The cloud can look pretty simple, especially from the perspective of the regular end-user who basically sees a hosted application that is available whenever they want it. Indeed, this user pretty much only wants and expects two things from the cloud: perpetual up-time and seamless scalability.
Meeting those two requirements would be challenging enough, but cloud hosters and SaaS providers together need to address a number other issues that users might not consider.
For example, the economics of the cloud depend on the fact that resources are shared, so providers need to ensure that these shared resources are not only always available, but are always available to everyone.
This sharing means, additionally, that you are maintaining a multi-tenant environment which itself calls for partitioning or logically separating data so that your data and my data never mix or come into conflict. This can be an especially sensitive issue when you have two rivals - Coke and Pepsi, for example - collocated in the same cloud.
What makes the cloud inherently complex, and what the end user simply does not see, is the infrastructure doing the heavy lifting and allowing cloud providers to meet these many requirements. It is this infrastructure that represents the problem premise of the cloud and the true heart of cloud insecurity.
- Cloud infrastructure relies on a number of enabling technology sets:
- Virtualization, which is basically the pre-requisite to cloudification;
- Elastic workloads that are capable of bursting out in an intelligent and coherent manner
- Billing systems which track usage and charge for it; Monitoring, auditing, and logging systems supporting “continuous compliance”
- Data tenancy and data partitioning tools
- High availability solutions
Each of these components represents a potential point of failure and hence a threat not only to security in the narrow sense, but to the stability of the cloud overall. It is this stability that must be secured and it is the complexity of maintaining this stability that presents the greatest challenge to cloud providers.
Now, people cite concerns about security as the major obstacle to cloud adoption, but they are generally talking about data security: they don’t want their data lost or compromised. That concern is justified, but it is just as justified when applied to a data center entirely under your control. After all, the cloud is really just your datacenter without walls.
My point is that data security, while certainly a cloud problem, is not just a cloud problem nor is it the only problem of concern to cloud providers. While taking steps to ensure that data is secure - hence the emphasis on data partitioning and monitoring and so forth - cloud providers must also ensure that they are able to meet the basic expectations of their customers, that, in other words, they’re systems don’t go down.
Cloud providers, then, have to deal with threats at two levels. On the one hand, they need to defend against attacks on the data belonging to their customers for which they are accountable. On the other hand, they need to maintain the stability of their systems so that they don’t go out of business. That, in a nutshell, is the new problem premise.
Such a scenario is a delight to hackers. Not only does the cloud present them with new avenues of attack, thus encouraging them to develop new attack patterns, it also presents them with a whole new set of vulnerabilities to exploit and a new target for their malicious activities.
What are these new attack patterns that businesses on either side of the cloud must face?
I will review those in my next post.
Posted
May 28 2010, 09:21 PM
by
DiptoChakravarty