Hosting providers and security experts working together to create cloud computing security

Cloud-based security services are not easily accepted because both it and security managers are working to address risk factors and compliance issues.

Hard to move forward

Bill Trussell, general manager of security research firm Theinfopro, says quite a few companies are using what they consider to be cloud computing services. The research firm has just published its semi-annual survey of information security professionals in North American large and medium-sized enterprises. However, when Theinfopro asked respondents whether they were using cloud-based security services in the cloud computing environment, less than 15% per cent of respondents said they were likely to use the service.

Trussell said the respondents said the situation was not common when asked whether companies would extend the functionality of user access and configuration or dual-factor identification to cloud computing. Corporate security personnel are still nervous about things that are unfamiliar, not on their site, outside of their direct control, and even under the direct control of the cloud provider they use, because security services are controlled by Third-party vendors with expertise in security technology.

However, these new security-or-service plans will soon be applied to cloud computing.

For example, Pivotlink, which provides cloud-based, fee-based Business intelligence services, including Analysis Services for Salesforce.com-related data, has collaborated with Novell to test Novell's cloud computing security services. This service includes various identity management functions that are implemented according to the software hosted in Gogrid.

' We've got our identity from Novell's services, ' said Bob Kemper, senior vice president of Pivotlink development. Novell services are plugged into the customer's service. Currently, we use identity management and their authorization for security management. Novell integrates with the necessary enterprise systems for access to information.

If Pivotlink customers use LDAP (Lightweight Directory Access Protocol) or active target infrastructure, it will work, Kemper said. Cloud-based Services leverage authorization based on the SAML (Security Assertion Markup Language). This program, which is being tested with Novell, allows a user to automatically release a configuration of a storage administrator who is leaving, and to add a new manager, using the Pivotlink service to automatically authorize the same role.

"Our clients say we need this level of control and management as well as some form of audit," Kemper said. He added that customers said they felt more comfortable uploading sensitive data to cloud computing.

Pivotlink hopes to publicly deliver the Novell based cloud security service by the end of this summer as part of its portfolio. Kemper says the best way to launch these kinds of security controls is to work with a partner like Novell to provide a service model.

Dipto Chakravarty, general manager of the Novell Cloud computing security business, said Novell is contacting many SaaS and hosting providers to assess their interest in working with Novell on cloud-based security.

Chakravarty said our consideration is that Novell must support the technical agreement in a neutral manner, supporting SAML 1.1, SAML2, ws-fed, InfoCard and OpenID, as well as Enterprise Shibboleth. This Novell Cloud Computing Security Service is a truly multi-tenant-hosted security solution. It can be hosted by a SaaS hosting provider, or by a Novell partner.

Other players

Novell is not the only company that aspires to a cloud-based security service role.

Other security companies, including stillsecure and alert logic, will provide intrusion detection/defense (idp/ids) services to protect virtual machine based servers on behalf of customers at cloud computing services providers.

Mike Crews, the IT manager of automated Document FX (ADS), which provides medical records for hospitals and health care providers, says the company uses Host.net as a cloud provider for certain projects. When Host.net started working with Stillsecure to provide IPS services a few months ago, ads users enjoyed the benefits of 24-hour uninterrupted monitoring.

Crews said the service was an excellent opportunity to get this type of surveillance in Host.net. It's hard for ads to build this surveillance capability on its own. So far, the security service provided with Stillsecure has been working well. Stillsecure has its own network operations center, monitoring what is running on the ads virtual machine on the Host.net network. Stillsecure the cost of this service is to ensure the security of 10 virtual machines, a monthly payment of 250 dollars. This can be affordable for ads.

Justin Giardina, chief technology officer at Iland, another cloud-computing infrastructure provider in Houston, said Iland has been providing IPS surveillance services for more than a year in its data center through security company Alert logic.

In addition to the virtual LAN segmentation and Firewall-protected, VMware-based virtual machine configurations that are typically available for cloud computing customers, each company can choose to monitor these virtual machines from the security company's own network operations center by security company Alert Logic.

Alert logic monitoring leverages host-based software. These software run on behalf of the client at the level of the management program. The Alert Logic IPs service can be configured to automatically isolate a network segment. For example, if a problem is detected, the service starts the automatic response function in the Cisco ASA Firewall.

Giardina says no more than One-fourth of Iland users use this Alert logic monitoring service. Although alert logic is responsible for monitoring virtual machines 24 hours a day 7 days a week and has a direct relationship with consumers, Iland will also be involved if an accident occurs.

Not everyone understands the importance of using patches. Giardina points out that hackers and malware can cause servers to be compromised, and alert logic often notifies iland to respond to these events.

Giardina said that although Iland currently has no plans to add additional third-party security services except for the services provided by alert logic, Iland is seeking to establish its own anti-virus scanning and protection possibilities. This service will be based on the upcoming new version of Symantec Software, using the VMware Vmsafe API to implement management-level monitoring.