
Cloud computing spl: Peeping in the holes in cloud

CIOL Bureau

BANGALORE, INDIA: So far, there was only one way to be on the fly. Having your own IT wings and investing in them arduously so that no feather is clipped enough to disrupt the flight. But as a new disruptive technology started breathing aloud, there springs another possibility for enterprises.


Chuck the worry of all the capex, opex and maintenance or management hassles of those wings, and instead plop yourself comfy on a cloud. Float free and let the cloud take care of your everyday IT flight. The question, however, is, what if the cloud starts leaking someday? And that's exactly what enterprises are asking before they buy into the oh-so-promising Cloud-9 scenario that vendors swamp them with.

To rephrase it in our routine lingo, Cloud Computing is a pool of abstracted, highly scalable, and managed compute infrastructure capable of hosting end-customer applications and billed by consumption, as Forrester defines it.

Be it your internal IT infrastructure or your need for additional resources, thanks to cloud technology an enterprise can now go on an internal or external cloud and let a cloud specialist invest in all the brick-and-mortar of IT, while the enterprise consumes what it needs over an Internet-enabled platform.


The question is, how much security-proof and plug-in-scalability can it promise?

Security Eh!

When a server is virtualized, it is layered upon an operating system called the hypervisor. This is the master supervisor of the inputs and outputs for the server, as experts explain. When another virtual machine (VM) is added to the server, the hypervisor manages all the network linkages and any connections between the two VMs. Of course, this eliminates the need for physical cables, but the downside is that any security gateways that may have existed between the original servers are now absent.


Time and again, flaws discovered in components of virtual machine software have called attention to some of the security risks associated with the practice of running virtual computers on a single system. Recently too, researchers pointed out bugs in the platforms of biggies like VMware, and similar noise keeps being made.

So how can one assess the security alarms on virtualization in general? And how big and realistic is this CIO concern area?

These incidents really do not undermine virtualization, answers Andi Mann, vice president of research, systems and storage management, Enterprise Management Associates, an IT management research, industry analysis and consulting entity.


"They do, however, highlight a fundamental question," he adds. "Is the cost of effective virtualization risk management more than offset by the business benefits of secure virtualization? This, in turn, really emphasizes just how much Virtual Systems Management (VSM), including configuration management, compliance reporting, patch distribution, etc., is likely to be the key differentiator of virtualization success in any respect. A disciplined approach to IT management reduces risk while yielding business benefits across multiple interests."


Another virtualization player, Nivio, echoes the same assurance.

Sachin Duggal, CEO of Nivio, which claims the world's first online Windows Desktop, says that each part of the data grid is encrypted and the company spends crores on firewall technologies to take care of security.


While they may sound reassuring, CIOs still have their questions on security claims made by V-world vendors. V Subramanian, chief information security officer of IDBI Bank, feels that though the claims could be feasible, they raise the tight-rope balance question again. "Especially for BFSI, transactions, for example like those of ATMs, should be quick enough. Encryption gives security, but encrypting and decrypting a transaction slows down the process too, thus impacting the performance." He admits that there is progress happening both in terms of technology and POCs (Proofs of Concept). "Still, in a shared environment, no matter with how many firewalls, there is always a worry for either security of your own bank's data or slackness in functions."

What should CIOs do?

Gartner advised that the process of securing virtual machines must start before they are deployed, and ideally before vendors and products are selected so that security and "securability" can be factored into the evaluation and selection process.


Here's a small check-list from Andi Mann. CIOs can use this as their consideration filter before deciding on or type of virtualization.

Every enterprise is going to be different, and there is a very long list of essential criteria for selecting a cloud vendor. Some of the most important considerations, as he outlines, will include:

Is the cloud provider going to provide a secure environment?

Are they going to guarantee and meet service levels, with some significant penalties for SLA breaches?

Do they have adequate reporting and controls for compliance and audit purposes?

Ask these, and then decide if the cloud is worth the flight.

 

Gartner, among others, had warned back in 2007 that a virtualized privileged layer of software that becomes compromised places all consolidated workloads at risk. Like any emerging hot technology, virtualization will be the target of new security threats. Its experts pointed out that because of the rush to adopt virtualization for server consolidation, many security issues are overlooked and best practices are not applied.

As a result, 60 per cent of production virtual machines will be less secure than their physical counterparts through to 2009, Gartner predicted in 2007.

In fact, as shared in a media report at the RSA security conference last year, Simon Crosby, chief technology officer for XenSource, said security policies could be broken by misconfiguration. He warned that throwing random data at the interface between the guest software and the controlling hypervisor could result in successful attacks.

For Tushar Mehendale, IT decision maker at Electromech, SaaS potential comes with some baggage around security issues. "Data security is a basic concern as we are letting go of our information to someone else's server in a SaaS model. But I believe a lot of companies are waking up to the concern and encryption technologies are being leveraged."

However, in all fairness, any server is as secure or otherwise, as an enterprise's own server, as Mehendale points out. "At the end of the day, information residing outside is as vulnerable as it residing inside. Ensuring security of data is as much a mindset issue too. If you are comfortable putting your emails online, without privacy or security concerns, the same mindset would work in case of putting your stuff on cloud too."

As expected, vendors try to iron out as many worry wrinkles as possible, both vocally and in development action.

Addressing security alarms, BS Nagarajan, senior technology consultant, VMware India, says that VMware vSphere offers Security services that allow IT to provide applications with the appropriate level of enforcement of security policies no matter where they run.

As to the good-old security alarm bells that have been ringing in general for virtualization, he says that no issues exist with customers as of now, but as a vendor, they are still being cautious. "We are proactively working on that. Because, as virtualization keeps becoming popular, it is definitely possible to be an attractive target for hackers."

He adds that the company is taking the worry seriously and working towards security-related patches. It has started sharing APIs with security specialists, and solutions would be coming out of that in 2009.

Nagarajan feels that with the value of virtualization becoming so evident in people's minds, there is an ever-increasing amount being written about it, some of which is misleading or just plain wrong.

"All virtualization platforms are not the same. As customers move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, they must understand the security implications of virtualization technology and the platform they choose. Independence from a parent partition or console based on a general-purpose OS means far fewer interfaces to exploit and fewer malware threats, especially important given the path of device drivers from the VM to the physical hardware. VMsafe is another attempt that results in an open approach to security that provides customers with the most secure platform on which they can virtualize their business-critical applications."