Virtualization Security is NOT Cloud Security!

I and others look at Virtualization Security constructs with an eye towards Cloud Security, but they are not necessarily the same. Granted for some clouds, virtualization security can lead to cloud security but this really depends on how the cloud’s architecture. Even so, what we know from Virtualization Security WILL apply to Cloud Security and will be the basis for best practices. But you say, my cloud does not use Virtualizaiton? Ah ha, I say, but it is still a cloud? And that implies there are similar security concerns. This was the discussion on the 1/26 Virtualization Security Podcast.

Those concerns are Visibility and Assurance as well as the standard Confidentiality, Integrity, and Availability. There was Physical Security, and if you did not have all your ducks in a row when you virtualized, you ended up with a large security and auditing hole in your defense in depth approaches. There was a certain level of education required of security folks to manage the security of the virtual environment. This educational process improved once products were available that could gain visibility into the virtual environment. As of now, most major security vendors have virtualization products that complement their own physical security products so that things are managed the same. Tools such as Juniper vGW, HP Tipping Point which implements Reflex’s vTrust, and Fortinet. Then there are the standalone and addon products that take visibility even further such as those from HyTrust, Reflex Systems, Catbird, Trend Micro Deep Security, and Vyatta. We also need to include those that are tied to a single hypervisor such as the VMware vShield family of products. All these products can integrate with other devices as well as be integrated into using various APIs.

These tools have given us visibility into nearly all aspects of the virtual environment from what is happening on disk, in memory, on the network, and even within the virtual CPUs. We have never before had such grand visibility into computer processing. However, now we are faced with a new era, the era of the cloud, and we are once more at the educational phase of cloud security.

Cloud Type Tenant Best Practice
SaaS Secure the data as it enters the cloud
PaaS Use Secure Coding PrinciplesUse Tokenized Data for Testing
PrivateIaaS Follow all Physical and Virtual Best PracticesSecure the management networks
 PublicIaaS Use Secure mechanisms to transfer data into the CloudUse Data at rest EncryptionUse Secure Management Access mechanisms

However, even so, we can use what we learned from virtualization to enhance our understanding of cloud security. When we went from physical to virtual we had to better plan our security implementations as there were some basic requirements (such as protect your management networks). Now that we are moving slowly from Physical or Virtual to Cloud there are other basic requirements (such as placing bastions around our data). These requirements will drive the tools we need for Cloud Security. Even so, there is a need for further tools and best practices to be developed regarding cloud security. Many vendors speak of Cloud as if it was an extension of a virtual environment, and in some cases this is so, but not all cases. It really depends on the type of cloud we are discussing. The security best practices change as well with the type of cloud we are discussing as well as to whom those practices apply.

To the right we list the most important Tenant Best Practices, which truly differ from those for the cloud provider.

  • For SaaS Clouds there are a myriad of tools that will allow you to secure the data as it enters the cloud, such as using an encrypting gateway such as CipherCloud and others of that ilk. You may also use other mechanisms to ensure data is encrypted before it enters the cloud such as desktop tools that will encrypt files and data before placing the data within a SaaS Cloud.
  • For PaaS Clouds however the security model is completely different and related to the developers of the software for future SaaS Clouds. PaaS as a platform to build future SaaS environments is a development platform and as such needs to be secured in quite a different way. The Developers must practice good Secure Programming techniques and only use tokenized data for testing. They should never use LIVE Production data to test their code. In addition, if they do have to use LIVE Production data as that is the only way to reproduce a problem, developers should consider other security measures.
  • For private IaaS Clouds however, we can fall back onto everything we have learned from Virtualization Security, as it is usually a full blown instance of a virtual environment in a cloud format. Granted the front end could be much different but the security issues still remain the same.  You need to follow all physical and virtual best practices for your IaaS cloud as if it was in your own datacenter.
  • For public IaaS Clouds we are faced with a different set of problems. Since we may not have access to the underlying layers we need to think how our data will be protected in those environments and use secure mechanisms to transfer our data into the cloud, as well as ensure there is data at rest encryption on all shared resources. Lastly, we need to ensure when anyone accesses a management console, that access is secured appropriately, perhaps by limiting from where such access can take place.

Public IaaS and Private IaaS clouds are well understood and tools such as those from AFORE and others address data at rest encryption and secure transfers. Eventually, it boils down to how well you implement and use your security policies and procedures. Have those bee updated to fit the new cloud model?

In short, we understand IaaS quite well but the security mechanisms that tenants need to employ is still an area of development. PaaS is really geared towards developers, but could be a feeding ground for Bad Actors unless secure coding and data is properly secured. For SaaS we rely on the SaaS provider for most security, but it behooves us to secure our data before it is placed within the SaaS Cloud.

Granted, these methods and mechanisms depend entirely on your level of Trust in Cloud Providers, Security requirements, and Regulatory Compliance. Not everyone needs the highest levels of confidentiality, when integrity is sufficient.  So where do we go from here? Tenants and vendors still need to learn more about how each cloud is being used, and from there develop practices and solutions. We are close, but not quite there yet for some aspects of the Cloud when viewed as a tenant.