Welcome!

Server Monitoring Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Carmen Gonzalez, Ken Schwaber

Related Topics: Industrial IoT, IBM Cloud, Weblogic, Recurring Revenue, Artificial Intelligence, Log Management, Server Monitoring, @CloudExpo, Cloud Security, Government Cloud

Industrial IoT: Article

A Security Analysis of Cloud Computing

In a cloud environment, all security depends on the security of the cloud provider

Security Pavillion at Cloud Expo

With its ability to provide users dynamically scalable, shared resources over the Internet and avoid large upfront fixed costs, cloud computing promises to change the future of computing. However, storing a lot of data creates a situation similar to storing a lot of money, attracting more frequent assaults by increasingly skilled and highly motivated attackers. As a result, security is one - if not the - top issue that users have when considering cloud computing.

Cloud Security Concerns
Storing critical data on a cloud computing provider's servers raises several questions. Can employees/administrators at the cloud provider be trusted to not look at your data or change it? Can other customers of the cloud provider hack into your data and get access to it? Can your competitors find out what you know: who your customers are, what customer orders you are bidding on, pricing and cost information, and other critical data from your business? This information in the wrong hands would be devastating for a business. And what about privacy issues and government regulations?

In its young life, there already have been several cloud security breaches that show the threat is real. One of the more notable security incidents occurred in March 2009 with Google Docs, when a system error allowed the content of private documents to be exposed to everyone for a brief period of time. As a result of this security breakdown, a public interest group, The Electronic Privacy Information Center (EPIC), filed a detailed complaint with the Federal Trade Commission requesting an injunction against Google offering this cloud service until "safeguards are verifiably established" claiming Google's inadequate security is a deceptive business practice.

Situations like this one and other possible security problems have prompted numerous articles (for example The Twitterhack Is Cloud Computing's Wake-Up Call: Time for Security That Works) and white papers on cloud security. The Cloud Security Alliance, a non-profit organization comprised of security and technology experts, published an in-depth 83-page white paper Security Guidance for Critical Areas of Focus in Cloud Computing in April 2009. In addition to articles and white papers, research firm Gartner reports data access privileges, regulatory compliance, data location and data segregation/encryption among the top seven security concerns in cloud computing. Also, cloud computing security is one of the top ten 2009 trends identified in a survey conducted by CloudComputing.

Fortunately, there are several tools already developed for computer, network and storage security in a traditional enterprise environment that can provide security solutions for cloud computing. To establish a basis for the use of these tools, it is essential to understand one key difference between cloud computing and conventional data centers. Figure 1 shows the rather simple yet significant difference between an enterprise's data center and cloud computing. In cloud computing, several users' data is co-located and processed on shared equipment. In spite of the differences, there are similarities to enterprise concerns: access through the internet, critical storage requirements and potential for software attacks. If existing enterprise solutions are implemented and adapted to the cloud, cloud computing providers can create the security that customers require.

The difference between a conventional data center (see Figure 1a) is that it's just used by one enterprise and a cloud computing model (see Figure 1b) is that a single cloud provider hosts applications and data used by several enterprises.

A More Detailed Look at Cloud Computing Security Risks
Start-up companies, small businesses, mid-size and even large enterprises are interested in cloud computing. As a result, all of these potential users should be extremely interested in cloud computing security. A good starting point for assessing the risks in cloud computing is identifying all of the existing risks that cloud users from individuals to the largest companies and even governments encounter. Specific threats to security include:

  1. Failures in Provider Security
    In a cloud environment, all security depends on the security of the cloud provider. They control the hardware and the hypervisors on which data is stored and applications are run. Cloud provider security must be top-of-the-line.
  2. Attacks by Other Customers
    The cloud environment is shared among customers. If the barriers between customers break down, one customer can access another customer's data or interfere with their applications.
  3. Availability and Reliability Issues
    Cloud data centers are generally as reliable as enterprise data centers or more so. However, outages do occur. Also, the cloud is only usable through the Internet so Internet reliability and availability is essential.
  4. Legal and Regulatory Issues
    The virtual, international nature of cloud computing raises many legal and regulatory issues. First, export of data out of a jurisdiction may be restricted. If such export is permitted, which jurisdiction's rules apply in case of conflict? And who is liable for errors such as security breaches? These issues must be addressed for any sensitive applications of cloud computing.
  5. Perimeter Security Model Broken
    Many organizations use a perimeter security model with strong security at the perimeter of the enterprise network. This model has been weakening over the years with outsourcing and a highly mobile workforce. Cloud computing strikes its death knell. The cloud is certainly outside the perimeter of enterprise control but it will now store critical data and applications.
  6. Integrating Provider and Customer Security Systems
    Enterprises have spent decades developing a unified directory and other components of their security architecture: automated provisioning, incident detection and response, etc. Cloud providers must integrate with these systems or the bad old days of manual provisioning and uncoordinated response will return.

While there are proprietary solutions to these security problems, open solutions are easier to integrate with cloud providers and existing systems. Therefore, we must gain a better understanding of the security available through open technologies.

Countermeasures to Mitigate Risks
Addressing the six broad security threats identified previously entails a variety of countermeasures.

Threat 1 (Failures in Provider Security) encompasses most of the threats encountered in a typical enterprise. People are the greatest threat and countermeasure in security so screening, training, and monitoring of provider personnel is the most fundamental step to be taken. Physical and network security for cloud data centers are also essential.

However, cloud data centers introduce a new element that enterprise data centers have not traditionally faced: Attacks by Other Customers, threat 2 in the list above. In a cloud environment, customers are co-located in a single data center or even on a single server. These customers may be competitors. Some of them may even be hackers! Cloud providers are responsible for ensuring that one customer can't break into another customer's data and applications. The most common techniques used are virtualization (preferably via a hypervisor) and network separation (via firewalls, VLANs, and/or encryption).

The best way to ensure the reliability and availability of cloud services (addressing threat 3) is to work closely with your cloud provider and network service providers to verify and monitor their uptime. Today, uptime for most cloud providers is good but not perfect. Every major cloud provider has suffered significant downtime: Salesforce, Amazon, Google, etc. Many cloud providers don't provide Service Level Agreements (SLAs) guaranteeing uptime and the SLAs that are available provide meager recompense in case of outages. Don't forget to consider network uptime when determining cloud availability. If the network is down, who cares if the cloud is up?

Addressing legal and regulatory concerns (threat 4) generally requires calling in the lawyers and compliance experts. However, that doesn't mean that technical measures won't help. Many data breach laws include safe harbor provisions saying that if loss of encrypted data does not need to be reported. Whether this applies in your jurisdiction, using a Self Encrypting Drive (SED) is generally a no-brainer. With an SED, there's no need to worry about a hard drive or backup media being lost or stolen. Software encryption provides similar protection but with higher complexity, lower performance, and less security.

With security threat 5, the solution is as simple as eliminating the perimeter model and relying on alternate approaches. This apparently simple solution is not as easy as it sounds. It requires rethinking long-held architectural assumptions. But it also yields side benefits. By abandoning the assumption that all threats are external, we can achieve stronger protection against internal threats and greater flexibility to position trusted assets outside the traditional perimeter.

Cloud computing may seem different but in many ways it's just a simple extension of enterprise computing as we have known it for decades. As such, it should integrate with existing enterprise security systems. There's no need to reinvent the wheel. That's the essence of threat 6 and the basis for addressing it. Don't let cloud providers convince you that "it's different this time". Demand that they integrate with your existing systems such as your enterprise directory and your monitoring systems. Some cloud providers can do this and some cannot at this time. When comparing cloud vendors, be sure to factor in the cost of maintaining a new directory and monitoring system per cloud provider. If you don't consider this now, you'll soon find yourself with a mishmash of incompatible systems. Deprovisioning a user will take days or weeks. What a nightmare and security hole! Don't let it happen.

Different Security for Different Users
The attractiveness of cloud computing for a broad range of users may require differing approaches for use and security. At the one extreme, low-end users, such as start-ups, can use clouds for just about everything. The cloud provider's security and reliability generally exceeds that of a small enterprise. At the other extreme, high-end users such as large enterprises are more likely to employ a hybrid model. For legal and risk management reasons, they will keep especially sensitive data and applications in-house and may use an internal cloud. In between, mid-size enterprises can use clouds for many purposes including compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools and more.

Trust, but Verify
Cloud computing providers that can prove the trustworthiness of their resources will differentiate themselves from their competitors. To do this, they must have a way for customers to independently verify the security of the cloud service. Customers need to do more than just take the cloud provider's word for security.

To trust the security of a cloud provider, customers should be able to:

  • Verify the integrity of the machines at the cloud provider
  • Verify the identity of those machines as well as users, administrators and cloud customers
  • Verify what kind of network security measures are being used

The cloud provider that implements these types of security measures offers small and medium size enterprises improved security over what they probably have or would set up within their own organization. For many large enterprises, these steps are similar to ones that have already been or should be implemented.

Be Prepared
As computing takes a step forward to cloud computing, security should not move backward.  Users certainly should not accept moving backwards in terms of security. Going forward, computing technology and security must both advance together. Educate yourself about cloud security and you will be well prepared for the new world of the cloud.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments t...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...