides an environment for development, deployment, and management, enabling IT to code, test, publish, and manage a cloud application delivered as SaaS in the public cloud. It is a very powerful, efficient, and strategic platform on which cloud applications can be developed, deployed, and managed with a high degree of transparency to on-premises establishments over IPsec connectivity, which can be readily achieved with Windows Azure Connect. In IaaS, the layers above virtualization are managed by the subscriber, which means the customer now has the responsibility to harden and patch the OS as well as all applications and services running in a virtual machine deployed through IaaS. Microsoft’s IaaS solutions are focused largely on private cloud. For many, the concept of IaaS remains a bit remote and foreign. The good news is that with the upcoming release of System Center 2012, building and deploying a private cloud will be a relatively straightforward process. Expect a few of my upcoming blogs to examine some of the key concepts of Windows Azure Connect and System Center 2012.
It’s About Trust
Whether on premises or in the cloud, at some point you simply have to start trusting whoever provides the service. Thought through deeply enough, it should become apparent that trust is one of the root issues of cloud security. Will you trust someone to keep your data? No? Look around and think again. We all already trust many others to carry out our everyday business: the Exchange admins, whoever they are, to run our email and inspect our inboxes with or without notice; the internet service provider to route our messages and connect us with customers and partners; couriers to deliver confidential packages among branch offices; and so on. Hosting applications and data is certainly serious and critical to a business. However, not all data is confidential and must sit in a vault guarded only by employees. What needs to happen first is to examine the data relevant to the business and identify what absolutely cannot be off premises. Then assess whether it makes sense to go to the cloud with the data that can essentially be outsourced.
From a cloud computing consumer’s point of view, in addition to establishing best practices for the resources within one’s own control, the ultimate questions are the trustworthiness of a service provider and whether a consumer can trust someone else to host one’s data, applications, and infrastructure, as applicable. This question is fundamental and a key concept in employing IT as a service.
This blog post lists terms frequently referenced in the Windows Azure Platform. They are presented in hierarchical order based on the context shown in the following schematic. Each term is described concisely with its key concept and pertinent information. The content is intended for IT pros and non-programmers.
The collective name of Microsoft’s Platform as a Service (PaaS) offering, which provides a programming platform, a deployment vehicle, and a runtime environment for cloud computing, hosted in Microsoft datacenters
Essentially Microsoft’s cloud OS, which provides abstractions and shields the complexities of implementing and managing collections of hardware, software, and instances
A Windows Azure service for executing application code based on a specified role: web role, worker role, or VM role
A service definition for deploying a VM with IIS 7 to host a web application
A service definition for deploying a VM without IIS to run application code in the background, similar to Windows processes, batch jobs, or scheduled tasks
A service definition for uploading a VM to the cloud (i.e. the Windows Azure Platform) to deploy an application with a custom or predictable runtime environment, provided as a last resort for addressing issues including:
A Windows Azure service for allocating persistent and durable storage accessible over HTTP/HTTPS (REST) and from .NET
Binary Large Object, for storing large data items such as text and binary data
Structured storage in the form of tables, which store data as collections of entities, for maintaining service state
A page BLOB formatted as a single-volume NTFS virtual hard drive, to be mounted within a Windows Azure role instance and accessed like a local drive
Non-persistent storage local to a role instance
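The storage entries above say the service is reached over REST. What that access control looks like on the wire is worth seeing, because the account key that authenticates those calls is entirely the consumer's to protect, which is exactly the kind of responsibility split discussed earlier. The following Python is an illustration added by the editor, not code from the original post or from Microsoft's SDK: it reimplements the documented Shared Key signature for service version 2009-09-19 (an HMAC-SHA256 over a canonicalized form of the request, keyed with the base64-decoded account key) together with the matching service-side check. The account name examplestore, the key, the URL and the dates are constructed sample values.

```python
"""Windows Azure Storage REST authentication: the Shared Key scheme.

Editor-added illustration (not code from the original post or from the
Microsoft SDK) of how a REST request to Windows Azure Storage is signed
and, on the service side, verified, following the documented Shared Key
scheme for service version 2009-09-19. The account name, key, URL and
headers below are constructed sample values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Standard headers that enter the string-to-sign, in the documented order.
# A header the request does not carry contributes an empty line.
# Content-Length is taken exactly as the caller will put it on the wire.
STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)


def canonicalized_headers(headers):
    """All x-ms-* headers: names lower-cased, sorted, one 'name:value\\n' each."""
    ms = {k.lower(): " ".join(v.split()) for k, v in headers.items()
          if k.lower().startswith("x-ms-")}
    return "".join(f"{name}:{ms[name]}\n" for name in sorted(ms))


def canonicalized_resource(account, url):
    """'/account/path' followed by each query parameter as '\\nname:value'
    (names lower-cased and sorted; multiple values sorted and comma-joined)."""
    parts = urlsplit(url)
    out = f"/{account}{parts.path}"
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(query, key=str.lower):
        out += f"\n{name.lower()}:{','.join(sorted(query[name]))}"
    return out


def string_to_sign(method, url, headers, account):
    """Build the exact text that both client and service feed to the HMAC."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [method.upper()] + [lower.get(h.lower(), "") for h in STANDARD_HEADERS]
    return ("\n".join(lines) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def sign_request(method, url, headers, account, account_key_b64):
    """Client side: return the Authorization header value for the request."""
    key = base64.b64decode(account_key_b64)   # the account key is handed out base64-encoded
    mac = hmac.new(key, string_to_sign(method, url, headers, account).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode('ascii')}"


def verify_request(method, url, headers, account, account_key_b64):
    """Service side: recompute the signature and compare in constant time.

    Any change to the method, path, query or x-ms-* headers (including
    x-ms-date, which the service also checks for freshness) alters the
    string-to-sign and therefore fails here.
    """
    presented = headers.get("Authorization", "")
    expected = sign_request(method, url, headers, account, account_key_b64)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample values; the key is not a real Windows Azure account key.
ACCOUNT = "examplestore"
ACCOUNT_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode("ascii")
SAMPLE_URL = f"https://{ACCOUNT}.blob.core.windows.net/mycontainer?restype=container&comp=list"
SAMPLE_HEADERS = {"x-ms-date": "Tue, 01 Nov 2011 12:00:00 GMT", "x-ms-version": "2009-09-19"}


def sample_exchange():
    """Sign the sample 'list blobs' request, then verify it and a tampered copy."""
    headers = dict(SAMPLE_HEADERS)
    headers["Authorization"] = sign_request("GET", SAMPLE_URL, headers, ACCOUNT, ACCOUNT_KEY_B64)
    genuine_ok = verify_request("GET", SAMPLE_URL, headers, ACCOUNT, ACCOUNT_KEY_B64)
    # Same Authorization header replayed against a different container must fail.
    tampered_url = SAMPLE_URL.replace("mycontainer", "othercontainer")
    tampered_ok = verify_request("GET", tampered_url, headers, ACCOUNT, ACCOUNT_KEY_B64)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_URL, SAMPLE_HEADERS, ACCOUNT))
    print(sample_exchange())
```

Two practical points follow from the shape of this scheme. First, whoever holds the account key can produce a valid signature for any operation on any blob, table or queue in the account, so the key deserves the same handling as an administrator password: it must not be embedded in client-side code or configuration that leaves the organisation's control, and it should be regenerated if it is ever exposed. Second, because x-ms-date is part of the signed material and the service rejects requests whose timestamp is too far from its own clock, a captured request cannot be replayed indefinitely, but it can be replayed within that window, which is one reason to keep the transport on HTTPS rather than HTTP.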
Owner of the datacenter, including hardware, software, and instances, and ultimately the brain of the cloud OS
A self-initialized application deployed in the root partition of a Windows Azure Compute node to form the fabric
A self-initialized application deployed in the base image of a Guest OS to form the fabric
A user interface to configure IPsec protected connections between computers or virtual machines (VMs) in an organization’s network, and roles running in Windows Azure
An add-on feature of a Windows Azure subscription that caches Windows Azure BLOBs and the static content output of Compute instances at Microsoft’s caching servers near where the content is most frequently accessed
A cloud-based relational database service with SQL Azure Reporting, a report generating service
Provides secure messaging and connectivity through firewalls, NAT gateways, and other problematic network boundaries, enabling distributed and disconnected applications in the cloud as well as hybrid applications spanning on-premises and the cloud
A hosted service providing federated authentication and rules-driven, claims-based authorization for REST Web services, integrating with Windows Identity Foundation (WIF) and identity providers such as Active Directory Federation Services (ADFS) v2
A subset of the on-premises distributed caching solution, Windows Server AppFabric Caching, for provisioning a cache in the cloud for use by ASP.NET or client applications
Capabilities similar to those of BizTalk for integrating Windows Azure Platform applications with existing LOB applications and databases and with third-party Software as a Service (SaaS) applications
For building applications as a composite of services in the cloud and on premises: components, web services, workflows, and existing applications
The first order of business in understanding cloud computing is to know what the term “service” means, since it has been used freely and extensively to explain cloud technologies. Service in the context of cloud computing means “capacity on demand,” or simply “on demand.” Notice that on-demand here also implies real-time response and ultimately anytime, anywhere, any-device accessibility. The idea is straightforward: as a service bell is rung, the requested resources are magically made available. So IT as a Service means IT on demand. It should now be apparent what news as a service, catering as a service, or simply my business as a service means, and we can clearly explain the three cloud computing delivery methods. SaaS means software on demand: an application is readily available to an (authorized) user. PaaS offers a programming environment (or platform) enabling the development and delivery of SaaS. IaaS empowers a user to provision infrastructure on demand, i.e. to deploy servers as virtual machines. Further, at the implementation level with current technologies, cloud computing presupposes that virtualization (namely an abstraction of the underlying complexities of topology, networking, monitoring, management, etc. away from the provided services) is in place, such that a user can consume or acquire SaaS, PaaS, and IaaS without the need to own and deploy the required hardware, reconfigure the cabling, and so on.
The term “cloud,” whether public, private, or anything in between, means the 5-3-2 principle of cloud computing (see above) is applicable. The 5 characteristics listed in the 5-3-2 principle are the criteria that differentiate a cloud application from a non-cloud application, and they also concisely outline the benefits of cloud computing. This recognition is the essence of cloud computing, and in my view much of the confusion in cloud computing discussions has been due to a lack of understanding of the 5-3-2 principle. For instance, many are confused about this and mistakenly consider remote access, or anything delivered via the Internet, to be cloud computing. That assumption is incorrect and inconclusive. My rule of thumb is that applications exhibiting the 5 characteristics are cloud applications and those that don’t are not. Above all, the 5-3-2 principle, or more specifically the NIST Definition of Cloud Computing, scopes the subject domain of cloud computing with current technologies and presents a definition that is structured, disciplined, and clear.
So public cloud is a cloud, and the 5-3-2 principle applies. The term “public,” in the context of cloud computing, refers to the Internet, general availability, and subscription where applicable. Windows Live and Hotmail, for example, are Microsoft SaaS offerings in the public cloud for consumers, while Office 365, Microsoft Online Services, and Microsoft Dynamics CRM Online are for businesses. They are all cloud applications because:
The 5 characteristics are exhibited vividly and unambiguously by the cloud applications mentioned above.
At the same time, private cloud is also a cloud, and it is dedicated, hence private, to an organization. As explained in Highly Virtualized Computing vs. Private Cloud, ubiquitous access and a pay-as-you-go model may not be essential in a private cloud. Still, the applicability of the 5-3-2 principle to all cloud applications, including private cloud, should be very clear here. So, for example, the reasoning to answer the following question is actually straightforward.
First, with the 5-3-2 principle, we can easily determine whether an application is a cloud application. Then the strategy is to discover which of the 5 characteristics are missing and how relevant they are to the business requirements. For instance:
It is certainly up to an organization to decide how critical the 5 characteristics are and whether all or only selected ones apply to a targeted delivery. The lesson here is not an academic debate over whether a particular feature like self-service should be a requirement of private cloud. The crucial element is to have a predictable way (namely the 5 characteristics) to identify what is relevant to business requirements.
One interesting observation about cloud computing is that many seem to have some understanding, yet few have a complete picture, since this is a subject touching very nearly every aspect of IT. Many can highlight some points of cloud computing, yet few have a structured and disciplined approach to explaining it, since cloud computing is a very complex proposition on both the business and the technical side. I believe a productive way to discuss cloud computing is to focus on the fundamentals and have a clear understanding of what cloud is about and why, before framing it with a particular business or implementation. Employ the 5-3-2 principle to organize the message and describe cloud computing in your own words. You will find that once you have grasped the concept, you can navigate a cloud computing conversation with clarity, substance, and productivity.