Despite its positive attributes, public cloud computing forces subscribers to make a choice between the level of security in their private data centers and the level of security attainable in the cloud. The
As shown in the following illustration, securing workloads in the cloud spans multiple parties: the data center owner/operator, the cloud services provider and the cloud subscribers. Further, the subscriber’s security ownership, by design, varies by the type of cloud computing service -- including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and with the least amount of subscriber ownership, Software as a Service (SaaS).
Shared security ownership in the cloud
Source: Stratecast/Frost & Sullivan
Attaining uniformity in security and compliance when multiple parties are involved is a non-trivial challenge all by itself. But when the enterprise is a subscriber of multiple cloud providers, the challenge is exacerbated. Furthermore, it is not uncommon for cloud subscribers to maintain private, on-premises data centers, too. In this hybrid setting, cloud subscribers use one administrative interface to manage security in their private data centers and another for their cloud instances, resulting in greater administrative complexity and vulnerability to security inconsistencies than if there were a single administrative interface.
Security industry options for cloud security solutions
For its part, the security industry has already introduced some cloud security solutions and will be introducing more options that help cloud subscribers mitigate the tradeoff between the security and compliance they need and the cloud computing benefits they want.
The approaches to the solution fall into three categories.
- On-premises security extension. In this approach, espoused recently by SafeNet with its Trusted Cloud Fabric, the enterprise extends the capabilities of on-premises security products into providers’ public cloud environments. This approach has several positive attributes, including centralized administration and reporting, the ability to reuse product knowledge by the enterprise’s security personnel, and extensibility into hybrid and multicloud provider environments.
The primary limitations or dependencies of this approach, however, are that the enterprise must use the specific vendor’s security products, and those products must be sufficiently comprehensive and scalable to address the security risks and compliance requirements posed by the public cloud. Without a sufficient range of capabilities, security solutions from multiple providers will be required, and with that comes multiple administrative and reporting interfaces.
- Cloud-embedded security services. In this solution, rather than securing the enterprise’s public cloud instances by extending on-premises product capabilities, security is designed into the provider’s cloud offerings. An example of this approach is the Savvis Symphony Virtual Private Data Center (VPDC). With Symphony VPDC, Savvis subscribers can choose from three service tiers -- Essential, Balanced and Enterprise -- each pre-defined with service capabilities in compute, bandwidth, storage and security optimized for the subscriber’s intended use.
For Web hosting applications, Savvis recommends the Balanced service tier. If the client use is for mission-critical/enterprise applications, the Enterprise service tier is the optimal choice. For enterprises with a clear understanding of how they intend to use the cloud and have trust in Savvis’ assembly of services, this approach has intrinsic appeal.
The drawback is that this approach is not conducive for enterprises that subscribe to cloud services from multiple providers.
- Cloud security bridge. In this approach, security capabilities are delivered as cloud services that cross over into the enterprise’s public cloud instances. Assuming broad interoperability between the cloud security bridge and public cloud providers, enterprise subscribers can centrally define security policies and have their policies adaptively applied to each of their public cloud instances. RSA, the Security Division of EMC, is pursuing this approach with the RSA Cloud Trust Authority.
Though they are not yet commercially available, three security modules will be available: identity security, infrastructure security and information security. Among the favorable attributes of this approach are provider independence, breadth of security capabilities, and centralized administration and reporting.
Several aspects of this approach are unknown, however, including the credibility of each security module relative to comparable solutions and the broadness of cloud provider interoperability. Weakness in either lessens the overall value of this approach.
Cloud security solutions vary by SaaS and IaaS service options
From the mile-high view, securing cloud workloads is improving, and these three approaches provide a taste of how the cloud security solutions are unfolding. Each approach has its limitations, but by the same token, cloud subscribers are not homogeneous in what they need. For example, will an enterprise subscribe to the cloud services of multiple providers or consolidate on a favorite? Stratecast believes it will be a mix -- using multiple providers for SaaS applications and a favorite provider for Infrastructure as a Service.
For SaaS, several vendors have market-tested premises-based appliances and/or cloud-delivered services that address a glaring concern -- uniform identity and access management when using multiprovider SaaS. Notable vendors in this realm include: CA Technologies, Okta, Ping Identity, SecureAuth, Symplified and TriCipher (part of VMware).
In terms of IaaS, embedding security into vendors’ IaaS offerings -- the approach being pursued by Savvis and several of its competitors -- is both prudent and consistent with how IT organizations operate in their private data centers.
We recommend that IaaS providers continue down the path of mirroring private data center attributes into their IaaS offerings and make it seamless, allowing IT personnel to administer all of their private and public workloads from a single interface.
About the author: Michael Suby is the vice president of research at Stratecast, a division of Frost & Sullivan. He has more than 25 years of experience in the information and communication technologies industry, and more than 10 years as an industry analyst and consultant. He previously worked in the telecom industry at both AT&T and Qwest.
This was first published in March 2011