The missing piece of cloud security?
- — 22 September, 2010 08:14
Cloud computing, especially public cloud infrastructure-as-a-service is not yet a reality for the vast majority of companies. Recent announcements however, from VMware, Citrix and Oracle clearly show that enterprise cloud computing is gaining momentum.
In 2010, 9% of companies are currently using or evaluating IaaS, with many more planning deployments for 2011 and 2012. Even though 62% of companies trust IaaS mostly for development and testing applications for now, only 14% trust it for customer-facing Web applications. What's standing in the way of IaaS adoption? Security is the biggest challenge, by a factor of two over all other reasons cited in our research.
Security professionals say that the lack of visibility and control over public cloud infrastructure makes it hard to apply security controls, monitoring, audit and assurance. One of the key services missing from public cloud is centralized, secure and reliable logging. IaaS computing is in many ways a DIY model: you have to design, build, secure and operate each operating system image yourself. Over time, IaaS providers have gradually built more and more platform services that extend the basic CPU-and-storage-on-demand offering. Unfortunately, no one, to my knowledge, is yet offering a logging-as-a-service to complement an IaaS solution.
Log management is hard enough in your own data center. Doing it in a public cloud poses additional unique difficulties. First, there's the issue of ephemeral virtual machines: as virtual machines are turned up and down, their logs need to persist long after the machines disappear. The second problem is deciding where to put the log collection server or servers. If the log collector servers are themselves in the cloud then there is a risk that a failure or outage affecting the production servers will also compromise the log servers leaving no logs to troubleshoot. Conversely, if you backhaul all the logs out of the public cloud and back in to your own data center, you have to consider bandwidth capacity and costs.
A possible solution to log management in the cloud is to try a hybrid public/private log architecture. In this architecture, all virtual machines in the cloud will log to a collection server also running in the cloud. The logs themselves can be saved to cloud storage, which, if correctly configured, will replicate to multiple cloud data centers for availability and disaster recovery. In parallel, you can forward the entire stream of logs, or perhaps a subset of the most important log events, to your own data center. This way you have a full copy in the cloud and another copy in your own environment as a backup.
Cloud logging considerations are very important because they form the basis of security information management, which is a critical component of any security governance program. Logs are necessary for regulatory compliance, incident response and post-incident forensics. A robust and reliable logging architecture will give you the best combination of control, visibility and resilience, while preserving your "chain of custody" for audit purposes, independently of the cloud service provider.
Read more about data center in Network World's Data Center section.