Cloud Security Demystified: Experiences From Within the CSC Cloud
Authors: André van Cleeff, Niels Lagerweij and Susie Allwood
Since the rise of cloud computing there has been a continuous debate about its security. This debate has been complicated by the fact that few cloud providers have offered detailed insights into their operations, and the technology used in clouds is not well known to the general public, making it difficult for IT outsiders to get an understanding of cloud security. This paper gives insights into the operations of an actual cloud by sharing the expertise of several CSC cloud security professionals who have detailed insights into the CSC cloud, as they work with it on a daily basis. Four myths of cloud computing are examined and debunked. These myths are: (i) customers can attack each other easily in a cloud, (ii) cloud users are protected by standard security, (iii) clouds are volatile and vulnerable and (iv) clouds cannot be transparent.
About 15 years ago, when information security issues became known to the general public, the security problems concerned software that was in direct use by end users: for example, email was affected by viruses that spread through email attachments, and spam created an earlier form of denial of service by overloading users' mailboxes. Vulnerabilities in these end-user systems are still present today, but in addition to that, a large part of the IT infrastructure has shifted away from the end user.
Enterprises replaced email workflows with their own information systems and Excel spreadsheets were transformed into actual database-driven applications, maintained by a professional staff and running inside the corporate data center. The culmination of these developments is cloud computing, which in turn allows enterprises to shift away from managing their own infrastructure, instead relying on the services provided by cloud providers.
Apart from the business drivers and effects of this trend – the replacement of upfront investments in IT by a pay-per-use model – this trend also reduced the possibility for the general public and corporate users to understand information security issues, as they were no longer visible through personal experience. A database can be understood as an Excel sheet, but a database security problem such as a transaction log running full does not have any equivalent in Excel that is meaningful to a user in the same way.
Likewise, a denial of service attack on a financial institution causes unavailability of the user's banking app on her iPad, but she has no mental representation of the vast infrastructure running behind the app that is affected by the attack. The damage done to the institution is, however, far more complex, depending on how the back end connects to the outside world. Global transactions and broker information could also fall victim to the attack, as could various internal systems, all outside the view of the end user.
Clouds, which are not directly managed or maintained by their enterprise users or the general public, face the same issue: how can security risks really be understood if the technology is fairly new and there is no direct experience of what a cloud is? One way to gain an understanding of the cloud and cloud security is to actually start using the cloud – simply paying with one's credit card and starting up compute resources in a cloud like Amazon's EC2.
However, even though this can be an enlightening experience for users, it does not provide insights into the infrastructure that supports this process and the corporate business processes running behind clouds. As such, there is the need for more insight into the nature of cloud security. Obtaining this information is difficult, however, because cloud vendors are not willing or are unable to give much insight into their operations. Important reasons for this are intellectual property protection, the need to protect the security of customers, and also technical issues associated with creating detailed reports of the cloud's operations.
Still, first-hand information about cloud security is crucial in understanding what information security is about today, and in making informed decisions about whether to adopt clouds. It is the objective of this paper to share some insights into an actual cloud, through the experiences of three professionals working for a cloud provider, in this case CSC. These three professionals work as account security manager, IT architect and program manager respectively. In this paper they (from now on "we") will shed light on the CSC cloud as it is currently in use by enterprises all over the world.
We do this by discussing several commonly held beliefs about clouds:
1. Customers can attack each other easily in a cloud.
2. Clouds provide standard security.
3. Clouds are volatile.
4. Clouds are not transparent.
Before we discuss these myths in detail, we will explain a little bit about the CSC cloud (and especially the IaaS cloud) to set the stage. We conclude the paper with a summary of our results.
Download the entire paper, Cloud Security Demystified: Experiences From Within the CSC Cloud (PDF), to continue reading.