When enterprise applications and services migrate from the physical data center, organizations begin to lose visibility and control as the shared infrastructure model of the cloud forces IT to give up their traditional control over the network and system resources. As a result, many organizations and cloud providers will tell you that security continues to be a barrier to cloud adoption in 2011. Though these challenges differ depending on the delivery model – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – ultimately, providers and customers must share visibility, responsibility, and accountability.
In a public IaaS deployment, customers can manage the operating systems and applications, and can implement controls and processes on that level. In these shared implementations, the providers typically implement security layers at the network and hypervisor layers that may include firewalls, encryption, IDS/IPS, VLANS and vulnerability and penetration testing. However, the details of these internal security programs and their output are not always visible to their customers.
Additionally, many times the cloud providers do not provide an O/S or application-level security solution, which of course should include vulnerability and scanning for enterprise images and applications running on their shared, multitenant infrastructure. With respect to vulnerability scanning, the customer must often rely on the claims of the provider with respect to the network and hypervisor layers. Customers must then, assuming that they are permitted, perform their own scanning to assess their O/S and application risks. As such, core security responsibilities, including vulnerability and penetration testing, are more heavily shared between the provider and the customer, which can result in some confusion and “grey areas” when attempting to implement a solid end-to-end security strategy.
Giving these IaaS challenges, many analysts and providers, such as GoGrid, indicate the trend for organizations to adopt the Private Hosted Cloud, as a way to balance security and compliance requirements with the benefits of a managed infrastructure. In a private hosted cloud, the data center is virtualized on dedicated hardware and managed by the cloud provider. Much like the public cloud, the provider manages physical, network and hypervisor security, but is often more willing to make these programs and processes more transparent to the end customer. Some private cloud vendors also allow customers to perform vulnerability and penetration testing directly against the isolated network and systems, which is a critical component in these virtualized environments.
According to Gartner’s Security Monitoring and Assessment for Cloud Environments, “for private cloud environments, organizations should ensure that a preproduction vulnerability and configuration assessment is integrated with the system provisioning process to ensure that the system is patched, does not contain critical vulnerabilities and is configured with the proper security policies. “
In SaaS and PaaS, organizations have limited visibility into the underlying infrastructure and again depend on the provider to properly secure and manage the network and systems. In these deployments, customers rely on the provider’s security claims of scanning, patching, configuration and vulnerabilities.
Regardless of the cloud model deployed, visibility and transparency of the underlying security program will likely continue to drive many cloud discussions in the years to come. eEye looks forward to working with customers, providers, and the community to help overcome these concerns and drive standardization and transparency.
In addition to helping many providers perform internal security scans on a daily basis, eEye also offers Retina Community to scan at the network, hypervisor, operating system, and application levels and to provide in-depth vulnerability scanning regardless of your deployment scenario. Just remember to verify that your provider allows you to scan your own hosted assets for vulnerabilities before you begin ;).