Who Will Secure the Clouds of Tomorrow?

Guest blog: Virtualization and Security Expert Alessandro Perilli discusses the future of cloud computing and its security implications.

By Alessandro Perilli, CISSP
Founder and Chief Editor, virtualization.info

The data centers of tomorrow will be computing clouds - massive aggregations of resources that are served inside geographically dispersed computers. A new server is plugged in and the cloud grows, stacking up new resources on top of the existing ones.

As vendors put their applications into these clouds, they don't have to figure out where the actual hardware is or what happens if a machine has a failure at a point. They can offer reliability out-of-the-box, without even thinking about developing fail-over or clustering components.

As customers put their data into these clouds, they don't have to buy the software to manipulate and process their data anymore. They just pay for the time the cloud is used to perform a certain task with their data. But who will secure these clouds? This piece will discuss the future of computing and its impact on security.

Cloud Architectures

There are many forms of cloud architectures. Today, the industry recognizes three of them, with a common definition for each: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

• In the IaaS model, the computing cloud serves empty virtual machines, which can be filled with anything a vendor or a customer wants, from the operating system to the CRM solution of choice.This model abstracts the physical hardware and so it's a computing cloud in the sense that more CPUs, memory modules, hard drives, network switches can be added to the resource pool transparently, no matter where their containers -servers and storage arrays - are in the world. 
• In the PaaS model, the computing cloud serves application frameworks that understand one or more programming languages, which can be filled with software that wasn't originally developed for the cloud and doesn't know how to scale to be cloud-ready. This model abstracts the operating system structures and so it's a computing cloud in the sense that there are no problems like OS upgrades, patches, libraries incompatibilities and related downtimes.
• In the SaaS model, the computing cloud serves applications, which can be used to perform all tasks customers perform today with on-premise software, uploading data in the storage part of the cloud and downloading it on demand. This model abstracts everything below the application level. There's no hardware to maintain, no operating system to patch, no software conflicts to avoid. It is the computer over the web. 

Looking at current trends, we can see a future world where the SaaS model will prevail and web applications are the norm, not the exceptions that we have to refer to with special names like "Web 2.0."

Virtualization vendors are spending a huge amount of effort to abstract the hardware layer and decouple the applications from the operating systems. This makes sense because software vendors that want to deliver their products to the largest possible audience simply cannot develop for the overwhelming amount of server, desktop and mobile platforms we have today. But what's the need for virtualization (which requires that customers adopt yet another product, which is ultimately a massive waste of money) when we already have a common, ubiquitous operating system which millions interact with every day and that can be used to deliver applications on any device, from the desktop to the smart-phone? Of course I'm talking about the web.

Until 10 years ago we failed to realize the potential of the web as an operating system. Then the plethora of startups generated what we call today the Web 2.0 momentum, demonstrating that we could solve our application delivery problems in a new way without using new tools.

Google is evangelizing a SaaS world, proving its viability with applications like Gmail or Apps. Maybe those are not yet as good as the on-premise solutions we are used to, but they are already viable and even desirable in some circumstances. The Microsoft conversion to the cloud, including the upcoming Office Online, or the just launched PaaS cloud called Windows Azure, is a confirmation that a SaaS world makes sense.

So it's not that unlikely to imagine that, over time, the existing, on-premise applications will be slowly replaced by web-based counterparts. And that the mass adoption of mobile devices like the Apple iPhone or the Google Android handsets, and the overwhelming amount of tablet PCs that will come out during 2010, will have a major role in accelerating this process.

Before the time SaaS will be ubiquitous anyway, IaaS and PaaS models will have their moments of glory.

The world will not turn to SaaS in a day. SaaS has been around for more than 10 years now, and it hasn't changed much. Such things require a lot of time and a radical change in mindset. And sometimes a new mindset requires new generations of people to become decision makers. IaaS and PaaS will lower the cost of entry for vendors that want to offer SaaS. So while tomorrow, most end users will just look at SaaS versions of the applications they use today, vendors selling those SaaS products will likely adopt IaaS and PaaS technologies behind the scene. IaaS and PaaS will also make the transition to SaaS smoother. Both will need to contain and move to the cloud, in a semi-transparent way, the legacy applications that are not developed with computing cloud in mind.

However, this transition will not last forever: over time IaaS and PaaS will become niche solutions, commoditized in a way or another, and used only when there's no SaaS alternative.

Security - the Key to Embracing the Cloud

Now, a key aspect to evaluate before embracing this vision and jumping on the cloud computing bandwagon is security. Is today's cloud computing secure enough to hold our corporate data? Is it more or less secure than on-premises data centers? It depends.

The elastic nature of the cloud makes it easier to counter things like Denial of Services (DoS) attacks while the structure of cloud computing facilities makes other things like physical breaches less likely. Additionally, because of the scale of clouds, most providers will develop automated procedures to handle some security tasks, like basic platform hardening and software patching, dramatically reducing the mistakes that manual intervention implies.

Nonetheless, achieving the same level of security of today's on-premise data centers, or even surpass it, may be extremely complex. Above all, there is the entirely new class of threats that are related to the multi-tenancy nature of the cloud: escaping the software jail and breaking into another customer application pool; accessing incomplete deleted data from shared storage facilities; intercepting and manipulating the over-the-Internet access to the cloud control panel, are just some of the problems we didn't have before.

Even those procedures that are considered normal in a traditional data center may turn into expensive extra efforts in a full resource sharing environment. For example, it's a challenging task to keep isolated audit logs and allow customers to access them on demand.

Other security issues arise simply because cloud computing is so new. Compliance, for example, is one of the hardest goals to reach because industry standards don't contemplate cloud computing yet, and regulatory requirements may be just too demanding to fit a cloud model.

When a customer owns his data center, he's accountable for its security. He can be very good or very bad, but he basically has control and can work to improve the security level.

When a customer embraces the cloud, the responsibility to secure the infrastructure is basically offloaded to the cloud provider. This doesn't mean that there are no more risks, it just means that most risks have been transferred somewhere else. The cloud provider can be very good or very bad in security, just like the customer, but if it is very bad, it may be hard to discover at the time of signing an agreement. Once the faults become evident, it may be a pain to move from the insecure cloud to something better.

In cloud computing, we lose IT governance, and we must fully trust the provider. Some of them may want to bet on security to differentiate their offering in a booming market, and clouds may be more secure than on-premise data centers.  What must be clear is that not every provider will be able to invest the money that top vendors like Google, Amazon and Microsoft can invest to secure their clouds.

To lower the cost of entry, some of them may decide to embrace open standards to build their infrastructures, and this will provide an inherited higher level of security, but it's unlikely that all the providers will be able to fulfill all the security requirements that customers may have all by themselves.

 For example: the customers' data can be spread across multiple data centers in the world, and some sensitive information may end up being stored in a country where the law prohibits its presence.
Or, just because the data is replicated to multiple, geographically dispersed repositories to maximize resiliency, when a customer asks to remove something from the cloud, he must be 100 percent sure that his information is really wiped out from every hard drive of every SAN of every cloud node in the world. 

Thus, auditing a cloud infrastructure is a complex, time consuming and very expensive operation, certainly more challenging that auditing on-premise facilities.  

Smaller cloud providers will need some external help to do so and customers may want to have this in their SLAs, as a guarantee that clouds don't turn into a giant black box where nobody knows what really happens (or can happen) to the corporate data.

Additionally, compared to what we are used to, security in the cloud era has to become a cost center, because just the idea of storing sensitive information outside your own property requires extra reassurance that the information is in capable hands.

So who's going to control the clouds? Angels?

Vendors that have embraced this computing model long time ago had to secure the infrastructures behind it by themselves. Those are the companies that have developed most experience and that may have a relevant position in the SaaS world of tomorrow.

Qualys is a security company that offers automated security audits. And it has delivered its products through a SaaS architecture for years. If there's a company that can become the cloud security auditor, Qualys has the experience and the technology to do so.

The market is not going to avoid cloud computing because of the security challenges. Simply put, cloud computing represents a fantastic opportunity to rethink security and implement it in a more efficient way. It's just a matter to find the right partners to do it in the right way.