
Our math teacher walked up to the class (I forget which grade) and said ‘whoever gets the correct answer first, gets a reward…’ The problem we were asked to work on was to add up the numbers from 1 to 50. It is hard for me to stay out of any competitive activity. So I backed my chances of getting to the right answer first and started adding up the numbers. I was adding away and by the time I got to the 20’s I could sense the difficulty level increasing and was aware that I could make a mistake somewhere along the long line to 50…After about 10 minutes, our teacher called off the competition and proceeded to explain the formula n(n+1)/2. I remember being stumped by this magical formula. How can this thing work no matter what the number sequence? Sure enough, I tested it out. Variations of the formula work for odd-number sequences, even-number sequences and for many other number series. How somebody could have come up with this elegant formula was simply beyond me. Intuition eluded me when it comes to mathematics.
While clearly I am no mathematician, as an engineer I do appreciate the fact that mathematical formulas work well. Consider public-key cryptography that underpins everything we do on the web. The math works and that is why we have a global $1.5 trillion e-commerce economy. A brute-force attack to break AES-256 encryption would take…apparently forever. 128-bit encryption only takes 1 billion billion years…give or take. And of course we know it is a billion times easier for a hacker to guess a weak password, or steal a password, or get access to a lost laptop or a smartphone, or get root access to an unpatched or improperly patched system. For custodians of an enterprise’s information assets, it is hard to take comfort in the fact that the math works when the front-page news of huge IT security breaches is in our face so frequently and the liabilities are so big.
Practitioners of IT security know that a lot goes into creating robust IT security – the combination of the right architecture, processes, people, tools and governance. And even with all that – it is a lot of work, learning, adjusting. What about Cloud security? Cloud security is a top topic of discussion among clients considering Cloud (IaaS) for their enterprise. Is Cloud secure? How does security work in the Cloud? How is it different compared to the way we do security today (outside the Cloud)? What are the risks? These and many other similar questions usually lead our discussions with clients considering Cloud adoption.
Cloud (IaaS) security uses the ‘shared security model’. This means the Cloud Provider (say AWS, Azure, etc.) is responsible for part of the security and you, the client, are responsible for the other part.
The Cloud Provider is responsible for security of the following components –
- Physical infrastructure
- Cloud-wide networking e.g. availability of Internet connectivity, etc.
- Hypervisor
- A robust feature-set that allows secure Compute, Database, and Storage provisioning
- Deployment and management feature-set that enables logging, monitoring and auditing
The client is responsible for security of the following components –
- Operating system of the VM
- Network and host-based firewall configurations
- Applications
- Identity and access management
- Data
Within this shared security model, the ‘security scope-of-focus’ – what you are responsible for – is substantially reduced compared to what you are responsible for today in your on-prem or co-lo model. This in and of itself could lead to better security for your IT assets. You are responsible for securing fewer things and hence you have a better chance of going deeper on those.
Let’s take a look at what you can expect in terms of security from the leading Cloud providers –
- Physical infrastructure – globally distributed, fully-redundant and fault-tolerant physical data center topology with certifications and accreditations to meet the most stringent compliance requirements
- Cloud-wide networking (e.g. availability of Internet connectivity, etc.) – hyper-scale connectivity and security of that connectivity infrastructure that has been made possible by decade+ experience with running/building the world’s largest data centers and shared services models
- Hypervisor – hypervisor security that is put to test every day by 10’s of millions of VMs and the evolution and iteration of security that is possible through that level of learning and testing
- A robust feature-set that allows secure Compute, Database, and Storage provisioning using automation at a scale that is unimaginable even for the largest enterprises
- Deployment and management feature-set that enables logging, monitoring and auditing – again automated to the nth degree with integration options from most of the popular 3rd party security platforms and products via respective marketplaces
How do you take care of security for the components that you are responsible for –
- Operating system security – same way as you do today – although likely easier in terms of actual implementation because of the standardized, templatized, automated approach to provisioning servers
- Network and host-based firewall configurations – same way as you do today – although likely easier in terms of actual implementation because of the standardized, templatized, automated approach to provisioning servers and networks
- Applications – same way as you do today. Cloud-native applications built from the ground-up for the Cloud take advantage of the scalability and restricted fault-domains available within the Cloud in a loosely coupled service oriented architecture model. ‘Fork-lifted’ application security works the way it does today in your on-prem or co-lo facility
- Identity and access management – Cloud-based identity management for not just your Cloud-based infrastructure but also your on-prem and co-lo infrastructure. This has the potential to substantially accelerate your ‘stuck-in-the-pipeline’ enterprise SSO initiatives. Or integrate the Cloud infrastructure to use your existing enterprise identity management solution
- Data – In-transit security using SSL. At-rest security using encryption. Multiple key management options to ensure data protection.

And of course for many organizations the Cloud offers a chance to ‘do it right’ from the ground-up. Many CISOs are embracing the Cloud for this very reason: it would give their organizations a chance to start fresh for their new business-critical application.
Are there legitimate security questions that apply to the Cloud? Yes –
- Will I become more of a target by being in the Cloud?
- What are the risks of a rogue insider at the provider taking out large sections of the Cloud?
- What data privacy laws apply?
- Will Government agencies be able to access my data without subpoena?
- All this is new. How will my people know how to do it right?
And quite a few more…
The Cloud can help your organization today with opportunities to reduce costs and increase agility and you can begin your Cloud adoption journey using a low-risk, step-by-step approach.
When it comes to Cloud security – the more you know, the better it might get. The ‘more-Cloud’ world that is rushing towards us requires that we learn and prepare. While I will not go so far as to say that Cloud security is the ‘n(n+1)/2’ way of doing things, it may surprise you with its elegance and simplicity.