Many cloud computing pundits state that cloud computing introduces a new method of Infrastructure-as-a-Service; however, that is just not the case.
Cloud computing introduces automation, orchestration, service provisioning/delivery and service management, initiated either by administrators or through application programming interfaces (APIs). Those new capabilities must be secured.
To find out whether they are, ask your cloud provider these two questions:
- How do you secure your public API interface?
- How do you segregate duties between the public interface and the automation, orchestration and service delivery of the cloud service’s individual components?
For public interfaces, it is essential that the provider fronts the API with a web-service-aware firewall, one that inspects the API protocol and payloads rather than only ports and addresses. Your cloud provider should document its security architecture for you, including segregation of duties and the policies that govern access to and management of its environments.
It is also important that you understand the provisioning flows, the security at each provisioning interface and the administrative boundaries. Insider threats remain the top security threat.
In addition, the cloud computing models in service today come with weaker security controls and practices than existing hosting infrastructure provides, because traditional hosting security controls do not map well to the new cloud service models.
Cloud computing also introduces new threat vectors, such as:
- Virtualization architecture: The hypervisor and its management plane must be hardened just as any OS layer is.
- Patching of virtualization software: Unpatched hypervisor and cloud-management software is a new attack surface; it must be kept current like any other system software.
- Immature system management tools: Segregation of duties for administrative activities and identity management are often poorly supported.
- Inter-virtual machine visibility: The hypervisor introduces a new virtual network layer inside the firewall boundary; traffic between VMs on the same host crosses that virtual switch where traditional network monitoring has no visibility.
- Virtual machine mobility/escape: A compromised guest that breaks out of its VM can reach the hypervisor or the virtual network layer, and VM migration moves workloads across hosts and their security boundaries.
Cloud computing service architectures must have well-defined policies and procedures to address these concerns and must remain compatible with the dedicated security controls already in place.
The cloud threat landscape is still evolving. The main threats we are actively tracking are the explosion of malware, hybrid cloud access control and authentication, and mobility/app marketplace advanced persistent threats.
Ask your cloud provider to document its physical security controls, virtualization-layer security controls and network-layer security controls. Security controls for cloud services must be built into the service, not bolted on as an afterthought.