At the moment, there is a lot of talk about sharing IT resources as a way to reduce costs. In theory, the economies of scale employed by large data centres should allow for lower-cost IT service delivery through the use of virtualisation technologies. Whether you want to call it cloud, hosted or software as a service, in essence, it means that much of the responsibility for creating, delivering and managing IT is outsourced.
A good analogy is the utility industry. You can buy a generator, fill it with oil, service it and provide electricity. Or you can buy electricity from a power company that has massive generators that are far more efficient than one can achieve at home. There are very few people who run their own generators for any reason other than service continuity.
All the indicators suggest that cloud computing is growing, but one fly in the ointment is security. Unlike electricity from the grid, IT is not a true utility. The value of the applications and data that it carries is both unique and sensitive.
Having IT that is delivered from multiple sources – including internal users, external clouds or even third-party partners – can make the enforcement of good security policies a complex process. The plethora of IT security devices are still needed whether or not resources are shared. Simple perimeter devices such as firewalls are now joined by IDS, IPS, NAC, gateway spam protection, malware and anti-virus, all spewing out information that causes overload for IT managers. Shared data centre environments compound this problem, where staff often don’t have a complete picture of what tenants are running within each rack.
With hosted or cloud security, one must make some assumptions yet still follow some well-established security principles.
We put our money in banks because we trust that banks have the internal safeguards to protect our assets. But we still make sure we don’t give away PIN codes for our cash card or leave chequebooks out in the open. We assume that banks are not stealing from us, but we still check our statements to make sure. We have to assume and then verify a certain level of basic security at our service provider. This process, however, is not a one-off – it needs to be verifiable across the lifetime of the service.
As organisations start to use shared resources, the same security policies that apply to internal IT need to encompass shared resources. Cloud service providers or multi-tenancy data centres are unlikely to allow access to full firewall logs or IDS data. However, data that are unique to the customer, such as user auditing, connection attempts, configuration changes or data anomalies, should be available, and the information should be used as part of security management.
If a hosted service provider cannot handle a security policy such as two-factor authentication, then instead of dropping the requirement, customers should look for a provider that does offer the solution. If there is enough demand, it will surely appear in the market.
The goal of reducing IT costs through sharing should not be at the expense of security. Having a clear understanding of your security policies, risks and processes ought to be in place internally, well before any attempt is made to simply drop the problem into somebody else’s lap.
Security information and event management (SIEM) tools can help in the understanding of an organisation’s current security posture and allow it to spot issues. However, just having a SIEM is not enough to secure shared or cloud services. Other technologies, including encryption and privileged user management tools, may have to come into play.
Part of the discussion around security needs to focus on audit and control. Even in a shared environment, a service provider must be able to provide the access and log information that is specific to the individual customer. These questions need to be asked up front, with clear processes to deliver this data to the client’s SIEM to ensure that threats are not going unnoticed within an environment that is outside of its control but still houses critical data.
The second generation of cloud providers are eager for business, and many recognise that offering a deeper level of security information is a potential differentiator in a market with lots of capacity but still-reluctant customers. The message is clear, demand security information from providers, and you will get it. However, be ready to deal with the information provided and be able to understand it as part of a mature set of security policies.
Steve Jenkins, VP, EMEA for Q1 Labs, came to Q1 from Isilon Systems, a provider of scale-out NAS, where as VP of EMEA he guided the successful creation, growth and expansion of a robust European market presence. Jenkins has over 20 years of experience within the industry at leading technology companies, including F5 Networks, Nortel Networks, Bay Networks and Wellfleet.