Eric Vanderburg

Public clouds have been greatly promoted as an approach for organizations to reduce information technology (IT) costs and increase technology flexibility and scalability.  Cloud computing allows smaller organizations to employ IT services that would previously have been too expensive to implement due to high up-front infrastructure costs.  Companies can implement IT solutions faster in a public cloud because they do not have to spend time creating and configuring the technology environment.   Larger organizations, already familiar with remote computing operations, gain flexibility and scalability by utilizing cloud services or implementing private clouds to consolidate IT resources.

A public cloud, sometimes known as Infrastructure as a Service (IaaS), provides computing resources such as processing power, memory and storage to clients in the form of a virtual machine.  The details on the infrastructure hosting this virtual machine may be a “black box” to the customer similar to the Internet.  When you sign up for Internet access, you are provided with a line and bandwidth but you do not know how that service is provided to you, what route your data may take, and so forth.  Similarly, when renting public cloud space, you are provided with a virtual machine but you do not know the specifics of what is involved in providing it to you.

It may be difficult and somewhat unsettling to provide one organization with control over data and systems that are critical to another organization’s success.  Nonetheless, there is constant pressure to reduce IT costs by moving to public cloud services while still exercising due diligence in selecting a secure and reliable cloud provider. With the emergence of large companies like Microsoft and Amazon entering the public cloud marketplace, many major companies have felt more comfortable moving to the cloud.

However, the security of the public cloud is still passionately debated.  Recently, concerns of public cloud security arose with the release of findings from an investigation into four cloud service providers, Amazon, Gigenet, Rackspace and VPS.  Revelations of the above findings have focused on the following issues.

Intra-server security and vulnerabilities

Cloud computing offers customers computing resources generally in the form of virtual machines for rent at generally lower costs than the organization would incur by hosting the servers in-house.  Companies can achieve considerable savings through economies of scale.  The rented computing resources are just a portion of the available resources hosted by the provider as much of the infrastructure is shared between clients of the provider.  This model presents potential security risks to cloud computing clients if the rented space is not adequately separated from other customers.  Inadequate separation could give an attacker, who has compromised one client in the cloud, access to other clients.  Attackers could also rent space in the cloud and then use that space as a base of attack on neighboring clients.

Location concerns

Another risk of sharing cloud space is that the actions of shared clients on a public cloud could indirectly impact fellow users if servers that host multiple clients are blacklisted, thus, causing unavailability to multiple clients due to the actions of one in the cloud. In addition to this potential problem are the concerns about where the servers are actually located geographically.  The laws in one country may differ greatly and the cloud network may be subject to international laws.   There may be limitations on whether data can or should cross international boundaries and contract terms may be less enforceable in another country.

Data backups, restoration, and portability

Backup protocols may also present challenges to businesses moving their IT structure to a public cloud.  Backup sets, rotations and off-site storage are all managed by the cloud provider. Thus it becomes important to understand how the backups work, how reliable the service is, and how long restores are expected to take.  Recovery time is extremely important when essential data is missing from a production system.  It is also important to understand whether backup sets can be moved to another provider or to in-house operations if the contract with the cloud provider is terminated.  Backup operations are often conducted across many clients at once so it may not be possible to extract historical backup data for a specific client from the cloud.

The report found intra-server vulnerabilities – that data on other clients’ storage was accessible through shared disks and networks. The study was able to access other clients’ virtual disk drives which should have been inaccessible as well as access data from other client systems on the network.  These providers did not adequately secure the storage of data and networking resources offered to their clients, thus, leaving them open to a data breach or attack.   The virtual machines were housed on systems running outdated hypervisor software that was vulnerable to attack.

Evaluating a Public Cloud Provider

When evaluating a public cloud provider, consideration of the following security concerns may be utilized to determine if a potential vendor has the essential cloud security measures in place.

  • How soon are patches applied to hypervisors after they are released?
  • How often are vulnerability scans initiated on cloud equipment?  What is the average vulnerability remediation time frame?
  • Are systems periodically audited?  What were the results of the last audit report?
  • Is an intrusion prevention system in place?
  • Has an incident response plan been created and are response team members familiar with incident response procedures?
  • Are access requests to resources logged and monitored?
  • How are viruses and malware prevented?
  • Is server hardening performed on virtual servers before being issued to customers?
  • Are firewalls implemented between customers?
  • Is hard drive encryption available?
  • With which security standards such as ISO27000, PCI or HIPAA does the potential client comply?
  • What data recovery procedures are in place for client systems and what is the recovery time objective?
  • What method is provided for client management of servers?  How is access to the management interface authenticated and controlled?

In addition to the above questions, consider running a security audit on the virtual node prior to using it to verify that the above questions are sufficiently answered.  The selection of a cloud provider should be based on the security parameters that are provided and the implementation of necessary security controls.  The recent study demonstrated that security cannot be assumed even when large, reputable companies are involved.  Therefore, it is important to ensure that a cloud provider has these security controls in place by asking questions such as the ones in this article.