Cloud Security Challenges Include Audit Trails, Preventing Attacks
How to build an effective Security Operations Center to cope with new threats in the era of virtualization and cloud computing will be a major topic at the upcoming Connections Conference in Las Vegas in April.
(click image for larger view)
Slideshow: Top 10 Cloud Stories Of 2010
The early suppliers of cloud computing have often built service organizations conceived around single-tenant technology, but they've ended up supplying services based on multi-tenant technology, says an early proponent of security in the cloud.
That means they're ill-prepared to supply an audit trail to individual customers, who are probably running their workloads on a server with many fellow cloud users. Jim Reavis, co-founder of the Cloud Security Alliance, will speak to this and other concerns when he addresses the Connections Conference in Las Vegas April 17-21. Reavis is a keynoter for the Las Vegas event's cloud track. His talk will be on "Building the Trusted Cloud."
One problem in the multi-tenant cloud, where different businesses use the same server, is supplying a user with his own track of events in the server log. Techniques for isolating one customer's information from another's are still rudimentary. The concern is not only that a given user will not get his activity in the log, but that he might get someone else's as well by mistake. The job of isolating one user from another in one server log still needs more work, Reavis said in a recent interview.
"How do I as a cloud supplier provide a view of that logged information, scrubbed from the other customer's information?" he asked. The answer is not yet clear, leaving cloud users in an awkward position if they need to provide an audit trail from information in the hands of their cloud supplier. The problem will get sorted out, he predicted.
He thinks the dangers of security exposures in the cloud, while they exist, are overstated. As we gain maturity in cloud computing, "the cloud has so much power to make security better" for its customers, as opposed to undermining it, he said.
Reavis is the alliance's executive director as well as head of the Reavis Consulting Group in Ferndale, Wash. The alliance is made up of a mix of industry vendors and has been instrumental in establishing a common framework of terms and definitions in cloud security. It also issues periodic best practices documents. Its Governance, Risk Management and Compliance Stack, for example, is an IT manager's toolkit for assessing a cloud operation, whether public or private, against security best practices and compliance requirements.
Among the 77 corporate members of the alliance are: Lockheed Martin, IBM, Google, Microsoft, Rackspace, Dell, Intel, Cisco, Verizon Business, Oracle, CA Technologies, Rackspace, VMware, Terremark, and CSC.
Another keynoter for the cloud track at the show is Nils Puhlmann, chief security officer at Zynga, the San Francisco online game company and creator of Mafia Wars and Farmville. Puhlmann is also co-founder of the Cloud Security Alliance and serves as its chief information security officer. His talk will be on "Securing Innovation" and he will draw on his experience marshaling security practices at the world's largest online gaming company.
In an interview, Puhlmann pointed to a recent security brief issued by RSA, the security software maker now known as the RSA Security Division of EMC, as pointing to methods for establishing much stronger security practices in the enterprise data center and the cloud in the future.
Multicloud Infrastructure & Application ManagementEnterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.