ENHANCE YOUR IT STRATEGY TWENTY:12 137

The most common concerns for enterprises and software product companies embarking on their cloud computing journey are data security, access control and data privacy. Many organisations today have their infrastructure and applications hosted by third party data centres and have the same concerns about data security that existed at the time they moved from on-premise. Ramgopal Subramani, General Manager and Head of Cloud Computing Practice, Software Product Engineering, MindTree, asks: is security in the cloud any different from securing the data centre?

Are the security issues of moving to the cloud far greater than that of data centre hosting since you don’t know where it is running and with whom you are sharing space? Or is the security concern more of a perception due to lack of control and access? Understanding and exposure to the security issues in a hosted environment would help you appreciate the nuances of the same in a cloud environment.

The primary premise of implementing security is to ‘save data and programme’ from:

• dangers arising from loss/theft of information;

• loss of business due to disruption of services by vulnerabilities arising from hostile programmes.

In order to understand the above premise better, consider some perceived security vulnerability scenarios in the cloud infrastructure:

Availability issues

• Tenant1 A is unable to execute his programme as tenant B is hogging CPU cycle as it is running in a shared infrastructure.

• Tenant A is unable to process a request (denial of service) as tenant B has executed a malicious programme.

• Tenant A is under attack as tenant B’s environment has been taken over by another hostile programme and as there are no intra-tenant boundaries set up...

• All requests to tenants are blocked as network security of the cloud infrastructure provider is not secured.

Data loss/theft issues

• All requests to the tenants are re-routed to spurious addresses as the cloud infrastructure does not have proper security credential management in place.

• The provider does not have virtual machine (VM) isolation, so there is data theft across all tenants.

• The provider2 does not conduct a periodic cross-audit to determine if there is intra-tenancy infringement.

• As the provider has stored data in an undisclosed location, there is no guarantee of compliance to local governing laws.

• Staff of the provider have access to data and they can misuse it

The myth about security vulnerabilities in the cloudMany of the above concerns are not factually correct and they represent a lack of understanding of the various layers of the cloud.

A quick overview of the various security layers in the cloud infrastructure will reveal that many of them are the same as in on-premise or in a data centre.

To better understand this, the table maps the appropriate security layer along with other common issues and concerns.

Before we investigate the provider responsibilities across cloud models, here is a brief recap of the various cloud models:

Infrastructure as a service (IaaS): the most basic and fundamental block of cloud computing services providing

SECURITY IN THE ClOUD

Security Layers in the Cloud

Subramani.indd 137 01/03/2012 17:42

TWENTY:12 ENHANCE YOUR IT STRATEGY138

computational and storage services on-demand. Amazon EC2 pioneered and popularised this concept.

Platform as a service (PaaS): provides application infrastructure, middleware and development environment on a shared infrastructure: Microsoft Azure, Google App Engine, SalesForce’s Force.com platform are example, of PaaS.

Software as a service (SaaS): the earliest entrant in the cloud computing services, although it has had different avatars such as application service providers, on-demand services etc. Zoho, SalesForce.com, NetSuite, SuccessFactor are examples of successful SaaS platforms. The table below captures the responsibility of the provider and tenant across the six security layers for the various cloud models.

Findings:• SaaS cloud models are the most secure

in the sense ‘the tenant has no ability to influence the cloud environment’.

• PaaS cloud models are sandboxed environments that minimise available application security surface area.

• IaaS and traditional hosting providers are responsible for the least number of security layers; i.e., physical and network.

• The tenants in SaaS & PaaS cloud models have to ensure ‘contractual security’ is at the highest level to minimise data infringement business risks.

• The tenants in IaaS and traditional hosting providers have most flexibility in implementing the kind of security they require.

• Security threats to the physical and network layers are the same as those of a traditional hosting provider and there are no new concerns.

• The security vulnerabilities of the operating system hold true in cloud or on-premise model and there are no new concerns.

In addition to understanding the provider and tenant responsibilities in

securing the environment and data, here are a few additional steps to further mitigate business risks:

• Most cloud providers commit to high availability to the order of 99.9 per cent. If you require higher availability consider failover node in another geography or at another provider.

• The data stored with the cloud provider is encrypted during transmission, but not secure in storage. At the application level, implement a distributed key management strategy to achieve multi-stage security.

• Evaluate the service provider contract to determine the mechanism provided for the transfer of data ownership.

• To ensure that you have complete access to your data when you suspend or terminate services of the cloud provider, verify the terms of contract for

• mechanism to export data;• an audit mechanism to ensure

your data is purged including sanitisation of obsolete hardware.

• Evaluate the service provider contract to ensure you have complete access to your data and it complies with the local laws. Verify that

• the cloud provider has data storage by geography such as USA, Europe, APAC etc.;

• the cloud provider guarantees that recovery systems are isolated but within the same geography;

• the cloud provider complies with local laws and is audited periodically.

Rules of thumbAs you can see, many of the security challenges in the cloud are similar to those in a traditional hosted environment. These security concerns have been mitigated by the traditional provider and are now being addressed by the cloud provider. The cloud provider has to balance the fine line between security and privacy and the

Security issues across Security Layers

Provider-Tenant Responsibility Matrix

Subramani.indd 138 01/03/2012 17:42

TWENTY:12 ENHANCE YOUR IT STRATEGY140

SECURITY

cloud provider will typically monitor for malicious programs and terminate them.

The concerns about data security are genuine and need to be addressed by implementing technical and contractual solutions that eliminate business risks. It is important to understand any constraints especially with respect to local laws and compliance when selecting a cloud platform.

Finally, weigh the benefi ts that a cloud computing platform provides vis-à-vis your security implementation capability. Here are simple rules of thumb:

• If your security implementation capabilities are not very mature and you have trust in the provider go with a PaaS or SaaS cloud platform as they have higher responsibility of managing security concerns.

• If your security implementation capabilities are very mature go with a IaaS cloud platform, as you have greater control in securing the cloud platform.

About the authorRamgopal Subramani is General Manager and Head of Cloud Computing Practice, Software Product Engineering Group at MindTree. As Practice Head, he is responsible for defi ning and implementing the various cloud computing technology initiatives.

Ramgopal has more than 16 years of experience with software product development and prior to joining MindTree he worked with KODAK and Fujitsu. Ramgopal did his bachelor degree in chemistry at Delhi University and Masters in computer science at the University of Pune.

We’re online!Visit www.smeweb.com,

the online resource for practical information about running a

small business in the UK.

References1. Tenant by defi nition is any entity that

leases/rents the services.2. Provider by defi nition is the owner of

the services and they lease out their services for them to be consumed by the tenant.

Subramani.indd 140 01/03/2012 17:43