When we talk about Cloud Security, the main concept is to separate, as an example, Coke from Pepsi. This implies that tenants cannot impact the availability of each other's data, the integrity of that data, or the confidentiality of that data. But what does this actually mean? Does this apply to all types of clouds in the same way?
There are three types of cloud families: Private, Hybrid, and Public. There are at least three types of clouds: SaaS, PaaS, and IaaS. Do the same rules that work for one cloud family work for all cloud families, and for all types of clouds?
I believe the answer is yes.
There are at least four major security layers to any cloud, amongst many other layers, as depicted in the Cloud Layers and Attack Vectors diagram following.
- The front-end portal access (Tenant Layer) from any tenant to their data (red line).
- The isolation between tenants (red dotted line).
- The underlying administration of the cloud (orange line).
- Physical Access to the cloud components (black line).
The only real difference between cloud security and virtualization security is that the cloud has multiple tenants and generally much more automation. Multiple tenants imply the need for tenant isolation. Or does it? It definitely implies the need for good Authentication and Authorization (A&A) controls for access to the tenant data, but is there a need for more than just this? I think the answer depends mostly on the type of cloud in use and WHERE it resides.
Within a Public cloud the Tenant Layer and Isolation Layer security needs to be rock solid to prevent tenants from seeing, manipulating, or stealing another tenant's data. For most models this implies strict A&A controls, encryption of the data within the cloud, and controlled access points. For example, SalesForce.com, which is a SaaS based cloud, encrypts its tenants' data within its database, but still makes it so that the data can be restored as needed. This is achievable because the cloud administrators have certain levels of access.
The soft underbelly of any cloud is the Administrative layer. This layer is often poorly protected. The current thought is that if you can reach this layer you have more to worry about than Secure Multi-Tenancy. I do not agree with this thought. In many cases, you do not need to escalate privileges within the non-virtualized cloud environment to attack the administrative level. Yes, you may have other problems, but they may not be the target of the attack. In a Public Cloud this layer must be separated, segregated, and locked down like it was Fort Knox.
In many ways, the Public cloud needs MORE security than any Private Cloud I have seen, as there is more at risk in most cases. The Public Cloud currently 'TRUSTS' administrators and the administrative networks and tools to not have issues. While this Trust is currently warranted, there needs to be a mechanism to verify this level of Trust. CloudAudit.org is one step in that direction for Compliance Audit data, but there needs to be more audit data available. I should be able to track an administrator's exact commands upon any aspect of the Cloud that touches my data, such as when Storage maintenance was done on the LUN on which my data resides, or perhaps database maintenance for the database in which my data resides, etc.
At any time I should be able to see the who, what, when, where, how, and why of anything that touches my data. At the moment, this seems to be a tall order.
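One way to make the "who, what, when, where, how, and why" of the preceding paragraphs concrete is a tenant-scoped view over the cloud's administrative audit log. The following is an added example, not code from the original post or from any cloud provider: it assumes a hypothetical key=value audit line format, a constructed inventory that maps each tenant's data to the LUNs and databases holding it, and a constructed set of administrator actions. It returns only the actions that touched a given tenant's resources, and separately flags the ones with no change ticket (no "why"), which is the gap a tenant would want surfaced.

```python
"""Tenant-scoped audit trail over cloud administrator actions (added example).

Assumptions (hypothetical, not from the original post):
  * each admin action is logged as one key=value line with the fields
    when, admin, host, tool, resource, cmd and an optional ticket;
  * an inventory maps every tenant to the infrastructure resources
    (storage LUNs, databases) that hold that tenant's data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed inventory: which resources hold each tenant's data.
TENANT_RESOURCES: Dict[str, Set[str]] = {
    "coke": {"lun-0042", "db-sales-01"},
    "pepsi": {"lun-0043", "db-sales-02"},
}

# Constructed administrator action log (hypothetical format, sample values).
ADMIN_LOG: List[str] = [
    "2010-09-01T02:15:00Z admin=alice host=san-ctl-1 tool=storage-cli "
    "resource=lun-0042 cmd='lun resize lun-0042 +200G' ticket=CHG-1001",
    "2010-09-01T02:20:00Z admin=alice host=san-ctl-1 tool=storage-cli "
    "resource=lun-0043 cmd='lun snapshot lun-0043' ticket=CHG-1001",
    # No ticket: maintenance on Coke's database with no recorded justification.
    "2010-09-01T03:05:00Z admin=bob host=dba-jump-2 tool=psql "
    "resource=db-sales-01 cmd='VACUUM FULL orders'",
    # Touches a hypervisor host, not any tenant's data resource.
    "2010-09-02T11:40:00Z admin=carol host=hv-mgmt-1 tool=vsphere-cli "
    "resource=esx-07 cmd='host maintenance enter' ticket=CHG-1007",
]


@dataclass
class AdminAction:
    when: datetime        # when the command ran
    who: str              # administrator account
    where: str            # host the command was issued from
    how: str              # tool used
    resource: str         # infrastructure object the command touched
    what: str             # the exact command
    why: Optional[str]    # change ticket, or None if none was recorded


LINE_RE = re.compile(
    r"^(?P<when>\S+) admin=(?P<who>\S+) host=(?P<where>\S+) tool=(?P<how>\S+) "
    r"resource=(?P<resource>\S+) cmd='(?P<what>[^']*)'(?: ticket=(?P<why>\S+))?$"
)


def parse_line(line: str) -> AdminAction:
    """Parse one audit line; reject anything that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    when = datetime.strptime(m["when"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AdminAction(when=when, who=m["who"], where=m["where"], how=m["how"],
                       resource=m["resource"], what=m["what"], why=m["why"])


def actions_touching(tenant: str, log_lines: List[str],
                     inventory: Dict[str, Set[str]] = TENANT_RESOURCES) -> List[AdminAction]:
    """Return, in log order, every admin action on a resource holding the tenant's data."""
    held = inventory[tenant]
    return [a for a in map(parse_line, log_lines) if a.resource in held]


def unjustified(actions: List[AdminAction]) -> List[AdminAction]:
    """Actions that touched tenant data but carry no change ticket (no 'why')."""
    return [a for a in actions if a.why is None]


def describe(a: AdminAction) -> str:
    """One-line who/what/when/where/how/why summary for a tenant-facing report."""
    return (f"{a.when.isoformat()} who={a.who} where={a.where} how={a.how} "
            f"resource={a.resource} what={a.what!r} why={a.why or 'NONE RECORDED'}")


if __name__ == "__main__":
    for tenant in TENANT_RESOURCES:
        acts = actions_touching(tenant, ADMIN_LOG)
        print(f"== {tenant}: {len(acts)} action(s) touched this tenant's data")
        for a in acts:
            print("  " + describe(a))
        for a in unjustified(acts):
            print(f"  !! no change record for {a.who}'s '{a.what}' on {a.resource}")
```

The design point is that the filter is driven by an inventory of the tenant's data resources rather than by anything the administrator typed, so a command on a LUN or database is attributed to the tenant whose data lives there whether or not the command names the tenant. Actions on shared infrastructure that holds no tenant data (the hypervisor host above) drop out of every tenant's view, which is the confidentiality property a per-tenant report needs.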
Hybrid Clouds are what was demoed at VMworld 2010 by the VMworld labs: a Cloud that is made up of local and remote resources, perhaps using more than one cloud provider. In essence, this makes your Cloud a Public Cloud, as it is now hosted outside your premises and being managed by people who are not your administrators. In this case you are once more within the Public Cloud with all its Secure Multi-Tenancy issues.
Private Clouds can be hosted locally (within an organization's datacenter) or hosted remotely within a cloud provider's data center. These two locations become the major stumbling block for the need for Secure Multi-Tenancy. If the 'Private' Cloud is hosted within a Cloud provider's datacenter, it in effect has the same security concerns as a public cloud. If it is hosted within your Organization, many of these concerns drift away based on the law of the land.
The law of the land will govern how your Organization can handle Private Clouds. If we take a company with 20 subsidiaries and set up a Cloud to serve these subsidiaries, how does the law of the land affect this? In Europe, for example, these 20 subsidiaries are actually considered separate companies. Each must adhere separately to the privacy laws of the land. This impacts private clouds, as you are once more in the realm of hosting a Public Cloud, where each subsidiary is its own entity and you must once more enforce A&A across the cloud.
If, however, the Cloud is for one organization, your definition of Tenant may change to only handle differences in data classification (clearance), which requires that the administrators have been vetted for the highest level of data classification within the organization/cloud.
There is a difference between public and private cloud security, but it is very easy for a private cloud to in essence become a public cloud, with all the Secure Multi-Tenancy issues that entails. This means that all clouds are alike and the security of any cloud could be handled by a single set of controls and security policies. There are still weaknesses, as the security policies may not include everything. The soft underbelly of the cloud is still the administrative layer. We need a way to ensure that our data is safe from Cloud and other Administrators.