In less than a decade, cloud computing has grown from an intriguing niche to a mainstream market segment. Future expectations are high, with Morgan Stanley projecting Amazon Web Services will hit the
The presumption that a highly virtualized, multi-tenant environment is intrinsically more susceptible to attack is a byproduct of the belief that the level of accessibility and flexibility that makes the cloud so appealing to customers also opens the door to opportunistic hackers who are ready to capitalize on the many points of entry.
These concerns about cloud computing vulnerabilities can translate into real reticence for customers deciding whether to deploy their most critical applications in the cloud. Yet there are indications that cloud security is becoming less of a barrier to entry than it was in the past. The allure of the on-demand model is strong enough that many businesses are willing to set aside some concerns around data security and privacy, at least on an experimental basis, with project-based Infrastructure as a Service (IaaS) deployments to support short-term capacity needs.
The confidence gap
The good news is that this next wave of cloud deployments has been fairly successful, which has helped to bolster confidence in the model. There is, however, a confidence gap between businesses still on the sidelines and those that have already taken the plunge. A Microsoft-commissioned survey of more than 200 small and medium-sized businesses (SMBs), conducted by research firm comScore Inc., found that 42% of those organizations that aren't using the cloud find it inherently unreliable. Contrast that with the 94% of SMBs polled in the June 2013 survey who say the level of security they are getting with cloud-based applications is higher than what they had implemented in an on-premises model. These findings support the idea that, for many businesses, one of the most compelling benefits of the cloud is that providers can offer a level of expertise and integrated security superior to what many businesses can provide internally. Simply put, security can be a critical differentiator for a cloud provider.
So, what cloud-specific vulnerabilities and threats are the most dangerous, and how can providers best protect their cloud environments? The reality is that neither the general nature of security threats nor the types of controls deployed to mitigate risk are radically different from those in a traditional environment. Attackers tend to follow similar patterns and employ many of the same methods they use to breach a traditional environment: bypassing access controls, discovering valuable data, taking control of the asset where the data resides and then stealing or exposing the data. However, the nature of the cloud means providers need to adjust their approach to address issues specific to an on-demand environment.
Taking a layered approach to mitigating cloud vulnerabilities
Just as they secure a conventional IT environment, a cloud provider needs a multilayer approach that addresses security in a comprehensive manner, incorporating access management, perimeter security and threat management, encryption, distributed denial-of-service (DDoS) mitigation, privacy and compliance management. But in a shared cloud environment, elements like identity and access management become especially crucial because data from multiple clients is stored in and accessed through the same shared environment. Cloud providers need to assure customers they have an effective solution in place that not only grants access, but can also validate identity in a virtualized environment using such methods as multifactor authentication.
Providers also need to address hypervisor security by using monitoring tools that can detect suspicious behavior, including unusual traffic patterns and unusual transactions, which might signify a threat to the integrity of the environment. Providers also need to answer questions around data commingling from both a privacy and a compliance perspective by outlining how they logically partition client data.
Many hackers launch volumetric attacks on the cloud, designed to flood the environment and expose vulnerabilities. To this end, providers need the right DDoS mitigation strategies in place that can help identify traffic anomalies before they interfere with progress.
Also, in a multi-tenant cloud environment, providers need to make sure that businesses migrating application workloads from a traditional environment have correctly configured communication settings for some elements -- including encrypted or unencrypted data channels, IP addresses and host names -- so they are transmitted over a secure channel.
Providers face a host of challenges as they work to protect cloud data, but the real test may actually come in learning how to effectively communicate the effort to customers, which will involve outlining security controls and highlighting incidents where the provider obstructed a breach.
Success in the cloud comes down to a number of factors. While issues like price and the geographic location of data are important, what really distinguishes a cloud provider is its ability to act as a trusted partner to its customer, supplying not only the appropriate infrastructure, but also delivering on its promise to be trustworthy.
About the author:
Amy Larsen DeCarlo is a principal analyst at Current Analysis, an analyst firm based in Washington, D.C.
This was first published in October 2013