Multiple Cloud Formations Require New Security Approaches
February 13, 2012
Reliable user authentication in deployment of a cloud service is of utmost importance. Even though a cloud service to which you subscribe may have two-factor or higher levels of secure authentication, certain protocols must be observed and rules must be followed to enter each session. Frequent changing of passwords is required, and those passwords often must be long and complicated.
However, in this day of increasingly sophisticated hacking practices, conventional online authentication for access to these systems and services is often not enough—especially for systems moving highly sensitive data, such as in the government, military, financial and retail sectors…
As cloud services gain more traction at all levels of IT—and that includes high-level enterprises down to single users at home—providers are coming up with new ways to keep everything tight.
New Factor: Multiple Types of Clouds to Secure
Another factor in cloud computing security is coming to the fore as more of these service systems come online: Private clouds are now interacting with public cloud services and each other—especially in large enterprises with numerous partners, affiliates and contractors in the production chain. These multiple cloud formations require a whole new perspective on security.
CloudPassage, a 3-year-old San Francisco-based startup founded by CEO and longtime RSA Security veteran Carson Sweet, is taking a leadership role in this area. Sweet describes CloudPassage’s Halo Netsec service, launched Jan. 31, as the industry’s "first and only server and compliance service that specifically provides multiple-level security for elastic cloud servers."
Halo Netsec features a firewall, two-factor authentication and intrusion-detection capabilities through a cloud service. Literally, this is a "secured security" service.
At this early point, Halo Netsec stands alone in securing cloud services because it enables administrators to build a perimeter defense without having to worry about the physical network. It secures everything from the endpoint to the virtual server, even if some or all of that traffic is passing over the public Internet—or from cloud to cloud.
This is of huge importance to IT administrators, especially when managing cloud services, because those administrators have no control or management capabilities for the public portion of cloud communications.
Once the service is installed and configured, administrators can apply firewall rules and policies to any connection accessing public, private or hybrid cloud services. A small (3MB) security daemon works with CloudPassage’s computing grid to enforce rules and policy and to monitor for intrusions.
CloudPassage also has added a physical aspect to cloud security: a USB key that creates a one-time password for each session. This also may become a trend as time goes on.
"What we’ve done is create a cloud-ready platform that handles automatically all management and policy controls with a combination of a lightweight host-based agent and software as a service grid," Rand Wacker, vice president of products at CloudPassage, told eWEEK.
Tighter security like this is becoming mandatory, with all the system break-ins that seem to be happening more frequently around the world.
"When people look at adding security to a cloud system, they generally think they’re buying a slice of something," CloudPassage founder and CEO Carson Sweet told eWEEK. "So now we’re doing full-blown dynamic firewall management, multi-cloud. We’re going to cross-cloud [systems] now, so we can have servers in EC2 [Amazon’s Elastic Compute Cloud], in Rackspace and in Terremark with one policy over all of them. The most interesting aspect of all of this continues to be that it all just works in the cloud."
Security doesn’t work the same way in public and private cloud environments as it does in on-site data centers.
"When individual servers, especially in a cloud system, become vulnerable, you can clone those things so fast. And when you clone one of those servers, you’re also cloning every vulnerability," Sweet said. "Pretty soon, a big cloud server farm can begin to look like a chunk of Swiss cheese. You replicate the problems along with the actual server."
As an example, Sweet told of one legendary cloud server he knew about "that was just plopped out there. We called it Typhoid Mary because when that started to get replicated, it was really bad news." He wasn’t at liberty to tell exactly which system was affected, but it was a large one—and it became a huge mess, he said.
"The interesting thing is that we have gotten away with this in the data center for years, because of the firewalls and other security on the hardware devices," Sweet said. "But you can’t do that in the cloud."
A reliable cloud security service is becoming a viable option for smaller enterprises. Eric Maass, CTO of Rhode Island-based Lighthouse Security Group, which makes a cloud security gateway, designed and deployed the cloud-based identity-access management system used by the U.S. Air Force.
“Because of compliance issues that are kind of raining down, we’re seeing midrange and SMBs trying to become PCI- or SOX- [Sarbanes-Oxley Act-] compliant. And they’re being asked to step up their security to do business with Fortune 500 companies,” Maass told eWEEK. “They’re trying to figure out cloud security internally for the first time, and the approach of throwing lots of bodies, time and money at the problem to see what sticks is not amenable to organizations of that size. Large companies can do it, but smaller ones don’t have the budget or expertise.”
The obvious answer: a cloud-delivered security service of some kind that is flexible enough to work within a firewall and with public cloud services.
Forrester Research projects that the cloud security market will grow to $1.5 billion by 2015—a shift that will disrupt what Forrester calls the "security solution ecosystem."
In a report entitled "Security and the Cloud," Forrester analyst Jonathan Penn predicted that rather than reallocating portions of existing security budgets to cloud computing, organizations will allocate money to security within cloud projects—creating "a whole new category of revenue for the security market."
"I’d still say that there’s a lot more activity on SaaS [software as a service]-enabling security solutions—security in the cloud—than solutions that secure cloud," Penn told eWEEK.
"Concerns about cloud security have grown in the past few years," he added. "In 2009, the fear was abstract: a general concern, as there is with all new technologies when they’re introduced. … Today, however, concerns are both more specific and more weighty. We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes, and they are more likely to defer adoption because of security inadequacies than to go ahead despite them."
In the report, Penn wrote that the areas most likely to provide opportunities in the cloud for vendors are data security, identity and access management, cloud governance, application security and operational security.
Harold Moss, CTO of Cloud Security Strategy at IBM, gave eWEEK a list of key points that must be addressed by an enterprise when it deploys its own cloud system security. They are as follows:
1. Conduct a thorough security evaluation: Clouds are complex. Prior to migrating to cloud technologies, organizations should first evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity that organizations should use to check their cloud applications for common vulnerabilities.
2. Identify the foundational controls: Foundational controls are core to an organization’s security philosophy. They represent maybe 60 security controls (or less) that protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls.
3. Cloud security should be workload-driven: Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely the cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations.
4. Implement a risk-mitigation plan: Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk-mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk and responses to those risks, but also education and training.
5. Actively monitor performance: Failing to properly monitor cloud implementations can result in performance, satisfaction and security issues. Implement an active monitoring program that identifies threats to the success of the cloud implementation.