
How to secure data on private cloud

Deepa

BANGALORE, INDIA: Cloud and its variants (private, public, hybrid, and managed) are no strangers to enterprises today. Enterprises, especially large ones, are more inclined toward the private form of cloud computing: they get the advantages of cloud without losing control of their resources, because security issues still bother them a lot.


Private cloud and its issues

So what are these issues that need to be taken care of while implementing private cloud?

As said, security of data is the main issue in a private cloud. Apart from security, there are other issues such as reliability, performance etc.

Chenxi Wang, vice president & principal analyst, Forrester Research, says: "In the private cloud, there are security concerns on data protection, proper segregation of data (consider data accessible by contractors vs. internal BUs), proper logging and auditing. However, there are new security issues that arise due to the use of virtualization technologies. Issues such as network segmentation, firewalling, hypervisor integrity are all net new compared to traditional data centers."


Ovum research director Steve Hodgkinson points out that there are two types of private cloud: in-house private cloud computing and externally hosted private cloud services. Both varieties have their own inherent issues to deal with.

"In-house private cloud computing is the implementation of cloud computing technologies such as virtualization, automation, self-service portals, multi-tenant architectures, usage-based billing etc. to create an in-house ‘cloud-like service’. This is really just an evolution of traditional in-house ICT services using the latest technology toolkit. Same people, same processes, same funding, new technology. Security concerns are really just an extrapolation of the existing security concerns created by in-house ICT operations - which usually revolve around under-investment, sub-scale operations and poor process discipline," he adds.

"In-house private cloud computing implementations are often a triumph of hope over experience unless the in-house team truly has the funding and skills to implement a world-class quality of service offering. Few, for example, can ever hope to have the economies of scale and investments in technology, process and people excellence of a market leading enterprise-grade cloud services provider."


For externally hosted private cloud services, which are provided by a cloud services organisation, the security concerns differ.

"Usually ‘private’ denotes that the service is operated on physically or virtually dedicated servers and delivered over a physical or virtual dedicated network connection - as distinct from a fully multi-tenant shared public cloud service delivered over the Internet. If we assume we are talking about mature enterprise-grade cloud service providers then the new security concerns usually revolve around the creation of new counterparty risks and the transition of applications and data into a multi-tenant shared service operating environment. For example, the service provider may fail or underperform vs. SLA obligations and data be hosted in another state or country creating potential compliance issues vs. local regulatory or legal obligations," Hodgkinson adds.

Often, enterprises take it for granted that their existing security infrastructure will be enough for cloud as well.


T Srinivasan, MD, VMware India, says: "Today more and more organizations are leveraging the benefits of private clouds to increase flexibility and reduce costs. Yet many have not changed their traditional approach of using physical security infrastructures to secure virtual data centre and networks. Physical security appliances severely limit flexibility and the ability to scale. They are not virtualization aware, making it all too easy to become non-compliant as changes occur in a dynamic infrastructure. Also, a heavy reliance on hardware-based solutions leaves organizations with multiple special purpose appliances, each with its own interface. The lack of a common management interface adds to the cost and complexity of maintaining the security of virtual datacenters. The challenge is to ensure security and compliance while still maintaining flexibility and the ability to scale rapidly."

How to tackle them

A cloud environment uses a lot of virtualized resources, so physical security infrastructure alone is not enough to secure them.

"Organizations should virtualize their security infrastructures and manage them with the same interface used to provision the private cloud itself. In a virtual environment, organizations need to have visibility of traffic between virtual workloads. They need their critical applications and databases protected from threats from less secure or unpatched systems. And they need to implement audit and compliance controls on in-scope hosts," adds Srinivasan.


"Some of the issues can be solved with better policies and processes. Others would need new tools and technologies," adds Wang.

Hodgkinson suggests seven ways to secure resources on a private cloud.

Who is responsible for security on cloud


According to Hodgkinson, the executive responsible for procuring the cloud service is responsible for ensuring that it meets enterprise requirements in all areas, including security. It is also true that cloud is an ecosystem that involves cloud service providers, their partners, and enterprises, so the onus of security has to be a collective one, opines Srinivasan.

"Depending on how the private cloud is hosted - some private cloud is dedicated to a single user organization but is hosted by someone else. In these cases, the security issues are a shared responsibility between the hosting provider and the user. The user organization should set policies, vet deployed mechanisms at the guest VM level, but the hosting provider will handle everything that is hypervisor or lower as well as the network security part. If it's an on prem private cloud, it's typically the responsibility of the IT operations/security team," adds Wang.

"Security and compliance are complex, dynamic areas. Basically, the onus is not on any one company or person. In any cloud implementation there are several components, hardware, virtualization, (server, storage and networking). And of course the security product vendors (whom we partner with) are also having roles to play in ensuring the security of cloud implementations," Srinivasan adds.
