How Secure Is The Cloud?

Features
By David Strom
published

Application Protection

How well are Web applications protected?

Certainly, the least secure aspect of any cloud deployment is in its Web applications and how they are connected to the rest of the cloud-based infrastructure. The challenge is to virtualize as many of the protective devices/applications as are available on on-premises servers, such as load balancers, intrusion prevention appliances, and firewalls. The major cloud providers are beginning to add these tools to their list of services so that IT developers can migrate their applications to the cloud and still maintain the level of security that they have come to expect with the ones running inside their own data centers.

For example, Amazon's cloud-based servers can't send spoofed network traffic, no matter which operating system they are running. The Amazon firewalls will only allow traffic using its own source IP or MAC network address, which is a nice safeguard.

The CTO of Town and Country, Missouri-based cloud hosting provider Savvis, Bryan Doerr, talks about how automation can play a critical role in cloud security."We can automatically provision stuff quickly, but what we can't do is make decisions quickly. How long it will take me to add capacity to this app? How long to recognize a failure and respond? Now that we have all this infrastructure virtualized, and [have] automated these changes, we need to automate the decision making too. We need to close the loop from sense to decision. Virtualization has freed us from manually patching cables and setting up racks of equipment. We have to make these decisions in advance, define them in terms of policy, and then express those in terms of guides for our provisioning systems. The trick is to figure out how to help customers get down the road." Products such as Racemi's DynaCenter are just one of the many automation tools available for these sorts of tasks.

Finally, no matter what you do, don't be afraid to kick the actual tires and make a site visit to vet your vendor. "We made a personal visit to our cloud provider's location and saw what their UPS looks like and how they are managing their data center," says the USGA's Jessica Carroll. "That made us more comfortable with selecting them as our provider."

As you can see, there are a number of best practices and other steps cloud computing users can take to secure their operations. Security expert Bruce Schneier says, "You have to get smarter about negotiating your contracts for security services. We are going to see a lot more ways to connect untrusted devices to a trusted network," and cloud computing is just one of them.

David Strom
David Strom
Strom is the former editor-in-chief at Tom's Hardware and the founding editor-in-chief of Network Computing magazine. He has written thousands of articles for dozens of technical publications and websites, and written two books on computer networking.
14 Comments Comment from the forums
  • fstrthnu
    Answer: It's safe IF you play your cards right, but almost all of the time you can forget about decent security
    Reply
  • You haven't really addressed many of the security concerns IT pros have about "the cloud". Who potentially has access to my data, what controls are in place to keep that data safe (ie could a rouge employee rip backup of my DB and take it home)? How are other legal situations handled, such as warrants/requests for data from law enforcement, will the customer be notified, will the vendor simply comply, etc? What happens *IF* the cloud vendor goes out of business one day, where is my data (one would assume there would be warning signs before this happens, but stranger things have happened)? There are tons of questions with not many good answers out there.
    Reply
  • babachoo
    This article has been brought to you by domestic datamining organizations and the people they have in their pockets.
    Reply
  • gonebamboo
    Check out this cloud-based (Software as a Service) platform and its security architecture.

    http://www.otakhi.comhttp://www.otakhi.com/pages/security.html
    Reply
  • ludikraut
    This article barely scratches the surface of security issues surrounding cloud computing. It reads more like an executive summary than something I would expect to see on Tomshardware - very disappointing.
    Reply
  • Cloud computing is overrated. Your data will never be secure in someone else's hands. Any encryption can be broken with time.
    Reply
  • I didn't really see any mention of on-site encryption in this article, only transport encryption. Also, who assures us that claims made regarding security are entirely true instead of being marketing word-play which seems so popular these days. Only when a cloud service publishes results done by a third party auditor that I trust will I use them.
    Reply
  • gtaker
    If you are in the external cloud with your company your data will be compromise.. I'm 100% sure of that... we look at this cloud stuff 8 years ago and came to that conclusion if you need to do it, do it inside your company not outside...
    Reply
  • sadams04
    Security is always a concern, but my main concern with the cloud is around someone else being responsible for up-time / availability. Those priorities rarely line up across multiple companies. While you may recover lost revenue through a breach in service level agreements, you can't recover customer perceptions and experiences in the same way.
    Reply
  • perrakis
    There's an updated version of the Ponemon Cloud Security Study available from the report's sponsor, Dome9: http://www.dome9.com/resources/ponemon-cloud-security-study.

    Incidentally, Dome9 offers free cloud security for an unlimited number of servers. You can check them out at http://www.dome9.com. Essentially, their value prop is the ability to close administrative ports on a remote cloud server and make access available on demand. This is important in the cloud where your servers operate outside your traditional network, and leaving ports open exposes them to hackers, brute force attacks, and exploits.
    Reply