Evaluating Cloud Solutions – What Type of Cloud is Right for Me?

Evaluating Cloud Computing Solutions – Public vs. Private Clouds? Hybrid Clouds? Which is Right for Your Business?

The first known reference to the “Cloud” as it related to computing was in Douglas Parkhill’s 1966 book The Challenge of Computer Utility. Parkhill explained his conception of a “Private Computer Utility.” He compared computing with the electrical industry and its extensive use of hybrid supply models. When the electricity grid was built, private on-site power generators were quickly cycled out. No longer did local businesses have to build, buy and maintain the hardware to create electricity, which was expensive both from a hardware as well as a human resource perspective. While it did carry some risk, electricity as a utility made sense in terms of finance and risk management.

In the world of Cloud Computing, there are three different types of “clouds” – public clouds, private clouds and hybrid clouds. Depending on what type of service or data you’re dealing with, you’ll want to compare the different options of what private, public and hybrid can offer. In most cases, the most important variable is the degree of security and management the hardware or application requires.

While we as an industry like to think that Cloud Computing is new, it’s not. The concept was coined forty years earlier.

With that said, it’s time to figure out which cloud architecture is right for you.

Private Cloud

A private cloud is one in which the services and infrastructure are maintained on a private network—generally a local datacenter within an organization. These clouds offer the greatest level of security and control, but they still require the company to purchase and maintain all the software and infrastructure, which can significantly reduce cost savings. A private cloud is the obvious choice when:

·   Data is your business, so security and control are paramount on your list of requirements.

·   Your company is large enough to run a hyper-scalable cloud datacenter efficiently and effectively on its own. This generally implies large enterprises.

·   Your business is bound and gagged to conform to strict security and data privacy issues as well as compliance mandates like PCI-DSS and SOX.

Some vendors use the term “Private Cloud” to describe products and services that are “cloud-like”, or that their marketecture describes as able to “emulate cloud computing on private networks.” These products are often virtualized solutions that have the ability to host applications and Virtual Machines in a company datacenter. Frankly, I see little value in “Private Clouds” as they’re more focused on virtualization than cloud computing.

Don’t get me wrong, I think virtualization has its place as well. It’s certainly used in cloud computing, but that doesn’t make cloud computing what it is. Virtual technologies are valuable to businesses but often tend to obscure the full capabilities of cloud computing. The term “private cloud” borders on deceptive advertising; it fails to deliver on the potential of cloud computing and those who attempt to use it are hanging onto the coattails of the cloud.

Depending on your industry, though, private clouds do offer some benefits including shared hardware costs, quick recovery from failure and upscaling/downscaling depending on demand. And that’s fantastic. But the organization still has to buy, build, support and manage the infrastructure. This solution doesn’t benefit from lower up-front capital costs and it lacks the economic model that makes cloud computing so compelling in the first place.

Public Cloud

A public cloud is one in which the services and infrastructure are provided off-site over the internet. At its essence, “Cloud Computing” refers to the public cloud. These clouds offer the greatest level of efficiency in shared resources as well as efficiency in cutting spending. However, they are also more vulnerable than private clouds. A public cloud is the obvious choice when:

·   You need incremental capacity, or the ability to add computer capacity for peak times. When the proverbial crap hits the fan, you’ll have capacity available to handle that, but those resources can be used by other VMs for their own tasks when not in peak capacity mode.

·   Your standardized tools and applications are used by many employees. Examples include e-mail, contact management systems or a company intranet site.

·   You need a sandbox to develop applications across geographic locations. Development and testing are a great use case for Cloud, especially when collaboration is needed.

·   You have a SaaS (Software as a Service) application offered by a vendor that takes a hard-line approach to security.

Public Cloud as a computing concept offers cheap, commoditized computing resources whose benefits (no capex, access to resources everywhere at any time, minimal support costs and employees for maintaining the resource, shared overall costs and no peak load concerns) outweigh those of in-house resources that have limited added value.

But the concerns associated with public clouds include security and reliability. Make sure you have your security and compliance/governance strategies well planned, as the short-term cost savings could become a long-term nightmare.

Hybrid Cloud

A hybrid cloud offers a variety of public and private options with multiple providers. By using a hybrid approach, you’re able to spread things out over a number of providers to keep each aspect of your business in the most efficient possible environment. The major downside here is having to keep track of multiple security platforms and make sure all aspects of your business can communicate with each other. So, if the following situations describe your environment, then the hybrid cloud may be the best option for you:

·   Your company uses a SaaS application, but has security concerns. Private clouds are often used with VPNs (Virtual Private Networks) for additional security.

·   When your market spans multiple verticals, you may be in a situation where you want to use public clouds for client interaction, but their sensitive data is kept in a private cloud. This is an optimal use case for Hybrid Clouds.

When managing private, public and traditional datacenter models all at the same time, management can become complex. Maintaining a tool which will federate these separate pieces for the sake of SLAs and troubleshooting becomes the challenge.

Most of what people are calling “private clouds” share a number of qualities with public clouds and can thus be classed as a “hybrid cloud” architecture. Most large enterprises will be looking to run a hybrid architecture for several years to come (though many early adopters have already taken the plunge). The waters are tepid in different clouds for different reasons.

In summary, Public, Private and Hybrid cloud environments can all be viable solutions based on your use case. Public clouds offer the greatest cost savings, but the least amount of security and control. Private clouds offer just the opposite, with costs being much higher due to hardware/software and maintenance costs; however, security and control are supreme. Hybrid is the best of both worlds, but can often be very complex to manage.

Take a step back, identify your use cases and requirements and then take the plunge. Cloud is not just the future. It’s today.


Why Cloud Tenancy and Apartments Have More in Common Than You Think

One of the most common questions about cloud security is around privacy and regulatory compliance. Questions around government mandates and industry requirements abound from IT managers considering a shift to the cloud—most of which relate to multi-tenancy.

Since there’s been so much discussion about multi-tenancy in the cloud lately, I thought I’d explain what it means for both cloud providers and cloud customers.

But first, a tangent:

Cloud Computing Tenancy

I live in an apartment. I have a small apartment that has everything I need. I enjoy living in an apartment because I don’t have to maintain the plumbing or electrical. I don’t have to rake the yard or clean the gutters. I don’t have to clean the pool or fix broken equipment in the gym. I don’t have to worry about security; it’s provided as part of my rent. I only have to worry about my belongings in my apartment. As a result, I get to enjoy the cost savings of a shared environment, and the robust amenities of my building. My apartment building has lots of other residents. Some work different jobs, some work at different companies. But we all share the same building, with the same resources and amenities.

My apartment building is a multi-tenant cloud. More on that later.

Cloud providers (landlords) love multi-tenancy clouds (apartment buildings) because they rent the same resources to a large number of renters, and the renters get to enjoy all the financial savings of those shared resources. The cost savings is good news to all parties involved. The cloud, as you know, can provide amazing cost savings, fantastic up-times and someone else to blame or sue when there is a mistake, when there has been an accident or if problems go unfixed.

Today we’ll talk about security, reliability, auditability, quality of service and regulatory compliance in multi-tenant solutions vs. single-tenant solutions.


In my apartment building, there is a bank of washers and dryers. Everyone can use them—10 washers and 10 dryers for 300 families. But if the power goes out in the laundry room, we’re all wearing dirty underwear. This is a multi-tenant problem.

In the cloud, when a multi-tenant app goes down, it takes everyone with it. Take WordPress. They went down a few months back. One app down, everyone went with it. Imagine other Web apps out there. What if Salesforce went down? What if Gmail went down? One app. Life stops. Now what if that’s an industry-specific app everyone is using? You see where this is going.

The upside? One application upgrade, one application maintenance: one application across the board saves time and money for the customer.

But what about single tenancy? 

Let’s talk again about washing machines. If we go single tenant on a washing machine, then each apartment that wants to pay for a washing machine can have one. It’s their washing machine, they don’t share it. It’s a single tenant solution. If their washing machine goes down, it doesn’t affect the other washing machines in the building. In this case, the cost savings obviously isn’t as pronounced as in a multi-tenant setting. Because in a building of 300 families, if even half of them want their own washer/dryer, we’re looking at 150 washers and 150 dryers, all of which need to be maintained, all of which can fail, all of which need to be supported individually and all of which carry their own price tag.


How about security in a multi-tenant vs. single-tenant situation?

Securing a building is one thing, but what about securing each apartment from other tenants? That also needs to be considered. Firewalls at the front of the network keep external threats out, much like a doorman. But what’s to stop your neighbor from breaking into your apartment? There’s no doorman to stop someone on the inside.

So, because of shared resources, security needs to be handled at a much lower level: segmentation of resources. You have to segment your apartment from your neighbor’s apartment. On the network side that would be segmenting those shared resources using MAC (Media Access Control) address pools, VLAN (Virtual Local Area Network) tagging with more advanced security controls such as tag zoned segments, private VLANs and ACLs (access control lists) to define a secure environment, enforce the policies of the secure environment and maintain that secure environment.

For storing your business data, your critical data and your customer data, you’ll want to make sure that the architecture uses LUN (Logical Unit Number) masking, at-rest encryption, zoning and VSANs (Virtual Storage Area Networks) to keep cloud insiders and cloud outsiders out. Ultimately, there needs to be as much security between you and your neighbor as there is from an outsider trying to break into the building.
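The network-side segmentation described above can be audited mechanically. The following is an added example, not part of the original article: it checks a constructed inventory for VLANs shared by more than one tenant and for inter-VLAN ACL rules that let one tenant reach another. The port names, tenant names, VLAN IDs and the three-field rule format are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: switch port -> (tenant, VLAN ID).
PORTS = {
    "eth1": ("tenant-a", 110),
    "eth2": ("tenant-a", 111),
    "eth3": ("tenant-b", 210),
    "eth4": ("tenant-b", 110),  # mistake: tenant-b host on tenant-a's VLAN
}

# Constructed inter-VLAN ACL: evaluated top-down, first match wins,
# implicit deny at the end. Rule = (action, source VLAN, destination VLAN);
# "any" matches every VLAN.
ACL = [
    ("permit", 110, 111),    # intended: tenant-a web tier -> tenant-a db tier
    ("deny", 210, 111),
    ("permit", "any", 210),  # mistake: every VLAN may reach tenant-b
]

def vlan_tenants(ports):
    """Map each VLAN ID to the set of tenants with a port in it."""
    owners = defaultdict(set)
    for tenant, vlan in ports.values():
        owners[vlan].add(tenant)
    return owners

def shared_vlans(ports):
    """VLANs that carry more than one tenant (no layer-2 isolation)."""
    return sorted(v for v, t in vlan_tenants(ports).items() if len(t) > 1)

def acl_allows(acl, src, dst):
    """First-match evaluation with an implicit deny."""
    for action, rule_src, rule_dst in acl:
        if rule_src in ("any", src) and rule_dst in ("any", dst):
            return action == "permit"
    return False

def cross_tenant_paths(ports, acl):
    """Permitted VLAN-to-VLAN paths whose endpoints span several tenants."""
    owners = vlan_tenants(ports)
    return [(src, dst)
            for src in sorted(owners) for dst in sorted(owners)
            if src != dst and acl_allows(acl, src, dst)
            and len(owners[src] | owners[dst]) > 1]

if __name__ == "__main__":
    print("shared VLANs:", shared_vlans(PORTS))
    print("cross-tenant paths:", cross_tenant_paths(PORTS, ACL))
```

Note that the first rule, which looks like a harmless intra-tenant permit, is reported as a cross-tenant path because VLAN 110 is shared: the two kinds of mistake compound.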


If you enter the lobby of my apartment building, the doorman will either allow you in, or he’ll turn you away. In other buildings, you need to authenticate yourself by using a key fob for entry. And make no mistake: there is always an audit trail:

“Dimitri McKay entered the building at 3:05am”

“Ms. Jameson came to visit Dimitri McKay at 4:15am”

If your business is governed by industry mandates or government regulatory compliance, you need to make sure you have data such as raw logs to keep your auditors (and upper management) happy. Local or in the cloud, it’s your responsibility to practice due diligence. There are providers that offer security and accountability. You can have your Kate and Edith too.

Quality of Service

My neighbor complains constantly about noise from my apartment. And he should. My subwoofer at volume level 10 shakes the apartment, his apartment, the people upstairs, the mail room, the garage and three blocks away at the local watering hole. I tend to use it at 3am when I have insomnia. You don’t want your cloud to have the “Dimitri McKay subwoofer” problem. In other words, I’m a tenant who is affecting the processes of another tenant—in this case, their sleep. By putting some quality of service in place, that segregation of work keeps my noise from impacting his sleep. It’s the same situation in the cloud: your workload shouldn’t be affected by your annoying neighbor.

The cloud is a shared environment, much like my apartment building. The simple example of multi-tenancy I’ve used is an apartment building. In an apartment building you have a “shared environment” where multiple “renters” share a common infrastructure (the plumbing, the electrical grid, hallways, etc.) but still have segregated areas where the users keep their stuff (host their applications and/or data).

Multi-tenancy is highly desirable to cloud providers because they can provide a platform or service (applications, infrastructure, etc.) and rent it to a large number of customers without having to make massive customizations, tons of labor-intensive upgrades, troubleshooting sessions and associated costs. Single tenancy has merit in situations where sharing the same app among a broad scope isn’t a viable option.

On a large scale such as the infrastructure side, the cloud provider will always opt for multi-tenant, but the customers themselves will likely seek single tenant in the following situations: custom apps, customers who are bound by specific regulatory compliance mandates, or those who care more about security than price.

One example of this is anyone who needs to have raw log data from all of their IT infrastructure, OS and apps in one place. They could have a single tenant log management tool in the cloud that only collects data from their specific cloud network devices, cloud applications and server operating systems. In this situation, segregation makes more dollars and sense.

Just as is the case with public, private and hybrid clouds, there’s no be-all, end-all situation when it comes to choosing between single- and multi-tenant deployments. It depends on what your goals are, as well as your budget.