Forrester, in a recent report entitled ‘Top 15 Trends S&R Pros Should Watch: Q2 2014’, discusses up-and-coming security products and services and highlights vendor solutions. In the next two posts we’ll take this analysis one step further by focusing on the security trends that are most relevant to Infrastructure-as-a-Service (IaaS). For each such trend we will elaborate on the IaaS-specific challenges facing IT managers. We will also discuss possible guidelines for coping with each challenge and, when relevant, explain how the 40Cloud solution addresses it.
In our posts, we have kept the original numbering of the trends in order to ease the reference back to the original Forrester report.
Trend 1: Regional Datacenters and Localization Issues
The exposure of the NSA’s surveillance program (a.k.a. PRISM) has served as a wake-up call for many organizations to revisit the security and privacy policies of their infrastructure providers with questions like:
- Which providers are likely to be more susceptible to government surveillance?
- Which providers are more likely to surrender my organization’s private data to the authorities (and to which authorities)?
- And which privacy laws govern my cloud provider (as privacy laws may vary from country to country)?
The concerns arising from the above-mentioned issues have led many organizations to consider cloud providers that are local to their country of origin (and are governed by ‘familiar’ privacy laws). Moreover, we now see many new local cloud providers that can offer an alternative to the big global (US-based) cloud providers. This is prevalent in the European Union, where in some cases, the local cloud providers are also supported by government funding.
What can be done?
In order to protect your network’s security and privacy, there are a few recommendations that should be implemented in a timely manner. First, it is advisable to encrypt all data headed for the cloud, whether in motion or at rest. 40Cloud’s solution can help here by providing encryption for all in-transit data. This is done by building a VPN for your organization in the cloud, in which all communication is encrypted.
Second, when it comes to privacy and government regulations, make sure that you understand how your cloud provider addresses subpoenas from various government offices. It’s important to know your rights and responsibilities if the authorities question your provider.
Finally, make sure you have an infrastructure-agnostic security solution that will enable you to use any infrastructure provider, local or otherwise. 40Cloud, for example, provides the same high level of security regardless of infrastructure, giving your organization the flexibility to deploy on any (or multiple) cloud(s) without compromising IT security.
Trend 5: Automation of Security Configuration
With the advent of cloud computing and the dynamic nature of IaaS environments, it must be understood that security needs in the cloud differ from the security measures required to protect and maintain information within the customer premises. First, due to the nature of the risks facing IaaS deployments, a dedicated security configuration is frequently required for each and every server. For example, host-based firewall rules and encryption keys need to be defined per node. Second, in the cloud, workloads can change quickly, and hence the number of active servers is far from being stable. Trying to configure security manually in dynamic IaaS deployments will probably lead to either compromising security or compromising business agility (because of the limited pace at which security configurations can be performed manually).
The answer to this problem is the automation of all cloud security configurations.
What can be done?
The first question is – what needs to be automated? The answer to this question is ‘whatever is dynamic in nature or server-related’. Furthermore, security automation is required for newly-launched virtual instances, as well as for the modification of security settings of existing virtual instances in real time.
The 40Cloud solution lets a system administrator automate the entire security configuration using a policy-based system. The administrator defines groups of cloud resources that share similar security characteristics. For each such group, a dedicated security policy (e.g. firewall rules) is specified. A new server will be associated with an automatically-enforced security policy. A change in a specific policy will be automatically propagated and enforced in real time on all affected virtual servers. 40Cloud automation also covers access rights for remote employees (we will expand on this issue in the next section).
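The group-and-policy model described above can be sketched in a few lines. This is an added example, not 40Cloud's code or API: the tag names, addresses, `POLICIES` layout and function names are all assumptions made for illustration. It compiles a default-deny, iptables-restore style ruleset per server from group membership and reports which servers need a re-push after a policy edit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int
    source: str  # CIDR allowed to connect

@dataclass(frozen=True)
class Server:
    name: str
    tags: frozenset

# Constructed sample policy: group -> (tag that selects members, inbound allow rules)
POLICIES = {
    "web": ("role=web", [Rule("tcp", 443, "0.0.0.0/0")]),
    "db": ("role=db", [Rule("tcp", 5432, "10.0.1.0/24")]),
}
# Constructed sample fleet; "scratch-1" matches no group and gets default-deny only.
FLEET = [Server("web-1", frozenset({"role=web"})),
         Server("db-1", frozenset({"role=db"})),
         Server("scratch-1", frozenset())]

def groups_for(server, policies):
    """Groups whose selector tag the server carries."""
    return sorted(g for g, (tag, _) in policies.items() if tag in server.tags)

def compile_ruleset(server, policies):
    """Render the per-node ruleset: drop inbound by default, then add group allows."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]", "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    seen = set()
    for group in groups_for(server, policies):
        for r in policies[group][1]:
            if r not in seen:  # a rule shared by two groups is emitted once
                seen.add(r)
                lines.append(f"-A INPUT -p {r.proto} -s {r.source} "
                             f"--dport {r.port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)

def affected_by_change(servers, old, new):
    """Servers whose compiled ruleset differs after a policy edit (need a re-push)."""
    return sorted(s.name for s in servers
                  if compile_ruleset(s, old) != compile_ruleset(s, new))

if __name__ == "__main__":
    # A newly launched server inherits its group's policy from its tag alone.
    print(compile_ruleset(Server("web-2", frozenset({"role=web"})), POLICIES))
```

A server that matches no group still receives the default-deny base, so a missing or mistyped tag fails closed rather than leaving the node open.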
Read the second part of this post, which covers Authentication & Access Control trends.