Cloud Conversations: How and Where Do You Secure the Cloud

Heading to the Cloud Hotel? Consider your security issues.

Here is an analogy for looking at security in the cloud: a multi-tenant hotel. I’m sure the analogy will break down at some point, but it seems to work for now.

When you’re moving applications into a cloud environment, it’s a bit like renting a hotel room from a distance, sight unseen. You want to be sure you select a safe building, in a safe neighborhood, and with building management you can trust. To that end, you have certain security expectations for the hotel owner and onsite management.

Let’s look at these expectations.

Building security [Security policies]. Like the hotel owner, the cloud provider is responsible for basic security, such as protection of the perimeter of the site and controlling access to the building. The hotel owner can be held liable if he fails to meet these obligations. We are only just beginning to see contractual terms from cloud providers along these lines. As the cloud tenant, you are responsible for the applications and data kept in your rented room. You set the policies dictating who can go into the room and under what circumstances, and what they can do while they are in the room.

Hotel design and maintenance [Trusted configurations]. The hotel is responsible for designing a secure facility and maintaining it so that it keeps that level of security (or better). The cloud provider is responsible for maintaining IT configurations in accordance with trusted, verifiable policies that are defined in advance.

Safe hotel environment [Hardware root of trust]. The hotel owner must ensure that the hotel is operated in a safe and secure manner. Renting a room in a hotel, I really want to be certain that I am getting the room I expect in the location I expect. Likewise, the cloud owner must provide proof that he is maintaining a safe, secure IT environment. This responsibility includes hardware-level protections that attest to the configuration of the hypervisors and enable the isolation and safe migration of virtual machines.

Hotel key cards [Data encryption]. When you rent a hotel room, you take responsibility for the valuables left in your room. The same holds true with the cloud. As the cloud renter, you are responsible for maintaining the security of your data while it is at rest in your room or moving to or from the room. These days, the only data I leave in my hotel room is encrypted.

Hotel access logs [Auditing]. To make the bean counters happy, hotel owners get audited to ensure they are meeting required safety and security guidelines. Similarly, users of cloud servers need to be able to audit their configurations to confirm that they are built according to the guidelines. The cloud owner gets audited for compliance with various requirements, such as ISO 27002 for information security and SAS 70 for maintenance of internal controls. As the cloud tenant, you get audited for compliance with the standards of your industry, such as PCI-DSS for credit card transactions and HIPAA (Health Insurance Portability and Accountability Act) for medical records.

Those are just some of the security concerns based on this analogy. There are, of course, many other things to consider when you rent a room at the Cloud Hotel, such as power, cooling, and access to high-speed networking, to name just a few areas of concern.