Cloud security case 3: Inavero

Small research firm meets different security challenges in different cloud models

By now, many people understand that the cloud is not one thing but a variety of possible architectures and options. Nathan Goff, operations director and partner at Inavero, can attest to the truth of that. Goff is using a wide range of cloud offerings from Rackspace, including its IaaS, platform-as-a-service (PaaS) and managed-host offerings.

Inavero is a research firm that provides satisfaction surveys and real-time online reporting for professional-services firms.

One of Inavero's key challenges is the huge peaks and valleys of survey traffic. "When we send out invitations, we might get hit with 5,000 to 10,000 people at once," Goff says. "It took our system down a couple of times, and we realized that couldn't happen again." But with just 10 people at the company, Inavero could not manage these peak loads on its own.

It began testing Rackspace's Cloud Server offering and soon turned nearly its entire technology platform over to the cloud, minus a couple of file-sharing servers and a virtual machine that does browser testing.

"It made sense, given our size, and we wanted a portable workforce that could be home or in a coffee shop and operate the business without missing a beat," Goff says.

Inavero's operations make use of a range of Rackspace offerings:

PaaS: Inavero uses Rackspace's Cloud Site for its Web applications, such as its blog, its surveys and a dashboard that shows clients their survey results in real time. The platform is utility-based, enabling Inavero to add and subtract capacity as needed and pay for only what it uses. "We have [SSH] FTP access and send our PHP code to the site, but we don't have any server control," Goff explains. These servers are essentially containers that hold PHP apps and scale up and down automatically.

IaaS: For its Java applications, Goff uses Rackspace's Cloud Server offering, which is a set of virtual Linux servers that he can manage. These servers run the development environment, bug-tracking system, reporting engine and other back-end functions. "I can log in and manage these just like a real piece of dedicated hardware, but it's virtual, so it's sitting on some sort of cluster of real hardware," he says.

Managed servers: Goff moved to Rackspace's traditional, nonvirtual managed server offering for its bulk e-mail and database. He tried to run both on Cloud Server, but for these heavy input/output applications, "it was not an ideal situation," he says. He could have added more resources to the Cloud Server, "but it was cheaper and a better situation to move to dedicated hardware for these applications that read and write heavily to disk," he says.

The security issues vary by platform. With Rackspace's Cloud Site, security is completely hands-off. So far, Goff says, there has been one intrusion into the company's blog platform, which Rackspace detected and provided specific instructions for resolving. Because hardware is shared, he says, "most of our really secure, private data is housed on our dedicated piece of hardware, where no one could access it but us." Data captured on Cloud Site is stored on the managed server.

"There are some things on Cloud Sites that I wouldn't trust because the environment is truly shared," he says. He has also experienced performance degradation due to other companies' applications consuming a lot of resources.

On Cloud Server, it is up to Inavero's staff to patch operating systems and manage firewalls, access control and intrusion detection. Rackspace does offer a service that performs these functions, which Goff considers from time to time, "but it would be a lot more money," he says. All in all, he says he feels a lot safer on Cloud Server because he has complete control.

"Even though the physical infrastructure is managed by someone else, I know the data is encrypted, and I can control it. It doesn't feel any less safe than if it were on a server sitting back here in my office," he says.

The Cloud Server offering has endured one outage, he says, during a denial-of-service attack, which got in the way of clients accessing their real-time dashboards. "It wouldn't be bad to have the ability to spin up another server that was physically not in the same location," Goff says, whether at Rackspace or another provider.

On the dedicated server, Goff's team has root-level access, but security is handled by Rackspace, which issues alerts down to the application level. "If it went down, they would be notified, along with us," he says. "In some ways it's a shared responsibility, but they're responsible for the core operating system, physical hardware, network and security."

Rackspace offers the ability to implement a VPN to connect these offerings, but so far, Goff has not done this. "It would add an additional level of security because we could move data from the cloud to our dedicated servers, and it would only pass through a secure, encrypted network."

Copyright © 2011 IDG Communications, Inc.
