When it comes to security, keep your head in the clouds

Australian enterprises may be rushing to embrace cloud computing, but those making the transition must take a proactive approach to infrastructure security that lets them provide consistent information assurance across public, private and hybrid cloud models.

This consistency will not only improve overall security, but will make it easier for companies to shift between cloud models as their changing business requirements demand. For example, a company might opt to keep its core operational systems inhouse but burst its customer-facing applications onto public-cloud infrastructure when demand peaks and it needs additional Web infrastructure to ensure a consistent user experience.

With the right security model, this move can be handled seamlessly without compromising internal security, says Dave Asprey, vice president of cloud security with Trend Micro, who will discuss cloud-security risks and strategies at the Trend Micro EVOLVE.Cloud events across Australia in May. "Whether they're using public or private clouds, enterprises are saying they want on-demand provisioning," he explains. This involves automating server provisioning and deprovisioning – and if you do that, you’ve built a private cloud.”

“Even if companies build a private cloud,” he continues, “they want to leverage the public or high-variability cloud to take advantage of service elasticity. They should realise they might as well put in functional tools that work for both private and public cloud – and set themselves up to take the step to the public cloud when they are ready. By having that one set of tools with both capabilities, they are killing two birds with one stone."

Given the significant transition involved in moving an organisation to embrace virtual servers, the benefits of such foresight are significant: introducing a robust and flexible security environment now will prevent the need for further changes later on. This is particularly important given the tendency for virtualised environments to suffer ‘virtualisation sprawl’ – a blowout in the number of virtual machines caused by wanton commissioning of new virtual machines.

Virtualisation sprawl is understandable: tantalised by the flexibility that virtualised environments provide, many companies find both business and technical staff exploring the opportunities that flexibility provides. Virtual desktop infrastructure (VDI), for example, can be a major boon for companies that have struggled to enforce consistent desktop policies on their employees.

Yet while the infrastructure may be able to handle the extra growth – sometimes with the assistance of a public-cloud burst mechanism, sometimes inhouse – many of the same companies are failing to keep their security testing in time with their server growth ambitions. The result, says Asprey, is a discrepancy in the level of growth and the security protecting that growth – and this opens up new vulnerabilities that can easily open the gates for malicious hackers.

Even where companies do think about security, many use conventional security solutions that are designed for systems with full resource availability; these security tools don’t transfer smoothly into the virtualised environment.

“So many companies build these nice virtualised environments, particularly with VDI, then don’t test their security tools,” he says. “They put on traditional security tools, and find their performance drops by a factor of 10. Antivirus scans take up an enormous amount of disk, memory and CPU simultaneously – and if you have dozens of virtual machines running on the same server, and all fight for CPU and disk time at the same time, no one gets much CPU – and scanning time gets stretched out into working hours.”

One solution is to add more physical servers to spread the load – but this goes against the whole idea of virtualisation as a mechanism for consolidation of applications. A more logical and manageable approach, Asprey warns, is to adopt a security solution that’s virtualisation-aware.

This means that it works in concert to interface with the virtualisation hypervisor, which manages all virtual application servers, to prevent security-scanning demands from increasing linearly with the number of servers. A virtualisation-aware security environment will coordinate the scanning of each virtual machine according to user-defined rules – ensuring that competing demands on limited CPU, memory and disk resources are minimised, and performance maximised.

Limited computing resources aren’t the only constraint in virtualised environments: encryption, says Asprey, has become an essential capability in virtual environments – especially as corporate environments leak out into public-cloud infrastructure. To ensure data and applications remains safe in such situations, they should use highly secure methods of encryption key exchange in which the encryption key is stored separately from the data.

This is complicated in the cloud world, however, since keys stored in a cloud environment face the same security issues as the data they’re intended to protect.

“In the past, when you had a machine that was going to connect to an encrypted volume, you would pull out a USB stick with the volume’s encryption key on it, plug it in and the server would authenticate,” Asprey explains. “But if you do that on a public-cloud provider they’d block you, because you’re not allowed to touch your virtual server – or even to know where it is.”

Ironically, lodging private virtual servers in the public cloud also creates new risks from hackers, who can easily set up their own public-cloud servers to aggregate computing power – and then use an algorithm to break the encryption of other cloud-hosted servers. In such situations, the sheer power of the public cloud becomes a new form of attack vector – and a new security risk for users.

That’s why many security and cloud providers are working together to create usable standards for enforcing cloud security: with consistent security protections on both private and public clouds, delivering a transportable security environment becomes far easier.

Working under the auspices of banner groups like the Cloud Security Alliance, initiatives like CSA STAR – the Security Trust and Assurance Registry – aim to provide certainty and consistency for organisations exploring cloud-security best practice.

The key message for enterprises is to understand that the new security challenge isn’t the cloud’s fault; the cloud is simply a new application delivery mechanism with its own unique performance characteristics. And, just as any security infrastructure should rightly address the performance characteristics of its host environment, so too should the new infrastructure built around virtual servers.

“The cloud does not increase security risk,” says Asprey. “If your data was important to criminals before the cloud, it’s just as valuable after the cloud. But if you change your security posture to match the new threats, you can still meet the security levels that you target.”

Hear from John Sheridan, Dr Anthony Bendall, Rob Livingstone, Michael Barnes, Steve Quane and Dave Asprey amongst others on the Evolution. Trends, Solutions and the Future of Cloud Security, limited seats so register today through CSO.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.