Journey to Cloud 9: Navigating a path to secure cloud computing
Alastair Broom, Solutions Director, Integralis
March 2012
Living on Cloud 9

Cloud computing represents a fundamental shift in the way IT services are delivered. Cloud promises true utility computing where IT services can be dynamically provisioned, scaled according to demand and priced are clear: reduction in capital IT costs, reduced operational management costs, and improved agility. computing models including scalability, reduced infrastructure and operational management costs, increased agility and improved service automation.

There are certain security risks associated with cloud computing. Embracing the cloud moves data and computing resources outside the corporate perimeter into a network provided by a third party. Workloads move dynamically based on resource utilization, load and performance requirements, requiring security policies to move with them. Virtualization, a key traditional, physical security devices so that certain customer and the cloud provider. Being able to answer the following questions is fundamental to achieving this trust:
How can I securely export and store data in the cloud?
How can I manage access to my cloud data?
How do I retain digital ownership and control in a virtual environment?
How do I maintain compliance?

"Over 60% of enterprises, both large and small, plan to evaluate or pilot some type of cloud-enabled offerings within the next 18 months" (Gartner Hype Cycle for Cloud Computing, 2010)

"Forrester fully expects to see the emergence of highly secure and trusted cloud services cloud security will grow into a $1.5 billion market and will shift from being an inhibitor to an enabler of cloud services adoption" (Forrester Research)

"The ability to scale resources up as well as down virtually instantaneously will put an end to the expensive practice of provisioning for peak demand" (Dr Radu Calinescu, Aston University)

How do you plan your journey into the cloud? What
Terminology

There are several variations on the cloud theme:

Software as a Service (SaaS)
party application service provider. Salesforce.com built its business on the SaaS model, but there are a growing number of providers who are beginning to offer applications as a service rather than as a license sale. For example, Microsoft now offers the Oracle On-Demand delivers applications such as Siebel and JD Edwards as a service. This enables organizations to pay for these enterprise applications as an operational expenditure rather than as a capital investment in hardware, operating system and application licenses, storage and data center costs.

Platform as a Service (PaaS)
platform delivered as a subscription service. It enables companies to develop their own applications using the resources of a third-party cloud provider, thereby reducing the cost of application development and enabling development costs to be more easily

Infrastructure as a Service (IaaS)
IaaS provides a complete IT infrastructure delivered as a service. Users pay for the computing power consumed over time and the service includes applications, hardware, and storage. IaaS provides a computing model that is relatively easy and cost effective to set up and that can expand across all areas of IT in response to business demands.

Private Cloud
A private cloud refers to a utility computing model that is either delivered from an organization's own data center or is delivered by a third-party provider using dedicated infrastructure.

Public Cloud
A cloud service delivered via a third-party service provider using shared resources. The service delivery model is as in SaaS, but may include infrastructure and storage in addition to the application.

Hybrid Cloud
A computing model that bridges public and private workloads may move from private, corporate data centers to a public cloud provider's network based on requiring unusual computing demands.
Journey to the Cloud

Many corporate networks continue to work around a physical infrastructure. Applications exist on individual, physical servers sitting in one or more data centers. Servers are sized to manage peak load, as is the infrastructure for switching, security and storage. New applications require new hardware, which in turn requires additional rack space, power and cooling. This traditional data center model lacks scalability and rates for enterprise servers are estimated at just data center environment is built to meet a peak load:
maximum number of connected users;
maximum expected hits on a web site;
peak bandwidth.
Most of the time, the infrastructure is delivering far below peak load, and capacity is sitting idle. physical servers to one virtual server, savings of up with reduced power consumption, and cooling demands. Finally, the cost of maintaining a piece times more costly than the original purchase price, so impact on the total cost of ownership.

Cloud Security Checklist: Getting Started

1. Baseline your network. Understand what you have and where, before virtualizing.
2. Investigate and audit any existing cloud projects. These may be SaaS deployments, outsourced applications or test and development activities.
3. Identify your cloud IT team and clearly define roles and responsibilities.
Be rigorous with your requirements definition; don't skip the evaluation stage just because this is a service and not expensive equipment.
4. Do a thorough risk assessment.
Classify your data and determine what can be moved to the cloud and what must remain inside the corporate perimeter.
Carefully analyse SLAs and determine:
What are your data privacy policies?
What are your data retention policies?
Where is your information stored?
If you terminate your service, how long will it take to get your data back, and in what form will you
What is your disaster recovery plan?
"A global study has found that unused data center servers are wasting an estimated $25 billion every year" (Kelton Research, in association with the Alliance to Save Energy)
Step 1: Data center virtualization

The journey to the cloud must begin with virtualization. Virtualization decouples applications and operating systems from the physical hardware and storage, architecture. By allowing each physical server to support multiple virtual servers, much better use is made of the underlying hardware. Applications and workloads can still be managed as discrete entities but the hardware provisioned to applications.

Storage virtualization also abstracts the physical storage hardware from the logical address seen by the application. By doing so, administrators no longer have to search for disks that have free space to allocate to and logical addresses dynamically mapped to the physical location of the data.

Data center virtualization creates an environment where new applications can be added as a new virtual machine on existing hardware. This reduces the time and expense involved in setting up a new physical server. Storage capacity can be increased by adding immediately available to all applications without the need to allocate it to physical servers. While it also creates a new set of security challenges.

Security challenges in the virtualized world

In the virtual world, however, the correlation between physical hosts and applications is much more tenuous. Virtual servers may move between physical hosts, making a security policy that is applied to a physical server irrelevant. Security policies must be aligned to the virtual server and must be able to follow the virtual Communication may take place between virtual servers on the same physical host, which would bypass traditional physical security appliances. If the physical server to an external security appliance and then back again, performance will be adversely or unauthorized services running on or within the virtual network could go undetected. This constitutes a security risk.
Compromising one virtual machine may lead to compromising others residing on the same host, without detection.

In addition to the problems associated with lack of security issues unique to virtualized environments:
It is possible for VMs to migrate (either deliberately virtualized environments cloned and the clone made to run on any part of the virtualized environment, potentially breaching trust boundaries.
VMs have no physical presence, leaving no trace existence. This dynamic build and destroy nature of VMs can lead to a lack of audit trail and problems with forensics following a security event.
The ease with which VMs can be created and copied can also lead to VM sprawl, a phenomenon whereby VMs grow uncontrollably, leading to security issues due to poor policy control and inherited policies. It is important that VM creation policies are tightly controlled and audited.

Addressing these security issues requires visibility into the virtual environment and the ability to apply policy at the VM level, not just the physical level.

If you would like to discuss the security issues that surround data center virtualization, you may wish to talk to us about our approach.
Step 2: Private cloud

Virtualization changes the way an organization thinks about IT. Breaking away from the concept of physical cloud. The private cloud model provides some of the total cost of ownership savings of full public cloud adoption while maintaining control of security, compliance and provisioning. More importantly, it enables IT to be delivered as a service. This leads to improved service levels and greater agility. IT can deliver a higher quality service to the business, with better service availability and performance levels. In many organizations, this has allowed the IT department to improve its image, showing how it can quickly respond to what the business needs. With IT delivered as a true service, data center staff are freed from mundane, operational tasks and can address strategic, project-based initiatives that drive the business forward rather than maintaining the status quo.

Being able to move applications and data around easily also improves the options and lowers the costs of disaster recovery. Organizations no longer have to replicate facilities which remain idle for most of their In a private cloud environment with dynamic workloads, data center failover becomes much simpler, with services simply moved from one data center to another in the event of an outage. Similarly, with virtualized storage, data replication and back-ups can be automated easily, network capacity rather than pre-determined times.

Cloud: providing your business with computing power you can switch on and off

cloud computing and sweating its existing data center assets. For organizations with a green IT agenda, private cloud reduces power consumption and your hardware bill.

"An IDC survey found 55 percent of IT executives preferred private over public cloud" (IDC, 2010)
Step 3: Hybrid cloud

As security, compliance and availability are addressed, organizations will begin to move services into the trust in the cloud to do this in a single step. Hybrid cloud provides a migration path from private to public trust in this new service delivery model. Lessons learned with private cloud initiatives in areas such as:
Service definition
Sizing
Maintaining compliance
Operational management
Security
are invaluable for making a secure journey into the public cloud.

Moving applications around in a virtualized environment is easy to do. That means businesses can migrate low-risk services to test service levels and pricing models, while building the case to move more critical applications. Some organizations start by bursting into the cloud during periods of high demand, providing additional website capacity during promotions or peak periods. Workloads may move from private, corporate data centers to a public cloud provider's network based events requiring unusual computing demands. Other organizations may use the cloud for disaster recovery or data back-up.

Customers have asked us "when is the right time to migrate to the cloud?" Any recent data center investment will make the business case for moving to cloud a tough one. We recommend organizations look for technology triggers opportunities to embrace the cloud while protecting investments and leveraging existing assets. New applications requiring hardware investment and natural technology refresh cycles may provide appropriate opportunities for cloud migration while ensuring maximum ROI from existing hardware investments.
Step 4: Public cloud

Full public cloud adoption may not work for every organization. Certain applications must be kept in-house for political, commercial or technical reasons or because compliance requirements cannot be met enables the US Government to access data held by US cloud providers even if they are located outside the US and serving non-US clients. To date, security and compliance issues have been Inhibitors, Gartner found that data location risk, data is clearly a major concern, but ask yourself these questions:
Does my IT department know more about security than a well-established cloud provider?
How does my security budget compare with theirs?
How does the security of my data differ in a public cloud compared to that of a remote data centre?

Organizations should seek assurances from cloud providers that data in storage is effectively destroyed when the storage is recycled to another tenant. machines must be in place to protect customer data. Data storage policies will also vary depending on the type of data and the level of trust between customer and service provider. Security in the public cloud should be built into every application, just as network security is outsourced.

The public cloud promises true utility computing, a pure services model, charged on usage and bound by agreed service levels. Utility computing does easily between service providers based on price and it is typically a manual process involving service As standards mature and process automation improves, we will soon be able to switch providers instantaneously to get the best deal at any point in time, based on current business requirements.

Organizations looking to engage with a cloud provider should challenge them rigorously on their security investment. Adherence to standards such as best practices are being deployed.
You, rather than and approving any service that is an extension of your existing security policy, to ensure that existing levels of Security in the public cloud should be treated as a partnership model between cloud provider and customer. Corporate policy should determine which applications and data are suitable for sending to the cloud and which aren't. Certain data will need to be encrypted before it is sent to the cloud and data access policies will depend on the value and policies need to be carefully thought through to ensure, for example, that single sign-on solutions continue to work with applications running in the cloud and credentials are protected.
Conclusion

to cloud adoption, and organizations are right to hesitate before starting the journey to the cloud. In order to help you think about cloud adoption, we have presented a set of potential steps in this paper showing not realize the full return on investment and economies of scale that can come from a strategic, coordinated approach to cloud computing. Otherwise the cloud may become a threat to IT's survival, as business units with money to spend will circumvent it and go directly to cloud providers who promise cheaper services, faster time to service, tighter SLAs and more route for new applications and services. If IT does not take control of cloud initiatives, change will happen performance, availability, security and compliance requirements of each application? How will these be

Finally, in planning the journey to the cloud, businesses should be looking for compelling events that justify the next step on the path. Technology triggers such as hardware refresh cycles, major application projects, and mergers and acquisitions will provide opportunities to make progress on the journey while protecting existing investments and maximizing overall return on investment.
About Integralis

Integralis is a global information risk management solutions provider. We deliver a complete portfolio of managed security, IT infrastructure, consulting and technology integration services that help organizations lower IT costs while achieving a greater depth of security protection, compliance and service availability. Integralis, Inc. is an independent subsidiary of NTT Communications. For more information, visit www.integralis.com.

Integralis Inc.: us.info@integralis.com
Integralis UK: uk.info@integralis.com
Integralis Deutschland: de.info@integralis.com
Integralis Asia: asia@integralis.com
Integralis Middle East: me.info@integralis.com