Monday, December 19, 2011

Security observations from Gartner’s Data Center Summit

Neil MacDonald from Gartner often writes and speaks about the security problems around virtualization and now cloud. In the following blog post:
        http://ow.ly/84qXe
he gives observations from Gartner’s US 2011 Data Center Summit: “Interest in securing the next-generation virtualized data center remains high and the focus is shifting to how to separate workloads of different trust levels.” He believes that we will need software-based virtualized security controls. Different solutions are needed at different layers of the stack from the executing VMs down to the storage, backups, …
He also raises two important points:
  • In terms of cloud security, most questions revolved around extending enterprise virtualized data centers to public cloud IaaS providers in hybrid scenarios and how to protect this.
  • The second most common cloud security issue discussed was the use of encryption and other approaches to securing data in the cloud. Since cloud isn’t one thing, our approaches to securing data in the cloud will be different at different layers.
This echoes what I hear in many of the conversations I've had over the last several months. There is an overwhelming desire to utilize the public cloud but much caution around how to do so securely. The more savvy organizations are not going to put anything in the cloud if it’s not encrypted and they want to hold the keys. When asking one specific enterprise what they thought about S3 encryption, the answer came down to key management – if they don’t hold the keys, it’s of no use to them.

Thursday, December 8, 2011

My data in the cloud just got taken!

I just read an interesting and frightening blog entry by Pete Malcolm:

    http://wp.me/p1yZe9-78

in which he talked about how systems (and therefore your apps and data) can be taken from a service provider's premises by the FBI under the Patriot Act.

In November, this occurred within a data center in Virginia where the FBI went in and took 59 servers after making queries about a specific range of IP addresses. All 59 servers were returned but it took the provider, DigitalOne, 3 days to get most of the servers/apps back up and running. In some cases, they were unsuccessful.

So although there may have only been one “bad guy”, it seems clear that there were apps (VMs) from multiple customers across those servers.

As Malcolm writes, the lesson to be learned here is that if you’re using computing facilities that you don’t own (in the public cloud), you should assume that you’re sharing those systems with others. He also writes that this can have serious consequences for your systems, apps and your data.

Once again, this speaks to the concerns that organizations have about moving to the public cloud. You need to retain some level of control: if you move sensitive data to the cloud, make sure it’s encrypted in transit and at rest, and make sure that any backups are also encrypted. Further, if you can control the encryption keys, you could avoid losing data to whoever takes any servers (or storage).