Is cloud security really different than data center security?

October 30, 2009

Is cloud security really different than data center security?

Almost every conversation I have had over the past year or so always comes back to security in the cloud.  Is it really secure? Or we are thinking about implementing the cloud but we are worried about security.  There are, of course, good reasons to plan a cloud security strategy. But in a sense, it is no different than planning a security strategy for your company. But it is the big scary cloud! Well, before I list the top then issues I would like to say one thing: if you think you need an entirely different security strategy for the cloud, you may not have a comprehensive security strategy to start with.  Yes, you have to make sure that you cloud provider has a sophisticated approach to security. However, what about your Internet service provider? What about the level of security within your own IT department? Can you throw stones if you live in a glass house (yes, that is a pun…sorry)?  So, before you start fretting about security in the cloud, get your own house in order.  Do you have an identity management plan? Do you ensure that one individual within the data center can’t control all of the data within a single environment to minimize risks? If you don’t have a well executed internal security plan, you aren’t ready for the cloud.  But let’s say that you have fixed that problem and you are ready to really plan your cloud security strategy. So, here five of the issues to consider. If you have others, let’s start a conversation.

1. You need to start at the beginning with understanding the characteristics of your cloud provider. Is the company well funded? Is its data center designed with security at the center? Your level of scrutiny will also depend on how you are using the cloud. If you are using Infrastructure as a Service for a short term project there is less risk than if you are planning to use a cloud to store important customer data.

2. How is your cloud provider implementing security in a multi-tenant environment? How do they ensure that one customer’s data doesn’t impact another customer’s data?

3. Does your cloud provider give you the ability to monitor security of your data in the cloud? This will be important both for compliance and to keep track of your own security policies.

4. Does your cloud provider encrypt your critical data? If not, why not?

5. Does your cloud provider give you the ability to control who is allowed to access your information based on roles and authorization? Does the cloud provider support federated identity management? This is basic security best practices.

Now you are probably saying to yourself that this isn’t rocket science. These are fundamental security approaches that any data center should follow. I recommend that you take a look at a great document published by the Cloud Security Alliance that details many of the key issues surrounding security in the cloud. So, I guess my principle message is that cloud security is not different than security in any data center.  But the market does not seem to understand this because the perception is that a cloud is somehow not a data center that can be secured with regular old security. I think that we will see something interesting happen because of this perception: cloud vendors will begin to charge a premium for really good security.  In fact, this is already happening.  Vendors like Amazon and Salesforce are offering segregated implementations of their environments to customers who don’t trust their ordinary security approaches.  This will work in the short term primarily because during this early phase of the cloud there is not enough focus on security. Long term, as the market matures, cloud vendors will have to demonstrate their ability to provide a secure environment based on basic security best practices. In the meantime, cloud vendors will rake in the cash for premium secure cloud services.

About Judith Hurwitz

Judith Hurwitz is an author, speaker and business technology consultant with decades of experience.

  1. I think a questionnaire will be very useful.

  2. At future CSA Security Guidance, there will be summary description on security considerations under IAAS/PAAS/SAAS scenario. Yes, that’s a very long questionnaire you should finish before you make your decision to move to public cloud. However, some of them are similar to the traditional vendor/outsourcing evaluation. Personally, I think the key points are control and accountability.

  3. Datacenter security and Network security are entirely different things. In the case of Cloud Computing (as it is defined at the moment) you have to trust your Cloud provider to handle both. In the case of datacenter physical security it is in the provider’s best interest to have a secure facility. In the case of an “EDDoS” scenario one could argue it is NOT in the provider’s economic best interest to block an attack. Traffic equals client scaling, which equals more revenue for the provider. So long as the traffic is not overwhelming the shared resources (bandwidth, routers, the larger server pool, other clients, etc.) why should the cloud provider make any attempt to filter it?

  4. You make a good point. In order to avoid this situation you need to have a very well designed security infrastructure. It is no different than what you should prepare for with your own data center environment

  5. 9. How does your cloud provider differentiate between legitimate traffic, and an attempt to economically DDoS attack your cloud instance(s)?

    Let’s say somebody (disgruntled ex-employee, a competitor, or just some random human) decides to point a huge botnet of hosts at your cloud based app. (if they are smart they’ll slowly ramp up traffic rather than hit you a tsunami) Traffic looks legit, but doesn’t do anything besides chew up compute cycles. Your provider auto-scales your resources as designed. Meanwhile your real costs just go up and up. Soon you are paying huge invoices to your cloud provider and getting nothing in return as revenue.

  6. These are great addition! Thanks for adding to the conversation.

  7. 6. When you delete something in the cloud, is it REALLY gone?

    7. When your cloud presence scales down from a scale up, is your data scoured as it retreats? Apply the same question to data that is geographically diverse as well.

    8. When you close your account with a cloud provider, how do you CONFIRM your data has been deleted from their systems?

    The answer to all these questions is you’ll never really know. You’ll have to trust the provider. Or just build/deploy a private cloud.

Leave a Reply

Your email address will not be published.