Security

Cloud Computing Tools: Improving Security Through Visibility and Automation

Many enterprises are reluctant to move critical cloud applications out of their own data centers and into the public cloud due to security concerns. Yet the same automated, consistent provisioning that is essential to managing either public or private clouds (as well as to the process of thinking through a cloud deployment) can also offer the fringe benefit of improving security.

Of course, not all cloud management tools work equally well with all cloud providers, nor do they all allow customers to manage their internal and external clouds as a single unit. Infrastructure-as-a-service (IaaS) providers such as Amazon, for example, typically don't allow customers to tweak the network and storage infrastructure beneath the operating system, forcing customers to trust that level of security to the vendor.

And while some customers will trust outside certifications, such as Amazon Web Services' Level 1 compliance with PCI DSS, others will choose to stick with a private cloud within their own firewalls, or create cloud environments at an external site using their own networks and keeping storage under their control.

[Also read SaaS, PaaS and IaaS: A security checklist for clouds]

Furthermore, compared to internal IT infrastructures, the public cloud requires more attention to components such as network firewalls, load balancers and network address translation to hide the public IP addresses most cloud providers assign to servers. But whatever the model, the automated, consistent processes required for large-scale cloud deployments not only increase the efficiency, reliability and performance of these environments, but also improve security.

Benefits of Thinking It Through

With physical servers, staging and setup is a manual, one-off job; however, with virtual machines (VMs), creating templates or policies for various types of servers forces organizations to "think about it more and plan for it," says Matt Conway, CTO of online backup vendor Backupify. "If you need to recreate [a type of server] quickly, you must script it and automate it."

And while conventional servers often run multiple types of software to provide different services, organizations often give VMs in cloud environments much more specialized personalities to perform specific tasks, says Patrick Kerpan, president and CTO of cloud management vendor CohesiveFT.

Standardizing these templates, he says, "is a security bonus because, to the average enterprise, anything that causes a change control ticket is a security risk."

Going through the process of deciding whether to host a particular application or service in the cloud and, if so, in what type of cloud, forces organizations to assess the value of an application or service. The resulting deployment decisions can improve those systems' reliability, uptime and efficiency, as well as their security, says Lilac Schoenbeck, a senior manager in cloud computing marketing at management software vendor BMC.

Much More on Cloud Security

• Cloud Security Alliance launches innovation program

• Reliability questions to ask your cloud provider

• 5 cloud security trends

• Hybrid clouds and security: Real-life tales

However, "security [staff are] often not invited to the cloud architecture discussion soon enough," she says, out of fear that their caution will block cloud adoption.

Organizations that use internal service catalogs or identity-management systems to control which users can access which applications can reuse much of that work to secure the cloud, says Andi Mann, vice president of strategy at software vendor CA. Enabling an end user to access cloud services, he says, requires some level of understanding of who they are and what they are allowed to do. Without a service catalog, "you're doing a lot of manual processing" to understand which cloud applications employees are using.

Automated Provisioning

Because so many security vulnerabilities are caused by human error, automating proper server configuration also automatically improves security. With cloud environments containing dozens, hundreds or even thousands of VMs, manual configuration would be outrageously expensive and time-consuming. Automated server provisioning tools reduce costs, increase business agility, and help prevent variations that could create vulnerabilities.

While not all automated server provisioning tools integrate well with every cloud provider, such tools can help organizations standardize on the right operating system, the right patch level, and the right configuration of middleware, databases, load balancers and management agents, says Mann.

They also enable administrators to easily control common security-sensitive settings, such as which ports are open and which services are running.

HyTrust's virtual management appliance, for example, provides server configuration templates, assesses security configuration of VMware vSphere hosts against industry frameworks, and automatically replicates policies and templates across multiple appliances.

Similarly, CohesiveFT sells the VPN-Cubed virtual firewall and router, as well as management tools for building VM templates and for automating common management tasks.

The particular needs of the cloud have led some service providers to develop their own tools. Internap, an IaaS provider, offers software that automates and audits the configuration of network switches in its cloud to create virtual LANs. This allows companies to more securely link their cloud-based virtual servers with the physical, dedicated servers within Internap's cloud that run demanding applications such as databases, says Paul Carmody, senior vice president of product management and business development.

Security administrators must also pass increasingly strict audits for compliance with either internal or industrywide security standards. Some cloud provisioning tools automatically produce such an audit trail, sometimes as a byproduct of the automated, policy-driven creation of servers that helps customers adapt more quickly to business needs or equipment breakdowns. Many automated provisioning tools provide reports on which users or administrators created and configured which servers.

Next Page: Embedded Security and Limitations...

Subscribe to the Security Watch Newsletter

Comments