Cloud Security: Peeling the Onion

Discussions around cloud security tend to be framed in terms of lonely ships sailing into uncharted waters: “You don’t know what you’re getting into,” we’re routinely warned.

Actually, we do.

The fact is, the fundamental security challenges confronting a company seeking to source IT infrastructure services in the cloud are essentially the same as those faced in traditional outsourcing.  Various potential risks – data center vulnerability, network intrusion, unauthorized system access, data privacy, natural disasters, etc. – must be assessed and addressed to provide an acceptable level of security for data centers, operating systems, storage environments, and networks.

What’s different in a cloud setting?  It’s that the infrastructure “layers” involved may be more decentralized, are most likely shared with other customers, and have more complex IT operational processes, whereby processing may be moved among the provider’s data centers to load-balance.

Due diligence therefore comprises focusing on exactly the same traditional security concerns, asking the same “first round” questions about each infrastructure layer, and following up with more questions as complexities emerge. Ultimately, what’s needed to solve the mystery of cloud security is to “peel back the onion” – to systematically evaluate the security of each infrastructure layer, and to then assess additional risks inherent in the provider’s cloud architecture and operational environment.

Consider, for example, a virtual private cloud (VPC), where some, but not all, infrastructure components are dedicated to each customer.  In other words, CPUs and storage may be dedicated, while server racks and physical network segments are shared.  From a high-level perspective, assessing security may seem daunting as the environment is “new” and complex. But by systematically addressing the security concerns at each layer of the infrastructure “onion,” and then at the overarching cloud level, a viable approach readily emerges.

The first and foremost assessment question for a VPC is: What’s dedicated and what’s shared?  While this has to be understood at a very deep technical level in order to perform a security assessment, providers have this information readily available.  If the provider’s cloud solution has dedicated storage and servers, then the “first round” of due diligence is to use the customer’s “conventional” security criteria to assess the dedicated servers and storage security.  Specifically, the servers’ virtual and operating systems’ security is assessed as it would be in a traditional hosted server environment.

As for public clouds, in a VPC the shared infrastructure components and cloud operating processes create security risks above and beyond those in a traditional hosted server environment.  If server racks are shared, their architecture’s compliance with the customer’s security policies must be evaluated.  If the provider’s processes include moving data between data centers to balance loads, compliance with the client’s data privacy and security requirements must be addressed.

As a client, the key to evaluating cloud security is understanding the cloud implementation details and “peeling back the onion.” This approach leads to a series of tractable security assessments that can be addressed using conventional evaluation processes.  While the issues involved are complex, the complexity can be systematically addressed – layer by layer.