Cloud Security: The Essential Question
The control figure here became a hit. So far as I know it’s the first of its kind, but I’ve seen it reproduced or imitated by others. As recently as June 2013 I found an article incorporating it with attribution and a nice comment from the author. The way my figure keeps reappearing suggests that indeed, “who is in control” remains the essential question, but the answer is getting more complex, just as real clouds in the sky take many forms: stratus, cirrus, cumulus, etc.
Both my classic diagram and some variants I’ve seen all use my original color scheme, so that “as we move from left to right in the diagram and put more and more control in the hands of [public cloud] service providers, the outlook shifts from fair weather green to ominous red.”
In a sign of the times, a new administration came to Washington in 2008 with visions of consolidating more than 2,000 Federal data centers; its Office of Management and Budget (OMB) proclaimed a strong mandate that new Federal projects must consider cloud computing. Hundreds or thousands of VMware, Citrix, Sun or Microsoft (Hyper-V) installations in private data centers were rebranded as “private clouds” even if they didn’t really deserve that name.
You can legitimately call something a “private cloud” if it offers push-button self-service VM deployment (perhaps with workflow authorization) to business users. It is then a highly dynamic little replica of Amazon Web Services (AWS) within the constraints of its Service Catalog. But from the security perspective, internal private clouds have more in common with dedicated IT than with the likes of AWS, because they remain under an organization’s direct control.
IT security never really could keep all their sensitive data out of the public cloud. The question for security pros evolved from “IF” to “HOW MUCH” and may eventually just become “HOW?” And the diagram with its red, yellow and green colors looks increasingly simplistic: a typical big application today runs on a stack that’s more complex than SaaS, PaaS and IaaS, with multiple components and critical dependencies off to the side. Service providers leverage each other too. Think of a large travel reservations service with a devops team of 10 running on EngineYard (PaaS) hosted on AWS (IaaS) but also using other service providers for source code vaulting, credit card processing, service monitoring, service instrumentation and content delivery network. That’s the real world now. Who is in control of that?
That raises the question: is it time to change the color scheme? Perhaps we can look to the original post for answers.
“I paint the functions these services control an alarming red. To see why, we must ask: Do they [the CSPs] provide assurances? No. The major public cloud computing providers generally offer no SLAs at all. They accept little or no liability even for the security measures their own advertising claims to provide. Can we trust them? The short answer is no. Their actual security measures are obscure, vulnerabilities undisclosed, and audits unimpressive.”
- How secure are the CSPs for your use case?
- How secure are these CSPs’ supply chains in your use case?
- How do you secure your use of the service with compensating controls?
- How well do you manage and coordinate operations with the CSPs?
- How will you monitor all CSPs on an ongoing basis?
- What is your business continuity plan?
Imagine asking those questions for each service you use and you’ll quickly see you need to develop an enterprise cloud security strategy and architecture to provide some repeatable methodologies and leverageable capabilities. I have been recommending that enterprises take this step for years and have advised or consulted with many customers on how to embrace cloud computing within their enterprise security program and enterprise architecture. If you have access to Gartner for Technical Professionals content, you should read
- Developing a Cloud Computing Security Strategy
- Determining Criteria for Cloud Security Assessment: It’s More Than a Checklist
In an upcoming post on this blog I’ll provide a summary of some of the key points from those documents and then go beyond their 2010 through 2012 thinking to focus on my second bullet which gets to the difficult question of how to assess security in “hybrid IT” use cases.