Secure Cloud Computing: The future of Information Technology Management

Date: Monday, January 03, 2011

Cloud computing delivers convenient, on-demand access to software applications and services. The cloud computing paradigm—made possible by sophisticated automation, provisioning and virtualization technologies—differs dramatically from today’s IT model because it decouples data and software from the servers and storage systems running them and allows IT resources to be dynamically allocated and delivered as a service, either in component parts or as an integrated whole.

While the cloud provides organizations with a more efficient, flexible, convenient and cost-effective alternative to owning and operating their own infrastructure, it also makes mitigating risk more complex as it erases the traditional, physical boundaries that help define and protect an organization’s data.

However, at RSA, we believe that cloud computing will turn the way we deliver security inside out. And information security will enable cloud computing to take full advantage of the Internet, turning current IT models inside out as well. This means we can deliver new waves of efficiency, agility and collaboration for organizations of all sizes, since many of the physical operations and roles will converge, with virtual machine administrators playing the roles of network, storage and server administrator simultaneously.

Moving to the Cloud
In order for organizations to move their high-value business processes and regulated data into the cloud, the following points need to be tackled appropriately and adequately by service providers and cloud developers:
* Organizations have the onus of proving, on a continuous and reliable basis, that the infrastructure supporting their data and processes is secure. For this, the IT industry and cloud providers need to develop real-time monitoring solutions that provide configurable reports of actual conditions within the cloud.
* When companies outsource parts of their IT infrastructure to cloud providers, they effectively give up some control over their information infrastructure and processes, even while they are required to bear greater responsibility for data confidentiality and compliance. Many times, the consumer is carried away by the cloud service provider’s generic statements of compliance with industry standards. To satisfy requirements, a generic statement of control compliance may not be sufficient. Given that organizations have little option but to go by the word of the service providers or the service level agreements (SLAs), accountability needs to be fixed on all parties to the contract to ensure there is no breach or lapse of processes.
* Organizations running private clouds need to factor their cloud providers’ practices into their overall security and compliance assessments. For these assessments to be thorough and reliable, organizations need to learn as much as possible about their cloud providers’ security policies, procedures, systems and controls, some of which may be different from or incompatible with their own. Access to certain transactions, events and audit logs may be crucial for auditors. In a cloud, a company’s ability to audit security controls is low. In many cases, one may need to rely on the results of an audit performed by an independent third-party auditor, which are made available to all customers.
* The cloud introduces new risks resulting from co-residency, which is when different users within a cloud share the same physical equipment to run their virtual machines. The adoption of cloud-based services affects the level of control that an organization has on data security within the cloud. The shift toward cloud services is more than just a shift in technology. It fundamentally alters the way business and IT systems function. Creating secure partitions between co-resident VMs has proven challenging for many cloud providers. Challenges range from the unintentional – such as when a VM’s activities consume so much processing power and memory that it starves co-resident VMs of resources – to the deliberately malicious, such as when malware is injected into the virtualization layer, enabling hostile parties to monitor and control all the VMs residing on a system.
* Finally, cloud services are typically virtualized, which adds a hypervisor layer to the traditional IT services stack. Any new layer in the services stack introduces new opportunities for improving security and compliance, as well as new planes of exposure to risks. Organizations must evaluate the new monitoring opportunities and the evolving risks presented by the hypervisor layer and learn to account for them in policy-setting and compliance reporting.

Cloud Security and Compliance – What the future holds
The next frontier in cloud security and compliance will be to create transparency at the bottom-most layers of the cloud by developing the standards, tools and linkages to monitor and prove that the cloud’s physical and virtual machines are actually performing as they should. Verifying what’s happening at the foundational levels of the cloud is important for the simple reason that if organizations can’t trust the safety of their computing infrastructure, the security of all the data, software and services running on top of that infrastructure falls into doubt.

There’s currently no easy way for organizations to monitor actual conditions and operating states within the hardware, hypervisors and virtual machines comprising their clouds. However, cloud providers and members of the IT industry are collaborating on a conceptual IT framework to integrate the secure measurements provided by a hardware root of trust into adjoining hypervisors and virtualization management software. The resulting infrastructure stack would be tied into data analysis tools and a governance, risk & compliance (GRC) console, which would contextualize conditions in the cloud’s hardware and virtualization layers to present a reliable assessment of an organization’s overall security and compliance posture. This type of integrated hardware-software framework would make the lowest levels of the cloud’s infrastructure as inspectable, analyzable and reportable for compliance as the cloud’s top-most application services layer.

With this unprecedented level of visibility, we believe clouds can develop the infrastructure-level policy controls and the end-to-end security attestations to handle even the most demanding security requirements for applications and data. Ultimately, this will enable organizations to take advantage of the cloud’s benefits in supporting a much broader range of business processes.

The author is Country Manager – India & SAARC, RSA