Multiple Cloud Formations Require New Security Approaches
Reliable user authentication in deployment of a cloud service is of utmost importance. Even though a cloud service to which you subscribe may have two-factor or higher levels of secure authentication, certain protocols must be observed and rules must be followed to enter each session. Frequent changing of passwords is required, and those passwords often must be long and complicated.
However, in this day of increasingly sophisticated hacking practices, conventional online authentication for access to these systems and services is often not enough--especially for systems moving highly sensitive data, such as in the government, military, financial and retail sectors.
As cloud services gain more traction at all levels of IT--and that includes high-level enterprises down to single users at home--providers are coming up with new ways to keep everything tight.
New Factor: Multiple Types of Clouds to Secure
Another factor in cloud computing security is coming to the fore as more of these service systems come online: Private clouds are now interacting with public cloud services and each other--especially in large enterprises with numerous partners, affiliates and contractors in the production chain. These multiple cloud formations require a whole new perspective on security.
CloudPassage, a 3-year-old San Francisco-based startup founded by CEO and longtime RSA Security veteran Carson Sweet, is taking a leadership role in this area. Sweet describes CloudPassage's Halo Netsec service, launched Jan. 31, as the industry's "first and only server and compliance service that specifically provides multiple-level security for elastic cloud servers."
Halo Netsec features a firewall, two-factor authentication and intrusion-detection capabilities through a cloud service. Literally, this is a "secured security" service.
At this early point, Halo Netsec stands alone in securing cloud services because it enables administrators to build a perimeter defense without having to worry about the physical network. It secures everything from the endpoint to the virtual server, even if some or all of that traffic is passing over a public Internet or from cloud to cloud.
This is of huge importance to IT administrators, especially when managing cloud services, because those administrators have no control or management capabilities for the public portion of cloud communications.
Once installed and configured, administrators are able to apply firewall rules and policies to any connection accessing public, private or hybrid cloud services. A small (3MB) security daemon works with CloudPassage's computing grid to enforce rules, policy and monitor for intrusions.
CloudPassage also has added a physical aspect to cloud security: a USB key that creates a one-time password for each session. This also may become a trend as time goes on.
"What we've done is create a cloud-ready platform that handles automatically all management and policy controls with a combination of a lightweight host-based agent and software as a service grid," Rand Wacker, vice president of products at CloudPassage, told eWEEK.
Tighter security like this is becoming mandatory, with all the system break-ins that seem to be happening more frequently around the world.
"When people look at adding security to a cloud system, they generally think they're buying a slice of something," CloudPassage founder and CEO Carson Sweet told eWEEK. "So now we're doing full-blown dynamic firewall management, multi-cloud. We're going to cross-cloud systems now, so we can have servers in EC2 Amazon's Elastic Compute Cloud , in Rackspace and in Terremark with one policy over all of them. The most interesting aspect of all of this continues to be that it all just works in the cloud."
Security doesn't work the same way in public and private cloud environments as it does in on-site data centers.
"When individual servers, especially in a cloud system, become vulnerable, you can clone those things so fast. And when you clone one of those servers, you're also cloning every vulnerability," Sweet said. "Pretty soon, a big cloud server farm can begin to look like a chunk of Swiss cheese. You replicate the problems along with the actual server."
As an example, Sweet told of one legendary cloud server he knew about "that was just plopped out there. We called it Typhoid Mary because when that started to get replicated, it was really bad news." He wasn't at liberty to tell exactly which system was affected, but it was a large one--and it became a huge mess, he said.
"The interesting thing is that we have gotten away with this in the data center for years, because of the firewalls and other security on the hardware devices," Sweet said. "But you can't do that in the cloud."