Thread: Cloud computing and its security aspect.

  1. #1

    Cloud computing and its security aspect.

    I have had a keen interest in Virtualization for quite some time now. With cloud computing coming up, virtualization is taken to the next level. My work experience with Virtualization has been rather less (my overall work experience has been 2 years, all of it in core security architecture development and implementation; virtualization is like a few weeks now, mostly at home, and a server coming up next week).
    I’ve been intrigued with how virtualization, if used in the right way, can solve so many security problems (although most would say it gives rise to many security concerns too, and that’s true in its own way).
    I didn’t want to Google this and go over 100’s of pages (not 1000’s yet) of how cloud computing is going to be a security nightmare (I think I read this on Cisco’s web page), but I want to know from you (members here) what you think about how cloud computing will impact security architecture as it stands now, or cloud computing and its security aspect as a general topic. You may also put your general questions / comments / opinions about cloud computing.


    I will be using material in this thread towards a paper I’m writing on cloud computing. The paper will focus on “security” aspect of cloud computing.

    Thank you ALL in advance.

    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    Most of the security threats we've seen have been to the guest OS rather than the virtualization (at least at the bare metal level compared to the hosted level, which has more ties between the OS and the Hypervisor). It'll be interesting to see what new threats are developed for this environment as time goes on.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    True MS.. (For some reason I knew you'll be the first to reply.. )

    Anyway, with virtualization come certain risks that people seem to overlook. I completely agree with the statement that in virtualization risk lies in host OS, but with the way virtual servers are put up, security appliances need to be re-designed or you're opening up holes in your network. I am not getting a very good example to explain this but I hope you get it (sorry though) ..

    I'm really excited about my paper (I hope to get it out soon) but right now.. It’s time to head home.. (Rain in Mumbai is a killer .. )
    Parth Maniar,
    CISSP, CISM, CISA, SSCP


  4. #4
    MrLinus
    Well, some things do have to change but the principles are still the same. I know our product is EAL 4+ certified out of the box and the NSA/NIST Guide is out for ESX 3 (http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf). A lot of the consideration is how networking is configured (separate and isolated are preferred, particularly keeping the service console or other management port separate from network storage -- if any -- and the VMs/Cloud's environment). I'd be curious to read the paper after you've completed it.

  5. #5
    Lol.. MS between you and me.. (Actually since I’m saying it here its public) anyway I wanted to write a paper detailing "something" that I’ve found interesting for a long time..Trust me my first choice was how to secure Winxp or something

    But then I moved to VM's and now this.. I promise by the time I’m done I'll have something good to read upon.. Anyway there WILL be some delay.. I'm trying to give GCIH and PMI ..

    Anyway it’s nice to know that AO isn't completely dead ..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP


  6. #6
    Hey I just went over Trend's documents and presentation (sales-oriented) describing how they are using cloud computing for their anti-malware / enterprise grade products..

    I really don't like the way they have done this! I mean it's stupid and actually decreases the security level provided.. It does decrease the time frame for new malware to be detected but provides much less security too..

    Can we discuss this? (PM / IM maybe, please )
    Parth Maniar,
    CISSP, CISM, CISA, SSCP


  7. #7
    MrLinus
    Quote, originally posted by ByTeWrangler:
    Hey I just went over Trend's documents and presentation (sales-oriented) describing how they are using cloud computing for their anti-malware / enterprise grade products..

    I really don't like the way they have done this! I mean it's stupid and actually decreases the security level provided.. It does decrease the time frame for new malware to be detected but provides much less security too..

    Can we discuss this? (PM / IM maybe, please )

    I'd be interested in discussing it but if it's ok, can we get into the in-depth discussion next week after Monday morning? I'm in the process of studying for my VCP 4 Beta exam (it's rather lengthy) and want to pass it on first go but I know it'll be longer than the regular exam.

  8. #8
    ALL THE BEST FOR YOUR EXAMS !

    YOU WILL PASS I'M SURE !

    Parth Maniar,
    CISSP, CISM, CISA, SSCP


  9. #9
    nihil (Senior Member) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    Funny things clouds...........they are woolly, fuzzy, and obscure your vision. But, every one of them has a silver lining, or so the saying goes.

    At least that seems to be the hope of Google, Microsoft, IBM, Sun Microsystems and everyone else who seems to be trying to jump on this "cloud computing" bandwagon............or will it be a gravy train?.............they wish!

    There is no such thing as "The Cloud" other than in the imaginations of marketing drones and media hacks.

    It already has a name as it happens.............it is called "The Internet"

    So, given that we are really talking about "Internet Computing", I would suggest that these are a few of the areas where security needs to be considered:


    1. Everything is a service so who is responsible for controlling and securing it?
    2. Who audits their stewardship of these responsibilities?
    3. Who hires and vets the staff?
    4. Who ensures regulatory compliance and how?
    5. Location of data.
    6. Encryption and secure data transfer.
    7. Access control; both physical and remote.
    8. Disaster recovery.
    9. Business continuity.
    10. Forensics.



    It might be useful to look at stuff on e-commerce security, as a lot of the issues will be similar.

    P.S. Good Luck MsM!

  10. #10
    Cider (Only african to own a PC!) | Join Date: Jun 2003 | Location: Israel | Posts: 1,683
    Byte, well, we have moved over to cloud computing for over two years now and everything is going good so far.

    Could you explain the security aspect, because as a "Management Hosted Service" with our product such as Managed Office Protection, it makes it relatively easier for the customer as no infrastructure needs to be installed at the premises besides the resident, which is light due to "scanning" from the cloud.

    I'm also very interested in this topic, don't make it a private discussion.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein
