Security Considerations for Infrastructure as a Service Cloud Computing Model
Cloud cloud cloud! That's right, it's another article on cloud computing. With Microsoft "all in," Google making bets on the Chromebook that's dependent on the Internet, and Apple getting set to launch cloud-based services, it looks as if resistance is futile. If you attended this year's TechEd in Atlanta last week, you know it was all about the cloud.
Yet many IT pros are still a bit wary of the whole thing, and many are still confused about what cloud computing is and isn't. Check out this link for more details.
To make matters worse, we have different flavors of cloud computing. First, there's the public cloud vs. the private cloud, and sometimes the two even marry and produce the hybrid cloud. Then there are the different types of cloud services: software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). No wonder even techies are finding it hard to find their ways through the clouds.
Many of you might have already started your trek toward cloud computing, but if you haven't, let's get started with a few definitions. Cloud computing, as defined by the US National Institute of Standards and Technology (NIST), includes the following characteristics:
- On-demand self-service. A user can obtain compute, network and storage capabilities without having to go through a mediator; this can be done through a self-service portal and requisition center of some type.
- Broad network access. The information storage in the cloud infrastructure should be available from any location, and from a broad array of networked devices, such as desktops, laptops, PDAs, smart phones, and other devices that currently exist as well as those that will exist in the future.
- Resource pooling. Compute, network and storage resources are delivered from a larger pool of resources and multiple tenants (different groups or organizations) take advantage of that same pool. There may also be location independence, as each tenant may or may not be aware of the location of particular resources at any point in time.
- Rapid elasticity. Users can provision and deprovision resources quickly and easily. In addition, this provisioning and deprovisioning can be done automatically, based on policy, so that resources are assigned when required and released when they are no longer needed.
- Measured Service. Users obtain compute, network and storage assets that they need, and pay for only those services that they use.
Cloud computing models
Many people believe that cloud computing is just server virtualization, but cloud computing is much more than just server virtualization. Virtualization plays a huge role in cloud computing, and you can't have the cloud (at least not securely and cost effectively) without virtualization, but you can have virtualization without the cloud. Cloud computing is a delivery and consumption model, whereas virtualization is a technology that enables that model.
There are three service models for cloud computing:
- Software as a Service (SaaS). With SaaS (also called "finished services"), users can rent applications that are ready to use. Overhead for acquisition is typically very low and commitments can be for short or long terms.
- Platform as a Service (PaaS). PaaS, unlike SaaS, does not provide finished services to customers. Instead, PaaS provides a development platform that has built in cloud intelligence, so that developers don't need to worry about the underlying compute, network and storage infrastructure. All the developers need to do is develop the applications, using tools they already know how to use, and then deploy them to the PaaS provider. The PaaS provider's cloud engine then enables the core cloud competencies that are required for a cloud application, as noted in the first bulleted list above.
- Infrastructure as a Service (IaaS). IaaS, in contrast to SaaS and PaaS, provides neither a finished service nor a development platform. Instead, IaaS provides the core compute, network and storage infrastructure on which you can build your own PaaS or SaaS environments. Essentially, IaaS provides an easy way for you to deploy virtualized servers in the cloud by taking advantage of server virtualization and automation.
You also need to know about the cloud deployment models. While NIST identifies four deployment models in its recently released DRAFT Cloud Computing Synopsis, most of industry recognizes just three:
- Private cloud. A private cloud infrastructure is one where you control all the assets that participate in the cloud solution. The private cloud infrastructure might be located in your own datacenter, or it could be located in a hosted datacenter. However, even when located in the hosted datacenter, the private cloud is under your complete control: you control inbound and outbound access, you control the networking, you control the hardware and you control all of the software (operating systems and system services).
- Public cloud. In a public cloud, you rent services from the cloud provider. You might rent SaaS, PaaS or IaaS services, but you do not control all levels of the stack. In addition, public cloud environments are shared, multi-tenant environments, which means that your services and data can be co-located with others, including competitors.
- Hybrid cloud. Hybrid cloud is a deployment model where the organization takes advantage of both public and private cloud options. For example, the firm might want to host a large array of web servers in the public cloud to be a customer front end for shopping and order taking, but then the private cloud is used to contain the customer and financial data that drive the transactions.
The deployment models are generally defined by who controls the cloud resources. The NIST document adds the "community cloud," in which multiple organizations come together to create a "semi-private" cloud. NIST further breaks the private and community cloud models into two sub-models: on-site and outsourced. The 84 page NIST document provides a good basis for understanding the basics of cloud computing. You can download it in PDF format here.
Now that we have some basic definitions sorted out, let's focus on security in regard to Infrastructure as a Service, or IaaS. Most admins will be most comfortable and familiar with IaaS because it's very similar to what you're already doing now in your datacenter. Most likely, you have already deployed some kind of server consolidation plan to reduce the physical server footprint in your datacenter and save on energy costs. After server consolidation, you might then get interested in an IaaS offering, whereby you can take advantage of cloud features such as self-service and automation to help your company ramp up resources for application deployment and development faster than ever before.
But before you do that, you'll need to think about the security implications of IaaS. The security issues are a little different, depending on whether you use a public cloud or private cloud implementation of IaaS. With a private cloud, your organization will have total control over the solution from top to bottom. With IaaS in the public cloud, you control the virtual machines and the services running on the VMs you create, but you do not control the underlying compute, network and storage infrastructure. For both scenarios, you should consider the following security issues:
- Data leakage protection and usage monitoring
- Authentication and authorization
- Incident response and forensics capabilities
- Infrastructure hardening
- End to end encryption
Data leakage protection and usage monitoring
Data stored in an IaaS infrastructure in both public and private clouds needs to be closely monitored. This is especially true when you're deploying IaaS in a public cloud. You need to know who is accessing the information, how the information was accessed (from what type of device), the location from which it was accessed (source IP address), and what happened to that information after it was accessed (was it forwarded to another user or copied to another site?).
You can solve these problems by using modern Rights Management services and applying restrictions to all information that is considered business critical. Create policies for this information and then deploy those policies in a way that doesn't require user intervention (don't make it the user's responsibility to decide which information is business critical and should be rights-protected). In addition, you should create a transparent process that controls who can see that information and then create a "self-destruct" policy for sensitive information that does not need to live indefinitely outside of the confines of the corporate datacenter.
Authentication and authorization
Of course, in order to have an effective Data Loss Prevention (DLP) solution, you have to have robust authentication and authorization methods in place. We can all agree that user name and password is not the most secure authentication mechanism. Consider two-factor or multi-factor authentication for all information that needs to be restricted. In addition, consider tiering your access policies based on the level of trust you have for each identity provider for your IaaS cloud solutions. The level of authorization you enable from an identity provider such as Google Mail is going to be a lot lower than if the identity provider is your corporate Active Directory environment. Integrate this authorization tiering into your DLP solution.
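The two preceding sections describe a policy that combines data classification, rights-style restrictions on what can be done with the data after access, and authorization tiers keyed to how much you trust the identity provider. The following is an added example (not code from the original article) that evaluates that kind of policy over constructed access records; the identity-provider names, trust tiers, classification levels and key=value log format are all assumptions chosen for illustration.

```python
"""Access-policy check combining data classification, identity-provider
trust tiers, MFA and rights-style action restrictions, evaluated over
constructed usage-monitoring records. Added illustration; every mapping
below is an assumed example policy, not a vendor's product behaviour."""
from dataclasses import dataclass

# Trust tier per identity provider (assumed mapping; higher is more trusted).
IDP_TRUST = {
    "corp-ad": 3,       # corporate Active Directory
    "partner-saml": 2,  # federated business partner
    "google-mail": 1,   # consumer identity provider
}

# Minimum trust tier and MFA requirement per data classification (assumed).
CLASS_POLICY = {
    "public":       {"min_tier": 1, "mfa": False},
    "internal":     {"min_tier": 2, "mfa": False},
    "confidential": {"min_tier": 3, "mfa": True},
}


@dataclass
class AccessRequest:
    user: str
    idp: str
    mfa: bool
    classification: str
    device: str
    source_ip: str
    action: str          # "read", "forward" or "copy"


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown providers or classes are denied."""
    tier = IDP_TRUST.get(req.idp)
    policy = CLASS_POLICY.get(req.classification)
    if tier is None or policy is None:
        return False, "unknown identity provider or classification"
    if tier < policy["min_tier"]:
        return False, f"tier {tier} below required {policy['min_tier']}"
    if policy["mfa"] and not req.mfa:
        return False, "MFA required"
    # Rights-management style restriction: confidential data may be read
    # but not forwarded or copied out of the protected environment.
    if req.classification == "confidential" and req.action in ("forward", "copy"):
        return False, f"{req.action} blocked by rights policy"
    return True, "allowed"


def parse_log(line: str) -> AccessRequest:
    """Parse one constructed access-log line of space-separated key=value pairs."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return AccessRequest(user=fields["user"], idp=fields["idp"],
                         mfa=fields["mfa"] == "yes",
                         classification=fields["class"],
                         device=fields["device"], source_ip=fields["src"],
                         action=fields["action"])


# Constructed sample records (not real log output from any product).
SAMPLE_LOG = """\
user=alice idp=corp-ad mfa=yes class=confidential device=laptop src=10.0.4.12 action=read
user=alice idp=corp-ad mfa=yes class=confidential device=laptop src=10.0.4.12 action=forward
user=bob idp=google-mail mfa=no class=internal device=phone src=203.0.113.7 action=read
user=bob idp=google-mail mfa=no class=public device=phone src=203.0.113.7 action=read
user=carol idp=corp-ad mfa=no class=confidential device=desktop src=10.0.4.40 action=read
"""


def audit(log_text: str) -> list[dict]:
    """Evaluate every record and return a usage-monitoring report that keeps
    who, from which device and source IP, what data and what happened to it."""
    report = []
    for line in log_text.splitlines():
        req = parse_log(line)
        allowed, reason = decide(req)
        report.append({"user": req.user, "src": req.source_ip,
                       "device": req.device, "action": req.action,
                       "class": req.classification,
                       "allowed": allowed, "reason": reason})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

The policy is deliberately deny-by-default: an identity provider or classification that is not in the tables is refused rather than mapped to the lowest tier, and the "forward"/"copy" restriction is applied even to fully trusted, MFA-authenticated users, which is the point of rights protection that does not depend on the user deciding what is sensitive.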
End to end logging and reporting
The effective deployment of IaaS, both in the private and the public cloud, demands that you have comprehensive logging and reporting in place. As virtual machines are spun up automatically and moved between servers in an array dynamically over time, you never know where your information might live at any point in time (and this becomes even more interesting when we look at the issue of storage virtualization and dynamic migration). In order to keep track of where the information is, who accesses it, which machines are handling it, and which storage arrays are responsible for it, you need robust logging and reporting solutions.
The logging and reporting solutions are important for service management and optimization, and they will become even more important in the event of a security breach. Logging is critical for incident response and forensics - and the reports and findings after the incident are going to depend heavily on your logging infrastructure. Make sure that all compute, network, memory and storage activity is logged and that the logs are stored in multiple, secure locations with extremely limited access. Ensure that the principle of least privilege drives your log creation and management activities.
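An added example (not from the original article) of the two points above: keeping a record of which host and storage array a VM lived on at any given time, and making that record tamper-evident so it can be relied on during incident response. Each entry's hash covers the previous entry's hash, so any later edit to an earlier record breaks the chain, and two copies kept in separate locations can be compared by their head hash. The event schema, hostnames and timestamps are constructed.

```python
"""Hash-chained audit log of VM placement events with a point-in-time
placement query. Added illustration; the schema is an assumption and the
sample events are constructed."""
import hashlib
import json


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = prev_hash + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class PlacementLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # each: {"event": {...}, "hash": str}

    def append(self, ts: int, vm: str, host: str, storage: str, actor: str) -> str:
        """Record that `vm` runs on `host` backed by `storage` from time `ts`.
        Events are expected to be appended in time order."""
        event = {"ts": ts, "vm": vm, "host": host, "storage": storage, "actor": actor}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = _digest(prev, event)
        self.entries.append({"event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for entry in self.entries:
            if _digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def location_at(self, vm: str, ts: int):
        """Latest (host, storage) placement of `vm` at or before `ts`, or None."""
        location = None
        for entry in self.entries:
            ev = entry["event"]
            if ev["vm"] == vm and ev["ts"] <= ts:
                location = (ev["host"], ev["storage"])
        return location


def replicas_agree(a: PlacementLog, b: PlacementLog) -> bool:
    """Two copies stored in different locations match if their heads match."""
    return a.verify() and b.verify() and a.head() == b.head()


def build_sample_log() -> PlacementLog:
    """Constructed sample: one VM is live-migrated to another host and array."""
    log = PlacementLog()
    log.append(100, "vm-web01", "host-a", "san-1", "orchestrator")
    log.append(200, "vm-db01", "host-b", "san-1", "orchestrator")
    log.append(300, "vm-web01", "host-c", "san-2", "orchestrator")  # migration
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("vm-web01 at t=250:", log.location_at("vm-web01", 250))
    print("vm-web01 at t=300:", log.location_at("vm-web01", 300))
```

The chain only makes tampering detectable, not impossible: the head hash still needs to be stored somewhere the log writers cannot reach, which is the least-privilege point the article makes about log management.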
Infrastructure hardening
You need to make sure that your "golden image" virtual machines and VM templates are hardened and clean. This can be done with initial system hardening when you create the images, and you can also take advantage of technologies that enable you to update the images offline with the latest service and security updates. Make sure that you have a process in place to test the security of these master images on a regular basis to confirm that there has been no drift from your desired configuration, whether due to malicious or non-malicious changes from the original configuration.
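A simple way to test for drift is to record a manifest of the hardened image (file hashes and permission bits) when it is signed off, and re-run the same manifest against the image later. The following added example (not part of the original article) does that over a constructed image tree in a temporary directory; the file names and contents are invented for the demonstration, and a real run would point `manifest()` at the mounted image root.

```python
"""Baseline-and-compare drift check for a golden image's files.
Added illustration; the image tree below is constructed in a temp dir."""
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each regular file's relative path to 'sha256:mode'.
    Symlinks are skipped so a link can't masquerade as its target."""
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = oct(path.stat().st_mode & 0o777)
            out[str(path.relative_to(root))] = f"{digest}:{mode}"
    return out


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or changed (content or mode) since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict[str, list[str]]:
    """Build a constructed image, baseline it, simulate drift, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp)
        (img / "etc").mkdir()
        (img / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (img / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(img / "etc" / "sudoers", 0o440)
        (img / "bin").mkdir()
        (img / "bin" / "agent").write_bytes(b"constructed-binary-v1")
        baseline = manifest(img)

        # Simulated drift: a hardening setting relaxed, a permission loosened,
        # a required agent removed and an unexpected file left behind.
        (img / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(img / "etc" / "sudoers", 0o644)
        (img / "bin" / "agent").unlink()
        (img / "tmp").mkdir()
        (img / "tmp" / "leftover.bin").write_text("x")
        return drift(baseline, manifest(img))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest should itself be stored outside the image and write-protected; a drift report is only as trustworthy as the baseline it is compared against.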
End to end encryption
IaaS, both in public and private clouds, needs to take advantage of encryption from end to end. Make sure that you use whole disk encryption, which ensures that all data on the disk, not just user data files, is encrypted. This also prevents offline attacks. In addition to whole disk encryption, make sure that all communications to host operating systems and virtual machines in the IaaS infrastructure are encrypted. This can be done over SSL/TLS or IPsec. This includes not only communications from management stations, but also communications between the virtual machines themselves (assuming that you allow communications between the virtual machines). Also, when available, deploy mechanisms such as homomorphic encryption to keep end-user data safe and secure. This is a form of encryption that allows complex calculations to be performed on the data even though it remains encrypted. To learn more about it, see Michael Kassner's article, "Homomorphic Encryption: Can it save cloud computing?", over on the TechRepublic web site.
Cloud computing is more than just server virtualization. The NIST document has defined several requirements for a cloud computing solution. There are three service models for cloud computing: SaaS, PaaS and IaaS and there are (at least) three deployment models: public cloud, private cloud and hybrid cloud. When deploying an IaaS solution, there are a number of security issues that need to be considered for both private cloud IaaS and public cloud IaaS, which we highlighted in this article. In future articles, we'll delve into other aspects of cloud security.