Two big lies about cloud computing security

Bernard Golden, chief executive of Hyperstratus Consulting, wrote that one after another survey showed that security is the most worrying issue for potential users of public cloud computing. For example, a April 2010 survey found that more than 45% of respondents said cloud computing risks outweigh the benefits. A survey conducted by CAS and Ponemon Cato also found that users have such concerns. However, they also found that, despite the user's doubts, cloud applications were being deployed. The continued release of similar surveys and results suggests that mistrust of cloud computing security continues.

Admittedly, most concerns about cloud security are related to public cloud computing. The global IT practitioner is constantly proposing the same problem with a public cloud service provider. For example, Golden recently went to Taiwan and delivered a speech at the Taiwan Cloud SIG Conference. 250 people attended the meeting. As expected, the first question that people ask him is "is the public cloud environment safe enough for me to use a private cloud to avoid security issues?" All seem to think that public cloud providers are untrustworthy.

However, the discussion of cloud security boils down to the "public cloud is unsafe, private cloud security" formula seems too simplistic. Simply put, there are two big lies (or two basic misunderstandings) in this view. The main reason is that this new computing model forces a dramatic change in security products and methods.

The first cloud security lie: private cloud is safe

The first lie is that the private cloud is safe. This conclusion is based solely on the definition of a private cloud: The private cloud is deployed within the boundaries of the enterprise's own data center. The misconception arises from the fact that cloud computing contains two key distinctions that differ from traditional computing: Virtualization and dynamics.

The first difference is that the technology base of cloud computing is based on an application management program. The management program can isolate calculations (and their associated security threats) from traditional security tools, and check for inappropriate or malicious packets in network traffic. Because virtual machines in the same server can communicate entirely through communication in the hypervisor, packets can be sent from one virtual machine to another without having to go through a physical network. Generally installed security devices check traffic on the physical network.

Crucially, this means that if a virtual machine is compromised, it can send dangerous traffic to another virtual machine, and traditional defenses will not even be noticed. In other words, an insecure application can cause attacks on other virtual machines, and the security measures used by the user are powerless. Just because a user's application is in a private cloud does not guarantee that the application will not have security issues.

Of course, one might point out that this problem comes with virtualization and does not involve any aspect of cloud computing. This view is correct. Cloud computing represents a combination of virtualization and automation. It is the second factor that leads to another security flaw in the private cloud.

Cloud computing applications benefit from automation for flexibility and resiliency, manage changing traffic load types by rapidly migrating virtual machines and start additional virtual machines, and respond to changing applications. This means that the new instance can be online within minutes without any human intervention. This also means that any necessary software installation or configuration must also be automated. Thus, when a new instance is added to an existing application pool, it can be used immediately as a resource by other applications.

It also means that any necessary security software must be automatically installed and configured without human intervention. Unfortunately, many organizations now have to rely on security personnel or system administrators to manually install and configure the necessary security components, and this is usually the second step after the installation and configuration of other software components of the machine.

In other words, many organizations do not match the practical aspects of the security practices and cloud requirements. The idea that the private cloud itself is safe is now considered incorrect. Security vulnerabilities are sure to occur before user security and infrastructure practices are consistent with automated instances.

Moreover, it is important to make them consistent. Otherwise, this can happen: the user's application automation exceeds the ability to respond to security practices. This is not a good phenomenon. There is no doubt that people do not want to face the fact that a private cloud that seems secure ultimately has security vulnerabilities, because the automation features of cloud computing are not yet extended to all aspects of the software infrastructure.