When it comes to cloud security, many times I have heard people simply claim it is not secure, yet fail to give specifics. Consequently, all too often a cloud security discussion soon turns into a religious or linguistic debate instead of focusing on what the concerns are and how to address them. Another interesting observation is that an assumption seems to be fundamentally in place: if it is not compliant, it is not secure. That assumption is incorrect, as explained later. This blog examines a few important concepts and strategies to better understand how to approach cloud security in general.

Compliance vs. Security

In cloud computing, we must recognize that security and compliance are two separate topics, and one does not necessarily follow from the other. There are some scenarios in which cloud computing perhaps cannot become directly compliant, due to an inability to provide all required security specifics. This, however, does not necessarily suggest cloud computing is not secure. For instance, a customer may demand an affinity, or some predictability, between an application and the physical server that the application is running upon. This is a fundamental disruption in cloud computing. Notice that one of the 5 characteristics of cloud computing is resource pooling, so that resources can be identified, allocated, monitored, managed, and de-allocated dynamically and on demand while providing high availability and location transparency of service instances, which is a necessary condition for offering elasticity (also one of the 5 characteristics) with current technologies. Resource pooling means that the server on which a cloud application instance will run is determined by the availability of a targeted resource in an intended pool at the time of allocation. Specifying on which servers an application can run will abolish the ability to sustain high availability and on-demand capacity of a running instance. By default, cloud computing cannot and should not offer affinity between hardware and a running instance. Does this mean cloud computing is not secure? The answer is “Huh?” since compliance and security are here two different matters.

Context and Scenario

Cloud is a broad topic and adds a few layers of abstraction, so be specific about the topic under examination. Reference the 5-3-2 principle and consider separation of responsibilities to set the context and describe the scenario in which you believe security may be an issue.

  • Specifically, what or which layers/functions/processes/operations in cloud computing are in question? And how can it happen? 
  • Based on separation of responsibilities, is a consumer/subscriber or a cloud service provider responsible for what is in question?
  • Is the security concern introduced specifically by cloud computing, or does it apply to on-premises computing as well?

One should first answer the above questions to make certain an issue is relevant specifically to cloud computing and to establish whether a consumer or a service provider is responsible. If it is not cloud computing specific, it should not be discussed as a cloud computing issue. The abstractions of cloud computing all too often confuse people and complicate an issue further. If one is able to discover what it is, how it can happen, who is responsible, and whether it is a cloud-specific issue, there is a great opportunity that a solution will surface itself.

Notice that a key enabler of cloud computing is virtualization, and cloud security is conceptually not that much different from security considerations for virtualization and on-premises computing in general. There are various layers in cloud computing, as highlighted in the schematic on the left, and defense in depth is directly applicable and a best practice. In on-premises computing, corporate IT has control over all layers. In cloud computing, depending on the delivery method and deployment model, there is a separation of responsibilities between a service provider and consumers, and resources under certain layers are owned and managed by a service provider.

For instance, a service provider will manage all layers in SaaS. A user does not need to know where and how the system is maintained and managed, and needs only the URL of the subscribed service and an authorized account to use the service. Microsoft Office 365 and Online Services are SaaS offerings. Both offer customers enterprise email, collaboration, and unified communications capabilities without the need to own IT infrastructure, which encompasses all layers as shown. This also means a subscriber will have no control over any layer.

Meanwhile, in PaaS a user will have control over the Applications and Data layers, but not those below. Microsoft Windows Azure is a PaaS example. It provides an environment for development, deployment, and management, and enables IT to code/test/publish/manage a cloud application delivered with SaaS in public cloud. It is a very powerful, efficient, and strategic platform on which cloud applications can be developed, deployed, and managed with high transparency to on-premises establishments over IPSec connectivity. The IPSec connectivity can be easily achieved upon the availability of Windows Azure Connect.

In IaaS, layers above virtualization are managed by a subscriber. Namely, a customer now has the responsibility to harden and patch the OS as well as all applications and services running in a virtual machine deployed by IaaS. Microsoft’s IaaS solutions are focused much on private cloud. For many, the concept of IaaS remains a bit remote and foreign. The good news is that with the upcoming release of System Center 2012, building and deploying a private cloud will be a relatively straightforward and easy process. Expect a few of my upcoming blogs to examine some of the key concepts of Windows Azure Connect and System Center 2012.

It’s About Trust

Either on premises or in cloud, at some point you just have to start trusting whoever is going to provide the service. If one thinks about it deeply enough, it should become apparent that trust is one of the root issues in cloud security. Will you trust someone to keep your data? No? Look around and think again. We all have in fact already been trusting many others in carrying out our everyday business. We trust our Exchange admins, whoever they are, to run our email and inspect our inboxes with or without notice, our internet service provider to route our messages and connect us with customers and partners, couriers to deliver our confidential packages among branch offices, etc. Hosting applications and data is certainly serious and critical to business. However, not all data are confidential and must be kept in a vault guarded only by employees. What needs to happen first is to examine data relevant to the business and identify those which absolutely cannot be off premises. Then assess whether it makes sense to go to cloud with those data that can basically be outsourced.

From a cloud computing consumer’s point of view, in addition to establishing best practices for those resources within one’s control, the ultimate questions are the trustworthiness of a service provider and whether a consumer can trust someone else to host one’s data, application, and infrastructure, as applicable. This question is rudimentary and a key concept towards employing IT as a service.