While many enterprises around the world rightfully remain cautious about moving their data to the cloud, EMC Corp.’s security division (RSA) is arguing that cloud security has the potential to surpass the typical level of in-house data security available today.
The idea comes out of a new RSA security briefing (which was written by security experts from EMC and VMware Inc.) that outlines best practices for protecting enterprise data and user identities in the cloud.
The whitepaper advocates measures such as carefully drafting a service level agreement (SLA), requiring cloud providers to ensure multi-tenancy and data isolation, and ensuring your in-house system administrators can still access and configure the environment.
There are a few other great tips in the security brief, the rest of which can be found here, but there’s also a very troubling claim made in the paper that I must highlight.
RSA argues that because physical servers are being replaced by virtual ones, this will apparently give the technology industry a “once-in-a-career opportunity” to make IT security faster and more efficient.
“Cloud security has vast potential to surpass the levels of information security that are possible today,” the report indicates.
RSA added that security will not be tied to OSs, networks, and applications as an afterthought anymore, as security protocols can be built into the virtualization layer. This will embed security policies deep into the technology stack and spread them throughout the cloud, the security firm argued.
While all these points might be true, I still don’t see how this demonstrates the cloud’s great potential to surpass our current levels of data centre security.
In fact, I think most enterprise IT shops are smart enough to see through this. Cloud security will never be any more secure than the security measures you develop in-house. It would be quite illogical to ever think otherwise.
If this was the case, why wouldn’t we see the same principles that RSA is outlining transferred to the physical world?
David Senf, the director of IDC Canada Ltd.’s infrastructure solutions group, agreed with me, saying that just because security is enhanced in the new virtual layer, it does not mean security will be enhanced overall.
“There are a number of new steps towards better security that firms need to consider as cloud adoption builds,” he said. “One of those is security of the VM and between VMs, agreed. But issues such as network segmentation, firewalls/IDP, data classification, access rights, good change management practices and so on are still very much present in the cloud — and at all layers of the stack.”
Good points, Senf!
When I asked Eric Baize, a senior director at RSA’s secure infrastructure group, why cloud and virtual environments could potentially be more secure than their physical-world counterparts, he told me that there’s a unique opportunity to embed “specific security controls” that can be taken away from the application layer and put directly in the infrastructure.
“So the security enforcement of the policy becomes handled by the virtual infrastructure instead of being handled by the application,” he said. “This is a very important technological shift.”
Baize added that security has historically been handled as an afterthought in the evolution of technological infrastructure over the last 20 years, referring to the development of the virtual private network (VPN) to bring encryption to the Internet.
But for me, all of this misses the point and certainly doesn’t prove cloud security will be any more effective than what you can bring into your data centre.
Sure, cloud vendors will tout things like “the ability to isolate and compartmentalize your computing and applications will make things more secure,” but to me, all they are really describing is a best practice on how to operate in the cloud.
You can isolate your workloads in your own data centres, can’t you? This feature is obviously crucially important to cloud providers, so they can establish multi-tenancy and data isolation.
This isn’t a security feature, so much as it is a basic rule that cloud providers are going to need to follow to ensure their customers can share the same physical computing, storage and network infrastructure.
The RSA report advises that the best way to ensure secure data isolation and multi-tenancy is for enterprise customers to require maximum transparency into their cloud providers’ operations.
“Cloud vendors should furnish log files and reports of user activities,” the report advises. “Some cloud vendors are able to provide an even higher degree of visibility through applications that allow enterprise IT administrators to monitor the data traversing their virtual networks and to view events within the cloud in near-real-time.”
Wouldn’t we be doing all this stuff in our own data centres as well? I would hope so.
When we move key elements of our IT infrastructure to the cloud, we certainly give up some of the control we have over it. We can’t see it or touch it. Plus, we’ve added a third party into the mix.
All of this applies to both private clouds and public clouds.
Of course, moving to the cloud isn’t a huge danger to your organization like many enterprises out there might believe (and really that’s why RSA is making these bold claims in the first place).
You just have to choose your provider wisely and actually develop a strong business case for making the switch.
That principle applies to every single IT project since the beginning of time.
Some of the other best practices RSA lays out are actually pretty valuable in helping you determine whether your vendor or systems integrator is up to the challenge.
And this is the type of information that we need RSA to be releasing more often, as opposed to delusions that our security will eventually be enhanced by moving off-site.