Ensuring cloud security, performance through testing

Deepa

BANGALORE, INDIA: Cloud computing has become one of the most significant secular trends within technology, and we believe the outcomes are just beginning to be felt across the industry.

A recent Forrester report predicted that the global cloud computing market will grow from $40.7 billion in 2011 to $241 billion by 2020. All-round savings, including cost efficiency, asset optimization, lower upfront investment, flexibility, and ease of maintenance across IT's hard and soft costs, are driving more and more businesses to adopt the cloud.

Cloud computing allows businesses to shift large chunks of their budget from a capex to an opex model, paying only for what they use.

While cloud computing is believed to improve business processes and increase company effectiveness, security in the cloud remains a global challenge, particularly as more and more critical functions are migrated. According to an IDC 'IT Cloud Services User Survey', 74 per cent of IT executives and CIOs have cited security as the top challenge preventing their adoption of the cloud services model.

 

Gartner's report, 'Top End User Predictions for 2012 and Beyond', predicts that by 2016 the financial impact of cybercrime will be growing at a rate of 10 per cent annually and that, by the same year, 40 per cent of enterprises will make proof of independent security testing a prerequisite for using any type of cloud services.

 

Cloud vendors rely significantly on their reputation, so it is important that they have consistent and dependable security procedures in place and implement the latest technology to safeguard client data. Trusted security is now the most important unique selling proposition and differentiator for cloud vendors.

Recent trends in cloud computing demonstrate that the architecture has matured and offers distinct advantages for cyber security defense. New cyber security and IT service management products and innovative security testing methods are emerging to provide real-time, deep insight into metrics collected in the cloud computing infrastructure.

 

Cloud Security Risks and Opportunities

The security offered by a cloud service provider can be better or worse than that offered by an in-house data center. Physical security may be better implemented, but certainly involves a larger number of people.

Enterprise data centers are generally protected from outside security threats through the use of firewalls and other security appliances. There are many "doors" for applications running in the cloud. The software components of applications can run on potentially dozens of computers located in one or more data centers. They are connected through networks that are accessible from the Internet or other applications running in the cloud data centers.

Virtual LANs (VLANs) and virtualized versions of the firewall and other security components are available to protect data in transit and can be used liberally, but they must be carefully implemented to ensure that all of the "doors" have guards.

The real security risk associated with running in the cloud is the enabling technology itself: virtualization. The economics of cloud computing derive from the inherent sharing of compute, main memory, storage, and network resources. This sharing means that multiple enterprises have virtual machines (VMs) running side-by-side on the same host, that their data may exist on the same volume, and that their data might be sent across the same network.

Virtualization introduces new avenues of attack for the hacker. Virtualization and networking require new components that increase exposure: the hypervisor, an administration VM, a virtual switch, a virtualization server and console, a management server and console, and new system administrators.

Every new software component comes with its own vulnerabilities. Every new user interface is potentially accessible by hackers, who primarily target the applications that run in the cloud, as opposed to its infrastructure. According to Symantec's Internet Security Threat Report 2011, 403 million unique variants of malware were reported in 2011 vs. 286 million reported in 2010. There was also a rise in new mobile vulnerabilities, from 163 in 2010 to 315 in 2011. 409 virtualization-specific vulnerabilities were reported between 1999 and 2010.

Testing, Testing, Testing

Two important questions need to be answered:

How do we ensure the security of applications that run in the cloud?

How do we ensure the performance of applications that run in the cloud?

As the title of this section suggests, security and performance are ensured through extensive, repeated testing.

Testing Security

The data center operator must provide a secure environment for its customers. The security elements that must be considered include security appliances, hypervisors, and virtual management and networking elements.

Security must be tested using the same attacks that are anticipated during production network operation, that is, attacks that attempt to take advantage of known vulnerabilities. A vulnerability is a software, firmware, or hardware flaw that can be exploited to cause undesired behavior. Such behavior can include partial or complete loss of functionality, loss of data, or theft of funds.

The Testing Process

Security testing requires specialized test equipment and software. Test equipment utilizes specialized test ports, some of which are used to apply malware and DDoS attacks against a background of multiplay traffic. Other ports are used to sense whether the attacks have succeeded. Larger subsystems can be tested in a similar way, albeit with additional test ports.

A virtual firewall can be tested in much the same manner as the UTM appliance - with dedicated test ports connected through the network to the virtual firewall running on a VM. This, however, introduces additional network and computing components that can interfere with the measurements - data center switches and routers, hypervisors, and VM resource contention.

With respect to virtual security testing, there are several times when testing should occur:

Virtual security software selection. As in the case of infrastructure security components, the virtual security components should be independently tested.

Pre-deployment. The security of applications or application subsystems needs to be tested prior to services going into production.

Updates. Security needs to be rechecked as new software or database updates are pushed out.

Virtualization makes it entirely practical to perform this testing in a pre-deployment lab or as part of a production network. The latter can easily be accomplished by creating a small instance of the application where tests can be made.

Testing Performance

Cloud operators provide best-case performance numbers based on the theoretical capacity of their components, but the reality can vary with the mix of applications running in virtual hosts and across the cloud data center. Nevertheless, it is important to measure the performance and quality of virtualized applications before they go into production.

Performance testing is accomplished through the use of user emulation. Communities of users are simulated in the test ports and applied against the virtualized application. For example, to measure the performance of a web server, a community of web users accessing the server would be emulated. Using an increasing number of transactions, the performance and quality of the server can be measured.

This approach can also be used to simulate the influence of other applications running on a virtual host. Web, e-mail, FTP, and other servers can run on a virtual host. The test could then include emulation for users of these other applications.
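The user-emulation approach described above can be sketched in software. The following is an added example, not part of the original article: it applies growing communities of emulated web users to a server and records error count, throughput and latency at each step. The names `DemoApp`, `start_demo_server`, `one_transaction` and `ramp` are hypothetical, and the local server is a constructed stand-in for the virtualized application under test.

```python
import math
import statistics
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class DemoApp(BaseHTTPRequestHandler):  # constructed stand-in for the server under test
    def do_GET(self):
        time.sleep(0.005)  # simulated per-request work
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # silence per-request logging
        pass

def start_demo_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def one_transaction(url, timeout=5.0):
    """One emulated user request: returns (succeeded, latency_seconds)."""
    start = time.perf_counter()
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            ok = resp.status == 200 and resp.read() == b"ok"
    except Exception:  # refused, reset, timed out or HTTP error
        ok = False
    return ok, time.perf_counter() - start

def ramp(url, user_steps=(1, 5, 20), requests_per_user=5):
    """Apply growing communities of emulated users; yield quality per step."""
    for users in user_steps:
        total = users * requests_per_user
        t0 = time.perf_counter()
        with ThreadPoolExecutor(max_workers=users) as pool:
            samples = list(pool.map(lambda _: one_transaction(url), range(total)))
        lat = sorted(latency for _, latency in samples)
        yield {"users": users, "transactions": total,
               "errors": sum(not ok for ok, _ in samples),
               "throughput_tps": total / (time.perf_counter() - t0),
               "p50_ms": 1000 * statistics.median(lat),
               "p95_ms": 1000 * lat[math.ceil(0.95 * total) - 1]}

if __name__ == "__main__":
    print(*ramp(f"http://127.0.0.1:{start_demo_server().server_port}/"), sep="\n")
```

To measure a real deployment, pass `ramp` the URL of your own pre-deployment instance instead of the demo server and watch where errors appear or the 95th-percentile latency starts to climb.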

Conclusion

Virtualization and cloud computing are compelling technologies for economic and flexibility reasons. These two reasons alone will push more applications into the cloud. Moving applications from in-house facilities to the cloud, however, can open up an enterprise to security and other risks - risks that must be addressed. Security testing should become an integral part of the IT culture.

There will always be issues, as nothing is absolutely secure, but trying to stay ahead of the curve is a worthy cause. Testing, even on a complete data center system, can be accomplished using innovative technologies and processes.
