December 12, 2008

Cloud Security, commentary on a GigaOm article…


Alistair over at GigaOm penned an interesting piece on the role of security in the cloud. Alistair raises some interesting points: that since there are fewer humans involved in cloud architectures, processes are more stringent, and that because it is not your own employees running them, these architectures can be trusted more implicitly. I would say 'I agree IF…' (big IF)...

- What are the security policies, processes, guidelines, within the cloud?
- Who will have access to my data, is it encrypted at rest and on the fly?
- Who owns the encryption key for the PKI infrastructure that better be there to encrypt/decrypt my data?
- Who can see the logs of where accesses are coming from into my ‘infrastructure’?  Can I?
- What mechanisms of segmentation are used between tenants in any location where multi-tenancy exists?
- How far 'down' are these tenants shielded from each other? Data plane separation at the data link layer (VLANs)? Or something more elegant at L2, L3, and on the control planes of the devices?
- Is the security policy protecting my workloads auditable?
- Is the policy protecting my workload consistent with my IT department's requirements, or tuned for the application?
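The second and third questions above (is the data encrypted at rest, and who owns the key) have a concrete technical answer: the customer can encrypt each object with a per-object data key before upload and wrap that data key under a master key that never leaves the customer's side, so the provider stores only ciphertext plus a wrapped key. The Go program below is an added example written for this page, not code from the post, GigaOm, or any provider; it uses only the standard library's AES-GCM. The names (`StoredObject`, `Encrypt`, `Decrypt`), the choice to bind the object path as additional authenticated data, and the sample record are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the provider holds for one object: the AES-GCM
// ciphertext and the per-object data key wrapped under the customer's master
// key. The master key is never uploaded, so the provider cannot decrypt alone.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedKey []byte
}

// NewMasterKey generates a 256-bit key that the customer keeps on its own side.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// unseal authenticates and decrypts; any mismatch in key, nonce, aad or
// ciphertext fails closed instead of returning garbage.
func unseal(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt runs on the customer side before upload: a random data key encrypts
// the object, the master key wraps the data key, and objectID is bound as
// additional authenticated data so a ciphertext cannot be silently moved to a
// different object path (or tenant) without detection.
func Encrypt(masterKey, plaintext []byte, objectID string) (StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(masterKey, dataKey, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the data key with the master key, then opens the object.
func Decrypt(masterKey []byte, obj StoredObject, objectID string) ([]byte, error) {
	dataKey, err := unseal(masterKey, obj.WrapNonce, obj.WrappedKey, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	masterKey, err := NewMasterKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for whatever the tenant uploads.
	obj, err := Encrypt(masterKey, []byte("tenant-A payroll record"), "tenant-A/payroll.csv")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(masterKey, obj, "tenant-A/payroll.csv")
	fmt.Printf("customer round trip: %q (err=%v)\n", pt, err)
	// The provider holds obj but not masterKey; a guessed key fails authentication.
	_, err = Decrypt(make([]byte, 32), obj, "tenant-A/payroll.csv")
	fmt.Println("provider with wrong key:", err)
}
```

The point of the split between data key and master key is operational: the provider can replicate, back up and serve `StoredObject` freely, while the answer to "who owns the key" stays with the customer, and rotating the master key means re-wrapping small data keys rather than re-encrypting every object.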

Couple all of this with the want, need, and desire for portable workloads across autonomous systems, and you have a set of questions that, if answered well, will increase the value of the cloud to potential customers, but if not addressed, and visibly addressed, will continue to inhibit the adoption of cloud services by the more cautious customer sets.

dg

Posted by Douglas Gourlay at 01:31PM PST

Tags: cloud computing data infrastructure it security

4 Comments

Rodos Dec 12, 2008

Douglas, do you think providers should publish audits of security reviews that cover these items? What can providers do to give the confidence required?

Roland Dobbins Dec 13, 2008

As you indicate, existing Best Current Practices (BCPs) for hosts, OSes, applications, and network infrastructure cover cloud computing models, just as they do non-cloud models. In a cloud infrastructure, organizations are much more likely to benefit from the implementation of these BCPs by default at the infrastructure level, simply as a self-defense measure by cloud providers in order to keep cloud customer #1 from interfering with cloud customer #2, or external attackers from interfering with either (same as in current non-cloud deployments).

There’s no call to devise or invent any new or unique security mechanisms, processes, or procedures for cloud computing; simply the need, extant already for non-cloud systems, to implement the requisite BCPs to ensure confidentiality, integrity, and availability. On the regulatory/legislative/compliance front, there certainly is a need for additional clarification and understanding, mainly effort to educate and ensure that implementors and auditors understand that the same principles apply in the cloud, and how they apply. As you’ve alluded to in previous posts, questions of jurisdiction must be sorted; the reality is that these matters are very much subject to interpretation today, it’s just that the cloud paradigm brings them to the forefront of consciousness.

Christofer Hoff Dec 18, 2008

I’d really like to see proof points that there are “less humans” involved in Cloud architectures.  It’s a “squeezing the balloon problem,” the workforce/labor pool simply shifts.

Automation is still not currently at levels that allows for the sort of self-governing architecture…yet.

Further, many of Alistair’s examples cited as sources for his statistics are years out of date.

I talk about this scale/eyeball issue in my response to Alistair’s post here:

http://rationalsecurity.typepad.com/blog/2008/12/alistair-croll-on-cloud-security-the-sky-is-falling-and-apparently-logicfacts-are-too.html

/Hoff

Rizwan Ahmad Feb 12, 2009

This all has been said by Gartner.
