Discussions on cloud computing are everywhere. This latest industry buzzword has captured the imagination of application developers and service providers in all business categories as though there’s some secret sauce that will save the world, or at a minimum, provide us with a magical alternative to traditional platform options. It’s funny how we’ve all enjoyed virtualization on mainframe platforms for a long time, thanks to parallel sysplex, VM, and the now “ancient” distributed processing model. What was once old is now new again as we’ve come full circle, and the dinosaur is still alive, again!
The term “cloud computing” evokes visions of puffy white clouds, all soft, wispy and cuddly, so placid, so serene, that seemingly infer safety and security. If you think you will be safe in the cloud, think again. The same security requirements that existed before the cloud remain in the cloud; nothing is mitigated merely by moving applications into some amorphous environment.
Trying to describe cloud computing in general terms is difficult. It isn’t a single type of system, but can span a large group of underlying technologies, configuration options, and usage patterns. It has multiple deployment models, service models, and financial considerations. The real attraction to cloud-based services is in the potential for cost savings because it represents a rental of resources vs. owning them; paying for what you use without the large upfront cost to build a complete infrastructure. Users can quickly request, use, and release resources as necessary, avoiding over-provisioning and cost differences between peak and off-peak periods.
Operationally, all clouds favor applications that can be broken into small, independent parts such as transactions. Clouds depend heavily on networking, and any limitations in the network infrastructure will directly affect the application. If your application can’t tolerate disruptions, then the cloud isn’t the place to be.
Share Security Responsibility
Unless you build your own cloud and use it only for the enterprise, you’re in an outsourcing situation. Even if it’s a shared cloud, operated by a large commercial service provider or a federal agency, you’re outsourcing and must deal with it as such. Absolutely everything you had to worry about before, you still must worry about in the cloud. Security is everyone’s concern and considering all the potential vulnerabilities, it would make sense to always negotiate the terms and conditions to any cloud services agreement. It’s best to always be prepared and these steps will help you focus on some of the most important factors in your decision process and, ultimately, the agreement you sign.
Don’t for a minute think that security issues are trivial or that responsibility for them can be relinquished to the provider. It’s a shared responsibility. The cloud provider will have its own security provisions, but they may not be sufficient for all uses. Accepting the defaults may leave holes in your system security plan and create vulnerabilities that may not become evident until it’s too late.
Your Access and Users
While your applications and data are residing in the cloud, your user community will need access to these facilities. The method you use to connect is critical to your overall safety. Establishing a security perimeter in a cloud is no easy feat; meeting acceptable standards will require significant effort between you and the provider. You should use, at a minimum, two-factor authentication and secure Virtual Private Network (VPN) connections for every user. You need to take steps in the VPN configuration to prevent split tunneling as this could allow LAN subnet hopping, creating a huge vulnerability and risk. But be prepared for complaints when VPN-connected workstations are cut off from simultaneous access to other LAN or Internet resources. The price of true security can be a corresponding increase in user frustration.