Cloud security: How to make the switch

When you move to the cloud, take your security with you rather than accept the lowest-common-denominator measures on offer, says Rik Ferguson
Written by Rik Ferguson, Contributor

Traditional security measures are inadequate in virtualised environments. So you just have to do things differently when moving to the cloud, says Rik Ferguson.

Despite the obvious commercial and technological benefits of the cloud, enterprise adoption is still in its infancy.

In survey after survey, the primary barrier at an executive level to the adoption of cloud services is security. Executives are concerned that provisioning data and servers from a third-party datacentre will mean compromising their present level of security, their control and their access to logging and audit information.

So what is really powering the cloud? Datacentre virtualisation, virtual desktop infrastructure, shared storage, and IaaS, PaaS and SaaS have changed the architectural game, possibly more than any other innovation in the past 15 years.

Architectural-level security challenges

None of the traditional security concerns disappears — although they often have to be addressed in new ways — but new security challenges arise, many of them at an architectural level, which do not have a counterpart in their physical forerunner.

Firewalls at cloud providers must operate as lowest-common-denominator security devices, configured for the least secure customer, but perhaps not for you. Cables, switches, bandwidth, virtualisation platforms and SANs must all be considered a shared resource and as such, untrusted.

Many aspects of traditional infrastructure are collapsed into the hypervisor or the abstraction layer of the virtualised SAN, and much security technology and security provisioning becomes an unacceptable bottleneck and business disabler when crowbarred into an unforgiving infrastructure. This situation inevitably undermines both the confidence and the compliance of potential customers.

Colocation of virtual instances and data with that of strangers, competitors and possibly even malicious actors — we have already seen criminal activity being hosted in Amazon's EC2 cloud, for example — brings a host of new challenges.

How do you maintain confidence that a dormant virtual machine is free of infection or that it will not be grossly out of date and at risk when you bring it online? How do you manage traffic between virtual machines from a security standpoint?

Traffic that travels from machine to machine on the same hypervisor does not touch your physical network and as such, traditional security techniques and technologies will be blind to any risk.

How can you deal with emerging threats such as malware capable of breaking out of a virtual machine to infect the host operating system? What mitigation exists against insider attacks, and how can you ensure that only you have access to your data? How do you maintain an effective patching regime in a zero-downtime environment?

For security to be effective in the cloud, it needs to be enforceable, configurable and auditable at virtual machine level. Deep packet inspection firewalls and application-level intrusion prevention are key technologies here.

Traditional security approaches for virtualised environments prove inadequate on a number of levels. Most obviously, they can place a heavy load on the host operating system, especially when it's time for a regularly scheduled scan to take place.

Typically, they are not aware of the virtual infrastructure, so simultaneous full-system scans can cause huge performance degradation.

In most cases virtual-machine security techniques are also unable to scan or update dormant machines. This failing means that when the machines are brought online, they may be at risk because their virus pattern files may well be out of date.

New approach to cloud security

But the virtualisation environment gives us the chance to do things a little differently, if we just apply a little thought. The security industry needs to be an enabler in the move to the lower-cost, more agile, greener world of cloud computing.

We need to ensure that we are building technology designed for tight integration in this changed enterprise landscape — technology that transparently adapts between physical and virtual deployments under a common management infrastructure.

In the cloud you rarely get to meet your neighbours. Criminals are already finding victims there or may even be moving in themselves.

The technology also needs to be capable of enforcing the correct security policy regardless of the physical location of the server that is being protected. Otherwise, in the drive to lower operating costs and increased business agility, effective security might find itself the first casualty.

In the final analysis, security in virtualised or cloud environments is essential simply because the safety of customers, employees and the business itself should not be sacrificed in the name of economy.

When you move to the cloud, make sure you take your security with you instead of accepting the lowest-common-denominator security on offer from the provider. After all, it only takes a credit card to bypass the perimeter.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has more than 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.
