Many enterprises are reluctant to move critical cloud applications out of their own data centers and into the public cloud due to security concerns. Yet the same automated, consistent provisioning that is essential to managing either public or private clouds (as well as to the process of thinking through a cloud deployment) can also offer the fringe benefit of improving security.

Of course, not all cloud management tools work equally well with all cloud providers, nor do they all allow customers to manage their internal and external clouds as a single unit. Infrastructure-as-a-service (IaaS) providers such as Amazon, for example, typically don't allow customers to tweak the network and storage infrastructure beneath the operating system, forcing customers to trust that level of security to the vendor.

And while some customers will trust outside certifications, such as Amazon Web Services' Level 1 compliance with PCI DSS, others will choose to stick with a private cloud within their own firewalls, or create cloud environments at an external site using their own networks and keeping storage under their control.

Furthermore, compared to internal IT infrastructures, the public cloud requires more attention to components such as network firewalls, load balancers and network address translation to hide the public IP addresses most cloud providers assign to servers. But whatever the model, the automated, consistent processes required for large-scale cloud deployments not only increase the efficiency, reliability and performance of these environments, but also improve security.

Benefits of Thinking It Through

With physical servers, staging and setup is a manual, one-off job; however, with virtual machines (VMs), creating templates or policies for various types of servers forces organizations to "think about it more and plan for it," says Matt Conway, CTO of online backup vendor Backupify. "If you need to recreate [a type of server] quickly, you must script it and automate it."

And while conventional servers often run multiple types of software to provide different services, organizations often give VMs in cloud environments much more specialized personalities to perform specific tasks, says Patrick Kerpan, president and CTO of cloud management vendor CohesiveFT. Standardizing these templates, he says, "is a security bonus because, to the average enterprise, anything that causes a change control ticket is a security risk."

Going through the process of deciding whether to host a particular application or service in the cloud and, if so, in what type of cloud, forces organizations to assess the value of an application or service. The resulting deployment decisions can improve those systems' reliability, uptime and efficiency, as well as their security, says Lilac Schoenbeck, a senior manager in cloud computing marketing at management software vendor BMC.

However, "security [staff are] often not invited to the cloud architecture discussion soon enough," she says, out of fear that their caution will block cloud adoption.

Organizations that use internal service catalogs or identity-management systems to control which users can access which applications can reuse much of that work to secure the cloud, says Andi Mann, vice president of strategy at software vendor CA. Enabling an end user to access cloud services, he says, requires some level of understanding of who they are and what they are allowed to do. Without a service catalog, "you're doing a lot of manual processing" to understand which cloud applications employees are using.
Automated Provisioning

Because so many security vulnerabilities are caused by human error, automating proper server configuration also automatically improves security. With cloud environments containing dozens, hundreds or even thousands of VMs, manual configuration would be outrageously expensive and time-consuming. Automated server provisioning tools reduce costs, increase business agility, and help prevent variations that could create vulnerabilities.

While not all automated server provisioning tools integrate well with every cloud provider, such tools can help organizations standardize on the right operating system, the right patch level, and the right configuration of middleware, databases, load balancers and management agents, says Mann. They also enable administrators to easily control common security-sensitive settings, such as which ports are open and which services are running.

HyTrust's virtual management appliance, for example, provides server configuration templates, assesses the security configuration of VMware vSphere hosts against industry frameworks, and automatically replicates policies and templates across multiple appliances. Similarly, CohesiveFT sells the VPN-Cubed virtual firewall and router, as well as management tools for building VM templates and for automating common management tasks.

The particular needs of the cloud have led some service providers to develop their own tools. Internap, an IaaS provider, offers software that automates and audits the configuration of network switches in its cloud to create virtual LANs. This allows companies to more securely link their cloud-based virtual servers with the physical, dedicated servers within Internap's cloud that run demanding applications such as databases, says Paul Carmody, senior vice president of product management and business development.

Security administrators must also pass increasingly strict audits for compliance with either internal or industrywide security standards. Some cloud provisioning tools automatically produce such an audit trail, sometimes as a byproduct of the automated, policy-driven creation of servers that helps customers adapt more quickly to business needs or equipment breakdowns. Many automated provisioning tools provide reports on which users or administrators created and configured which servers.

Embedded Security

The very structure of a VM can also help boost security because its disk files include not only the required operating system, middleware and applications, but also the configuration settings that help ensure its security, says Michael Crandell, CEO of cloud management vendor RightScale.

When Jason Axne, systems administrator at conveyor belt manufacturer Wirebelt Company of America, backs up VM files, he knows that "all the security measures you have at the virtual server level are replicated, because it is a copy of that virtual server."

As organizations expand their use of the cloud, they often develop many different machine images for different workloads, says Crandell. If the images are managed properly, this encapsulated security information can help ensure that proper settings are automatically applied as new VMs are created. Done poorly, it can create a chaotic sprawl of server images, especially as new images with new names are created as patches and updates are applied to the original images, he says. RightScale works to avoid this by creating a small number of base image templates that retain the same file name over time and are supplemented with the definitions required to provide specific services.

Another source of embedded configuration and security information that can be reused in the cloud is Microsoft Active Directory, which many customers already use for their internal repository of information about the characteristics of users and IT components.
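The template-plus-audit-trail approach described under Automated Provisioning above, standardizing OS, patch level, open ports and running services per server role and recording who configured which server, is sketched below as an added example. It is not code from the article or from HyTrust, CohesiveFT, RightScale or any other vendor named here; the role template, the two sample servers and the administrator name are constructed for the illustration, and a real tool would read the observed state from the hypervisor or a management agent rather than from inline data.

```python
"""
Policy-driven provisioning check with an audit trail.

Added example (not code from the article or from any vendor it names).
The role template, the observed VM states and the actor name are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RoleTemplate:
    """What every server of this role must look like (the 'template' the text describes)."""
    role: str
    os: str
    min_patch_level: int            # patch baseline; anything older is drift
    allowed_ports: set              # the only ports that may be open
    required_services: set          # must be running
    forbidden_services: set = field(default_factory=set)


@dataclass
class ObservedServer:
    """State actually found on a VM (constructed sample data in this example)."""
    name: str
    os: str
    patch_level: int
    open_ports: set
    running_services: set


def check_compliance(template, server):
    """Return a list of human-readable drift findings; an empty list means compliant."""
    findings = []
    if server.os != template.os:
        findings.append(f"os mismatch: expected {template.os}, found {server.os}")
    if server.patch_level < template.min_patch_level:
        findings.append(f"patch level {server.patch_level} below baseline {template.min_patch_level}")
    for port in sorted(server.open_ports - template.allowed_ports):
        findings.append(f"unexpected open port {port}")
    for svc in sorted(template.required_services - server.running_services):
        findings.append(f"required service not running: {svc}")
    for svc in sorted(server.running_services & template.forbidden_services):
        findings.append(f"forbidden service running: {svc}")
    return findings


def audit_record(actor, template, server, findings, when):
    """The kind of record a provisioning tool can emit: who, which server, which role, result."""
    return {
        "timestamp": when.isoformat(),
        "actor": actor,
        "server": server.name,
        "role": template.role,
        "compliant": not findings,
        "findings": list(findings),
    }


# Constructed template: a web tier that should expose only SSH, HTTP and HTTPS.
WEB_TEMPLATE = RoleTemplate(
    role="web",
    os="ubuntu-20.04",
    min_patch_level=42,
    allowed_ports={22, 80, 443},
    required_services={"nginx", "monitoring-agent"},
    forbidden_services={"telnetd"},
)

# Constructed fleet: one server built from the template, one configured by hand.
FLEET = [
    ObservedServer("web-01", "ubuntu-20.04", 45, {22, 80, 443}, {"nginx", "monitoring-agent"}),
    ObservedServer("web-02", "ubuntu-20.04", 39, {22, 80, 443, 3306}, {"nginx", "telnetd"}),
]


def audit_fleet(actor, template, fleet):
    """Check every server against the template and return one audit record per server."""
    fixed_time = datetime(2011, 6, 1, tzinfo=timezone.utc)  # constant so the output is reproducible
    return [audit_record(actor, template, s, check_compliance(template, s), fixed_time) for s in fleet]


if __name__ == "__main__":
    for rec in audit_fleet("admin@example.invalid", WEB_TEMPLATE, FLEET):
        print(rec)
```

Running the block reports web-01 as compliant and lists four findings for web-02 (old patch level, an unexpected database port, a missing monitoring agent and a forbidden service). The point of keeping the template as data rather than as a script is the one Kerpan makes above: any change that cannot be expressed in the template shows up as drift and therefore as something that needs a change ticket.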
Using Active Directory, customers can set policies to automatically configure servers based on which Active Directory Organizational Unit (OU) they are in, says Shahin Pirooz, executive vice president, CSO and CTO at cloud services provider Centerbeam. With Centerbeam, he says, a user can drag and drop a VM into the right OU within Centerbeam's cloud to ensure it is configured correctly. Other cloud providers allow similar capabilities to reuse the Active Directory's configuration and security settings by using APIs to set up federated access control.

Genomic Health, a molecular diagnostics company, had to try several access-management vendors before finding Okta's identity- and access-management service. Okta's support of the Security Assertion Markup Language (SAML) standard allowed Genomic Health to use its internal Active Directory to provide single sign-on services for more than 20 software-as-a-service applications, says Ken Stineman, senior director of computing and IT.

Egenera's PAN Manager uses virtualization to ease administration duties and help secure multitenant architectures, where different customers share the same hardware. PAN Manager virtualizes the network that connects VMs in the cloud, storing all server-specific and application-specific information on a storage area network rather than on individual servers. Because no application-specific information sits on the server, customers can share single or multiple platforms while ensuring their applications, data and network traffic never touch and thus don't pose a security risk, says Scott Geng, senior vice president of engineering.

Virtualization also makes it easier to set up test servers before deployment, which in turn makes it easier to test security and performance before putting servers into production, says Conway of Backupify. The tools (often open-source) that are used to monitor loads on systems can also uncover attacks, he adds.
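The kind of per-user check such a load-monitoring tool can run is shown below as an added example; it is not code from the article or from Backupify, and the snapshot format, user names and thresholds are constructed for the illustration. It flags a user whose consumption keeps growing from one poll to the next, now dominates the cluster total and is spread across most of the nodes, which is the cluster-wide pattern a monitor can surface for a security team to investigate.

```python
"""
Cluster-wide resource-leak detector over constructed load-monitor samples.

Added example, not code from the article or from any tool it names. The
snapshot format, the user names and the thresholds are assumptions made
for the illustration; a real monitor would feed live polls into detect_leaks().
"""
from collections import defaultdict

# Constructed polls, oldest first. Each sample is (node, user, memory_mb).
SNAPSHOTS = [
    [("node-1", "alice", 500), ("node-1", "user-c", 600),
     ("node-2", "bob", 480),   ("node-2", "user-c", 650),
     ("node-3", "carol", 510), ("node-3", "user-c", 620)],
    [("node-1", "alice", 505), ("node-1", "user-c", 900),
     ("node-2", "bob", 470),   ("node-2", "user-c", 950),
     ("node-3", "carol", 515), ("node-3", "user-c", 920)],
    [("node-1", "alice", 500), ("node-1", "user-c", 1500),
     ("node-2", "bob", 480),   ("node-2", "user-c", 1600),
     ("node-3", "carol", 510), ("node-3", "user-c", 1550)],
]


def summarize(snapshot):
    """Per-user totals, the set of nodes each user is present on, and all nodes seen."""
    totals = defaultdict(int)
    nodes = defaultdict(set)
    all_nodes = set()
    for node, user, mb in snapshot:
        totals[user] += mb
        nodes[user].add(node)
        all_nodes.add(node)
    return totals, nodes, all_nodes


def detect_leaks(snapshots, share_threshold=0.5, node_fraction=0.75, growth_factor=1.2):
    """
    Flag users whose consumption (a) grew by at least growth_factor between every
    consecutive poll, (b) now accounts for at least share_threshold of the cluster
    total and (c) is present on at least node_fraction of the nodes.
    Returns {user: {"share": float, "nodes": int, "growth": [float, ...]}}.
    """
    if len(snapshots) < 2:
        return {}  # a trend needs at least two polls
    summaries = [summarize(s) for s in snapshots]
    latest_totals, latest_nodes, all_nodes = summaries[-1]
    cluster_total = sum(latest_totals.values())
    flagged = {}
    for user, total in latest_totals.items():
        share = total / cluster_total
        spread = len(latest_nodes[user]) / len(all_nodes)
        growth = []
        for prev, cur in zip(summaries, summaries[1:]):
            before = prev[0].get(user, 0)
            # a user who appeared from nothing counts as unbounded growth
            growth.append(cur[0].get(user, 0) / before if before else float("inf"))
        if (share >= share_threshold and spread >= node_fraction
                and all(g >= growth_factor for g in growth)):
            flagged[user] = {"share": share, "nodes": len(latest_nodes[user]), "growth": growth}
    return flagged


if __name__ == "__main__":
    for user, info in detect_leaks(SNAPSHOTS).items():
        print(f"{user}: {info['share']:.0%} of cluster memory on {info['nodes']} nodes, growth {info['growth']}")
```

On the constructed data only user-c is flagged: its total climbs from 1870 MB to 2770 MB to 4650 MB while the other users stay flat, and by the last poll it holds about three quarters of cluster memory on every node. The thresholds are deliberately parameters, since they have to be tuned per cluster, and a hit is a prompt to look at that user's activity rather than proof of an attack.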
If, for example, such a monitoring tool detects a cluster-wide resource leak caused by one user, that could signal a distributed denial-of-service attack or some other attempted breach.

Limitations

There is, unfortunately, no magic pill, no one everyday cloud management technique that addresses all of an organization's security needs. For one thing, the more that an organization needs complete and fine-grained security, the less it can piggyback on cloud management tools. This is because determining which applications can run on a server, or even which users can access that server, does not control which specific actions a user can or cannot take on that server. That level of role-based control is often required to ensure security or compliance with regulations governing data protection. Tools such as Aveksa can control such finer-grained entitlements based on information from identity repositories such as Active Directory, says Vick Viren Vaishnavi, president and CEO of Aveksa.

The cost of conventional management tools is another hurdle, says Nand Mulchandani, co-founder and CEO of cloud management vendor ScaleXtreme. While a virtual machine might cost nine cents an hour, for instance, a system to manage it such as the BMC BladeLogic management automation suite "costs $1,500 per server," he says. Such high costs force organizations with thousands of servers to go without automated patch or configuration management or audit compliance, he says, relying instead on scripts or manual processes. Schoenbeck counters that BMC's tools "enable you to gain control of [cloud servers], particularly in a world where they're so easy to get" to ensure they're being used appropriately, securely and cost-effectively.

Even the provisioning management tools now available for the cloud do not support every cloud provider, says Ken Owens, vice president of security and virtualization technologies at IaaS provider Savvis. That can drive up cost and complexity by requiring the use of multiple systems to manage servers in private and public clouds. Owens expects integration will become easier in the next several years as standard interfaces evolve.

Many infrastructure management tools fall down in the way they segregate cloud management, or even just virtualization management, from the rest of IT management, says Mann. "A good infrastructure management stack will manage the cloud through the same processes and capabilities as it manages internal IT."

Mulchandani also warns that some internal server management products were not built to run in the public cloud. Most patch management tools designed for internal corporate environments, he says, require an open inbound port to accept patch updates, something "you'd never be crazy enough" to allow on a public cloud server with a public IP address. ScaleXtreme offers a patch management tool that uses a one-way outbound HTTPS port.

Fringe Benefits

Good cloud management practices aimed at reducing spending can also improve security. Take, for example, asset discovery tools, which uncover how many applications and other systems are in use in an organization and compare those findings with the list of applications that are officially on the books. These practices, often used when estimating how much capacity an organization will need in the cloud, allow a company to cut costs by eliminating unneeded or duplicate applications and bundling what had been one-off licenses into volume purchase agreements. These same tools also give security administrators a more complete list of the cloud applications and services they must secure.

Sometimes, the side benefits flow the other way, from security tools to other business processes. While the main benefit of single sign-on for Genomic Health, for instance, is improved security, it also makes it easier to track which employees have taken their required online training, Stineman says. The real upside, he hopes, will be the ability to eventually speed the process of removing users' application access when they leave the company, eliminating the three to four hours of work it now requires to prove employees have been properly deprovisioned from all of the company's SaaS systems.

Learning Curve

As more organizations move more applications to the cloud, many observers predict vendors will provide better integration between in-house and cloud management tools, and with premium services that give customers better control over and visibility into their cloud environments.

Using management tools to improve security can also boost the career of an IT manager, says Mann, by helping him or her move beyond being seen as an internal supplier of services to being treated as "a trusted adviser [with] the experience to provide these cloud services to the business," bringing IT's proven expertise with managing secure internal environments to the cloud.