Tenant-based Cloud Security: Not a Contradiction
September 22nd, 2011 By: Industry Perspectives
Rajat Bhargava is founder, chairman & CEO of StillSecure, provider of network security software.RAJAT BHARGAVA
The current running joke in the IT industry is that everything is labeled “cloud.” Whether data center customers are leveraging the cloud or not, arguably every technology provider is claiming to either “consume” or provide services in the cloud.
Even the mainstream press has latched on and is hyping cloud computing as the “next big thing.” Of course, that means there are as many definitions of the cloud as there are people talking about it — this can be terribly confusing for IT decision-makers looking for insight and direction as they evaluate whether cloud computing is right for their business.
All of this makes me ask – if cloud computing isn’t clearly defined then how can there be some level of clarity, much less universal agreement, around cloud security? Isn’t that the real prohibitory issue with mass cloud adoption anyway?
Defining the Cloud
A very simple and broad definition of the cloud should be any solution that provides a compute (IaaS – Infrastructure as a Service), platform (PaaS – Platform as a Service), or application infrastructure (SaaS – Software as a Service) effectively based on a pay-for-what-you-use model and one that can easily expand or contract. Generally, cloud solutions are not located on a customer’s premises, but that’s not always the case. Sometimes it can simply mean an environment where the customer has no requirements for physical equipment. As a result of this definition, we believe that there are three major categories of cloud:
- Infrastructure cloud or IaaS – public or private, multi-tenant solution where you can be provided with compute and storage capabilities. Examples of IaaS providers include Amazon, Rackspace, and Softlayer.
- Platform cloud or PaaS – again, public or private, multi-tenant solution where you are provided platform capabilities such as database or Web-site / blogging. Examples of a PaaS solutions would include database.com or WordPress.
- Software as a Service (SaaS) applications – applications hosted off-site and accessed over the Internet. The most common example used here is Salesforce.com, but there are many, many others.
Having defined the cloud, let’s look at what is becoming a much larger concern for data center managers and cloud providers looking to provide a range of services in the cloud – security. In the public cloud, infrastructure providers selling compute and storage infrastructure are keenly aware that their operations must be secured. These IaaS providers spend a great deal of time ensuring that security has been embedded into their platform.
From perimeter security that does not allow traffic from the outside to ensuring that each virtual machine created is hardened to offering encryption of data stored, these providers are making their cloud implementations secure. This category of solutions cuts across all of the providers customers and is macro in nature. Individual customers of the cloud provider generally cannot customize their security to their thresholds.
Of course, the advantage with cloud computing is also its Achilles heel in security; anybody can quickly spin up the compute, storage, and bandwidth that they need for a small amount of money. Now the bad guy can be on the same physical device that you are on and the cloud providers’ overarching security may be bypassed.
Tenant-based Cloud Security
Tenant-based cloud security is critical to solving the issue of protecting your individual cloud infrastructure. As detailed above, an infrastructure provider’s goal is to secure the platform and provide security options to the tenant (or customer). Tenant-based security is that answer and is an attractive model for obvious reasons – it allows each organization to customize the security to the company’s needs, not to mention it is cost effective, much more efficient and easily scalable for organizations looking to expand.
For most organizations, a cloud service providers’ foundational security will not suffice. The tenants in the infrastructure have unique applications and differing levels of confidential data. Each tenant needs to be able to build upon the infrastructure providers’ foundation with a set of security solutions aimed at solving the concerns and problems that they have.
For instance, some cloud users may have PCI compliance concerns while others may not be overly concerned as they are using the infrastructure for just dev and test. The first organization in these examples would require services such as firewall, IDPS, log management, web application firewall, and file integrity monitoring among others. The second organization may just opt for firewall and VPN. Each cloud customer needs to have the ability to easily make those choices and turn on and off the level of service they need. This security model is critical to ensuring the success of the cloud.
We believe that there will be three implementation models for tenant-based security. We have described them below along with the various types of solutions that may be involved. It should be noted that forward thinking organizations may use more than one of these areas to build a layered approach to defending their cloud infrastructure.
- Agent-based solutions – Organizations will be able to deploy an agent to their cloud instances that will provide various security services. Among the likely services for this category will be a host-based firewall, anti-virus, VPN, and log / file monitoring. These agents may also help check configurations and settings of the operating system and perhaps applications.
- Gateway- based solutions – Another path that organizations may go down would be to place a “gateway VM” at the head of their individual cloud infrastructure. Likely an excellent path for those with more than just a few virtual instances, all traffic in this scenario would pass through the gateway security virtual instance. In this case, firewall, IDPS, WAF, and other services where traffic inspection is critical are good potential fits.
- Appliance-based solutions – A variation on the gateway theme will be solutions where traffic is routed through a separate appliance that may not be within the virtual infrastructure. Traffic to and from a cloud customer’s virtual instances would be cleansed through the security appliance. The benefits of this approach would be for situations where increased processing power is required (e.g. SSL decryption) or where the cost of placing a gateway virtual instance is too high relative to an appliance. There also may be cases where a specific solution may not be available as a virtual instance, but could be available as a multi-tenant appliance.
Tenant-based security will become an incredibly important part of a data center / cloud providers. Cloud customers will have numerous options for security from these forward thinking providers.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
[...] Data Center Knowledge [...]
[...] Isn't that the real prohibitory issue with mass cloud adoption anyway? … Read more on Data Center Knowledge Posted in: Cloud Security Tags: "Cloud, …, Cloud, General, Jackson, [...]