Is the public cloud secure enough for mission-critical applications? That’s the persistent question that IT departments struggle to answer.
For OpSource—not to mention Amazon Web Services (AWS), Rackspace, Terremark and others—the answer is a layer 2 virtual LAN. In OpSource’s case, customers connect to the cloud using VPN clients or site-to-site VPN terminations. This makes the public cloud an extension of the private cloud, making it a secure, hybrid cloud.
For the National Highway Traffic Safety Administration, which in 2009 had 30 days to set up and test the infrastructure for President Barack Obama’s Consumer Assistance to Recycle and Save (CARS) Act, the answer was the CloudSpan CloudConnect Gateway from Layer 7 Technologies. This service let the NHTSA put its servers in the public cloud and add appropriate security controls. As a result, the program known as cash for clunkers was able to process claims and award rebates to more than 690,000 Americans who traded in old automobiles for newer, cleaner and safer ones.
VPN-enabled public clouds and additional security layers such as CloudSpan are only two of the many ways to address public cloud security concerns. Each option comes with its own pluses and minuses, with cost, complexity and performance and latency overheads among the drawbacks.
Organizations can optimize their approach to public cloud security be deciding how mission critical an application is, as well as how secure the data for that application need to be. Here are 10 more ways to strengthen public cloud security to support enterprise use.
1. Select the Right Apps for the Public Cloud.
Some businesses, including most start-up companies, begin by using the public cloud for all applications, including mission-critical apps and their data. Palo Alto, Calif.-based Pinterest, the fast-growing social media sites with 150 AWS instances and more than 400 TB of data at last count, is one such start-up with all applications on the public cloud.
News: Amazon Cloud Set Stage for Rapid Pinterest Growth
However, public clouds are not for every organization. Within an organization, they’re not for every application, either. Generally speaking, the enterprise applications suitable for the public cloud aren’t subject to stringent security requirements. In these cases—such as Websites, application development, testing, online product catalogs and product documentation— the default security provided by most cloud service providers (CSPs) will be more than adequate for these kinds of applications.
2. Evaluate and Add Security, If Necessary.
CSPs provide significantly different levels of public cloud security. Pay attention to this while evaluating CSPs. The ISO/IEC 27000 series of standards provides guidelines for systematically examining information security risks, taking into account the threats, vulnerabilities and impacts, for designing and implementing a comprehensive suite of information security controls, and for adopting management processes to ensure that guidelines are followed.
Commentary: Why a CIO’s Cloud Strategy Must Include Public Cloud Services
Organizations considering moving sensitive applications and data to the public cloud may need to evaluate and compare different CSPs based on these standards. If necessary, security measures that are used in an organization’s internal private cloud may need to be extended to their public cloud instances. As noted, products such as CloudSpan let an organization enforce the same standard of information and application security policies on private and public instances alike.
3. Identify and Use the Right Third-Party Auditing Services.
When comes to security compliance, organizations need not simply take the CSP’s word for it. Third-party auditing services can audit the actual, and consistent, application of security standards, processes and procedures at a CSP and compare them to the ones promised to the client.
SAS 70 Type II standards specify that these kinds of audits last for a minimum period of six months but could last longer. Moving a few applications to the public cloud and performing the audit over an extended period of time can give an organization the comfort level needed to move more sensitive applications and data to the cloud confidently.
4. Add Authentication Layers.
Most CSPs provide good authentication services for public cloud instances, but a product such as Halo NetSec from SaaS security vendor CloudPassage can help add an additional layer of authentication. Here’s where you need to weigh the benefits of better public cloud security against the costs of increased network latency, possible performance degradation and additional points of failure.
5. Consider How Additional Security Will Affect Integration.
Default security with most leading CSPs is already strong. Adding public cloud security measures on top of that may affect overall application performance. It could also complicate your identity and access management efforts. These considerations are all the more crucial if you are working with mission-critical application that need to integrate with other business applications—end users will not be pleased if their applications are not available when they need them.
6. Put Security at the Forefront of Your SLA.
When you run a private cloud, you have (or should have) the tools to know when and where security breaches occur. How would a CSP customer ever come to know of these kinds of security breaches?
Survey: How Secure Is the Cloud? IT Pros Speak Up
Public cloud security guarantees with CSPs are no good unless they are written as service level agreements in your contract—and, unless transparent monitoring and reporting functions are available to the cloud customer, the contract itself may be useless.
7. Insist on Transparent Security Processes.
The need for transparent and verifiable security processes, procedures and practices within your SLA goes far beyond potential data breaches. When you rent hosted servers, there is at least a physical facility, a rack and a set of physical servers you can visit. With public clouds, on the other hand, you may not know the exact physical whereabouts of your cloud instances, so all you can rely upon is the information that the CSP is making available to you. This is why transparency is critical.
8. Streamline Logging and Monitoring.
Exploring the monitoring and logging of physical cloud instances with CSPs is another key to ensuring public cloud security. Comparing one CSP’s logging and monitoring practices with another before you sign a SLA may reveal subtle differences in the security that’s provided.
9. Add Encryption.
You may want to employ your own encryption instead of, or in addition to, the ones provided by the CSP. While the CSP will encrypt information that is sent over the public Internet and stored in the public cloud, the CSP will be providing the encryption key. This may make your organization uncomfortable, as the key could fall into the wrong hands.
A number of installable products or SaaS vendors can do this type of encryption on the fly. (VPN-enabled cloud instances fall under this category of augmented public cloud security.) When this happens, only the customer and the third party know the key; the CSP does not.
10. Spread Risk with Multiple, Redundant CSPs.
It is common practice to procure high-bandwidth Internet connections for your data center from multiple vendors, precisely because you want to spread the risk of outages among many providers. If one is down, the other has a good chance of being available. Cloud provisioning tools these days come already integrated with leading CSPs.
You can spin up additional instances of servers with multiple CSPs automatically on demand, as sites such as Pinterest (afternoons and early evenings) and Netflix (weekends) do during peak usage. Here, additional instances are turned on if average CPU utilization reaches a certain threshold and turned off once utilization drops.
When spinning up additional instances, it may make sense to use different CSPs in a round-robin fashion. For example, the first may come from AWS, the second from RackSpace, the third from OpSource and so on. That way, events such as the June 29 Amazon Web Services outage will not adversely affect your applications.
Balancing Public Cloud Security and Performance
While security is the leading concern for many organizations using the public cloud for Infrastructure as a Service, there are a number of ways to address this concern effectively. The simplest is to move to the public cloud only those applications and data that are the least sensitive.
If your organization opts to move mission-critical applications to the cloud, you can also add security measures over and above what the CSP provides you. There is always a tradeoff when adding layers of public cloud security, though, since doing so may add points of failure or cause applications to run more slowly. Finding the right balance between security and performance can be difficult, but achieving it will give your organization peace of mind.
Nari Kannan is CEO of appsparq, a Louisville, Kentucky-based cloud and mobile applications consulting company. He has more than 20 years of IT experience, starting as a senior software engineer at Digital and subsequently serving as vice president of engineering or CTO of six Silicon Valley startups. Connect with Kannan via email.
Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.