Like all other cutting-edge technologies, cloud computing has a number of security issues that are peculiar to the medium. While none of these are insurmountable, it is still necessary that they be handled correctly. Since most of the environment is virtual in nature, the security and business continuity challenges are very different from those faced by more traditional IT centers. Today, about 40% of servers are virtualized and it is expected that in another five to six years, nearly 86% of servers will be virtual. Therefore the challenges of managing the security of virtual devices will only increase. The key areas that will have to be addressed in the future are –
- An exponential growth in data volumes and mobility – The virtual environment encourages mobility of the user. In this environment, databases, workloads and workflows are all increasingly used by mobile users. This virtual environment is regularly backed up on physical drives in the data center. In a number of cases, hourly instances of the virtual servers are maintained as snapshots. While this is very easy to do and gives the IT administrators great ease of management, sensitive data ends up being stored in different locations. This data has to be managed with care and administrators have to ensure that there is no compromise on security. This requires a well-planned, structured workflow to manage backups and data.
- Is the shredder working? – With the large number of copies of data being stored on physical media, there has to be certainty that all of it gets deleted securely.

Fortunately, these challenges have been well understood and handled. The following key steps are implemented routinely by all good cloud service providers to ensure that the client’s data and processes are secure –
- Data Isolation – This ensures that data and virtual instances of the servers that handle critical data are isolated from commonly used components of the system. Thus even if there is a security issue with the cloud hypervisor, the critical data continues to be isolated and is never exposed. Essentially, what data isolation implements is a philosophy and not merely a technology. Based on the structure of your application, your data isolation procedures could be different from those used by another company.
- Separation of Responsibility – Companies take steps to ensure that duties, responsibilities and privileges are distributed among administrators in such a way that no single person can abuse his privilege to impact a system.
- Using established standards – Companies that build robust applications use established standards that have been tested adequately and are in extensive corporate use. An example is the use of the PCI-DSS – the Payment Card Industry Data Security Standard. Following standards such as this also ensures that regulatory compliance issues are handled adequately.
- Ensuring multi-tenant protection – Good solutions ensure that in shared environments with multiple tenants in the data center, there are strong and effective controls over instances of virtual machines and data and there is no possibility of one user being able to gain access to data belonging to another.

Once these steps are implemented, the entire VM lifecycle is managed securely starting from its provisioning, starting up the instance, using it, backup and recovery, and finally its deletion. Besides this, any product that is chosen must also comply with a number of other requirements to ensure that your business stays agile and responsive.
- Your service provider must support a flexible deployment – There could be a number of occasions when you want to use hybrid clouds or even keep some critical data in your own premises to meet regulatory or security needs. This could happen after your services have already been launched from (say) a public cloud. The solution provider must be able to support this.
- Deployment must be fast – Predefined, encrypted server images can be used to speed up the process. These can be modified post-deployment to cater to your specific needs. This will ensure that you do not lose fleeting opportunities.
- Administration must be very intuitive, menu driven and efficient – Since the churn in IT sector manpower is a known phenomenon, you should not have to invest too much time and resources in training new staff. The solution you choose must provide administrators with efficient dashboards from where the entire set of virtual machines can be managed efficiently.
Many users also give great importance to integration with third party applications. You may not need this capability today, but at some time in the future, the need could arise. You would not want to make major changes to your application just to ensure this.
With cloud computing services becoming the backbone of many companies, selecting service providers who offer these fundamental capabilities will help you get the best from your cloud investments.
About the Guest Author:
Sanjay Srivastava has been active in computing infrastructure and has participated in major projects on cloud computing, networking, VoIP and in creation of applications running over distributed databases. Due to a military background, his focus has always been on stability and availability of infrastructure. Sanjay was the Director of Information Technology in a major enterprise and managed the transition from legacy software to fully networked operations using private cloud infrastructure. He now writes extensively on cloud computing and networking and is about to move to his farm in Central India where he plans to use cloud computing and modern technology to improve the lives of rural folk in India.