A CSO’s guide to cloud security and moving to public cloud
CloudPassage provides Halo, the first platform to address the security challenges of dynamic cloud environments. Delivered as a Software-as-a-Service (SaaS), Halo includes all the security functions companies need to safely deploy servers in public, private and hybrid clouds, from dynamic firewall automation to vulnerability assessment, file integrity monitoring, event logging and alerting to two-factor authentication.
Rake Narang: What are the unique security considerations of the public cloud? Who holds responsibility for securing servers in the public cloud - is it the cloud hosting provider or the user?
Rand Wacker: While many CSOs and IT managers believe they are liberated from worrying about security simply by deploying their data on a public cloud infrastructure, this is rarely the case. The truth is that cloud security is a shared responsibly between the provider and the tenant. The responsibility for virtual server security rests squarely with the user/tenant, while the provider is responsible for securing the shared network, hardware and hypervisor environments that support the guest virtual machines
When it comes to identifying who is responsible for security at each layer, we only need to look at who has control of the layer. The amount of control varies with the type of cloud deployment. For example, in an Infrastructure-as-a-Service (IaaS) cloud, both the tenant and provider control the same number of layers. Meanwhile, in Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) clouds, a majority of the layers are controlled by the provider. Security responsibility at each layer rests with whoever has control. With the exception of SaaS, note that the tenant controls multiple layers, and thus has actionable security responsibilities within the cloud stack.
Almost all providers spell this out clearly in their SLAs and advise their customers to implement firewalls, intrusion detection and other security controls. Be aware that some providers leave their customers in the dark on this critical issue, so it is one of the first questions any potential user should ask before launching their servers in the public cloud.
About Rand Wacker
Rand Wacker is vice president of product management for CloudPassage, with a goal of enabling the adoption of disruptive cloud computing services by solving the security and compliance needs of customers moving from traditional data centers into public and private cloud infrastructures.
Rand joined CloudPassage from Cisco Systems Security Business Unit, where he led work on products in multiple security markets, including firewall, intrusion prevention, content security and compliance. Before Cisco, Rand led multiple product lines at IronPort Systems, which was acquired by Cisco for $830M. He has held engineering, marketing, and strategy roles at Sendmail, Amazon and Oracle.
Rake Narang: Is it easier for companies that start with the private or hybrid cloud to then move to the public cloud, or is that just a misconception?
Rand Wacker: Most companies begin with the private cloud because they plan to utilize traditional security controls like perimeter and hypervisor-based defenses. Unfortunately, this approach makes it almost impossible to transition workloads to public cloud infrastructures as most IaaS providers will not allow access to the network or hypervisor that a customer would expect in their own data center.
Since private cloud architectures most closely mimic traditional on-premises datacenters and virtualization infrastructures, people often think that they can deploy the same technical controls to protect them. For the most part, they’re correct. The problem, however, is that the benefits of cloud computing, namely elastic operation and dynamic state of the cloud servers, have the potential to break traditional security tools. Static firewall configurations work well in a static environment, but if the IP address is constantly changing, the organization will forever be updating firewall rules to adapt – something that may cause an unacceptable amount of downtime in a production environment. Also, if a server is only spun up to handle dynamic workloads, how likely is it that the server will comply with the organizational baseline for server deployment? Will the server be patched before performing the dynamic task?
More problematic though is that since these controls will not work in a public cloud providers infrastructure, people who develop a security architecture that starts with a private cloud deployment will often be locked into that private cloud environment, and limit their portability to other public or even different private cloud architectures.
Rake Narang: What are the primary concerns of PCI in the cloud? Is it possible for companies to truly achieve PCI compliance in the cloud?
Rand Wacker: Cloud-based environments introduce new PCI DSS compliance concerns, and many retailers incorrectly believe that their cloud hosting provider’s compliance carries over to them. This is a popular misconception. In actuality, the provider is only responsible for the portion of the infrastructure that they control.
Most cloud service providers will accept responsibility for ensuring that their infrastructure is PCI compliant from the physical equipment up to, and including, the virtualization hypervisor software. Customers are usually responsible for the security of the cloud server instance operating system, applications, data and client communications. This shared responsibility for compliance means that users and providers must work together to achieve continuous PCI compliance.
With recent guidance updates from the PCI Council on public cloud computing, it is clear that PCI compliance in public IaaS providers is indeed possible, but customers will need to re-think where a number of their controls are deployed, and what new technologies may be required in order to ensure that they can continue to use cloud resources in the dynamic and automated way that brings them the benefit of business agility.
Rake Narang: What are your predictions for what’s to come in 2013?
Rand Wacker: 2010, 2011 and 2012 saw extensive pilots of using public IaaS providers in order to extend organizational understanding of cloud computing. As companies have begun to understand that “cloud” means more than where resources are hosted, and instead represents a new way to provision, consume and pay for resources, operational delight with their public cloud pilots are causing many companies to want to re-tool their private data center resources in a more dynamic “cloud” fashion.
With the embracement of cloud architectures in both public and private environments, the tools and processes for achieving compliance mandates will need to evolve as well. While previous cloud compliance work has focused on how to pass audits in a virtualized environment, more and more compliance officers and outside auditors are becoming cloud-savvy and will expand the number of customers certifying their PCI, HIPAA, and Sarbanes-Oxley environments on IaaS platforms.
Finally, with the entry of several new and very large public cloud providers, expect a further commoditization of compute, storage, and network services, leading to further decreases in pricing that will benefit consumers and drive increased public cloud adoption.
153 Townsend St., Suite 650; San Francisco, CA 94107 U.S.A.
Founded in: 2011 CEO: Carson Sweet Public or Private: Private Head Office in Country: United States Products: Halo cloud infrastructure security platform Company's Goals: Provide a dynamic security-as-a-service solution that allows customers to achieve compliance and security goals for systems running on public and private infrastructure-as-a-service cloud computing platforms. CloudPassage Halo is the only security product on the market that enable customers to secure their cloud infrastructure, while maintaining the self-service, high automation and metered usage benefits of cloud computing.
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN