Getting the most from IaaS

Mix, match and burst. New infrastructure-as-a-service tools make it easier to shift among multiple private and public clouds.

Page 2 of 5

Secure Enough?

Concerns about sharing servers, storage and networks with other organizations outside the corporate firewall scare many users away from IaaS. But most observers agree that, with proper care, IaaS can meet even strict security requirements, and the security picture is likely to improve as IaaS providers gain experience. For example, Sonian, a Newton, Mass.-based provider of email and document services, recently completed a Federal Information Security Management Act (FISMA) audit of more than 300 controls analyzing how Sonian software operates on the Amazon cloud. "We met the highest standards out there," says CTO Greg Arnette.

As with in-house data centers, most security problems in the cloud are caused by users who ignore the rules or by operational snafus such as misconfigured networks, says Pepple. IT services providers such as India's HCL Technologies offer multicloud governance frameworks that can provide granular access controls and configurable roles and privileges for users across multiple clouds, says Sadagopan Singam, HCL's global vice president of cloud computing.

Before moving to the cloud, customers should decide how to organize their security groups, change default server configurations to restrict access to authorized users, and map their internal security and access control models to the cloud with tools such as federated identity management, advises Shriram Natarajan, senior director of the cloud technology practice at Indian software development firm Persistent Systems.

They should answer questions such as, "Which ports should be open; which IP addresses can come in and communicate? How is it going to tie in with your existing identity management system?" he says.

"Some people treat the cloud as something separate -- they have a separate hierarchy of users [that] doesn't really map to the hierarchy they have in-house," he says. "Once they do it, they have two different control structures and then try to reconcile it," which is harder than doing this work up front.

Verifying security can be difficult when IaaS providers don't let customers know exactly where their data is stored. Meeting privacy or security rules also requires a virtual private network that ensures that encrypted data "moves only to certain dedicated servers" and can't be sent anywhere except the appropriate specific servers in the customer's cloud, says Natarajan.

Such secure communication requires the ability to assign IP addresses to the network interface on a particular server and specific virtual LAN, he says, and for virtual machines to have one interface to outsiders such as customers and another to sensitive data within the customer's site. "Amazon has the most robust offerings in this area," says Natarajan. "The others are all catching up."

Security is just one of the factors customers must consider as they move systems among public and private IaaS implementations.
