Locking Down the Cloud: Leveraging the Ecosystem
by Jess Iandiorio
Ryan Scheuermann recently came up with a good metaphor to describe the difference between managing security on your own servers, and using a cloud-based service.
“When you’re working with bare metal in your own location, it’s all up to you. It’s like the wild west,” he said.
“When you’re hosted in the cloud,” he continued, “it’s like being in a gated community: the cloud service providers have many services that you can take advantage of.”
“It’s still up to you,” said Ryan, who is the chief product officer and co-founder of Ceros, a cloud-based marketing platform that is used by global corporations like Kohls, ShopBazaar, and Peugeot. “But you have a lot more help.”
Today, the top cloud service providers not only provide a high level of security, they also offer integrated tools that enable customers to go the extra mile.
The big names in cloud services -- Amazon, Microsoft, Rackspace, Google, Dell, HP -- all publish extensive security resources. You can easily review them to satisfy yourself about their security.
Mark Stanislav, the Security Evangelist for Duo Security, the two-factor authentication firm, told me that it’s up to customers to make sure they are getting the packages they need.
“It’s essential that organizations determine the security capabilities of each service provider, how those capabilities mesh with the overall security strategy of that organization, and whether the security technologies available will be able to scale automatically as needed,” he said.
Fred Menge, the owner of the Tulsa-based digital forensics and e-discovery firm Magnir, advises organizations that are considering a migration to the cloud, to “perform an information security risk assessment” as part of their cloud product assessment and selection process.
Menge has even created an internet security assessment questionnaire that he gives to his clients so they in turn can give it to cloud providers.
“If the cloud provider is reluctant to complete our IS risk assessment questionnaire, they are not worth entering into an agreement,” he says. “It is that simple.”
When I asked Jason Sabin, the vice president of research and development at DigiCert, which provides SSL certificates [http://en.wikipedia.org/wiki/Secure_Sockets_Layer], what customers should look for in a cloud services provider, he had a laundry list.
“For any cloud-based service, encryption, authentication, and digital signing are must-haves,” he said. “Without these, cloud security cannot be trusted. Cloud service providers need to deploy publicly trusted and properly configured SSL certificates to safeguard all inbound/outbound communication to the cloud service.”
According to Jason, the goal is simple:
“Seamless security,” he said. “Any cloud-based service must have seamless encryption and authentication built into any automation systems, or any systems running in the cloud, period.” (Jason couldn’t help adding: “SSL certificates provide the best way to do that.”)
All of these cloud providers have native interfaces and consoles. But as your needs scale up, you’re going to need more. You’ll likely need a higher level of virtualization that will allow you to manage multiple servers, even multiple cloud providers.
This kind of software is often referred to as “configuration management tools,” “cloud management platforms,” or even “cloud service orchestrators.”
Some big names are in the space: Dell, Hewlett-Packard, Cisco Systems.
Smaller companies include: Rightscale, ServiceMesh, and BMC.
And then there are the open source automation tools, the best known of which are Puppet and Chef.
Justin Cuyler, the director of security and compliance here at Acquia, who manages the security for 6500 virtual servers for us at Amazon Web Services (have I thanked you lately, Justin?), has been impressed with how the ecosystem has developed.
“The tools are getting better and better,” he told me. “Tools like Puppet – which help handle configuration automation across large numbers of hosts – are essential for achieving consistency at large scale. Finding good tools to handle the old school gotchas like patch management is getting a bit easier as cloud providers continue to focus on maturing their marketplaces and the openness of their deployment tools. Obviously the commercial security vendors have done some nice work and their products are now mature enough where they deserve a serious look, but the open source options continue to be a compelling alternative.
Deploying security countermeasures like web application firewalls or centralized monitoring and logging becomes a lot easier when it can be done with pre-designed and tested scripts. It's an automation nirvana that IT shops have always strived for in their private data center environments, but probably never had the resources to pull off too well. In the cloud, it becomes a lot easier when your provider is totally focused on addressing the issue of consistency at scale.”
These tools allow you to place an abstraction layer between you and your growing crop of virtual servers. By using automation software, you can stay ahead of the upgrades, and thus stay ahead of attackers on the lookout for unpatched and vulnerable software.
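To make that abstraction layer concrete, here is an added Puppet manifest (not from the article, nor from Puppet, Ceros or Acquia) that enforces two of the controls Justin mentions on a Debian/Ubuntu host: patch management and centralized logging. The collector hostname and the packages chosen are assumptions.

```puppet
class hardened_baseline (
  # Assumed hostname of the central log collector (not from the article).
  String $log_collector = 'logs.example.internal',
) {
  # Patch management: keep security-critical packages at the newest version the
  # repository offers, so a stale OpenSSL or SSH daemon never lingers on a host.
  package { ['openssl', 'openssh-server']:
    ensure => latest,
  }

  # Unattended security updates keep hosts from drifting between Puppet runs.
  package { 'unattended-upgrades':
    ensure => installed,
  }
  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n",
    require => Package['unattended-upgrades'],
  }

  # Centralized logging: forward every syslog line to the collector over TCP
  # ('@@' in rsyslog syntax), so evidence survives if a host is compromised.
  package { 'rsyslog':
    ensure => installed,
  }
  file { '/etc/rsyslog.d/50-forward.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "*.* @@${log_collector}:514\n",
    require => Package['rsyslog'],
    notify  => Service['rsyslog'],
  }
  service { 'rsyslog':
    ensure => running,
    enable => true,
  }
}

# Apply the class on this host: sudo puppet apply baseline.pp
include hardened_baseline
```

Because every host converges on the same declared state, a box that was rebuilt or resized still ends up patched and forwarding its logs without anyone logging in to check.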
Puppet and Chef, by far the best known, now both have plug-in marketplaces that extend what they can do. Both have also grown companies around their open source cores to offer support.
The result, according to Justin: “Security automation in the cloud has gotten just too good to write off as not ready. People who looked at a cloud deployment nine months to a year ago and were not comfortable would probably be surprised at how far things have come.”