Cloud security case 2: BuildFax

Property history company layers monitoring and other security services on top of Amazon EC2 public cloud offering

For Joe Emison, vice president of R&D at BuildFax, scalability was the main motivator for moving the company's infrastructure to the cloud. But once there, Emison says, it quickly became apparent that IaaS was also a boon to security.

BuildFax is a leading provider of building-permit data and the only company to have consolidated this information in a national database. The database, which contains data on what BuildFax calls the life stories of buildings in 4,000-plus U.S. cities and counties, is used by insurance, financial-services, inspection and appraisal companies, and by buyers and sellers. Covering over 60 percent of U.S. commercial and residential buildings, the database contains over 6 billion data points that come from thousands of locations and are created in a variety of formats, which must be processed and turned into cohesive reports.


BuildFax provides history reports about properties, similar to what CarFax does for cars. That means the company has to take in data about properties, process it, make it easier to read and get it back out.

Two tasks made scalability a major concern, Emison says: delivering the reports and processing millions of records in batch mode. BuildFax first tried hosting the reporting server internally but soon moved to a colocated solution.


Processing was a tougher problem to solve, Emison says. The average processing load required just two to three dedicated servers, but for some queries that could shoot up to 200 to 250 servers. "We didn't want to buy 250 servers for an average workload of two to three servers," he says. "We were stacking up these jobs with five servers and just having to wait, but our real need was for on-demand computing resources."

So a little over two years ago, BuildFax turned to Amazon's Elastic Compute Cloud (EC2) IaaS solution, which allowed it to sometimes run 500 servers at a time. It wasn't long before BuildFax also moved its reporting functionality to the cloud. "We realized how immensely powerful the cloud could be to us," Emison says.

Not that EC2 provided everything that BuildFax needed. EC2 is a stable virtual hardware and operating-system platform, Emison says, but it does not include monitoring, alerts, automated backup and other infrastructure needs that BuildFax was unwilling to reinvent. For that, it turned to RightScale's cloud-management system, which provides those capabilities through a single console. The combination of RightScale and EC2, Emison says, has cut the time it takes to roll out new reporting features by 75 percent. Virtual machines can now be provisioned within five minutes, in any capacity or size. Because this happens without increasing operational and staffing costs, "we pay less in annual hosting than similar companies we know pay for batteries in the data center," Emison says.

The real benefit, he says, is the virtualization of the Linux servers. "We realized that when we thought of the RightScale console as our server, our actual servers are really software, running on the RightScale 'server,'" he says. This thinking has created unexpected security advantages, Emison says. Typically, you would have to think of all the different uses the server has and all the different people who need to access it. But with this setup, servers have just a single function and one access profile.

"The server is like a single application, so anyone who needs to interact with it has been given access at the administrative level. As a rule, we don't have separate security profiles," Emison says.

Another security attribute that Emison appreciates is Amazon's Elastic Block Store. In typical IaaS setups, you get a set amount of disk space with a server instance, and if you require more, you need to upgrade to a larger instance size. With Amazon, storage is resizable and persistent, and it can be attached to any Amazon instance, he says.

Emison acknowledges that because the BuildFax virtual machines share physical hardware with dozens of other virtual machines that belong to other companies, "we're relying on Amazon to set this up securely." But because he and Amazon both use Citrix's XenServer virtualization software, he understands how it works and is comfortable that the security is sufficient.

"I'm sure there are people who would not be comfortable with it, but I don't think there's a reasonable concern," he says.

At this point, BuildFax has nearly all its business operations running in the cloud. The one exception is Microsoft Exchange, which hasn't been moved because the company operates out of two locations and there is no secure way to connect two offices using Exchange through the cloud.

BuildFax does not run its credit card operations through Amazon, instead relying on an outsourced solution. "We didn't want to deal with PCI compliance at all," Emison says, although he notes that Amazon is now PCI Level 1 compliant.

In some ways, Emison says, the publicness of cloud computing has made him even more security-conscious than he was when his operations were in-house.

"When things were hosted in the office or even at a colocated data center, you were always behind some kind of firewall, so you could be kind of lazy about it," he says. "In the back of your mind, you'd think, 'Well, I'm not super public.'" In the cloud, on the other hand, "you're stepping into a more public sphere, so you're thinking, 'I really need to lock down access,' and the way RightScale and Amazon do that is, they make sure there are no open ports." Between BuildFax's single-function servers and isolated ports, Emison feels more secure than he would if the servers were in-house.

He does have one caveat: "You need a staff that's willing to experiment and learn new things. You'll only get maximum benefits, or even minimal benefits, of cloud if you're willing to think differently about your servers."

Copyright © 2011 IDG Communications, Inc.
