budgets available to develop, build,
and support ongoing use of these resources, can now be provided to small
to medium organizations. In addition,
these resources can be added, changed,
or removed much more rapidly, potentially allowing for exponential advances in operational efficiency. These
sorts of changes to major IT services
environments that previously (and for
the most part currently) took months if
not years to plan and execute might be
done in a matter of minutes or hours
if elasticity holds up to its promise. In
other words, elasticity could bring to
the IT infrastructure what Henry Ford
brought to the automotive industry
with assembly lines and mass production: affordability and substantial improvements on time to market.
Enlightening as this realization has
been, it has also become clear that several monumental security challenges
(not to mention many monumental
nonsecurity-related challenges, not
least of which are full functionality
availability and how well an organization’s environment is prepared to
operate in a distributed model) now
come into play and will need to be addressed in order for the elasticity element of cloud computing to reach its
full potential. Most of the dialogue
I am engaged in with customers today and that I see in publicized form,
however, is simplistically centered
on security challenges with IT outsourcing in general. These are challenges that have existed for some time in
the predecessor models mentioned
earlier: who within an outsourcer is
able to access a customer’s data, perimeter security considerations when
outsourcing, DOS/DDOS (denial of
service/distributed denial of service),
resource starvation, and compliance
challenges with where data is stored
or backed up. These are all challenges
that I have provided counsel on for
many years and are nothing new or insurmountable. Don’t misunderstand
me. These challenges are indeed very
real and still need to be addressed, but
I strongly believe most should be fairly
well known by now and can be readily met through existing procedural or
technological solutions.
The challenges I am more concerned about are those introduced by
adding elasticity and on-demand self-service to form the full extent of cloud
computing—those elements that in
my opinion make a particular service
something more than just an outsourced service with a prettier marketing face.
Elasticity Security Challenges
Enabling elasticity in the cloud strongly implies the use of virtualization.
Though the inherent security challenges in virtualization are certainly
not new, how it is likely to be used by
cloud-computing providers to achieve
elastic IT environments on a grand
scale poses some interesting security
challenges worth exploring in more
detail. In addition, as virtualization
technology continues to evolve and
gain popularity, so does the discovery of new vulnerabilities; witness
the recently announced vulnerability (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733) whereby one is able to traverse from one virtual machine (VM) client environment
to other client environments being
managed by the same hypervisor.
These new vulnerabilities could
have significantly greater impacts
in the cloud-computing arena than
within an organization’s corporate environment, especially if not dealt with
expeditiously. Case in point: imagine
that many customers are being managed by a single hypervisor within
a cloud provider. The vulnerability
shared above might allow a customer
to access the virtual instances of other customers’ applications if not addressed. Consider the impact if your
bank or particularly sensitive federal
government or national defense information happens to be managed in this
sort of environment, and the cloud
provider does not immediately deal
with, or even know about, a vulnerability of this nature.
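The shared-hypervisor scenario above can be checked from the provider side. The following is an added example, not part of the original article: it lists hypervisor hosts where an unpatched guest-isolation flaw would put one customer within reach of another. The inventory, host names, tenant names, and patch flags are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): (VM, hypervisor host, tenant).
VMS = [
    ("vm-01", "hv-a", "tenant-bank"),
    ("vm-02", "hv-a", "tenant-retail"),
    ("vm-03", "hv-a", "tenant-retail"),
    ("vm-04", "hv-b", "tenant-bank"),
    ("vm-05", "hv-c", "tenant-gov"),
    ("vm-06", "hv-c", "tenant-retail"),
]

# Constructed patch state per host for one hypervisor advisory.
# True means the vendor fix has been applied.
PATCHED = {"hv-a": False, "hv-b": False, "hv-c": True}


def cross_tenant_exposure(vms, patched):
    """Return {host: sorted tenants} for unpatched hosts shared by >1 tenant."""
    tenants_by_host = defaultdict(set)
    for _vm, host, tenant in vms:
        tenants_by_host[host].add(tenant)
    exposed = {}
    for host, tenants in tenants_by_host.items():
        # A host with unknown patch state is treated as unpatched (fail closed).
        if not patched.get(host, False) and len(tenants) > 1:
            exposed[host] = sorted(tenants)
    return exposed


def tenants_to_notify(exposed):
    """Map each tenant to the other tenants sharing an exposed host with it."""
    peers = defaultdict(set)
    for tenants in exposed.values():
        for tenant in tenants:
            peers[tenant].update(t for t in tenants if t != tenant)
    return {tenant: sorted(others) for tenant, others in peers.items()}


if __name__ == "__main__":
    exposed = cross_tenant_exposure(VMS, PATCHED)
    for host, tenants in sorted(exposed.items()):
        print(f"{host}: unpatched, shared by {', '.join(tenants)}")
    for tenant, others in sorted(tenants_to_notify(exposed).items()):
        print(f"{tenant}: co-resident with {', '.join(others)}")
```

An unpatched host with a single tenant (hv-b here) still needs the fix, but it is left out of this report because no second customer is on it.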
With this bit of background, it is
clear that providing adequate administrative separation between virtual
customer environments will be a significant security challenge with elasticity. Cloud providers will need to be
prepared to account for and show how
their particular services are able to
control vulnerabilities such as the earlier example and keep similar yet-to-be-discovered
vulnerabilities from having
devastating impacts on their custom-