The Crux of Pervasive Cloud Security
In my previous blogging, I’ve noted how customers have been very clear in our market research on their concerns around cloud, and security is top of that list When I first became involved in Cloud Computing, as part of my role in Cisco Services product management defining our Cisco Cloud Enablement Services, you couldn’t read an article on cloud with our hearing about “security” as one of the major issues, if not indeed the major issue, for cloud. What I noticed was that many of these articles talked about cloud security as a major challenge to cloud adoption (which it is), and some would talk about point solutions to specific problems. However, most didn’t say much from a holistic perspective on how to address the challenges of cloud security. Thankfully, since then, organizations including Cisco Services’ security consultants and industry forums such as the Cloud Security Alliance have put some meat on the bones, so to speak. So in this blog, I will give you a brief introduction to the approach our experts in Cisco Services take to ensure cloud security, and I’ll also point you to a free Cisco introductory paper on this topic.
The first customer meeting I attended on cloud computing last year still sticks in my mind. It was a summer’s day when we hosted a major European service provider in Cisco’s office in London. As can happen when you go into a situation for the first time, I had my own thoughts on what issues the customer would raise. And as usual for first time experiences, the outcome was different to my initial expectations. I came home with 3 key messages: multitenancy, multitenancy and multitenancy: the customer’s over-riding concerns centered on the security, performance and verification of multitenant cloud architectures.
The concern was easy to understand – this cloud provider – as are others who plan to share infrastructure with other organizations in a multitenant environment – is concerned about how one end customer, who, knowingly or unknowingly, introduces a security threat that impacts another end customer. Thankfully we’ve developed solutions for this – for example the Cisco, VMWare and NetApp Secure Multitenant architecture. (The Radiant Communications Secure Multitenancy case study is an excellent example of the credibility of this architecture). However this alone doesn’t address the range of security challenges that can impact cloud computing deployments. This is why in Cisco Services we’ve taken a pervasive approach to cloud security in the Cisco Cloud Enablement Services.
Cisco’s approach is to build security into a cloud deployment from day 1, taking an architectural approach, ensuring that both visibility measures and security controls are built in where appropriate. It’s not sufficient to stop after you’ve implemented security in specific applications – so for example, an email scanner is necessary but insufficient. A pervasive approach is required.
Our experience in Cisco Services from the current cloud computing deployments shows that each cloud environment will have potentially unique security concerns. That’s why we recommend appropriate security audits and governance process improvements in advance of devising your architecture, so that we can spot any specific security risks in your cloud plans. At a very high level, we see 3 areas of potential risk, depending upon your cloud plans: risks and threats that may still exist in your current data center (assuming this is part of your basis for cloud), risks in your planned cloud architecture, and also (and often overlooked), risks and threats that can manifest during your migration process. So we recommend you look at overall cloud governance, risk and compliance, current and planned security architecture, and migration process security risks.
Going back to my headline – what really is the crux of cloud security? It’s about taking a pervasive approach, at all levels of your architecture and interfaces. It’s about dealing with the security implications of multi-tenancy, which so happens to be, in my opinion at least where Cisco’s capabilities really differentiates against the competition. And it’s more besides these.
You can read more about our approach in the introductory security article, Pervasive Security Answers Cloud Worries. Here you can learn more about the security framework for pervasive cloud security practiced by the cloud security consultants in Cisco Services. And watch out for future, more detailed content from the cloud security experts in Cisco Services.