by Adam Stern
It’s no wonder businesses moving their computing operations to the cloud are feeling a bit insecure these days. A considerable amount of information is being disseminated about cloud security, and many businesses are left to sift through it with little or no prior experience in cloud computing. Add to that the various choices – private, hybrid, public, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) – and it can be a daunting change. Who’s right? And what is the best – and most secure – choice for your business? Let’s examine one choice here – IaaS – and what constitutes a first-rate, secure IaaS-based system.
IaaS is the outsourced delivery of the computing infrastructure and includes managed hosting and development environments. It offers the user flexibility and scalability without the upfront cost of investing in hardware for an enterprise IT infrastructure. IaaS makes use of virtualization to provide users the number of servers they need, when they need them.
Pricing is commensurate with use – commonly called a ‘pay-as-you-go’ model – so a business can control expenditures, paying for exactly how much infrastructure they need. Entrepreneurial businesses, really any business on a growth curve, can benefit from the flexibility of IaaS, by being able to scale on demand, control costs and access state-of-the-art cloud computing resources – a competitive advantage in the era of ‘big data.’
Once you have made the decision to go to an IaaS model, you can carefully evaluate whether your provider has a security model at the level you need to protect your critical data.
Security is the Objective
‘Security’ is the topic du jour in cloud computing. In evaluating whether the IaaS cloud provider you’re considering is ahead of the curve, let’s explore what ‘security’ really means and what is entailed in a secure IaaS cloud. To start with, how secure your operation is affects both the reliability and productivity of cloud computing.
When we think of reliability we tend to think of:
- Power loss/inadequate cooling
- Hardware failure (server or switch failure)
- Loss of Internet connectivity (service provider)
- Site failure (entire DC goes offline)
Common reliability strategies focus on redundancy in power, cooling, hardware and connectivity, as well as disaster recovery and, with it, a plan for business continuity. What this strategy assumes is that hardware failure is the leading cause of downtime. However, you also need to consider these other, frequent sources of downtime and lost productivity:
- Attacks originating from the Internet
- Malware: spyware and viruses
- Data loss
- Poor performance
- Scheduled maintenance
IDPS is the Solution
Internet-borne attacks, malware and viruses are the ever-growing threats to a secure IaaS cloud system. Your IaaS provider needs a first-rate intrusion detection and prevention system (IDPS) to thwart them. An IDPS goes well beyond a typical firewall, which, on its own, is an inadequate defense against attacks that arrive over the ports the firewall must leave open.
A firewall limits the ‘surface area’ of a protected system by restricting which ports and hosts are reachable. But it still has to admit traffic to the services you publish, such as the web server on HTTP/HTTPS, and attackers can target known vulnerabilities in those services through the very ports the firewall allows. The usual prescription, patching the OS and applications, often cannot be applied fast enough: exploits for a disclosed vulnerability may be circulating before a patch has been tested and rolled out.
An IDPS goes beyond the firewall by inspecting the content of the traffic the firewall has already admitted, at the application layer, and by screening for spyware and viruses before they pass the perimeter. No single product blocks all malware, so your provider should be filtering malicious traffic at the perimeter before it can reach your virtual infrastructure. The threats an IDPS is expected to catch include denial of service (DoS), brute-force login attempts, botnet command-and-control traffic, remote code execution, SQL injection and phishing.
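To make the gap between a port filter and content inspection concrete, here is an added example (not code from the article or from any vendor product). A firewall decides on the destination port, so every one of the constructed web-server log lines below, all of which arrived on port 80, passes it; a small inspector that URL-decodes each request, matches it against signatures and counts failed logins per source raises the alerts instead. The log lines, the signature patterns, the threshold of five failed logins and the addresses are assumptions for illustration, not a real IDPS rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2012:13:55:40 -0700] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2012:13:55:52 -0700] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
198.51.100.9 - - [10/Oct/2012:13:56:01 -0700] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2012:13:56:02 -0700] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2012:13:56:02 -0700] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2012:13:56:03 -0700] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2012:13:56:03 -0700] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [10/Oct/2012:13:56:10 -0700] "POST /login HTTP/1.1" 200 1800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Illustrative signatures (assumed for this example), applied to the decoded request.
SIGNATURES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s*'?\d|\bor\s+1\s*=\s*1\b", re.I),
    "path_traversal": re.compile(r"\.\./"),
}
BRUTE_FORCE_THRESHOLD = 5          # failed logins from one source before alerting
ALLOWED_PORTS = {80, 443}          # what the perimeter firewall lets through


def firewall_allows(dst_port):
    """Stateless port filter: it sees only the port, never the request content."""
    return dst_port in ALLOWED_PORTS


def parse(line):
    """Split one log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect(lines):
    """Content inspection over already-admitted traffic.

    Returns (source_ip, rule) alerts. Requests are URL-decoded before
    signature matching so percent-encoded payloads cannot slip past, and
    401 responses on /login are counted per source to spot brute force.
    """
    alerts = []
    failed_logins = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name))
        if rec["path"].startswith("/login") and rec["status"] == "401":
            failed_logins[rec["ip"]] += 1
            if failed_logins[rec["ip"]] == BRUTE_FORCE_THRESHOLD:
                alerts.append((rec["ip"], "brute_force"))
    return alerts


if __name__ == "__main__":
    # Every request reached the web server on port 80, so the firewall passed all of them.
    print("firewall passed all requests:", firewall_allows(80))
    for ip, rule in inspect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule:15s} from {ip}")
```

The inspector here works on server logs after the fact, which is detection only; a prevention system applies the same matching inline, on the live connection, and drops or resets it. Decoding before matching matters because the firewall-visible form of the injection attempt (`%27%20OR%20`) is exactly what a naive string match would miss.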
As further protection against threats, your IaaS provider should place your servers in isolated Virtual Local Area Networks (VLANs) behind a firewall, so that traffic from other customers’ servers on the provider’s shared infrastructure cannot reach yours, and a compromise of one tenant cannot spread laterally to another.
For customers looking to manage their security without having to engage the service provider, solutions based on VMware vCloud Director are offered by vCloud Powered providers. With vCloud Director, your IT department can rapidly adjust firewall rules, establish site-to-site IPSec VPNs and manage network load balancers.
Data Loss Does Occur
Even with the best IaaS system available, planning for a scenario in which data loss occurs is a necessary step. Avoid relying solely on a ‘crash-consistent’ backup: a snapshot taken while the application is running captures whatever happens to be on disk at that instant, so data still buffered in memory or sitting in an uncommitted transaction is missing, files and databases may need recovery or repair on restore, and restoration can take hours, even days. The preferred method is ‘application-consistent’ backup, which quiesces the application and flushes pending database and file-system writes to disk before taking the point-in-time snapshot. This ensures that the file systems are clean and the databases consistent, so restoration is quick and requires no post-restore cleanup. Whether or not restoration is near-instant depends on the storage area network (SAN) employed and its snapshot capabilities.
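The difference between the two backup methods, shown with SQLite as an added example (this is not the article’s or any provider’s code). In write-ahead-log mode, committed rows stay in the `orders.db-wal` file until a checkpoint, so a snapshot that copies only the main database file, the crash-consistent case, silently misses them even though the copy opens without error. Flushing the WAL with a checkpoint first, the application-consistent case, captures everything, as does letting the database engine produce the copy through its own online backup API. The file names, the `orders` table and its five rows are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile


def populate(db_path):
    """Create a WAL-mode database whose five committed rows are still only in the WAL."""
    conn = sqlite3.connect(db_path)
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError(f"could not enable WAL mode (got {mode})")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)")
    conn.commit()
    # Checkpoint so the schema itself is in the main file, not just in the WAL.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    for i in range(1, 6):
        conn.execute("INSERT INTO orders (amount) VALUES (?)", (i * 100,))
    conn.commit()  # durable, but the pages live in orders.db-wal until a checkpoint
    return conn


def row_count(path):
    """Open a copy the way a restore would and count what survived."""
    conn = sqlite3.connect(path)
    n = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    conn.close()
    return n


def crash_consistent_copy(db_path, dest):
    """Naive snapshot: copy the main file as it is, without quiescing the application."""
    shutil.copyfile(db_path, dest)


def application_consistent_copy(conn, db_path, dest):
    """Quiesce first: force the WAL into the main file, then copy it."""
    busy, _log_frames, _checkpointed = conn.execute(
        "PRAGMA wal_checkpoint(TRUNCATE)"
    ).fetchone()
    if busy:
        # A reader held the WAL open; the copy would not be complete, so refuse.
        raise RuntimeError("checkpoint could not complete; application not quiesced")
    shutil.copyfile(db_path, dest)


def online_backup(conn, dest):
    """Let the engine make the consistent copy; it reads through the WAL itself."""
    out = sqlite3.connect(dest)
    conn.backup(out)
    out.close()


def demo(workdir=None):
    """Run all three methods against one database and return the row counts seen on restore."""
    workdir = workdir or tempfile.mkdtemp()
    db = os.path.join(workdir, "orders.db")
    conn = populate(db)

    crash = os.path.join(workdir, "crash_copy.db")
    crash_consistent_copy(db, crash)          # taken while rows are still in the WAL

    api = os.path.join(workdir, "online_backup.db")
    online_backup(conn, api)                  # engine-driven, also before any checkpoint

    app = os.path.join(workdir, "app_copy.db")
    application_consistent_copy(conn, db, app)
    conn.close()

    return {
        "crash_consistent": row_count(crash),
        "online_backup": row_count(api),
        "application_consistent": row_count(app),
    }


if __name__ == "__main__":
    for method, rows in demo().items():
        print(f"{method:23s} restored rows: {rows}")
```

The crash-consistent copy restores cleanly and reports zero orders, which is the quiet failure mode to watch for: nothing is corrupt, the data simply is not there. At VM scale the checkpoint step corresponds to the guest-side quiesce (VSS on Windows, pre-freeze scripts on Linux) that the snapshot tooling triggers before the SAN takes its point-in-time image.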
So, you have vetted your potential IaaS cloud provider and believe they are ahead of the curve in perimeter security, VLAN segregation and backup and restoration capability. The last element is the human factor. Are the IaaS provider’s personnel fully committed to helping you achieve the highest level of reliability and productivity?
Moving critical data to the cloud can feel insecure, even if the best technology is in place. One quality-control step to take is to ask whether the provider has completed a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Type II audit, the SOC 1 report (SSAE 16 has since been superseded by SSAE 18). A Type II report covers not just the design of the provider’s controls but whether they operated effectively over the audit period, so it is evidence of the level of service and reliability actually delivered. Check which controls the report covers: background checks on technical employees are a common one, and you need that assurance for any personnel managing your cloud-based data. It’s also a good idea to inquire about training and technical support to ensure you are being served at the optimum level, 24/7.
Outsourcing your cloud computing infrastructure to a provider offers tremendous advantages in cost savings (no costly hardware investment), scalability and productivity. With a secure IDPS and backup system, and performance standards in place, an enterprise can fully realize the benefits of moving to the cloud.
Adam Stern is the founder and CEO of Infinitely Virtual (Encinitas, CA). www.infinitelyvirtual.com