Chalk Talk December

Security in a World of Many Clouds

Face it, Cloud is hot. So hot in fact, that practically every tech company on the planet has jumped on the bandwagon with brash pontification and feverish zeal about how their solutions leverage this mystical cloud thingy. If you ask five people what cloud means to them, you would probably get six different answers. Marketing folks are having a field day slapping the cloud name on everything and anything. With all of this cloud stuff fogging up the technology landscape, how is someone responsible for security supposed to protect intellectual property and keep evil hackers from backstroking through our sensitive data? The answer to this question lies in understanding the ways in which your organization will use cloud, and what architectural requirements are necessary to limit your exposure to a new set of risks brought about by its adoption.

On December 6th 2011 Cisco announced CloudVerse, which paints a vision of the future of IT as a "world of many clouds" that organizations will stitch together into a cohesive services catalog that saves money, makes the business more agile, and offers more productivity enhancing technologies at the same time. The IT services catalog will consist of private applications and technologies that the business owns and manages, but will also include various cloud applications like Cisco TelePresence and Hosted Collaboration Solution. The goal of the CloudVerse concept is to simplify the complexity of offering these technologies without having to add the additional burden of supporting and managing the underlying "stuff that makes it happen" on an already overworked IT staff.

To this end, CloudVerse is broken into three main categories: Cloud Applications, Unified Datacenter, and the Cloud Intelligent Network. Cloud Applications represents the services that IT will be offering to the business, like TelePresence, HCS, or storage. The Unified Datacenter consists of the datacenter stack as a whole, with all of the underlying technologies like FlexPod and Vblock managed and orchestrated through a unified management platform. Last but not least is the Cloud Intelligent Network, which enables the interconnection of cloud services in a secure manner by automating the deployment and provisioning of network resources. Security functions are baked into each of these categories, with the deployment model dictating how much control and responsibility you have over the operational aspects of security for the service you are utilizing.

The cloud computing paradigm focuses on the service itself as opposed to the mechanics of the technology. It generally includes technology automation and pooling of resources, and it is often metered in a manner similar to how you are charged for electricity at home: you don't care how the power is acquired and transmitted, but you do expect that it will be there when you need it. Cisco's CloudVerse focuses on three main types of clouds: Private, Public, and Hybrid.

Private: This is a cloud you own and control. Many businesses have started here on their cloud journey. It's way more than just running virtualization software on your servers and having a big data center. The private cloud ultimately represents a shift in how IT delivers its services back to the business and fully leverages automation and orchestration to abstract bits, bytes, and flashing lights by enabling the provisioning of new services through web portals and simple tools that enforce business logic and policy. The key aspect of the private cloud from a security perspective is that your data stays internal to the organization and you control security policy and governance.

Public: This is a cloud that you contract with a third party for. These services are often priced on user counts and usage, like hosted email or Cisco WebEx. With a public cloud your data is stored alongside that of other customers by the provider, in their data centers and on their equipment. The only controls you have are those outlined in the Service Level Agreement and those put in place by your cloud service provider. The biggest problem from a security standpoint is one of transparency into the security operations of the provider: you must rely on someone else to do their job in order to protect your data. This is one of the main reasons why cloud providers seek SAS 70 certification. In doing so they provide a level of assurance to their customers that they have the appropriate controls in place. While this is no guarantee against bad things happening, it should be something you look for in a potential provider.

Hybrid: The hybrid cloud is one that enables the private and public clouds to operate together, sharing data and allowing an organization to expand resources on demand to handle peak usage cycles without having to build out excess capacity locally. The economics of a hybrid cloud can be very attractive to the business. Hybrid clouds require more co-ordination between "your stuff" and "their stuff," but afford a greater degree of visibility and control over the exchange of data between the business and the provider. As with public clouds, Service Level Agreements are key to outlining expectations and responsibilities for the protection of business assets.

Security in CloudVerse has a few key architectural requirements that should be addressed regardless of the cloud model your organization decides to utilize. They are as follows:

Logical Separation

One of the most essential aspects of security is the concept of building walls around data to protect it from unauthorized access. Segmentation separates the protected from the unprotected and can occur in both physical hardware and virtual software. The challenge comes with the co-ordination and interaction between the two worlds as your data moves back and forth. In the virtual world, separation of protected assets occurs in logical zones, which are accomplished with technologies like Cisco's Virtual Security Gateway and the ASA 1000V, while physical separation can occur with traditional firewall technology like the ASA 5585-X. The multi-tenancy aspect of cloud requires that strong controls are in place to ensure that Customer A and Customer B cannot interact with each other's data, which can be enforced through network zoning and access control. Keeping it all separated is a crucial part of protecting cloud services.
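To make the zoning and tenant-isolation requirement concrete, here is an added example (not Cisco code, and not part of the original column) of the rule a zone enforcement point or an audit script applies: every workload belongs to one tenant and one zone, flows between tenants are never allowed, and flows within a tenant are allowed only when the zone pair and port are explicitly listed. The inventory, the per-tenant policy and the flow records are constructed sample data; the names are illustrative.

```python
"""Tenant zoning policy check over a constructed flow log.

Added example, not Cisco code. It models a default-deny zone policy in which
a flow is permitted only when both endpoints belong to the same tenant and
the (source zone, destination zone, port) triple is listed for that tenant.
"""
from dataclasses import dataclass

# Assumed inventory: workload IP -> (tenant, zone). Constructed sample data.
INVENTORY = {
    "10.1.1.10": ("customer_a", "web"),
    "10.1.2.10": ("customer_a", "app"),
    "10.1.3.10": ("customer_a", "db"),
    "10.2.1.10": ("customer_b", "web"),
    "10.2.3.10": ("customer_b", "db"),
}

# Assumed per-tenant zone policy: permitted (src_zone, dst_zone, dst_port)
# triples. Anything not listed is denied (default deny).
ZONE_POLICY = {
    "customer_a": {("web", "app", 8080), ("app", "db", 5432)},
    "customer_b": {("web", "db", 3306)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate_flow(flow: Flow) -> str:
    """Return 'allow', 'deny:cross-tenant', 'deny:zone-policy' or 'deny:unknown'."""
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None or dst is None:
        return "deny:unknown"          # unmanaged endpoint: fail closed
    src_tenant, src_zone = src
    dst_tenant, dst_zone = dst
    if src_tenant != dst_tenant:
        return "deny:cross-tenant"     # the multi-tenancy invariant, checked first
    if (src_zone, dst_zone, flow.dport) in ZONE_POLICY.get(src_tenant, set()):
        return "allow"
    return "deny:zone-policy"          # same tenant, but zone pair/port not permitted


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'src dst dport' flow record."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


# Constructed flow records: two good intra-tenant flows, one cross-tenant
# attempt, one good customer_b flow, one intra-tenant zone violation, one
# flow from an IP that is not in the inventory.
SAMPLE_FLOWS = """\
10.1.1.10 10.1.2.10 8080
10.1.2.10 10.1.3.10 5432
10.1.1.10 10.2.3.10 3306
10.2.1.10 10.2.3.10 3306
10.1.1.10 10.1.3.10 5432
10.9.9.9 10.1.3.10 5432
"""


def audit(flow_log: str) -> dict:
    """Count verdicts and collect the flows that crossed a tenant boundary."""
    verdicts = {}
    violations = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        verdict = evaluate_flow(flow)
        verdicts[verdict] = verdicts.get(verdict, 0) + 1
        if verdict == "deny:cross-tenant":
            violations.append(flow)
    return {"verdicts": verdicts, "cross_tenant": violations}


if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    print(result["verdicts"])
    for f in result["cross_tenant"]:
        print("ISOLATION VIOLATION:", f)
```

The order of the checks is the point: an unknown endpoint is denied before anything else, the cross-tenant test runs before the zone policy is even consulted, and only then does a tenant's own allow list matter. Run over real flow exports, the count of `deny:cross-tenant` verdicts is the number you want to see stay at zero.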

Automation

A defining characteristic of any cloud service is automation and orchestration of virtual and physical resources. The CloudVerse announcement brings to light a number of Cisco acquisitions over the last year designed to address this very subject. Cisco Intelligent Automation for Cloud (CIAC) provides a services catalog portal for requesting services and orchestration software that turns those requests into scripts and API calls that make all of the magic happen in the background. CIAC is an extremely flexible solution that is extendable through automation packs, which are preconfigured for common tasks like spinning up new virtual servers, provisioning storage, configuring the network, and interacting with billing systems. Given the right amount of motivation, you could configure CIAC to order pizza through the web, which would be a gross misuse of advanced technology but could score you some serious geek street cred.


Policy Consistency

A security policy is written by taking the goals of the business and applying a healthy dose of risk management to come up with policies and procedures that accomplish what the business wants to do, without landing the CEO on the front page of the Wall Street Journal as the next big security fail. In the cloud, policy enforcement can actually be easier through the use of automation technologies like Cisco Intelligent Automation for Cloud: security can be built into the service provisioning process, where it is applied automatically and consistently across the company. Here again is where having a discussion with your provider is so crucial, to make sure that your policies and their policies are compatible with your level of risk.
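The following added example (not CIAC code, and not from the original column) shows what "security built into the provisioning process" looks like in practice: an orchestration step takes a service-catalog request and either rejects it or returns a plan in which zone placement, firewall rules, default deny and logging are part of the plan rather than something the requester decides. The tier templates, ports and request shapes are constructed assumptions.

```python
"""Policy applied at provisioning time, identically for every request.

Added example, not Cisco Intelligent Automation for Cloud code. The tier
templates below are assumed policy: each tier gets a zone, the only inbound
ports it may expose, whether internet exposure is ever permitted, and the
zones it may talk to. A request cannot widen any of these.
"""
from dataclasses import dataclass, field

TIER_TEMPLATES = {
    "web": {"zone": "dmz",  "inbound": {443},  "internet_ok": True,  "egress_to": {"app"}},
    "app": {"zone": "app",  "inbound": {8080}, "internet_ok": False, "egress_to": {"db"}},
    "db":  {"zone": "data", "inbound": {5432}, "internet_ok": False, "egress_to": set()},
}


@dataclass
class Request:
    """A constructed service-catalog request."""
    tenant: str
    name: str
    tier: str
    internet_facing: bool = False
    extra_inbound: set = field(default_factory=set)


@dataclass
class Plan:
    """What the orchestrator would hand to the network and compute layers."""
    tenant: str
    name: str
    zone: str
    firewall_rules: list
    logging: str = "flow-logs-to-central-siem"   # mandatory, never request-controlled


def build_plan(req: Request) -> Plan:
    """Validate the request against policy and return a plan, or raise ValueError."""
    tmpl = TIER_TEMPLATES.get(req.tier)
    if tmpl is None:
        raise ValueError(f"unknown tier {req.tier!r}")
    if req.internet_facing and not tmpl["internet_ok"]:
        raise ValueError(f"tier {req.tier!r} may not be internet-facing")
    disallowed = req.extra_inbound - tmpl["inbound"]
    if disallowed:
        raise ValueError(f"ports {sorted(disallowed)} not permitted for tier {req.tier!r}")

    rules = []
    src = "internet" if req.internet_facing else f"{req.tenant}:*"   # intra-tenant otherwise
    for port in sorted(tmpl["inbound"]):
        rules.append(f"permit {src} -> {req.tenant}:{tmpl['zone']} tcp/{port}")
    for zone in sorted(tmpl["egress_to"]):
        rules.append(f"permit {req.tenant}:{tmpl['zone']} -> {req.tenant}:{zone}")
    rules.append(f"deny any -> {req.tenant}:{tmpl['zone']}")          # default deny, always last
    return Plan(req.tenant, req.name, tmpl["zone"], rules)


def process(requests):
    """Run a batch; return (plans, rejections) so both are visible to the operator."""
    plans, rejections = [], []
    for r in requests:
        try:
            plans.append(build_plan(r))
        except ValueError as e:
            rejections.append((r.name, str(e)))
    return plans, rejections


# Constructed requests: one compliant web server, a database someone wants
# exposed to the internet, and an app server asking for an extra SSH port.
SAMPLE_REQUESTS = [
    Request("customer_a", "web01", "web", internet_facing=True),
    Request("customer_a", "db01", "db", internet_facing=True),
    Request("customer_a", "app01", "app", extra_inbound={22}),
]

if __name__ == "__main__":
    plans, rejections = process(SAMPLE_REQUESTS)
    for p in plans:
        print(p.name, p.zone, p.firewall_rules, p.logging)
    for name, reason in rejections:
        print("REJECTED", name, reason)
```

Because the controls are derived from the template and not from the request, every web server any team provisions ends up in the same zone with the same rules and the same logging, which is the consistency the section is after. The rejections list is deliberately returned rather than silently dropped, since a refused request is exactly the event the security team wants to hear about.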

Authentication and Access Control

Many companies have standardized on Active Directory for access control, but if your services are being consumed from the cloud, then you may have to deal with the fact that your users are going to have to log in with separate credentials to someone else's servers. This can dramatically increase the level of support and co-ordination required just to reset someone's password. Luckily, cloud providers have been able to address these problems by allowing for federated access control through technologies like SAML and WS-Federation. These are two of the most popular techniques used to allow authentication and access control to pass between two clouds. Cisco supports SAML natively in the IronPort Web Security Appliance for a number of web-based cloud services, but if a more complete single sign-on and cloud federated identity solution is needed, then you should look to companies like Ping Identity to address your needs.
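Federation only reduces the password-reset burden safely if the service provider side actually checks what the identity provider asserts. The added example below (not Cisco or Ping Identity code, and not part of the original column) shows the conditions a relying party checks on a SAML 2.0 assertion before trusting the login: the assertion comes from the expected identity provider, is addressed to this service provider, and is inside its validity window. Signature verification over the XML is out of scope here; in a real deployment it is mandatory and is done with an XML-DSig library before any of these checks run. The entity IDs, timestamps, subject and attribute are constructed sample data.

```python
"""Service-provider-side checks on a SAML 2.0 assertion.

Added example, not Cisco or Ping Identity code. Signature verification is
deliberately not included (it requires an XML-DSig library and must happen
before these checks); what is shown is issuer, audience and time-window
validation plus extraction of the subject and attributes. All identifiers
below are placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed trust configuration of the service provider (placeholders).
TRUSTED_ISSUER = "https://idp.example.com/idp"
OUR_ENTITY_ID = "https://sp.example.net/saml"

# Constructed, unsigned sample assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2011-12-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-12-15T10:00:00Z" NotOnOrAfter="2011-12-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.net/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp form SAML uses (sample data uses whole seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, skew_seconds: int = 0) -> dict:
    """Return {'ok', 'errors', 'subject', 'attributes'} for an already signature-checked assertion."""
    errors = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != TRUSTED_ISSUER:
        errors.append(f"untrusted issuer {issuer!r}")

    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if OUR_ENTITY_ID not in audiences:
        errors.append("assertion not addressed to this service provider")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        skew = timedelta(seconds=skew_seconds)   # tolerate small clock drift between IdP and SP
        if "NotBefore" in cond.attrib and now + skew < _ts(cond.attrib["NotBefore"]):
            errors.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= _ts(cond.attrib["NotOnOrAfter"]):
            errors.append("assertion expired")

    subject = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if subject is None:
        errors.append("missing NameID")

    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.attrib.get("Name")] = values

    return {"ok": not errors, "errors": errors, "subject": subject, "attributes": attributes}


def validate_at(xml_text: str, when: str, skew_seconds: int = 0) -> dict:
    """Convenience wrapper taking the current time as a UTC timestamp string."""
    return validate_assertion(xml_text, _ts(when), skew_seconds)


if __name__ == "__main__":
    print(validate_at(SAMPLE_ASSERTION, "2011-12-15T10:02:00Z"))
    print(validate_at(SAMPLE_ASSERTION, "2011-12-15T10:05:00Z"))
```

The audience check is the one most often skipped and the one that matters most in a world of many clouds: without it, an assertion the identity provider issued for one cloud service could be replayed to another. When parsing assertions that arrive over the wire, use a hardened parser such as defusedxml rather than the standard library module used here for the sample.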

So there you have it: Cisco is serious about the cloud and has shown a strong vision of how cloud will be consumed and adapted to various business needs. It's a world of many clouds connected through technology that embraces a flexible and efficient model where you pay for what you use, when you use it. Security in the cloud requires more co-ordination about who is responsible for what, but all of the fundamental security controls that you are accustomed to still apply.

Chris Jackson is a Technical Solutions Architect for Cloud and VXI who works in the Cisco Partner Organization and has focused for the past 10 years on developing security practices with the Cisco partner community. He has built secure networks that map to strong security policies for organizations including UPS, GE, and Sprint, and is the author of the Cisco Press book Network Security Auditing. Chris is an active speaker and blogger on security and cloud through Cisco Live, TechWiseTV, webcasts, and Network World. He has authored a number of white papers and is the lead maintainer and author for the Center for Internet Security auditing benchmarks for Cisco technologies. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.