Cloud Computing Tools: Improving Security Through Visibility and Automation
Many enterprises are reluctant to move critical cloud applications out of their own data centers and into the public cloud due to security concerns. Yet the same automated, consistent provisioning that is essential to managing either public or private clouds (as well as to the process of thinking through a cloud deployment) can also offer the fringe benefit of improving security.
Of course, not all cloud management tools work equally well with all cloud providers, nor do they all allow customers to manage their internal and external clouds as a single unit. Infrastructure-as-a-service (IaaS) providers such as Amazon, for example, typically don't allow customers to tweak the network and storage infrastructure beneath the operating system, forcing customers to trust that level of security to the vendor.
And while some customers will trust outside certifications, such as Amazon Web Services' Level 1 compliance with PCI DSS, others will choose to stick with a private cloud within their own firewalls, or create cloud environments at an external site using their own networks and keeping storage under their control.
Furthermore, compared to internal IT infrastructures, the public cloud requires more attention to components such as network firewalls, load balancers and network address translation to hide the public IP addresses most cloud providers assign to servers. But whatever the model, the automated, consistent processes required for large-scale cloud deployments not only increase the efficiency, reliability and performance of these environments, but also improve security.
Benefits of Thinking It Through
With physical servers, staging and setup is a manual, one-off job; however, with virtual machines (VMs), creating templates or policies for various types of servers forces organizations to "think about it more and plan for it," says Matt Conway, CTO of online backup vendor Backupify. "If you need to recreate [a type of server] quickly, you must script it and automate it."
And while conventional servers often run multiple types of software to provide different services, organizations often give VMs in cloud environments much more specialized personalities to perform specific tasks, says Patrick Kerpan, president and CTO of cloud management vendor CohesiveFT.
Standardizing these templates, he says, "is a security bonus because, to the average enterprise, anything that causes a change control ticket is a security risk."
Going through the process of deciding whether to host a particular application or service in the cloud and, if so, in what type of cloud, forces organizations to assess the value of an application or service. The resulting deployment decisions can improve those systems' reliability, uptime and efficiency, as well as their security, says Lilac Schoenbeck, a senior manager in cloud computing marketing at management software vendor BMC.
Much More on Cloud Security
However, "security [staff are] often not invited to the cloud architecture discussion soon enough," she says, out of fear that their caution will block cloud adoption.
Organizations that use internal service catalogs or identity-management systems to control which users can access which applications can reuse much of that work to secure the cloud, says Andi Mann, vice president of strategy at software vendor CA. Enabling an end user to access cloud services, he says, requires some level of understanding of who they are and what they are allowed to do. Without a service catalog, "you're doing a lot of manual processing" to understand which cloud applications employees are using.
Because so many security vulnerabilities are caused by human error, automating proper server configuration also automatically improves security. With cloud environments containing dozens, hundreds or even thousands of VMs, manual configuration would be outrageously expensive and time-consuming. Automated server provisioning tools reduce costs, increase business agility, and help prevent variations that could create vulnerabilities.
While not all automated server provisioning tools integrate well with every cloud provider, such tools can help organizations standardize on the right operating system, the right patch level, and the right configuration of middleware, databases, load balancers and management agents, says Mann.
They also enable administrators to easily control common security-sensitive settings, such as which ports are open and which services are running.
HyTrust's virtual management appliance, for example, provides server configuration templates, assesses security configuration of VMware vSphere hosts against industry frameworks, and automatically replicates policies and templates across multiple appliances.
Similarly, CohesiveFT sells the VPN-Cubed virtual firewall and router, as well as management tools for building VM templates and for automating common management tasks.
The particular needs of the cloud have led some service providers to develop their own tools. Internap, an IaaS provider, offers software that automates and audits the configuration of network switches in its cloud to create virtual LANs. This allows companies to more securely link their cloud-based virtual servers with the physical, dedicated servers within Internap's cloud that run demanding applications such as databases, says Paul Carmody, senior vice president of product management and business development.
Security administrators must also pass increasingly strict audits for compliance with either internal or industrywide security standards. Some cloud provisioning tools automatically produce such an audit trail, sometimes as a byproduct of the automated, policy-driven creation of servers that helps customers adapt more quickly to business needs or equipment breakdowns. Many automated provisioning tools provide reports on which users or administrators created and configured which servers.
Next Page: Embedded Security and Limitations...
The very structure of a VM can also help boost security because its disk files include not only the required operating system, middleware and applications, but also the configuration settings that help ensure its security, says Michael Crandell, CEO of cloud management vendor RightScale.
When Jason Axne, systems administrator at conveyer belt manufacturer Wirebelt Company of America, backs up VM files, he knows that "all the security measures you have at the virtual server level are replicated, because it is a copy of that virtual server."
As organizations expand their use of the cloud, they often develop many different machine images for different workloads, says Crandell. If the images are managed properly, this encapsulated security information can help ensure that proper settings are automatically applied as new VMs are created. Done poorly, it can create a chaotic sprawl of server images, especially as new images with new names are created as patches and updates are applied to the original images, he says.
RightScale works to avoid this by creating a small number of base image templates that retain the same file name over time and are supplemented with the definitions required to provide specific services.
Another source of embedded configuration and security information that can be reused in the cloud is Microsoft Active Directory, which many customers already use for their internal repository of information about the characteristics of users and IT components.
Using Active Directory, customers can set policies to automatically configure servers based on which Active Directory Organizational Unit (OU) they are in, says Shahin Pirooz, executive vice president, CSO and CTO at cloud services provider Centerbeam.
With Centerbeam, he says, a user can drag and drop a VM into the right OU within Centerbeam's cloud to ensure it is configured correctly. Other cloud providers allow similar capabilities to reuse the Active Directory's configuration and security settings by using APIs to set up federated access control.
Genomic Health, a molecular diagnostics company, had to try several access-management vendors before finding Okta's identity- and access-management service. Okta's support of the security assertion markup language standard allowed Genomic Health to use its internal Active Directory to provide single sign-on services for more than 20 software-as-a-service applications, says Ken Stineman, senior director of computing and IT.
Egenera's PAN Manager uses virtualization to ease administration duties and help secure multitenant architectures, where different customers share the same hardware. PAN Manager virtualizes the network that connects VMs in the cloud, storing all server-specific and application-specific information on a storage area network rather than on individual servers. Because no application-specific information sits on the server, customers can share single or multiple platforms while ensuring their applications, data and network traffic never touch and thus don't pose a security risk, says Scott Geng, senior vice president of engineering.
Virtualization also makes it easier to set up test servers before deployment, which in turn makes it easier to test security and performance before putting servers into production, says Conway of Backupify. The tools (often open-source) that are used to monitor loads on systems can also uncover attacks, he adds.
If, for example, the tool detects a cluster-wide resource leak caused by one user, that could signal a distributed denial-of-service attack or some other attempted breach.
There is, unfortunately, no magic pill-no one everyday cloud management technique that addresses all of an organization's security needs. For one thing, the more that an organization needs complete and fine-grained security, the less it can piggyback on cloud management tools. This is because determining which applications can run on a server, or even which users can access that server, does not control which specific actions a user can or cannot take on that server. That level of role-based control is often required to ensure security or compliance with regulations governing data protection.
Tools such as Aveksa can control such finer-grained entitlements based on information from identity repositories such as Active Directory, says Vick Viren Vaishnavi, president and CEO of Aveksa.
The cost of conventional management tools is another hurdle, says Nand Mulchandani, co-founder and CEO of cloud management vendor ScaleXtreme. While a virtual machine might cost nine cents an hour, for instance, a system to manage it-such as the BMC BladeLogic management automation suite-"costs $1,500 per server," he says.
Such high costs force organizations with thousands of servers to go without automated patch or configuration management or audit compliance, he says, relying instead on scripts or manual processes. Schoenbeck counters that BMC's tools "enable you to gain control of [cloud servers], particularly in a world where they're so easy to get" to ensure they're being used appropriately, securely and cost-effectively.
Even the provisioning management tools now available for the cloud do not support every cloud provider, says Ken Owens, vice president of security and virtualization technologies at IaaS provider Savvis. That can drive up cost and complexity by requiring the use of multiple systems to manage servers in private and public clouds. Owens expects integration will become easier in the next several years as standard interfaces evolve.
Many infrastructure management tools fall down in the way they segregate cloud management, or even just virtualization management, from the rest of IT management, says Mann. "A good infrastructure management stack will manage the cloud through the same processes and capabilities as it manages internal IT."
Mulchandani also warns that some internal server management products were not built to run in the public cloud. Most patch management tools designed for internal corporate environments, he says, require an open inbound port to accept patch updates, something "you'd never be crazy enough" to allow on a public cloud server with a public IP address. ScaleXtreme offers a patch management tool that uses a one-way outbound HTTPS port.
Good cloud management practices aimed at reducing spending can also improve security. Take, for example, asset discovery tools, which uncover how many applications and other systems are in use in an organization and compare those findings with the list of applications that are officially on the books. These practices-often used when estimating how much capacity an organization will need in the cloud-allow a company to cut costs by eliminating unneeded or duplicate applications and bundling what had been one-off licenses into volume purchase agreements. These same tools also give security administrators a more complete list of the cloud applications and services they must secure.
Sometimes, the side benefits flow the other way-from security tools to other business processes. While the main benefit of single sign-on for Genomic Health, for instance, is improved security, it also makes it easier to track which employees have taken their required on-line training, Stineman says.
The real upside, he hopes, will be the ability to eventually speed the process of removing users' application access when they leave the company, eliminating the three to four hours of work it now requires to prove employees have been properly deprovisioned from all of the company's SaaS systems.
As more organizations move more applications to the cloud, many observers predict vendors will provide better integration between in-house and cloud management tools, and with premium services that give customers better control over and visibility into their cloud environments.
Using management tools to improve security can also boost the career of an IT manager, says Mann, by helping him or her move beyond being seen as an internal supplier of services to being treated as "a trusted adviser [with] the experience to provide these cloud services to the business," bringing IT's proven expertise with managing secure internal environments to the cloud.