Category Archives: Security

30 APR 2013

Disruptive Innovation & Supply Side Disintermediation

- Head of Enterprise Strategy

The term ‘cloud’ in isolation of context has often had its meaning imaginatively exploited either by those with a vested interest in doing so, or through lack of understanding, or both. It appears the buzzword of ‘cloud fatigue’ has now entered into the lexicon!

In the previous post, the intersection of technology drivers was noted as creating transformative new opportunities for businesses. The mobile device has become the primary form factor and information distribution point, and is becoming wearable and embedded (Pervasive Mobility). Then there is an upheaval in social and marketing interaction of connected communities, and the concept of the digital persona which can be marketed and sold to by those willing to exploit algorithms which mine our interactions (Social). Add to this the explosion of data and emerging analytics tools which provide the opportunity to tie relevance and context to user information and data (Information). The public cloud as the fourth pillar, offers the promise of mass scale, elastic delivery of IT resources, consumed on demand. Cloud enables the delivery of information, and allows the other drivers to evolve.

Cloud, and specifically the software that controls it, disintermediates users from the underlying technology. Open Source tools and software frameworks have had a democratizing effect on both consumers and users of technology. Disruption is occurring on both the supply and demand side: the value chain is shifting, and new business models are emerging resulting in value creation, and value destruction.

Using servers as an example, the data centre has already been commoditized. The hyper-scale web providers bypassed the leading traditional vendors in favour of ‘white boxes’: low cost, stripped-down hardware, often with directly sourced processors, customizable to match their own customer workloads, and orchestrated and managed with their own proprietary software. Open Compute plans to take this a stage further by standardizing specifications for ‘vanity free’ hardware based on interchangeable components, with the aim of further reducing cost and waste at the hardware layer and creating a foundation for customers and businesses to build custom and modular servers. Many of those traditional vendors have been hit hard, with value and share shifting to the thriving ODMs.

Open Source technology has also evolved and matured over recent years, and is being increasingly used as a tool to drive disintermediation and alternative business models. If we look at Open Source clouds, storage or networks, for example, we see the development of a “mixed source” ecosystem to maximise product distribution and ecosystem development on the back of the primary ‘for free’ software. Primary contributors hope for related increased commercial activity in adjacent areas, for example, servers, hypervisors, and support services. Other models include dual licencing, open and closed source offerings with full support, or discrete commercial packages available as-a-Service for white label distribution by a Service Provider. What we are seeing is a maturity of business models within and around Open Source, and importantly, increased comfort within the developer community, where the current generation is provided with (and expect) excellent tools, documentation, tutorials and support.

If we extend these concepts further to the latest buzzwords – Software Defined Networking (SDN) and the Software Defined Data Center – further opportunity exists to abstract management and control to storage and network infrastructure layers. Networks have traditionally been overprovisioned and hard to manage from an enterprise and service provider perspective, and there has been no standard way of managing network devices remotely. Extending the principles of server virtualization to network switches, firewalls, devices and potentially higher level services running on virtual machines, offers huge potential benefits of provider automation, cost reduction, economies of scale, as well as greater feature velocity and innovation.

There is complexity, however, and it is still early days, in particular for the enterprise. Today, the major networking vendors provide a complete stack of networking hardware and software whose products interoperate at the network packet level, but management and provisioning of their devices plus certain services remain proprietary, enabling higher margins and product stickiness. Levels of true sustainable openness, interoperability and programmability – i.e. whether OpenFlow will truly be adopted as an open industry standard – are theoretically viable, but sceptics point out that this is likely to be determined by the tactics of incumbent vendors, either those looking to protect their installed bases in legacy hardware, or those seeking greater customer lock-in (hence the sky-high valuations and acquisitions of SDN start-ups in 2012).

Despite this, there is already a thriving and evolving SDN ecosystem at various levels of the SDN ‘stack’ and above, including virtual controllers, switches, routers, and overlay management and orchestration services. Technology democratization has already arrived in networking.

So while this is all very interesting from a macro market and competitive analysis standpoint, how is this all relevant to Enterprise IT? While many enterprises have already reaped cost and efficiency benefits from server virtualization, and some are extending virtualization into private cloud domains (often locked into a management platform), in many cases they have yet to exploit the potential of the public cloud from a mass scale and efficiency perspective to deliver ‘IT as a Service’.

The main ‘issues’ with public cloud infrastructure tend to be a combination of: a) SLAs for reliable performance on the provider platform; b) availability, predictability and compliance; c) true configurability enabling developer autonomy and self-service; d) price, but not at the expense of a), b) and c).

If we look at provider approaches to delivering infrastructure as a service, they are generally split across two models:

1) Web-Scale Providers: massive scale using clustered servers and cheap components, used and designed for their own web businesses. Advantages include developer-friendly tools and aggressive pricing, sustained through an almost entirely self-service model. These architectures present significant challenges for enterprises looking to build the public cloud into business process design, in terms of predictable performance, availability and security.

2) Cloud Service Providers (including Verizon Terremark): scale depending on global footprint, with a focus on automation of infrastructure. Advantages: high performance and reliability, embedded security, SLAs for 100% uptime (Verizon Terremark), and managed and unmanaged options. Limitations include configurability of different server hardware, developer tools, and pressure to maintain the platform at an acceptable cost/price ratio.

A single platform does not yet exist that blends “the best of both worlds”: high availability and performance, hybrid-ready and configurable, enabling workload flexibility combined with quality-of-service selection and SLAs, embedded security and integrated networking, AND Web-Scale cost competitiveness based on true performance. That is when cloud can truly enable the delivery of information at mass scale, and it is what enterprises and their users require. You will be hearing a great deal more about this evolution throughout 2013.

25 APR 2013

News to Know

- PR Specialist

For the sixth consecutive year, the most comprehensive security investigations report was released earlier this week, grabbing countless headlines and revealing the hows of data breaches in 2012. Additionally, backup and disaster recovery best practices are shared by the experts right before the start of hurricane season.

Vast majority of global cyber-espionage emanates from China, report finds

The Washington Post

April 23, 2013

The 2013 Data Breach Investigations Report (DBIR) analyzed hundreds of documented data breaches and found that hackers affiliated with China were by far the most energetic and successful cyberspies in the world last year. To get the 2013 DBIR, click here.

Disaster Planning and Recovery

Bloomberg TV

April 24, 2013

On the eve of hurricane season, backup and disaster recovery solutions discussions are rekindled. Verizon Terremark Chief Technology Officer John Considine participated in a panel at the Bloomberg Technology Enterprise Summit, where existing and emerging disaster recovery strategies were debated and analyzed, including what has changed in the wake of Superstorm Sandy. Learn more about cloud-based disaster recovery here.

Verizon shines light on low number of cloud data breaches

Cloud Pro

April 24, 2013

Despite the increasing popularity of cloud services, the 2013 DBIR found little evidence of breaches involving cloud-specific technologies. One of the authors of the report said “We are not seeing breaches involving cloud providers that would result in multiple virtual machines cascading into a [large-scale] failure, for example.” The reason for this could be that hackers prefer a path of ‘least resistance.’

23 APR 2013

Encryption Solutions in Cloud

- Senior Security Solutions Architect

As more and more firms are moving sensitive data into cloud infrastructure, there are questions about the right type of encryption solution. Some firms are looking for encryption solutions from a compliance standpoint while others are looking for a general security control to protect sensitive data.

Like any other technology, no single solution fits all scenarios. A solution that works well in an IaaS (Infrastructure as a Service) cloud may not work well in a SaaS (Software as a Service) cloud environment. Similarly, there are many considerations related to the transparency of a solution and its ease of management. There are also issues related to who owns, manages, and has access to encryption keys. This post provides a high-level overview of encryption options and the categories of solutions available in different scenarios. I will dig deeper into specific options in a follow-up blog post.

Options for Encrypting Data

There are multiple options for encrypting data in the cloud. Each option mitigates risk in specific use cases and implements some trade-offs. At a high level, these options are as follows:

  1. Full disk encryption option is available for customers with full access to the operating system.
  2. Filesystem encryption is achieved either using native operating system or by installing an agent to enforce encryption policy. These solutions also provide granular level access controls for different file types.
  3. Database encryption (table or field level) can be achieved in many ways in the cloud. Solutions are available from major database vendors as well as third parties. Encryption gateways (described next) can also be used for database encryption. Third-party solutions work by intercepting JDBC/ODBC or other types of database calls, or by implementing stored procedures.
  4. Encryption gateway based solutions are available from multiple vendors for cloud environment. An encryption gateway is placed between the cloud environment and private network/data centers to encrypt/decrypt data in real time.
  5. Hypervisor-based encryption solutions enable IaaS customers to run another virtualization layer that implements encryption at the hypervisor level. From a functionality perspective, this is similar to full disk encryption.
  6. Data Backup – Organizations using cloud services as data backup can use encrypted backup solutions. These solutions are available in the form of backup software as well as encryption gateways.

Management of Encryption Keys

Encryption key management includes generation, storage, use, and ultimately destruction of encryption keys when no longer needed. Many cloud customers are wary of the cloud provider having access to encryption keys. Key management also becomes crucial in hybrid cloud scenarios where applications access data in private and public cloud using same encryption keys.
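As an added example (not code from the original post or from Verizon Terremark), the following Go program sketches two of the pieces above that have to be designed together: an encryption gateway that encrypts a single sensitive field before it leaves the private network (option 4 in the list, the same mechanism that serves database field-level encryption in option 3), and the key lifecycle the paragraph on key management describes (generation, storage, use, destruction), with the master key held on the customer side so the provider only ever stores ciphertext. The `KeyStore` type, its method names and the key ID `crm-tenant-42` are assumptions made for this example; the cryptography is AES-256-GCM from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte { // OS CSPRNG; without entropy there is no safe way to continue
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor: every key in this program is generated as 32 bytes, so failure here is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag, with aad cryptographically bound to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; it fails if nonce, ciphertext, tag or aad were altered.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyStore is the customer-side key manager (hypothetical design): a master key (KEK)
// that never leaves the customer, and data keys (DEKs) stored only wrapped under it.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte // key ID -> DEK wrapped under the KEK
}

func NewKeyStore() *KeyStore { return &KeyStore{kek: randBytes(32), wrapped: map[string][]byte{}} }

// GenerateDEK is the generation step; the key ID is AAD so a wrapped key cannot be moved to another ID.
func (ks *KeyStore) GenerateDEK(keyID string) {
	ks.wrapped[keyID] = seal(ks.kek, randBytes(32), []byte(keyID))
}

// dek is the use step: unwrap on demand, never keep a plaintext DEK at rest.
func (ks *KeyStore) dek(keyID string) ([]byte, error) {
	w, ok := ks.wrapped[keyID]
	if !ok {
		return nil, fmt.Errorf("key %q unavailable (never created or destroyed)", keyID)
	}
	return unseal(ks.kek, w, []byte(keyID))
}

// DestroyDEK is the destruction step: every field encrypted under the DEK becomes unrecoverable,
// whatever copies or backups the provider still holds (crypto-shredding).
func (ks *KeyStore) DestroyDEK(keyID string) { delete(ks.wrapped, keyID) }

// EncryptField is the gateway's outbound step; the provider receives and stores only the blob.
func (ks *KeyStore) EncryptField(keyID string, value []byte) ([]byte, error) {
	k, err := ks.dek(keyID)
	if err != nil {
		return nil, err
	}
	return seal(k, value, []byte(keyID)), nil
}

// DecryptField is the inbound step and runs only on the customer side of the gateway.
func (ks *KeyStore) DecryptField(keyID string, blob []byte) ([]byte, error) {
	k, err := ks.dek(keyID)
	if err != nil {
		return nil, err
	}
	return unseal(k, blob, []byte(keyID))
}

func main() {
	ks := NewKeyStore()
	ks.GenerateDEK("crm-tenant-42")                                   // constructed key ID
	enc, _ := ks.EncryptField("crm-tenant-42", []byte("123-45-6789")) // constructed sample value
	fmt.Printf("stored at provider: %x\n", enc)
	ks.DestroyDEK("crm-tenant-42")
	_, err := ks.DecryptField("crm-tenant-42", enc)
	fmt.Println("after key destruction:", err)
}
```

Run it with `go run`: the last line shows that once the data key is destroyed the stored field can no longer be recovered, which is what makes destruction a meaningful lifecycle step rather than bookkeeping. A production gateway would base64-encode the blob for text-only SaaS fields, keep the wrapped keys in durable, access-controlled storage rather than an in-memory map, and hold the KEK in an HSM or equivalent on the customer side; the hybrid-cloud case in the paragraph above is handled by letting both the private and the public side unwrap the same wrapped DEKs against that one KEK.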

Transparency

Encryption is a complicated business. For encryption to be effective and easy to use, it has to be transparent to end users and, if possible, to the applications. Adoption of an encryption solution becomes challenging if it requires modifications to applications or relies on end-user training. All of the solution categories listed above can be implemented in a transparent fashion in the cloud. However, the implementers must understand the solution and be able to manage the encryption keys.

Encryption Solution Selection

Depending upon cloud service model (IaaS, PaaS, SaaS), customers can select a specific type of encryption solution as described below.

  • IaaS Cloud – IaaS provides the most flexibility in selecting an encryption solution. Full disk encryption, filesystem-level encryption (agent-based and agent-less), hypervisor-based encryption, and database encryption solutions can be used depending on the specific situation.
  • PaaS Cloud – Native database encryption as well as row/column-level encryption solutions may be appropriate.
  • SaaS Cloud – Encryption gateway solutions are more appropriate in a SaaS cloud. In a SaaS cloud, customers don’t have access to the underlying infrastructure to implement any other type of encryption easily. Typical scenarios where gateway solutions are very useful are encrypting data held by SaaS providers such as Salesforce CRM, online storage, and online applications such as Microsoft Office 365, Gmail, and so on.

Encryption as a Service (EaaS)

Some vendors provide encryption solutions as a service, just like other cloud technologies. These services are useful for small to medium size organizations where it is difficult to hire a full time encryption expert for the management of cloud encryption solution.

I will explore some of these solutions in detail in follow-up posts on this blog.

18 APR 2013

News To Know

- Director, External Communications

This week, the potential impacts of an overhauled immigration law on technology companies and open-source news continue to make headlines. In addition, cloud providers discuss cloud SLAs.

Migrant Bill Seems to Fit Tech Sector Wish List

New York Times

April 16, 2013

The proposed changes to U.S. immigration law include an easier way to get green cards for foreigners educated in America in math and science. Academic and professional degrees may end up at the core of the immigration reform, which could greatly help technology companies hire and retain talent.

Cloud Computing Gets Deeper and More Strategic, Survey Shows

Forbes

April 15, 2013

Findings of a new survey reveal that two-fifths of organizations run private clouds and one-fourth are using public clouds for enterprise applications. And by next year, 50% of surveyed participants “expect to be running substantial parts of their workloads within private clouds.”

Verizon Terremark backs Xen-CloudStack combo for clouds

The Register

April 16, 2013

As the open source Xen hypervisor and CloudStack cloud controller continue to gain momentum and support from different providers, Verizon Terremark invests in open source development tools, for the first time. The purpose? See the market mature quickly and provide businesses with flexible and cost-effective cloud-based solutions.

Your cloud computing SLA can’t be a marketing gimmick

Search Cloud Computing

April 17, 2013

Many cloud providers use their Service Level Agreements (SLAs) as a tool to gain their customers’ trust. However, it is interesting to see the reporter’s perspective, where she mentions that “any SLA terms should be based on what providers can truly guarantee, not what they think customers want to hear.” Understanding your own limits and strengths is the first step to avoiding SLA violations, and the second step is to be confident in your ability to exceed the guarantees promised.

11 APR 2013

News to Know

- PR Specialist

This week, we continue to see how cloud adoption grows in the healthcare sector, we learn what tops the priority list for federal IT in 2014, and PCI compliance continues to make headlines.

Administration proposes 1.7% increase in IT spending

Federal Times

April 10, 2013

Despite initiatives toward reducing IT spending, President Obama’s 2014 budget increases the federal IT budget by 1.7 percent. After months of serious incidents, the public sector has placed cybersecurity at the top of its priority list. Coming soon, the Verizon 2013 Data Breach Investigations Report (DBIR) will present an in-depth analysis of data breaches and will include data from 19 global security organizations, a more than three-fold increase from the previous year. To be among the first to receive Verizon’s 2013 DBIR, be sure to register here.

 

A Medical Service Using the Cloud

New York Times

April 9, 2013

Organizations in the healthcare sector are embracing new technologies today more than ever before. In fact, “Practice Fusion is a company that offers cloud-based electronic medical records software for managing relationships with patients and big parts of the health care industry.” According to its CEO, Practice Fusion has a network of 27,000 doctors who can take advantage of real-time information on patient medical history and availability of prescription drugs. Be sure to read Verizon’s previous blog post, where Verizon Terremark’s Chris Davis discusses five reasons why the cloud is ready for health IT.

 

PCI-compliant cloud services an art, not a science for providers

Search Cloud Computing

April 8, 2013

Successfully completing a Payment Card Industry (PCI) assessment by a third party can be challenging for many cloud providers. In the Infrastructure-as-a-Service market, PCI compliance shows that the cloud environment follows security best practices when storing and processing credit card information. It is interesting to see reporter Gina Narcisi say that “cloud security is a two-way street,” as we certainly agree that both the customer and the provider should have a clear understanding of where each party’s responsibilities begin and end.

10 APR 2013

Business Focused DDoS Prevention, II

- Global Subject Matter Expert—Information Security

Two weeks ago, we level-set the knowledge on what DDoS attacks consist of and what the real and perceived impact has been on businesses across the globe.

In addition to the commotion perceived in the business world, DDoS attacks have likely brought some disturbance in your personal life too. And that’s due to our insistence on accessing up-to-date information on-demand through our financial institutions, on-line retailers, and even such services as our benefits and digital content providers.  Case in point, after speaking with hundreds of organizations throughout the world—I make these three general observations and recommendations:

  • The business value of internet circuits is unknown. State uncertainty refers to incomplete knowledge of the components of a system, and uncertainty is generally accepted to be a negative item that needs to be controlled, or anxiety will result. To reduce this uncertainty, a fundamental understanding of why each rule exists in a firewall will go a long way toward understanding and quantifying the importance of internet circuits. A thorough Business Impact Assessment (BIA) is one tool an organization can use to explore its business continuity plan. The exploratory nature of the BIA reveals and quantifies vulnerabilities in technology, the costs associated with failures, and the critical dependencies of business processes. The data from the BIA is then fed into an appropriate security governance model for improved decision making. In other words, the BIA addresses what should be protected, and how much it should be protected. In that way, the effects of a DDoS attack can be anticipated and safeguarded against appropriately.
  • Modern and secure network architectures are elusive. Many organizations are facing 21st-century security challenges (such as repeating, morphing, and multi-vector DDoS attacks) with 20th-century network architectures. The BIA can aid in discovering the business usage of each ingress/egress circuit, and unnecessary redundancy and overlap in network design are common BIA findings. This is not surprising: as organizations actively pursue expansion through core competencies, product development, and M&A, the network has ebbed and flowed as a result, but the size and importance of the network often get lost in the shuffle. What was once a good design for the business (and the times) may not be keeping up with current internal or external environmental pressures. Analyzing where and why each circuit exists, how many ingress/egress points exist, and the size of the circuits are all vital to reducing the complexity of the controls that may need to be placed on these resources (again found via the BIA!). Does the widely distributed network still make sense? What are all those old T1s for? Or does a simpler, larger circuit design with fewer ingress/egress points fit the job? What are the pros and cons of a multi-carrier environment? Are your preferred controls supported on your circuits? All of these questions must be asked and addressed if your technology is not to become an obstacle for your business. In order to defend against tomorrow’s network threats, we must challenge today’s network architecture status quo!
  • Anti-DDoS prevention is commonly thought of as a reactive service. Protection mechanisms for high-value web targets, DNS, VoIP, SMTP, and other business-critical services from DDoS attacks are most effective if contemplated and devised well in advance of an attack.  The regularly scheduled (annually) BIA will settle the business impact discussion part of the risk formula.  However, let’s ignore technology for a moment.  Time and again the far left side of the risk equation (likelihood) is nebulous; and threats and vulnerabilities are simply not well understood. But DDoS threat activity is a function of uncontrolled vulnerabilities, reputation of an organization, cooperative behavior, external signals, and wildcards—or luck as you would have it.  Let’s face it; reputation is not something likely to be resolved during an attack.  The nature of an organization’s mission and behavior within society must be carefully calculated and afforded as an ongoing effort.   And if there’s evidence suggesting there are gaps within an organization’s risk posture, moves must be made to improve the position. Technology controls for DDoS attacks are just as reliant on preparation and investment. Understanding normal behavior of an organization’s information systems is a critical step in the formulation of DDoS defenses.  When does the network spike on a normal basis?  Will the new phone system being deployed create anomalous behavior?   Do national holidays disturb network behavior?  How does a Hybrid Cloud affect a network?  In other words; do the controls understand the business?  For a successful DDoS mitigation strategy, the answer must be yes.
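To make the “do the controls understand the business?” question concrete, here is an added example (not from the original post or from Verizon Terremark) in Go. It builds a per-hour-of-the-week baseline from constructed traffic samples using the median and a robust spread, then classifies new samples against it with a business calendar of planned peaks, so a product launch or holiday sale is not escalated as an attack while a surge beyond even the planned ceiling still is. The slot layout, the thresholds (k = 5, a 5% spread floor), the calendar and the sample numbers are assumptions for illustration; the approach generalizes the post’s examples (normal spikes, a new phone system, national holidays) to any planned event the business can name in advance.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Slot is an hour of the week: Day 0..6 (0 = Monday), Hour 0..23.
type Slot struct{ Day, Hour int }

// Sample is one measured inbound request rate on an internet circuit.
type Sample struct {
	Slot Slot
	RPS  float64
}

// Baseline keeps, per slot, the median rate and a robust spread (scaled MAD),
// so a few past attacks in the history do not stretch what counts as normal.
type Baseline struct {
	Median map[Slot]float64
	Spread map[Slot]float64
}

func median(xs []float64) float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// BuildBaseline learns what normal looks like for every hour of the week present in history.
func BuildBaseline(history []Sample) *Baseline {
	bySlot := map[Slot][]float64{}
	for _, s := range history {
		bySlot[s.Slot] = append(bySlot[s.Slot], s.RPS)
	}
	b := &Baseline{Median: map[Slot]float64{}, Spread: map[Slot]float64{}}
	for slot, xs := range bySlot {
		m := median(xs)
		dev := make([]float64, len(xs))
		for i, x := range xs {
			dev[i] = math.Abs(x - m)
		}
		spread := 1.4826 * median(dev) // MAD scaled to be comparable with a standard deviation
		if spread < 0.05*m {           // floor: a flat history must not turn every blip into an alert
			spread = 0.05 * m
		}
		b.Median[slot], b.Spread[slot] = m, spread
	}
	return b
}

// Verdicts returned by Classify.
const (
	Normal       = "normal"
	ExpectedPeak = "expected-peak"
	Anomalous    = "anomalous"
	NoBaseline   = "no-baseline"
)

// Classify compares a live sample with the baseline. calendar maps slots where the business
// expects extra load (a launch, payroll day, holiday sale) to the multiple of the median it is
// prepared to see: a planned peak is not escalated, but load beyond even the planned ceiling is.
func (b *Baseline) Classify(s Sample, calendar map[Slot]float64, k float64) string {
	m, ok := b.Median[s.Slot]
	if !ok {
		return NoBaseline
	}
	mult, planned := calendar[s.Slot]
	if !planned {
		mult = 1
	}
	switch {
	case s.RPS > m*mult+k*b.Spread[s.Slot]:
		return Anomalous
	case planned && s.RPS > m+k*b.Spread[s.Slot]:
		return ExpectedPeak
	}
	return Normal
}

// history is constructed sample data: five normal Mondays at 09:00 and at 03:00.
var history = []Sample{
	{Slot{0, 9}, 100}, {Slot{0, 9}, 110}, {Slot{0, 9}, 105}, {Slot{0, 9}, 95}, {Slot{0, 9}, 100},
	{Slot{0, 3}, 10}, {Slot{0, 3}, 12}, {Slot{0, 3}, 9}, {Slot{0, 3}, 11}, {Slot{0, 3}, 10},
}

func main() {
	b := BuildBaseline(history)
	calendar := map[Slot]float64{{0, 9}: 3} // constructed: a campaign expected to triple Monday-morning load
	for _, s := range []Sample{{Slot{0, 9}, 130}, {Slot{0, 9}, 250}, {Slot{0, 9}, 400}, {Slot{0, 3}, 60}} {
		fmt.Printf("%v rps=%.0f -> %s\n", s.Slot, s.RPS, b.Classify(s, calendar, 5))
	}
}
```

The design choice worth noting is that the calendar is an input from the business, not something the detector infers: the BIA and the people who plan launches are the source of the “expected” multipliers, which is exactly the point of the paragraph above. The same structure extends naturally to per-circuit baselines and to a per-service breakdown (DNS, VoIP, SMTP) so that an anomaly can be tied back to the business process it threatens.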

Guess-work engineering is not going to reduce anxiety; proactive moves will.  Even in the uncertain areas of the risk environment—formal techniques have been devised to fashion the odds in a motivated organization’s favor.   I’ll set aside the details of each category below for your own research and unique application; however, the following risk assessment cycle can be used to guide or measure your own maturity in DDoS attack preparedness. And as a final note (and borrowing from Drucker again), “the best way to predict the future is to create it.” So as previously stated, a bias for action is a central theme for market leaders. So lead the way and be prosperous.

27 MAR 2013

Getting Started on Your Cloud, II

- VP, Cloud Experience

A couple of weeks ago, I wrote about how challenging the search for the right cloud provider is and presented some of the most important questions an enterprise should ask its prospective providers. Every week, I meet with different organizations to explore their needs and address their concerns. Below you’ll find some of the best questions I have received from prospects that are looking to embrace cloud technologies in their organizations.

Does your cloud provider’s security and IT compliance match your policies and requirements? Are you sure?

When moving to the cloud, security is one of the most common concerns for IT and the business. IT has the difficult job of maintaining consistent policies on the virtual and physical IT infrastructure. Sometimes that means a change to the customer’s policies to adapt to the cloud provider. However, the more sensible approach should be the opposite. Cloud providers should be flexible enough to develop IT security and compliance procedures to accommodate the customer’s physical requirements. 

The IT buyer needs a service provider that closely resembles what their corporate security and compliance department would require of them. And they need their cloud provider to help them accommodate those compliance requirements. 

Make a point to ask about the policies, processes and procedures that the service provider adheres to as a matter of conducting their own business. This means seeing their security policies in action.  Don’t just look at the physical aspects of security, but examine how they operationally sustain the delivery of cloud services, including an inside look at their data centers.

Terremark adheres to a practice of transparency. We spend a lot of time developing security programs in the cloud like role-based access control, multifactor authentication, security encryption, all the same types of things that a customer’s security officer would want to see if it were within their four walls. We provide multi-layer security services in the cloud to help defend your web sites, applications and data from attacks. In addition, we provide customers with a team of trained and experienced security professionals.  More importantly, we give you access to our data centers to see firsthand how we do it. Because in the end, you have to trust the infrastructure before you can trust anything else.

Can the enterprise cloud provider provide service where you need it?

This is a fairly simple question that if not asked could lead to some very complex management problems. If your service provider doesn’t have operations where you need them, you might be forced to purchase cloud services from multiple vendors. This complicates your ability to sustain a consistent level of quality and services. By doing business with a single provider of cloud services with a presence in multiple countries/locations, you can streamline budgeting, invoicing and relationship management.

Verizon Terremark’s cloud operates in more than eight data centers around the world, including North America, Latin America, Europe, and the Asia Pacific, giving our global customers a single point of contact for ultimate accountability.

Can the enterprise cloud provider match your technology infrastructure and meet your overall needs?

Before signing the agreement, do you know if you’re matching a square peg with a round hole?  For example, does your virtualization infrastructure match with the provider’s hypervisor? Are they skilled in the same kind of virtualization technologies? If not, then moving workloads from point A to point B over to the cloud is going to be more difficult than you think.

Good service providers extend tools that help ease the migration of the virtual infrastructure from the customer’s data center out into the cloud, such as migration utilities, on-boarding services or even professional services for customers moving for the first time to virtualized environments.  

Verizon Terremark offers a broad spectrum of professional services and tools to ease migration to the cloud.  Our enterprise cloud is virtualized by VMware for a virtualization layer that is compatible with the vast majority of environments, providing a consistent and reliable virtualization layer.  In addition, Terremark is one of a few cloud providers that offer the full range of cloud infrastructure including cloud services, colocation and managed hosting all under the same roof.

26 MAR 2013

Business Focused DDoS Prevention

- Global Subject Matter Expert—Information Security

The effects of a Distributed Denial of Service (DDoS) attack are by this time well known to most of us. But as a refresher, a DDoS attack is simply an availability-impact assault on information resources. That’s not really new, is it? Attacking supply lines and logistics has been practiced for centuries by war commanders. Remember the Ho Chi Minh trail? A lot could be learned by studying that robust system. Technology experts NOT required! Today the stakes are even higher according to the United States EMP Commission’s report on critical national infrastructure. The attention given to the possibility of a mega denial-of-service attack on civilian infrastructure has led some nefarious nuclear-equipped nations to develop the principles of the so-called “Super-EMP” weapon, a weapon designed to render useless the technology that drives modern society. A bit dramatic, I know. But the principles are the same! Denial of Service attacks can severely damage an organization as well as a nation or society. And as such, the lessons of offense and defense in the genre are foretelling—and understanding comes not by seeing one side, but both.

The emergence of the DDoS attack as a means to advance idealism through hacktivism has created a bit of a firestorm—especially in the US banking sector as of late. DDoS attacks have caused havoc for many organizations and their customers, even causing some of these organizations to question their reliance on the Internet itself! But with 2.4 billion internet users and counting, and a nearly 80% adoption rate in North America—companies who fail to securely deliver their goods and services via this public exchange network will deliver their customers to the competition. And since a business exists entirely to create customers, that’s not a workable strategy. In order to maintain a long-term strategic competitive advantage, an organization has to make critical moves based on both external and internal factors. An organization should never accept convergence to “me too” or “average” status in the industry. A bias for action is a central theme for market leaders. What’s left is to find a scalable and effective solution for DDoS threats. But first a thorough understanding of the business impact of an organization’s internet circuits must be established. That is to say, there is no single solution to DDoS protection for all organizations.

In their latest Worldwide Infrastructure Security Report, Arbor Networks asked respondents to characterize Factors Impacting DDoS Threat Awareness.  The results are not surprising, but somewhat indicative of who within an organization commonly responds to these questionnaires (70% technologists).   While overall awareness of DDoS attacks has “greatly increased”, the unfortunate reason is because respondents themselves have been targets of DDoS attacks or have heard about highly-publicized attacks in the press.   But to dig further into the results, an underwhelming 45% of respondents stated that brand reputation, financial, or legal liabilities were Factors Impacting DDoS Threat Awareness.   So in other words, there is a greater fear of the threat than the actual impact. 

Well, that's just silly, right? So let's get back to the respondents, the technologists. As information security professionals we are taught to keep a laser focus on governance while practicing our craft, and ISACA has surely done its part in getting that message out, with governance a core part of both the CISM and CGEIT certification tracks. But I'm afraid those certifications are not as popular or as sexy as the more technology-focused credentials, and the result is that the governance message has not carried through into practice far enough to reduce risk and maximize business value.

In the next part of this two-part story, I will offer three general observations and recommendations gathered during hundreds of conversations with organizations around the world. Stay tuned.

22
MAR
2013

News to Know

- Director, External Communications

Busy schedules and hundreds of daily emails may be keeping you from seeing relevant cloud, data center and security news. So starting today, and every Thursday from next week on, we'll recap the top three news stories of the week to help you sort what's relevant and what you should keep on your radar.

Cloud Computing: A CFO’s Perspective

Data Center Knowledge

March 20, 2013

According to Gartner, 26 percent of IT investments need direct approval from the organization's CFO. Those who have been in IT long enough may recognize that 'shadow IT', the use of IT systems without proper approval, is rapidly declining, and that important IT decisions, such as cloud adoption, are increasingly driven by the C-suite.

DHS shifting to cloud, agile development to boost homeland security

Computerworld

March 20, 2013

The public sector continues to make great strides in the cloud market. This week we learned that the U.S. Department of Homeland Security is making considerable changes to its operations in an effort to embrace the cloud and its economic benefits. Cost efficiency is not the only driver behind the initiative; performance and information sharing have also been deciding factors.

Next Steps in Data Center Security

InformationWeek

March 18, 2013

In a time of growing cyber-attacks and data breaches, proactive protection of systems and data remains essential in both the public and private sectors. For federal agencies, resources are limited and the pressure CIOs face to protect their assets is incredibly high. The editor offers an interesting view in this piece: he notes that "throwing money at the problem isn't the answer."


20
MAR
2013

Securing the Cloud, Part IV

- VP – Analytics, Secure Information Systems

In previous posts, we discussed some of the ways in which clouds are built, and major ways in which they differ—and don’t differ—from non-cloud infrastructures from a security perspective. In this post, we’ll discuss some of the security challenges that are more or less unique to a cloud environment. These include privacy and data separation issues, isolating operational impacts, and dealing with well-meaning but uninformed courts and law enforcement.

A major issue that comes up in cloud conversations is privacy. Multi-tenancy on shared hardware necessarily implies a logical, rather than a physical, separation of customer data. At a fundamental level, this means that various pieces of software must be entrusted to keep different environments inaccessible from each other.

The key piece of software is the hypervisor itself. It has matured over time, and the core technology is now fairly well trusted. The biggest risk comes from configuration management: it is imperative that a cloud provider implement each virtual environment without any errors or oversights in the isolation settings, such as which network segments, storage volumes and management-plane permissions each tenant's machines are granted.

For example, when a cloud provider collects performance data or performs any kind of forensics, it is critical that the provider not accidentally access, and potentially reveal, other customers' data. The possibility of mistakenly revealing data creates a need for multiple logical control layers to compensate for human error. Even so, a single mistaken setting in the control configuration can be enough to expose data, so providers need strong operational discipline and change management practices.
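As an added illustration of the kind of check that operational discipline implies (this is example code, not the provider's own tooling, and its data model of tenants, VMs, volumes, segments, firewall rules and forensic jobs is a hypothetical stand-in for whatever a real control plane exports), the following audit flags the isolation mistakes the paragraphs above warn about: a network segment or storage volume shared across tenants, a tenant firewall rule that admits another tenant's address space, and a forensic collection job that reaches beyond the tenant it was authorized for.

```python
"""Audit a cloud control-plane export for tenant-isolation mistakes.

Added example; the data model is hypothetical and stands in for whatever a
real control plane exports (VM inventory, virtual network and storage
attachments, per-tenant firewall rules, forensic job requests).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tenant: str
    segment: str                    # virtual network segment (VLAN/VXLAN id)
    cidr: str                       # address block the VM's NIC sits in
    volumes: list = field(default_factory=list)   # attached storage volumes


@dataclass
class FirewallRule:
    tenant: str                     # tenant whose perimeter this rule is part of
    src_cidr: str                   # source range the rule admits
    port: int


@dataclass
class ForensicJob:
    authorized_tenant: str          # tenant named on the request or legal order
    volumes: list                   # volumes the operator intends to image


def audit(vms, rules, jobs):
    """Return (severity, message) findings; an empty list means no isolation error."""
    findings = []

    # 1. A network segment must carry exactly one tenant.
    seg_owner = {}
    for vm in vms:
        owner = seg_owner.setdefault(vm.segment, vm.tenant)
        if owner != vm.tenant:
            findings.append(("HIGH", f"segment {vm.segment} shared by {owner} and {vm.tenant} (vm {vm.name})"))

    # 2. A volume must be attached only to VMs of one tenant.
    vol_owner = {}
    for vm in vms:
        for vol in vm.volumes:
            owner = vol_owner.setdefault(vol, vm.tenant)
            if owner != vm.tenant:
                findings.append(("HIGH", f"volume {vol} attached to both {owner} and {vm.tenant}"))

    # 3. A tenant's own rules must not admit another tenant's address space.
    #    A catch-all 0.0.0.0/0 source is public exposure (reviewed separately),
    #    not a cross-tenant hole, so it is skipped here.
    tenant_nets = {}
    for vm in vms:
        tenant_nets.setdefault(vm.tenant, set()).add(ipaddress.ip_network(vm.cidr))
    for rule in rules:
        src = ipaddress.ip_network(rule.src_cidr)
        if src.prefixlen == 0:
            continue
        for other, nets in tenant_nets.items():
            if other != rule.tenant and any(src.overlaps(n) for n in nets):
                findings.append(("MEDIUM", f"{rule.tenant} rule admits {rule.src_cidr} port {rule.port}, overlapping {other}"))

    # 4. Forensic collection must stay inside the authorized tenant's volumes.
    for job in jobs:
        for vol in job.volumes:
            owner = vol_owner.get(vol)
            if owner != job.authorized_tenant:
                findings.append(("HIGH", f"forensic job for {job.authorized_tenant} targets volume {vol} owned by {owner}"))
    return findings


def sample_config():
    """Constructed inventory with three deliberate mistakes plus one over-broad job."""
    vms = [
        VM("web-a", "acme", "seg-100", "10.10.1.0/24", ["vol-a1"]),
        VM("db-a", "acme", "seg-100", "10.10.1.0/24", ["vol-a2"]),
        VM("web-b", "globex", "seg-200", "10.20.1.0/24", ["vol-b1"]),
        VM("app-b", "globex", "seg-100", "10.20.1.0/24", ["vol-a2"]),  # wrong segment and wrong volume
    ]
    rules = [
        FirewallRule("acme", "0.0.0.0/0", 443),        # public web port, out of scope here
        FirewallRule("acme", "10.10.1.0/24", 5432),    # acme's own network, fine
        FirewallRule("globex", "10.10.0.0/16", 22),    # admits acme's address space
    ]
    jobs = [
        ForensicJob("acme", ["vol-a1"]),               # in scope
        ForensicJob("acme", ["vol-a1", "vol-b1"]),     # reaches into globex
    ]
    return vms, rules, jobs


if __name__ == "__main__":
    for severity, message in audit(*sample_config()):
        print(severity, message)
```

Run against a real export this kind of check belongs in the change pipeline, so a misconfiguration is refused before it is applied rather than discovered after a forensic job has already read the wrong volume.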

Another related security challenge in a cloud environment is the need to isolate operational impacts. There are various ways in which a single customer can affect the performance of the underlying cloud infrastructure and the other customers sharing it, creating a potential denial of service. Malicious activity by the customer is the obvious one, but cloud users should understand that an external entity might compromise a virtual server within a customer's environment and take malicious actions without the customer's knowledge or consent. That activity might be designed to impact the cloud infrastructure, as with a packet flood, or the damage might be collateral, as with a spam flood that gets the cloud's IP subnets placed on various blacklists.
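As an added example of detecting the compromised-tenant case above (not from the original post; the flow-log line format is hypothetical and all traffic is constructed), the following script buckets per-VM outbound flows into one-minute windows and raises an alert either for a sustained packet flood or for a spam-style fan-out to many distinct SMTP destinations, the two patterns the paragraph names:

```python
"""Detect a tenant VM that has turned into a packet-flood or spam-flood source.

Added example. The flow-log format is hypothetical (one line per flow:
epoch seconds, source IP, destination IP, destination port, packet count);
substitute whatever fields the hypervisor or virtual switch actually exports.
"""
from collections import defaultdict

WINDOW = 60          # seconds per analysis bucket
PPS_LIMIT = 5000     # sustained packets/second from one VM is treated as a flood
SMTP_FANOUT = 25     # distinct port-25 destinations per window is treated as spam


def parse_flow(line):
    """Parse one constructed flow-log line into (ts, src, dst, dport, pkts)."""
    ts, src, dst, dport, pkts = line.split()
    return int(ts), src, dst, int(dport), int(pkts)


def detect(flows, window=WINDOW, pps_limit=PPS_LIMIT, smtp_fanout=SMTP_FANOUT):
    """Return alerts as (kind, src, window_start, measure), sorted by source."""
    buckets = defaultdict(lambda: {"pkts": 0, "smtp": set()})
    for ts, src, dst, dport, pkts in flows:
        b = buckets[(src, ts - ts % window)]       # align to the window boundary
        b["pkts"] += pkts
        if dport == 25:
            b["smtp"].add(dst)
    alerts = []
    for (src, start), b in sorted(buckets.items()):
        if b["pkts"] / window > pps_limit:
            alerts.append(("packet_flood", src, start, b["pkts"]))
        if len(b["smtp"]) >= smtp_fanout:
            alerts.append(("smtp_fanout", src, start, len(b["smtp"])))
    return alerts


def sample_flows(base=1363780800):
    """Constructed traffic: a benign web VM, a legitimate mail relay,
    one VM spewing spam and one VM running a UDP flood, all in one minute."""
    lines = []
    # benign web server: a handful of HTTPS replies
    for i in range(5):
        lines.append(f"{base + i * 10} 10.10.1.5 203.0.113.{10 + i} 443 40")
    # legitimate relay: mail to five distinct MX hosts
    for i in range(5):
        lines.append(f"{base + i * 7} 10.10.1.25 198.51.100.{i + 1} 25 12")
    # compromised VM: mail to 60 distinct hosts, a few packets each
    for i in range(60):
        lines.append(f"{base + i} 10.20.1.7 192.0.2.{i + 1} 25 3")
    # compromised VM: DNS-looking UDP flood aimed at a single target
    for i in range(20):
        lines.append(f"{base + i * 3} 10.30.1.9 203.0.113.200 53 50000")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(*alert)
```

The two thresholds deliberately measure different things: the flood rule looks at volume regardless of destination, while the spam rule looks at destination fan-out regardless of volume, which is why the relay sending real mail to five MX hosts and the web server answering a few hundred packets both stay quiet. A provider acting on either alert would typically rate-limit or quarantine the source VM's virtual port rather than the whole tenant.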

Even in the absence of malicious intent, a single customer might unwittingly create a denial of service. A simple example: a poorly behaved application can saturate shared storage during its normal operation. Virtual infrastructures are likewise susceptible to legitimate but IO-intensive activities, such as forensic data gathering and analysis for incident response or in response to a subpoena. For these reasons, it's important for a cloud provider to implement robust workload distribution across clusters and to consider the impact of specialized activities before running them. There is no room for operational fragility.
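One way a provider can keep a single IO-heavy job from starving its neighbours, given here as an added example rather than a description of any particular provider's storage stack, is a deficit round robin scheduler over per-tenant request queues: every active tenant gets the same byte budget per round, and unused budget carries over so that a large request is delayed until its share accrues rather than either starving or monopolizing the device. The workload below is constructed: a forensic imaging job that queued 50 reads of 2 MiB before an interactive tenant queued 40 reads of 64 KiB.

```python
"""Fair-share dispatch of storage IO across tenants (deficit round robin).

Added example with a constructed workload; request sizes are in bytes and
"dispatch" stands for handing the request to the shared storage back end.
"""
from collections import deque

MiB = 1024 * 1024


class DeficitRoundRobin:
    """Each active tenant earns `quantum` bytes of credit per round; requests
    are dispatched while credit covers them, and leftover credit carries over."""

    def __init__(self, quantum):
        self.quantum = quantum
        self.queues = {}        # tenant -> deque of pending request sizes
        self.deficit = {}       # tenant -> credit carried into the next round
        self.active = deque()   # tenants with pending work, in round-robin order

    def submit(self, tenant, size):
        q = self.queues.setdefault(tenant, deque())
        if not q:                       # (re)activate an idle tenant with zero credit
            self.deficit[tenant] = 0
            self.active.append(tenant)
        q.append(size)

    def run_round(self):
        """One pass over the active tenants; returns the (tenant, size) dispatched."""
        dispatched = []
        for _ in range(len(self.active)):
            tenant = self.active.popleft()
            q = self.queues[tenant]
            self.deficit[tenant] += self.quantum
            while q and q[0] <= self.deficit[tenant]:
                size = q.popleft()
                self.deficit[tenant] -= size
                dispatched.append((tenant, size))
            if q:                       # still has work: keep its place in the rotation
                self.active.append(tenant)
        return dispatched

    def drain(self):
        """Run rounds until every queue is empty; returns the full dispatch order."""
        order = []
        while self.active:
            order.extend(self.run_round())
        return order


def bytes_ahead_of(order, tenant, other):
    """Bytes `other` got dispatched before `tenant`'s last request was served."""
    last = max(i for i, (t, _) in enumerate(order) if t == tenant)
    return sum(s for t, s in order[:last] if t == other)


def simulate():
    """Compare naive FIFO (submission order) with DRR on the constructed workload."""
    requests = [("forensics", 2 * MiB)] * 50 + [("web", 64 * 1024)] * 40
    drr = DeficitRoundRobin(quantum=2 * MiB)
    for tenant, size in requests:
        drr.submit(tenant, size)
    return {
        "fifo": bytes_ahead_of(requests, "web", "forensics"),   # FIFO serves in submission order
        "drr": bytes_ahead_of(drr.drain(), "web", "forensics"),
    }


if __name__ == "__main__":
    for policy, ahead in simulate().items():
        print(f"{policy}: {ahead // MiB} MiB of forensic IO served before the web tenant finished")
```

Under FIFO the web tenant's small reads sit behind the entire 100 MiB image; under DRR only 4 MiB of forensic reads are interleaved before the web tenant is done, while the imaging job still gets a full quantum every round and finishes without being starved. The quantum is the knob: it bounds how much any one tenant can delay another per round, which is the operational property the paragraph above asks for.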

Finally, an often-overlooked area of cloud management is collaborating effectively with courts and law enforcement. Courts and agencies are used to dealing with non-cloud environments. They may be trained in physical disk imaging tools that are recognized by the courts, and those tools may not deal efficiently with the virtual storage technologies used in cloud environments.

What's more, these agencies often don't understand the impact of their requests in the context of a cloud infrastructure. We've seen overly specific subpoenas that prescribe the steps to be taken, steps that simply won't work in a cloud infrastructure, or that would take an entire cloud cluster offline while every drive in it is imaged for forensic analysis! There are often more effective and more efficient techniques available, and cloud providers should cultivate relationships with local, state and federal agencies to encourage the use of tools and techniques better suited to a cloud environment.

In the next article in the series, we’ll discuss some solutions to the issues that underlie these challenges.