Pragmatic Insights into Pervasive Cloud Security – And a White Paper for you
Clouds were definitely on my mind this Monday just past (if you can forgive the pun! 🙂 ) I was cycling a stage of the Deloitte Ride Across Britain with a team of Cisco cyclists, to raise money for the ParalympicsGB charity to help paralympians attend the London 2012 Olympics. At 7am on Monday, we left Fort William in the highlands of Scotland and cycled up (literally!) into the clouds through the Glencoe Mountains at the start of the 122 mile stage to Glasgow. As you can see from the picture, we even brought our Cisco “NOW” Van – our Network On Wheels – to provide network access for the participants! It reminded me it was time to write my next blog around Cisco Cloud Enablement Services.
As a follow up on my previous blog on Pervasive Cloud Security, I recently sat down with Rik Herlaar, from our Cisco Data Center Services team. Rik is a Solutions Architect who has been involved in several large scale cloud computing design projects with some large customers. I was keen to hear from Rik on his thoughts and hands-on experiences on the topic of cloud security. I’ll relay some of his practical insights to you in this blog and also point you to a new Cisco Services white paper on cloud security, that expands on our original overview document you may have read already.
Cloud security has been highlighted in multiple surveys as being one of the major barriers to adoption for many organisations considering cloud computing. I discussed our own customer survey in one of my previous blogs. We all hear from time to time – arguably too often – about security breaches in IT – for example the recently publicised Sony Playstation credit card data theft has attracted much commentary.
What then do we in Cisco Services hear from our customers considering use of cloud services, with respect to security? Let me relate this in two sections: first some of the headline concerns, and then some pragmatic advice from one of our Cisco Services solutions architects.
Arguably the top concern is around loss of visibility and control – including access to, and control of, sensitive and/or confidential data, and exploitation of remote access vulnerabilities to gain access to protected data. Organizations are (rightly) concerned that their data could be stolen by hackers or disgruntled employees, mixed up with data from their cloud providers’ other customers, released by mistake, or just plain lost! Lost laptops and memory sticks seem all too commonplace! Any of the above would expose organizations to public embarrassment and/or lawsuits. Additionally, the time and expense of cleaning data and undoing other damage such as legal action can be substantial.
Further, there are concerns around how local laws and regulations apply to cloud computing, especially among multinational companies. Organizations need to be knowledgeable about local laws that restrict the storage of customer and employee data, or that open their data to government subpoenas and searches, potentially affecting their ability to adopt cloud computing. For example, European companies need to understand how they could violate EU regulations, or come under the jurisdiction of another country’s laws, if they use, for example, US cloud service providers or European providers that move data to a server in the US.
The list goes on: loss of service – for example if a denial of service attack impacts access to key applications in the cloud; information security – both for data as transmitted and when stored; compliance requirements – for example PCI and HIPAA compliance; insecure or incomplete data deletion – data not fully wiped out when requested; and finally multi-tenancy brings its own set of security implications and opportunities which I discussed in more detail in my previous cloud security blog.
So what can you do about these concerns? And how can Cisco Services help you avoid these issues? Let’s consider some of the pragmatic advice from one of our Cloud Solutions Architects, Rik Herlaar. Rik asserts that security should be seen in a broader sense. For example, your cloud security strategy should encompass a spectrum, from authentication and access control to the availability of your service.
Access control is not just an issue for public cloud. Even for internal private cloud, companies have to be concerned about the potential impacts of disgruntled employees. And more challenges exist for the public cloud, with public access, which requires additional lines of defence – as the Sony Playstation case illustrates.
Rik is also a champion of one of my favourite approaches to many tasks: “Don’t forget about the basics”. Some basic aspects, from Rik’s perspective, are careful resource allocation strategies and solid change management practices.
“While some would advocate using VRF and VLANs to impose security controls, it should be noted that VRFs and VLANs are an expensive and finite resource. These can be the most costly assets in a cloud data center – so you need to be careful how you manage usage of these for security purposes, especially for low touch high volume residential subscribers”. According to Rik, “Current best practices – firewalls, intrusion detection and prevention devices – are key security design considerations for your public access. And we should underplay the dangers of mis-configuration, an all-too-common occurrence that can open up security gaps. As well as the more advanced techniques, let’s not forget about more fundamental techniques – including for example, audit trails, configuration archiving and rollback capabilities – these are all tools you should employ for your cloud’s defence.”
While there are advanced techniques, frameworks and products, Rik maintains that “It’s not all about just because you can….” – in other words, think pragmatically about your range of customer requirements, their differing SLA needs, and what you can do versus what you should do to further increase security of your cloud environment.
Sharing of hardware between tenants – multi-tenancy – is now a clear requirement. But Rik’s experience indicates that for your most important customers, you may still want to consider at least some elements of separate infrastructure, in order to further enhance the benefits you would gain from a secure multi-tenant solution. Perhaps it will give you a more secure solution if you consider one set of infrastructure for these more important customers, separate from that for your high volume public cloud services. “Be careful of ‘shared nothing’ to ‘shared everything’ … there is a middle ground. It’s all about how do you design for the varying requirements of your different customers and stakeholders”, says Rik. And in any case, you will more than likely need higher performance infrastructure for your most important customers or internal applications.
Building upon our customer concerns, our internal intellectual property and pragmatic customer experiences, Cisco Services has developed what we call the pervasive cloud security control framework. This framework helps ensure total visibility and active control in the architecture, design, and implementation of secure systems. For visibility, it helps identify, monitor and correlate threats, and for control, this framework ensures your cloud is hardened, and that isolation, enforcement and governance policies are developed to meet your specific cloud security requirements and challenges. You can read about this in more detail in our latest Cisco Services paper Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services. And for more information on Cisco Services for cloud, see Cisco Cloud Enablement Services.
I’ll finish by turning the floor over to you. Feel free to get in touch and leave some comments on what you see are the biggest challenges you face with securing your cloud. And if you need assistance, Cisco Services and our team of experts, who have been leading the way in large scale cloud deployments, are available to complement your own team’s expertise. Thanks!