services could be offered through partnerships with security vendors and manually designed and provisioned into the outsourced environment. In the new model, however, how providers are able to offer tighter integration with these services without losing full elasticity may be interesting. It may require creating optional service hooks from a provider's self-service portal to security service products, or perhaps developing interesting but complex multiservice cloud models provided by multiple specialty service providers. Either way, this challenge is probably worthy of a discussion in and of itself because of the number of additional issues it brings to mind. Note that some vendors do offer these capabilities today, particularly within virtual private cloud models, but of the vendors researched, none is fully addressing them for every model it offers.
Encryption capabilities for data-at-rest may be an interesting challenge as well. For example, given the previous environment traversal example, use of file-based encryption within a virtual environment would be essentially worthless in offering protection from remote access. If one can readily gain access to another's environment, this would also provide access to any front-end encryption mechanism used for file-based encryption within the virtual environment. Disk-based encryption becomes particularly challenging because of the nature of virtual storage and the potential lack of user organizational control over where data may be physically stored (which disk does one encrypt for a given customer, and what constraints arise from sharing physical disks among multiple customers?). It will certainly be necessary to explore a prospective provider's capabilities for encrypting data-at-rest and how well it addresses the shared concerns, especially for those organizations with regulatory requirements dictating the use of file- and/or disk-based encryption.
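The point about file-based encryption being worthless once someone can reach the environment comes down to where the key lives. The following added example (constructed for this discussion, not code from the article or from any vendor named in it) models that in Python: a "snapshot" dictionary stands in for everything an intruder who has traversed into a guest, or copied its disk image, can read. In the first model the file key sits in the same environment as the ciphertext, so the snapshot alone yields the plaintext. In the second model each file gets its own data key, wrapped by a key that only an external key service holds and releases to authorized callers; the snapshot alone then yields nothing. The `ExternalKeyService` class, its `authorized` set, and the file paths are all assumptions made for the illustration, and the HMAC-based stream cipher is a toy construction chosen to keep the example dependency-free, not a recommended cipher.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed paths standing in for files inside a guest environment.
FILE_KEY_PATH = "/etc/app/filekey"
WRAPPED_DEK_PATH = "/etc/app/wrapped_dek"
CIPHERTEXT_PATH = "/data/secret.enc"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR data with
    HMAC-SHA256(key, nonce || block_offset) blocks. Use a vetted AEAD in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def guest_encrypt(plaintext: bytes) -> Dict[str, bytes]:
    """Model 1: file-based encryption whose key is stored inside the same environment."""
    key, nonce = os.urandom(32), os.urandom(16)
    return {FILE_KEY_PATH: key,
            CIPHERTEXT_PATH: nonce + keystream_xor(key, nonce, plaintext)}


def recover_from_snapshot(snapshot: Dict[str, bytes]) -> Optional[bytes]:
    """What a party holding a copy of the environment can recover without any outside help.
    Succeeds only when the key itself is present in the snapshot."""
    key, blob = snapshot.get(FILE_KEY_PATH), snapshot.get(CIPHERTEXT_PATH)
    if key is None or blob is None:
        return None
    return keystream_xor(key, blob[:16], blob[16:])


@dataclass
class ExternalKeyService:
    """Assumed stand-in for a key service outside the guest (not a real provider API).
    It holds the key-encryption key and only unwraps for authorized callers."""
    kek: bytes = field(default_factory=lambda: os.urandom(32))
    authorized: Set[str] = field(default_factory=set)

    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        body = keystream_xor(self.kek, nonce, dek)
        tag = hmac.new(self.kek, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unwrap(self, wrapped: bytes, caller: str) -> bytes:
        if caller not in self.authorized:
            raise PermissionError(f"{caller} is not authorized to unwrap keys")
        nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        expected = hmac.new(self.kek, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check")
        return keystream_xor(self.kek, nonce, body)


def envelope_encrypt(plaintext: bytes, kms: ExternalKeyService) -> Dict[str, bytes]:
    """Model 2: a per-file data key is generated, used once, and stored only in wrapped form."""
    dek, nonce = os.urandom(32), os.urandom(16)
    return {WRAPPED_DEK_PATH: kms.wrap(dek),
            CIPHERTEXT_PATH: nonce + keystream_xor(dek, nonce, plaintext)}


def envelope_decrypt(snapshot: Dict[str, bytes], kms: ExternalKeyService, caller: str) -> bytes:
    """Decryption now requires the external service to release the data key to this caller."""
    dek = kms.unwrap(snapshot[WRAPPED_DEK_PATH], caller)
    blob = snapshot[CIPHERTEXT_PATH]
    return keystream_xor(dek, blob[:16], blob[16:])
```

Running `recover_from_snapshot` over the output of `guest_encrypt` returns the plaintext, which is the article's point: whoever holds the environment holds the front-end encryption mechanism too. Over the output of `envelope_encrypt` it returns `None`, and `envelope_decrypt` succeeds only for a caller the key service authorizes. Two caveats a practitioner should keep in view: the unwrapped data key still exists in the guest's memory while a file is being read or written, so this pattern protects images and storage copies rather than a live, fully compromised guest; and the authorization check is only as strong as the identity the key service can verify for the calling environment.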
"Though the inherent security challenges in virtualization are not new, how it is likely to be used by cloud-computing providers to achieve elastic IT environments on a grand scale poses some interesting security challenges."

It should be apparent by now that cloud computing is fraught with a number of security challenges. While some of the concepts and scenarios discussed here are focused on more advanced service models, the intent is to create a bit more awareness of what the industry will be faced with in moving toward these new models that offer greater levels of "true" cloud computing. Depending on the type of service model being discussed and the various use cases, exploring all of the challenges is all but impossible, especially in a single discussion. In addition, some of the security challenges discussed appear to be recognized by certain cloud providers but are primarily being addressed through the use of private cloud models (Amazon and OpSource are two such vendors offering answers within a virtual private cloud offering), suggesting perhaps higher costs versus a public cloud offering and/or limited availability of these answers within other cloud-delivery models.
The promise of what an elastic cloud-computing model could do for the IT world, however, is extremely invigorating and certainly worth pursuing. It can only be hoped that organizations already taking this path or seriously considering doing so will take the time to fully appreciate the security challenges facing them and whether or not adoption at this point fits into their risk appetite. Certainly, keeping these and other security challenges in mind while assessing how a prospective cloud provider can address these concerns (and at what cost and with what deployment constraints) should be a critical business objective.
Related articles on queue.acm.org

Cybercrime 2.0: When the Cloud Turns Dark
Niels Provos, Moheeb Abu Rajab, Panayiotis Mavrommatis
http://queue.acm.org/detail.cfm?id=1517412

Meet the Virts
Tom Killalea
http://queue.acm.org/detail.cfm?id=1348589

CTO Roundtable: Cloud Computing
Mache Creeger
http://queue.acm.org/detail.cfm?id=1536633
Dustin Owens (dustin.owens@bt.com) is a senior principal consultant with BT Americas' Business Innovation group. He provides consulting services centered on operational risk and security management for multinational customers, specializing in applying these concepts to various areas of strategic business innovation. He has more than 14 years of practical experience in addressing information security within distributed computing environments.