Singing in the clouds
Establishing best practices for global cloud security is central to successful cloud orchestration.
On the journey towards cloud computing adoption, many companies have followed a common route: the implementation of infrastructure as a service (IaaS) embracing virtualisation technologies. Success with this first step - which usually delivers significant cost savings through consolidation - leads to the exploration of the benefits of private, public or perhaps hybrid cloud computing.
Along the way, they have often had to pioneer changes to operational processes, experiment with new management tools, design and redesign new-generation technology IT architectures, and revise funding models.
Unfortunately, when it comes to crossing the bridge between virtualisation and the cloud, many companies deal with the challenges, changes and problems they face differently. Many switch to 'react mode', tackling problems only after they arise, and thus lag behind the curve when it comes to the formulation of successful development strategies.
Ideally, strategic planning should be based on a clear understanding of the road ahead to maximise return on investment. The key is 'cloud orchestration'.
Cloud orchestration begins with the purchase of a cloud procurement service compatible with the corporate value chain, and preparing enterprise applications to be 'cloud ready' well before implementation. It continues with the establishment of a governance framework capable of keeping abreast of the latest trends, ensuring management goals are reached.
Cloud security should be seen as central to an overarching cloud orchestration strategy, encompassing a broad set of policies, technologies and controls deployed to protect data, applications and corporate infrastructures.
It's important to begin with the premise that cloud infrastructures, even private clouds situated behind a corporate firewall, are not inherently secure. It takes just one out-of-tune violinist to spoil the melody - a single department, rogue user or compromised application that is not performing according to policy or is operating outside the parameters of the agreed security framework.
To meet this challenge, detection capabilities need to be cutting-edge, with sensors monitoring inside the cloud, not simply at its perimeter. In this light, operational capabilities such as patch management must be carefully orchestrated, controlled and monitored.
Moreover, detailed information regarding applications should be logged and systems established to generate alerts when signs of malicious use are identified - when files are modified, records changed more frequently than usual, or resource usage is abnormally high, for example.
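The alerting described above, sketched as an added example that is not part of the original article: it checks the three signs named (files modified, records changed more often than usual, abnormally high resource usage) against a per-application baseline. The application names, metric names, thresholds and all sample data are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): hourly history per application.
BASELINE = {
    "billing": {"record_changes": [40, 42, 38, 45, 41, 39],
                "cpu_pct": [22, 25, 20, 24, 23, 21]},
    "hr-portal": {"record_changes": [5, 7, 6, 4, 6, 5],
                  "cpu_pct": [10, 12, 11, 9, 10, 11]},
}

# Constructed observations for the current hour. watched_file_mods counts changes
# to files that policy says should not change outside a release window.
CURRENT = [
    {"app": "billing", "record_changes": 43, "cpu_pct": 24, "watched_file_mods": 0},
    {"app": "hr-portal", "record_changes": 310, "cpu_pct": 88, "watched_file_mods": 2},
    {"app": "new-app", "record_changes": 3, "cpu_pct": 5, "watched_file_mods": 0},
]

def is_abnormal(value, history, z=3.0, min_sigma=1.0):
    """True when value exceeds the historical mean by more than z deviations."""
    sigma = max(pstdev(history), min_sigma)  # floor keeps flat baselines from over-alerting
    return value > mean(history) + z * sigma

def detect(current, baseline, z=3.0):
    """Return sorted (app, signal) alerts for the three signs named in the text."""
    alerts = []
    for obs in current:
        app = obs["app"]
        if obs["watched_file_mods"] > 0:
            alerts.append((app, "files_modified"))
        hist = baseline.get(app)
        if hist is None:
            # No baseline means "usual" is undefined: surface it rather than stay silent.
            alerts.append((app, "no_baseline"))
            continue
        for metric, signal in (("record_changes", "record_change_rate"),
                               ("cpu_pct", "resource_usage")):
            if is_abnormal(obs[metric], hist[metric], z):
                alerts.append((app, signal))
    return sorted(alerts)

if __name__ == "__main__":
    for app, signal in detect(CURRENT, BASELINE):
        print(f"ALERT {app}: {signal}")
```

An application with no recorded history is reported rather than skipped, since a workload deployed outside the agreed framework is exactly the case the text warns about.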
Secondly, when planning a move to the cloud, companies need to recognise their fallibilities and take steps to rectify them. They may well lack the skills needed to balance the competing factors of control, visibility and cost when it comes to cloud security. And they may not have the spatial awareness needed to fully understand their exposure to risk.
Marching to a different beat
Data storage is one of the more thorny issues when it comes to cloud security. There is no doubt that sensitive information needs safer storage. One often-proffered solution is to encrypt data that's stored in a cloud-based repository. However, in the commonly shared environments that constitute these repositories, there is as yet no virtual machine solution on the market able to guarantee the integrity of the environment.
It's a drum that's been beaten often enough by cloud security advocates: applications deployed in a cloud environment are not necessarily secure, particularly existing applications that are deployed to a cloud without first addressing and ascertaining what new attack vectors are opened by this move.
Therefore, applications destined for the cloud should be re-architected, allowing elements of the application to scale independently and thus become more distributed and resilient.
Finally, any corporate administrative functions should be run through a separate application, so that if a malicious user does compromise an account, the most data that can be lost is that of a single user; the person with malicious intent will not obtain administrative access.
The ongoing paradigm shift in cloud computing, particularly against the backdrop of the bring your own device movement, is making the use of traditional risk management approaches difficult to orchestrate.
Today, control over data is often transferred to the cloud service provider while risk management and compliance issues are generally split between the service provider, Internet service provider and the end-user.
In South Africa, regulatory and legislative compliance in the cloud is problematic as it lacks adequate definition. Nevertheless, these challenges present industry specialists - distributors and resellers - with many opportunities to devise unique solutions for corporate decision-makers primed to embrace new ideas and technologies.
Many are ready to help orchestrate the harmonious delivery of cloud services, with their promise of faster speeds to market and increased profitability based on new functionality around processes such as merchandising, business intelligence and workforce management.
Martin May is the regional director (Africa) of Extreme Networks. The author of the book: 'Everything you need to know about networking', he is a leading authority on infrastructure security using NAC, IDS/IPS and other network-based technologies. With experience gained in Russia, Germany, UK, the US and various parts of Africa, he is directly involved with system design and implementation at enterprise level. His emphasis is on the evolution in network architectures brought about by the concept of cloud computing. May hosts regular workshops assisting South African dealers and resellers to understand the implications, complications, opportunities and international trends surrounding the cloud. A proponent of social networking for business, he is active on Facebook and makes extensive use of YouTube.