The options today for moving business functions to private clouds are staggering. Organizations adopt the cloud for various applications, from direct-to-buyer sales and content delivery, to back office functions such as supply chain management, finance operations, and human resources. The increasingly granular ways in which they can slice-and-dice cloud delivery are tremendous. Private clouds, in particular, are being adopted at a heavy rate as organizations shift business operations to ecosystems that can be shared with business partners and other stakeholders.
Private clouds offer a lot of advantages. First, unlike public cloud infrastructure, they are closed-loop systems that are only open to select organizations and individuals, either through direct connections or via advanced firewall rules. Private clouds, when done properly, are partitioned into separate and discrete compute facilities (e.g., hypervisors and their associated virtual machines) and storage facilities. The risks of commingling data—again, when done correctly—are reduced.
Another advantage is administration. One of the key things that makes a cloud a cloud (whether private or public) is offloaded administration, usually through a combination of automated, self-service, and on-demand capabilities to ensure scalability. It doesn’t matter whether the private cloud’s actual infrastructure is located on-premise or within a service provider's data center environment.
And, of course, let's not forget one of the key reasons people adopt cloud services: lower costs. When private cloud services are co-located with a service provider, there is minimal capital expenditure required to leverage the environment and service can be acquired in incremental segments of days, months, or years.
But ultimately, a cloud—even if it's a private cloud—is still a cloud, and dealing with cloud environments can prove to be a sticky mess for both security and compliance professionals. Let's first be clear what we mean when we say a "private cloud." While it is true that some private clouds are built from on-premise hardware that is managed by a third-party service provider, these types of private clouds are not particularly cost-efficient, since they require massive capital outlays to build the infrastructure. For that reason, most private clouds provisioned today are based on co-located hardware, including both computing and storage components. Unfortunately, that approach, while it provides a number of advantages from the perspective of cost, personnel, and efficiency, can leave some big security and compliance questions unanswered ... or vaguely answered, at best.
The threats to clouds are legion. Beyond the threats that affect on-premise infrastructure, perhaps one of the most painful aspects of dealing with private clouds is simply the lack of information about what's going on inside them. Particularly in the SaaS model, providers often do not provide core security monitoring services common in on-premise environments, such as log monitoring or SIEM (or even based event capture), DLP or mitigation of threats such as spam and malware ingress, or DDoS attacks. There's precious little that an organization can do about this. Perhaps a paper exercise can mitigate this partially through SLAs, compliance and audit statements, or other contractual mechanisms, but for many of us in the security space, a paper agreement is no substitute for direct, hands-on validation.
Another major threat is availability. In the PaaS model in particular, cloud vendors who manage the OS will often have arbitrary patching schedules. Without some type of failover or load balancing in place, critical business services can be interrupted.
What can organizations do to shore-up the security of their cloud environments? Fortunately, there are some answers. At RSA Conference Asia Pacific in 2013, the presentation "Ma! I I Got Me a Cloud Too!: Building and Managing a Secure Private Cloud", by Phoram Mehta and Kurt Sauer of PayPal, offered some of these common-sense recommendations:
- For organizations using private clouds for IaaS and PaaS services, there is more control over security than for those using SaaS in a private cloud delivery model. For those organizations building infrastructure and application services, ensuring that platforms are secure and hardened (through effective and consistent patch management) is a good start. Additionally, implement trust zones, encryption, security event monitoring (or at a minimum, centralized log collection), and layered authentication (such as multi-factor) where it's called for, based on the value of the data and business processes that are supported.
- Get your provider to commit to implementing as many relevant security controls as needed, and contractually ensure that you—or a third-party agent of your choosing—have the right to audit the vendor for compliance on a periodic basis. Look for private cloud vendors who can deliver relevant security self-audits or third-party certifications for their infrastructure, such as ISO 27001 and FedRAMP.
- When implementing your own IaaS and PaaS services within a cloud, rely on trusted, independent third-party guidance such as the Cloud Security Alliance and the DHS CAESARS continuous monitoring and risk assessment framework. These vendor-neutral tools provide rational, standards-based solutions to provide improved security in the cloud.
For organizations that need scalability and broad accessibility for their core business services, private clouds are a tempting solution. Done properly, they can provide a reasonably secure environment ... but the key, as always, is in the details.