Cloud security 101: Start cramming now

People still come up to me claiming that cloud computing is nothing but network computing with a “10-dollar word” attached to it. They’re wrong, though: Cloud computing represents a fundamental shift in information technology, in myriad ways. If you’re a security admin — whether for applications or infrastructure — your job is going to change.

There will be internal (private) and external (public) clouds that you will have to deal with, but they are so much more complicated than the traditional terms — LAN, WAN, intranet, and extranet — can describe. For one, the term cloud denotes a fuzziness about where the application bits and data are hosted. This is not only because of the business requirement for fault-tolerance and performance (which means the application servers and data are usually hosted at multiple locations), but also because virtualization is becoming almost an essential component of cloud computing. 

[ Also on InfoWorld.com: The perils of patching in the cloud. | Get the no-nonsense explanations and advice you need to take real advantage of cloud computing in the InfoWorld editors’ 21-page Cloud Computing Deep Dive PDF special report. | Get your weekly dose of security and cloud computing essentials with InfoWorld’s Security Central newsletter and Cloud Computing Report. ]

In private clouds, advanced virtualization functionality is used to shift applications and data on the fly between various data centers depending on needs. Gotta patch a slew of servers? No problem. The virtualization software will (temporarily) shift the active sessions and data to nodes in another location. Involved in a disaster recovery scenario? Virtualization will ease the process of bringing up the apps and data in an area away from the disaster.

In public clouds, the issue of identifying where the application and data are stored is even more daunting. Often the cloud providers themselves don’t know where a particular app or dataset is located. How much more difficult is it to secure an asset when you don’t even know where it is located?

Further, in public clouds, the inherent characteristics of multi-tenancy (i.e. multiple, separate, customers) introduce risks that are not always present in private networks (although many companies are forced to deal with multi-tenancy even on their private networks). Cloud vendors must create functionality that separates each customer’s data, even as they exist on shared resources.

Cloud traffic control

As cloud computing matures, vendors are being forced to create processes to track an individual customer’s data, using homegrown methods of data tagging. Some customers need to know where their data is physically located. Some customers can’t send their data outside their home country, and others can’t do so without ensuring additional mitigations are present. Again, this problem can be more difficult because often the cloud provider doesn’t really know where the data is in the cloud, especially as virtualization automatically shunts loads back and forth between different data centers.

If encryption is also required, data tagging becomes more difficult to accomplish without creating new side channel attacks. Data tagging requires the creation of (unencrypted) data indexes that are useful enough to find the encrypted data but not so transparent that they reveal too much information (which has always been one of the main challenges in enterprise encryption). And as I’ve often stated before in this column, virtualization adds additional security risks that are not present in physical systems, including guest-to-guest and guest-to-host vulnerabilities.

A lack of good SLAs (service-level agreements) and security policies runs pretty rampant throughout the cloud industry right now. You’ve got a few major players offering performance and availability commitments, but they often don’t share their internal security policies (e.g. how often they patch the underlying host systems, whether customers will be informed of known security vulnerabilities, what internal security policies they have in place, etc.). If the vendor allows old and unpatched software on their internal company’s network, that can impact the security of the cloud service (one example being the Chinese Google hack). Have the cloud vendors done thorough security review and vulnerability testing on their clouds? Are they sure one tenant can’t see another tenant’s offered resources? Several recent studies show that it might not be all that difficult for one tenant to encroach on another’s resources, using newer angles of attack that we haven’t previously faced.

Application risks have always been the hardest piece of the computer security puzzle to solve. If your company uses public cloud applications, how well does the cloud vendor review its own applications? What are the business rules and logic? Is the application susceptible to cross-site scripting attacks, SQL injection, buffer overflows, etc.? If the vendor says, “Yes, we do all the right security things,” do they share the review results or even the processes used to evaluate the cloud? I’m not sure you’ll find many, if any, cloud providers that are willing to share their internal processes (unless you are a customer with significant buying power).

Choice cloud resources There are numerous primers available to help technologists get up to speed on cloud technology and security. The two best books I can recommend are both published by O’Reilly. The first is “Cloud Application Architectures” by George Reese (ISBN 978-0-596-15636-7). It’s a good primer, although the only real-life cloud example it focuses on is Amazon’s cloud services. (The book was published before Microsoft’s Windows Azure release.) The second book, which I like even better, is “Cloud Security and Privacy” by Mather, Kumaraswamy, and Latif (ISBN 978-0-596-802769). It codifies the different cloud architectures (software-as-a-service, infrastructure, and so on) better than any other source I’ve read and focuses on cloud security basics.

There are hundreds of cloud-related websites. NIST’s cloud section is a great place to quickly get up to speed on cloud terminology without reading a book. The Cloud Security Alliance site represents a good collection point for enterprise-level cloud-related security. Look under the New Research section. Also, Black Hat has an interesting webcast on cloud attacks, called Chewing the Cloud: Attacking Cloud-Based Services.

Of course, it never hurts to read information from some of the world’s leading cloud providers. I’d start with Amazon’s Elastic Compute Cloud, Microsoft’s Azure, VMware, and Salesforce.com. Salesforce.com is probably the world’s leading SaaS (software as-a service) provider, whereas the others are platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) vendors.

Our future world will be one of multiple clouds, both private and public. A significant part of the cloud security challenge will be getting those clouds to talk to each other, to allow users (and cloud services themselves) in one cloud to access resources and services in other clouds. It is likely that multiple “sub-clouds” will create larger, more feature-rich aggregated cloud services. Think of it like object-oriented programming but on a grander scale. I only hope that we’ll end up with one or very few open cloud-integrating authentication protocols instead of a myriad of competing “standards” as often happens without cooperation (e.g. see all the Linux distributions).

It can’t hurt to take a look at OpenID, oAuth, and Microsoft’s Geneva projects to get a sense of how it will all come together. The latter choice (I’m a Microsoft employee) is included as an example of how private networks can be integrated with cloud services using multiple methods (e.g. gateways, services, etc.). I encourage you to read through the five-part Geneva series, because just understanding the basic framework of how it might work in the future will make you a better technician. Even if Microsoft is not in your cloud picture, your future network is likely to look similar to one of those authentication designs.

For a multitude of reasons, cloud security is changing our jobs. In the computer world, and even more so in the computer security field, you are only as good as your knowledge from the past two years. If you think cloud computing is going away or is not going to change your job much, you’re going to end up like those Cobol programmers who either find the company that isn’t moving forward, retire early, or have to travel the world to make decent money. If you’re not researching cloud security, you should be.

This story, “Cloud security 101: Start cramming now,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.