Security
Blended Cloud Environments – A Financial Services Use Case
By Damon Miller, Director of Technical Field Services
One of the most interesting trends in cloud computing is the emergence of “hybrid” solutions which span environments that were historically isolated from one another. A traditional data center offers finite capacity in support of business applications, but it is ultimately limited by obvious constraints (physical space, power, cooling, etc.). Virtualization has extended the runway a bit, effectively increasing density within the data center, but the physical limits remain. Cloud computing opens the door to huge pools of computing capacity worldwide. This “infinite” capacity is proving tremendously compelling to IT organizations, providing on-demand access to resources to meet short and long-term needs. The emerging challenge is integration—combining these disparate environments to provide a seamless and secure platform for computing services. CloudSwitch provides a software solution that allows users to extend a data center environment into the public cloud securely without modification of workloads or network configurations. I’d like to discuss a specific example of how CloudSwitch delivered a solution which spanned environments in a corporate data center and external cloud.
A large financial services company approached us some time ago with an ambitious plan to leverage cloud computing as a strategic initiative within the organization. Their goals were to reduce operating costs, improve responsiveness to the various business units, and differentiate themselves within the industry through technological innovation. Security was a fundamental requirement and a number of risk assessment groups were involved throughout the design and evaluation phases of the engagement. Finally, this company also wanted to leverage a traditional colo environment from their cloud vendor to provide high-speed access to shared storage while also supporting their traffic monitoring equipment. After a period of technical diligence, we established a reference architecture which satisfied all internal security requirements while remaining true to the fundamental goal of moving to a dynamic cloud environment. The result was a true realization of the hybrid model.
In the customer’s reference architecture, there are three primary components:
- Internal data center environment hosting the CloudSwitch Appliance (CSA)
- Private colo environment hosting the CloudSwitch Instance (CSI) and CloudSwitch Datapath (CSD) as well as shared storage for cloud instances
- Public cloud environment hosting customer workloads
The CloudSwitch Appliance is deployed into the customer’s data center environment to allow central management of one or more colo environments. Each of these environments supports an isolated cloud deployment, for example for a particular business unit. CloudSwitch’s virtual switch and bridge components are implemented for high-speed connectivity between cloud servers and shared storage. Finally, the public cloud environment is used to host actual customer workloads (operating systems). Network communication and local storage are protected through CloudSwitch’s secure overlay network and transparent disk encryption functionality.
This approach yields several benefits:
- Multiple instances of this dedicated environment can be independently deployed to support different business units
- High-speed access to the enterprise cloud environment is available since the colo environment is physically located in the same facility
- Physical infrastructure can be deployed into the colo environment in support of cloud servers—for example, shared storage devices
- Dedicated firewalls can be deployed and traffic inspection is possible, satisfying the security groups’ requirements
The reference architecture supports the organization’s high-level goals while remaining compliant with all existing security and regulatory requirements. Cloud servers have high-speed access to shared storage as a result of the colo deployment alongside the public cloud environment. All network traffic and storage is encrypted automatically through CloudSwitch’s security capabilities, and through CloudSwitch’s role-based access controls (RBAC) the security team has centralized control over who is able to access each cloud environment. The end result is a deployment model which truly implements a hybrid environment combining resources from the public cloud with traditional colo resources to deliver a secure, scalable platform for dynamic computing.
Is Encryption the Solution to Cloud Computing Security and Privacy?
By Guest Blogger Erik Heels, Partner at Clock Tower Law Group, experts in patent law
Wikipedia defines "cloud computing" as "the logical computational resources (data, software) accessible via a computer network (through WAN or Internet etc.), rather than from a local computer." Managing local computers is hard: there are security issues, computer lifecycle issues, accessibility issues. Cloud computing, ideally, is easy: set it and forget it, access your data from anywhere, outsource your IT headaches to your service provider. To end users, whether individuals or companies, "the cloud" is an abstraction, a computing environment that can expand to suit users' needs.
What's The Problem?
One problem with cloud computing is that both cloud computing providers and law enforcement agencies can access your files, usually more easily than if you stored the files on your own computer.
Also, security breaches, like the much-publicized Dropbox security breach, during which all Dropbox accounts were accessible to all users without any password protection, can occur in the cloud.
For users, it is important to know whether your data is secure, who can access it, and what happens when there is a security breach.
For service providers, it is important to comply with both US and non-US laws including (1) data retention laws, which are ostensibly designed to help law enforcement entities do their job and (2) data disclosure laws, which are ostensibly designed to help users know when their private information has been compromised.
Is Encryption The Answer?
Most cloud computing providers (1) authenticate (e.g. transfer usernames and passwords) via secure connections and (2) transfer (e.g. via HTTPS) data securely to/from their servers (so-called "data on the wire"), but, as far as I can tell, none (3) encrypts stored data (so-called "data at rest") automatically.
So if you want your data to be secure in the cloud, then consider encrypting the stored data. And don't store your encryption keys on the same server! It is unclear whether a cloud computing provider could be compelled by law enforcement agencies to decrypt data that (1) it has encrypted or that (2) users have encrypted, but if the provider has the keys, decryption is at least possible.
I have used and abandoned both Microsoft's Encrypting File System (EFS) and Apple's FileVault for encrypting data on my desktop computers. But desktop encryption is painfully slow! Perhaps cloud computing providers can leverage the power of their data centers to make the performance hit of encryption-decryption imperceptible to the user. That would be cool. And would make the benefits of cloud computing greatly outweigh the risks.
Here are three security questions you should ask of your cloud computing provider:
- Data on the Wire. Are files transferred to/from cloud servers encrypted by default?
- Data at Rest. Are files stored on cloud servers encrypted by default?
- Data Retention. If files on cloud servers are encrypted and there is a request from law enforcement to decrypt the data, then what do you do? Bonus question: What if you have the key(s)?
I searched for answers to these questions for four cloud computing providers (sourced in part from TechTarget's list of top cloud computing providers and Wikipedia's list of cloud computing providers) that are popular with small businesses like mine:
Simple Google searches of these providers' websites provided more questions than answers on the topic of encryption:
- search Amazon.com for encryption
- search Google.com for encryption
- search Apple.com for encryption
- search Dropbox.com for encryption
Cloud service providers need to do a much better job of communicating what is and what is not secure about their offerings. For example, I would characterize Dropbox's security page as misleading at best:
"Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military.... Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule."
Just because your files are transferred securely to Dropbox does not mean they are stored in an encrypted format on Dropbox's servers. And it is the "rare exception" that is, or should be, the concern of users.
For More Information
- International Association of Privacy Professionals: Ten Steps Every Organization Should Take To Address Global Data Security Breach Notification Requirements. I would add "11. Get insurance" and "12. Get a good lawyer."
- Electronic Frontier Foundation (EFF): Surveillance Self-Defense. What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?
- Electronic Frontier Foundation: Mandatory Data Retention. Regarding controversial laws that require Internet Service Providers (ISPs) to collect and store records documenting the online activities of users.
- PrivacyLawCompliance.com. Law firm specializing in helping Massachusetts companies comply with privacy laws.
- ZDNet: Microsoft Admits Patriot Act Allows Access To EU-Based Cloud Data
- Centre for Commercial Law Studies (CCLS) at Queen Mary, University of London: 'Personal Data' In The UK, Anonymisation, and Encryption
Summary
As more individuals and companies move their computer files and computer applications from local client computers (over which they have a great deal of control) to remote server computers (over which they have limited control), security becomes a bigger concern - both for users and for service providers.
Erik J. Heels is an MIT engineer; trademark, domain name, and patent lawyer; Red Sox fan; and music lover. He blogs about technology, law, baseball, and rock 'n' roll at ErikJHeels.com. His law firm, Clock Tower Law Group, represents cool companies such as CloudSwitch.
SharePoint in the Cloud
By Pavan Pant, Director of Product Management
As customers continue their march to the cloud we have heard from a large number who want to use SharePoint Server in the cloud. Two major concerns that show up frequently are migration of existing custom deployments and data security.
These organizations have spent years customizing their SharePoint deployments so they work just right in their environment, and moving to the cloud is a daunting proposition. Consider a scenario where a customer has deployed SharePoint and each department has its own intranet and individual sites for employees – the proliferation of these sites across organizations and the customization required has created a situation where customers typically stay away from using the cloud for their existing SharePoint deployments and start from scratch in the cloud.
We’ve also heard from customers who already have SharePoint deployed in their data centers with sensitive content (e.g., PII information) and would love to take advantage of the elasticity the cloud has to offer but have security concerns about using the cloud. In a shared multi-tenant environment customer data needs to be protected from unauthorized access at all times, and must be off limits to cloud providers. This essentially means that customers need full disk and network encryption to protect their data while it is at rest and in motion.
CloudSwitch allows you to take your existing SharePoint deployments and run them in the cloud without requiring any changes to your application or networking. In addition, all your data remains secure – we provide full network and disk encryption (including encryption of the boot partition) in the cloud to ensure that your content remains secure while in transit to the cloud and in the cloud itself. Most importantly, the disk encryption keys remain in your control as opposed to being stored and managed with the cloud provider.
One of our customers is a large health insurance company that has sensitive patient data and other information in their SharePoint content management system. Their primary goal was to offload their ongoing management of the SharePoint servers in their data center and use Amazon’s public cloud. This would allow them not only to lower their costs but also to take advantage of the elasticity offered by the public cloud. The configuration in their data center is a two-tier SharePoint deployment – one server runs SQL while the other runs both the SharePoint Content Server and the Front-End IIS server.

With CloudSwitch’s software in place in their internal VMware environment, this customer was able to migrate their existing SharePoint deployment to the cloud securely, simply and without any changes whatsoever (IP address, MAC address, network configurations, etc.). Their end users can access and use the SharePoint sites for content management exactly as they did in the data center. SharePoint administrators are able to add servers to the farm, cluster the SQL server and burst in the cloud as needed just as they would in the data center but with all their security needs being met. Also, with the “infinite” scalability of the cloud, they no longer need to worry about the time it takes to buy and install new storage. They can allocate new resources to their cloud SharePoint deployment in minutes.
In addition to all this, the customer can also continue using their Active Directory installation in the data center to control authentication and authorization to the SharePoint portal – again, all of this without installing any agents or software on servers in the customer’s data center or any agents for the customer’s servers in the cloud.
Leveraging the Cloud
I recently attended a cloud computing panel where one of the panelists was lamenting how SharePoint was never architected with the cloud in mind because cloud providers like Amazon impose networking and storage constraints (e.g., dynamic IP address and ephemeral storage) that SharePoint does not handle well. Some of the main reasons to deploy SharePoint in a multi-tenant environment are to consolidate resources and take advantage of the scale the cloud offers – by having multiple users in a single deployment that can take advantage of storage as you grow. Many enterprises have been shying away from using SharePoint in the cloud because of concerns around security, storage management and networking implications. That applies only if you think about the cloud as an opaque system where only the cloud provider can control networking, security and configuration. With CloudSwitch, all of the control is shifted back to the enterprise and the users can run their existing processes and applications. We do all the heavy lifting for you so you can move your SharePoint deployments to the cloud and get started today!
A Cloud Security Bill of Rights
By Dave Armlin, Director of Customer Support at CloudSwitch
Cloud security remains a top concern for enterprise cloud deployments. Unresolved policy and control issues make it difficult to meet the requirements of corporate security and networking teams. As a result, we frequently hear from our customers that they assume they can only put the lowest-risk data and applications into the cloud – or that their cloud projects are on hold till the security issues get resolved. This is a major limitation for cloud adoption, often creating a false belief that the cloud only works for apps “that don’t matter,” or for companies who are willing to take risks.
Customers Have the Right to Demand More
We believe that customers have the right to demand more from the cloud industry when it comes to security. They know the levels of security needed across the range of apps and data in their portfolios. And they shouldn’t have to settle for anything less than the security and control they’ve put in place internally.
Here’s what customers have the right to expect regarding cloud security:
- The right to control their data: In the shared environment of the cloud, customer data needs to be protected from unauthorized access at all times, and must be off limits to cloud providers and their technology partners. This means that data needs to be encrypted end to end, from inside the corporate firewall, across the Internet, and within the cloud — in storage, during processing, and in transit through the cloud network. The cloud should be a seamless extension of the customer’s IT environment, while the cloud provider sees only an encrypted connection running into its virtual servers and storage.
- The right to own their encryption keys: The biggest encryption challenge in the cloud involves managing the encryption keys used to decrypt data. The standard practice of storing the keys in the cloud and exposing them to the cloud provider greatly reduces the effectiveness of encrypting the data in the first place. Storing keys in virtual storage alongside the data also defeats much of the protection since if someone gains access to the disk, they will have both the data and the keys needed to access it. Thus the control of the encryption keys needs to stay with the customer at all times, with keys delivered securely to the virtual machines in the cloud only when needed to decrypt the data for processing.
- The right to their access policies: For many enterprise applications, the only way to use the cloud safely is for the customer to use their own security policies and remain in control of them in the cloud. System administrators already have controls in place, typically with Active Directory, and use Role-Based Access Control (RBAC) to define users, groups, and roles to control access to applications and computing resources. A customer should be able to extend the internal security policies out to the cloud, so roles and permissions are consistent regardless of where a workload runs.
- The right to their network services: Every enterprise has a unique network infrastructure and configuration settings for providing connectivity between servers and applications. This includes a combination of things like addressing, related services (DHCP/DNS), identity and directory services (LDAP/Active Directory), WAN optimizers, load balancers, and firewalls. Cloud providers have completely different network architectures designed to support their multi-tenant environments. Customers should be able to choose whether they want to use the cloud provider’s network services or extend the products they’ve already put in place internally (many of which are now available in the cloud as virtual appliances).
- The right to their compliance processes: If the business depends on the ability to demonstrate compliance with government or industry regulations, the customer already has proven processes in place. Customers should be able to extend those compliance processes into the cloud, rather than be required by the cloud provider to adopt a whole new set of guidelines and procedures.
- The right to put their data where they want: Often, data must legally reside in specific geographic locations (e.g., EU, Canada), but the rest of the app tiers can be located wherever makes sense for performance and latency reasons. Customers should be able to put their data in the most suitable environment and move it when needed, whether to a preferred cloud or back to the data center, without being constrained by a particular cloud platform or technology stack. Applications should be able to run across multiple networks, geographic locations and computing environments, tying back seamlessly to processes running in the data center.
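The key-ownership point above, and the earlier advice not to store encryption keys on the same server as the data, can be made concrete with envelope encryption. The following Go sketch is an added example, not CloudSwitch code: the function names, the `CloudBlob` layout, the use of AES-256-GCM and the volume identifier are all assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudBlob is everything the provider stores. It holds no usable key material.
type CloudBlob struct {
	WrappedKey []byte // per-volume data key, encrypted under the customer-held key
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal authenticates and decrypts a value produced by seal.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForCloud runs on the customer side. It encrypts data under a random
// data key, then wraps that data key under the customer's key-encryption key
// (KEK). Both values are bound to volumeID so a blob cannot be replayed
// against a different volume.
func EncryptForCloud(kek, data []byte, volumeID string) (CloudBlob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudBlob{}, err
	}
	ct, err := seal(dek, data, []byte(volumeID))
	if err != nil {
		return CloudBlob{}, err
	}
	wrapped, err := seal(kek, dek, []byte(volumeID))
	if err != nil {
		return CloudBlob{}, err
	}
	return CloudBlob{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud needs the KEK, which never leaves the customer's control.
func DecryptFromCloud(kek []byte, blob CloudBlob, volumeID string) ([]byte, error) {
	dek, err := unseal(kek, blob.WrappedKey, []byte(volumeID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, blob.Ciphertext, []byte(volumeID))
}

func main() {
	// Constructed for the demo; a real KEK would live in an on-premises key store.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	blob, err := EncryptForCloud(kek, []byte("constructed sample record"), "vol-example")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromCloud(kek, blob, "vol-example")
	fmt.Printf("with customer key:    %q err=%v\n", pt, err)

	// Anyone holding only the stored blob (no KEK) cannot recover the data key.
	_, err = DecryptFromCloud(make([]byte, 32), blob, "vol-example")
	fmt.Printf("without customer key: err=%v\n", err)
}
```

Storing the unwrapped data key next to `Ciphertext` would reproduce the weakness the bullet describes: whoever reads the disk gets both the data and the key.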
For Cloud Providers, It’s Time to Step Up
Making these rights available to cloud customers is not easy; otherwise cloud providers would have done it already. But if customers don’t set their standards high, they’ll start making compromises, either in the level of security they’re willing to accept or the types of workloads they’re willing to put in the cloud. For their part, cloud providers and their technology partners need to give customers the same security and control they already expect internally so they can use the cloud without risk and without constraints. Customers have the right to demand a safe environment for their apps and data — when the cloud industry can deliver it, everybody wins.
In-Path WAN Optimization for your Cloud Deployments with CloudSwitch and Riverbed
By Pavan Pant
As our enterprise customers embrace the cloud, we’ve been hearing a growing demand to help them optimize enterprise network connectivity as they scale their cloud deployments. At CloudSwitch, we’ve been thinking about the issue of network optimization for quite some time now and working with partners like Riverbed to tackle network performance in the cloud.
Today we are pleased to announce our support for Riverbed’s Cloud Steelhead® to help customers optimize their hybrid cloud deployments. Many of our existing customers have already invested in Riverbed infrastructure in their data centers, and want to extend these trusted resources into the cloud. The primary drivers for WAN optimization in hybrid cloud architectures are twofold:
- Improving network performance between data centers and the cloud for better end-user experience
- Reducing bandwidth between the data center and the cloud, thereby reducing cloud costs
In a hybrid model the public cloud acts as a remote data center, making infrastructure resources available to distributed teams of users, but requiring connectivity back to corporate data center resources. Riverbed’s WAN optimization technology can reduce bandwidth requirements and accelerate a number of applications and protocols including Windows file shares, NFS servers and Oracle forms. Riverbed’s innovations in data compression, de-duplication, and other techniques enable much more efficient data movement between customer data centers and the cloud, while freeing up bandwidth for other applications. In our testing we have seen anywhere from a 5 to 100x improvement in your application’s performance, and 60-80% reduction in bandwidth costs.
Simple and Secure Deployment in the Cloud
Our joint solution allows customers to easily select Riverbed’s Cloud Steelhead from CloudSwitch’s network library and launch it unmodified in the Amazon EC2 and Terremark clouds. The user can simply select the cloud networks they would like to optimize, and the Riverbed appliances will take it from there – automatically selecting the network traffic and applications to optimize.

Once Riverbed’s Cloud Steelhead is running in the cloud on CloudSwitch’s isolation technology, customers simply enable automatic peering through Riverbed’s user interface. This ensures that network traffic is optimized as soon as servers in the data center try to communicate with servers in the cloud or vice-versa. In addition, CloudSwitch ensures that all communication and data are automatically encrypted so that your extension of infrastructure into the cloud is always protected, end to end.
CloudSwitch allows Cloud Steelhead to be deployed in-path so that all network traffic on the optimized LAN for your servers in the cloud runs through Cloud Steelhead. This allows the WAN optimizer to accelerate cloud traffic automatically without requiring any additional modifications (no agent installations, no drivers, no changes) to your servers in the cloud. This is the unique advantage CloudSwitch offers – simplicity, security, and the ability to offer WAN optimization with full configurability and control by the enterprise.
Our mission at CloudSwitch has always been to make it easy and secure for customers to launch virtual machines in the cloud. Last year, we enabled public IP access to cloud resources by adding an open-source firewall to our network appliances library. As we learn more from our customers about their requirements, we continue to build our library of partner offerings, demonstrating the strength of our platform and our ability to act as a cloud gateway. We’re excited to support Riverbed’s Cloud Steelhead and are hard at work integrating with market-leading firewalls, load balancers, storage appliances and other devices. Our software lets joint customers easily deploy these virtual appliances in the cloud with secure, in-path configurations to enable much more efficient data movement and scalability in the cloud.
To learn more about how enterprise customers are optimizing the cloud today, please join our upcoming webinar with Riverbed, “Optimizing Your WAN Connectivity for Hybrid Cloud Deployments.”
Protecting Your Cloud Deployments with Enterprise-Class RBAC
By Pavan Pant
We recently talked about CloudSwitch’s security model while highlighting our integration with Active Directory. Our architecture addresses three areas of protection which we believe are required to make the cloud secure for enterprises – security within the data center, between the data center and the cloud, and within the cloud itself. Given that this is an area of paramount importance for enterprises I thought it would be useful to continue with the theme of security by discussing our role-based access control (RBAC) model. CloudSwitch’s RBAC capability is directly related to protecting resources in your data center from unauthorized access, while also controlling the privileges users have over cloud resources.
Years of experience in enterprise software development have taught us that retro-fitting an access control model is not a viable option – it’s like closing the barn door after the horse has bolted. Our solution was built from the ground up with an RBAC mechanism in place. We developed a granular RBAC model which allows administrators to delegate permissions across users and groups using roles and access control lists (ACLs) defined by a CloudSwitch administrator.
This gives customers the ability to group users with similar job functions into roles, and to give them authorizations to perform actions on objects in CloudSwitch. Our objects are entities such as folders, virtual machines, cloud accounts, etc. Using our RBAC capabilities allows customers to create a least-privileged access control model by only providing users with access that is absolutely essential for cloud operations. Every object and action in our system can be assigned to an ACL so that an administrator can enforce policies for cloud usage, cloud control, and local resource control. This approach allows customers to select roles in which users can operate, and the capabilities of each role are based on those users’ expected responsibilities. For example, a developer role might have permissions to create, clone, start, stop, and delete servers, whereas an operator role might only have start and stop permission.
Another important point here is that administrators can grant or revoke privileges on a CloudSwitch object independent of what the role does. As an example, you may have a set of IT administrators with privileges in CloudSwitch to start, stop, and delete servers that are running in the cloud. However, there could be a specific subset of production servers that you may not want even the IT administrators to control. With our RBAC model you can grant users permissions across the whole system with the ability to restrict access for specific servers.
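A small model of the evaluation described in the two paragraphs above: roles carry system-wide permissions, and an ACL on an individual object can grant or revoke an action regardless of the role. This is an added example in Go, not CloudSwitch's implementation; the type names, the precedence order (object-level revoke, then object-level grant, then role permissions, then deny) and the sample users and servers are assumptions.

```go
package main

import "fmt"

// Action is an operation a user may attempt on an object.
type Action string

// ACLEntry grants or revokes one action for one role on a single object,
// independent of what the role allows elsewhere.
type ACLEntry struct {
	Role   string
	Action Action
	Allow  bool
}

// Object stands in for a managed entity such as a server or server template.
type Object struct {
	Name string
	ACL  []ACLEntry
}

// Policy holds role definitions and role membership.
type Policy struct {
	RoleActions map[string][]Action // role -> actions granted system-wide
	UserRoles   map[string][]string // user -> roles held
}

// Check reports whether user may perform action on obj, and why.
// Assumed precedence: an object-level revoke always wins, then an object-level
// grant, then the role's own permissions; anything else is denied.
func (p Policy) Check(user string, action Action, obj Object) (bool, string) {
	roles := p.UserRoles[user]
	if len(roles) == 0 {
		return false, "user holds no role"
	}
	held := make(map[string]bool, len(roles))
	for _, r := range roles {
		held[r] = true
	}
	granted := ""
	for _, e := range obj.ACL {
		if !held[e.Role] || e.Action != action {
			continue
		}
		if !e.Allow {
			return false, "revoked on " + obj.Name + " for role " + e.Role
		}
		granted = "granted on " + obj.Name + " for role " + e.Role
	}
	if granted != "" {
		return true, granted
	}
	for _, r := range roles {
		for _, a := range p.RoleActions[r] {
			if a == action {
				return true, "permitted by role " + r
			}
		}
	}
	return false, "no role permits " + string(action)
}

// SamplePolicy returns constructed roles, users and objects for illustration.
func SamplePolicy() (Policy, map[string]Object) {
	p := Policy{
		RoleActions: map[string][]Action{
			"developer": {"create", "clone", "start", "stop", "delete"},
			"operator":  {"start", "stop"},
			"it-admin":  {"start", "stop", "delete"},
		},
		UserRoles: map[string][]string{
			"alice": {"developer"},
			"bob":   {"operator"},
			"carol": {"it-admin"},
		},
	}
	objs := map[string]Object{
		"dev-web-01": {Name: "dev-web-01"},
		// Production server that even IT administrators may not control.
		"prod-db-01": {Name: "prod-db-01", ACL: []ACLEntry{
			{"it-admin", "start", false}, {"it-admin", "stop", false}, {"it-admin", "delete", false},
		}},
		// Read-only template: developers may clone it but not change it.
		"gold-template": {Name: "gold-template", ACL: []ACLEntry{
			{"developer", "start", false}, {"developer", "stop", false}, {"developer", "delete", false},
		}},
		// Per-object grant beyond what the operator role normally allows.
		"scratch-01": {Name: "scratch-01", ACL: []ACLEntry{{"operator", "delete", true}}},
	}
	return p, objs
}

func main() {
	p, objs := SamplePolicy()
	fmt.Println(p.Check("alice", "clone", objs["gold-template"]))
	fmt.Println(p.Check("alice", "delete", objs["gold-template"]))
	fmt.Println(p.Check("bob", "delete", objs["dev-web-01"]))
	fmt.Println(p.Check("bob", "delete", objs["scratch-01"]))
	fmt.Println(p.Check("carol", "delete", objs["dev-web-01"]))
	fmt.Println(p.Check("carol", "delete", objs["prod-db-01"]))
}
```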
These controls take on even greater significance as customers move production workloads to the cloud. With that in mind I thought it would be useful to walk through some of the RBAC use cases we have heard about from our customers, and how CloudSwitch can be configured to meet those use cases.
RBAC Use Cases
Use Case 1: Creating Sandboxes in the Cloud for Developers and QA
One of our large customers in the pharmaceutical space was running into a problem where their research scientists were increasingly faced with delays in gaining access to computing resources primarily due to a large and growing IT organization. They wanted to use the public cloud for their computing needs as an alternative to using internal IT resources.
Their primary objective was to deliver a streamlined solution to their developers which would allow them to clone read-only gold images created by administrators. The process needed to be as simple as possible with the appropriate security controls in place to prevent developers from modifying the images shared with them by administrators.
With CloudSwitch, this customer’s administrators were able to easily upload their gold image to the cloud, provision a server template in the cloud using the gold image and place it in a folder structure within CloudSwitch that only developers could access. Once that step was complete, the customer used our RBAC model to ensure that developers had permissions to clone the server template made available by the administrators and permissions to perform server lifecycle actions on the cloned server (start, stop, delete, power off, add NICs, add disks).
The end result was that developers could easily log in to CloudSwitch’s user interface, clone the administrator template that was made available to them, start that cloned server in the cloud and shut it down when their work was complete. This was a much quicker and more cost-efficient way to get access to compute resources in the cloud, especially when compared to the customer’s previous approach of waiting for resources from their IT department. It also ensured that the developers had just the right amount of privileges to perform their daily activities in the cloud.
Use Case 2: Network Administrator Privileges
Our customers have also frequently asked us about separating out permissions such that only specific users have the ability to modify network settings for cloud networks. Customers wanted each department to control their own network mappings without allowing other users or groups to modify the networking configuration.
To solve this problem with CloudSwitch you would simply create a role (e.g., a Network Admin role) and define an ACL where only users in that role would have the ability to configure the network and NIC configuration for servers in the cloud, or even networking configurations for CloudSwitch components. You could even go a step further by creating a “Network Administrator Subnet 1” role for servers on a specific subnet in the cloud, and a “CloudSwitch Network Admin” role for users who only have permissions to manage networking configurations for CloudSwitch components such as the CloudSwitch Appliance which resides in your data center or private cloud.
Other Common Use Cases
Other customer scenarios involve using RBAC to define and limit which import sources can be moved to the cloud, and which target clouds can be used. CloudSwitch allows customers to migrate virtual machines from VMware or Xen to the public cloud without making any changes to the virtual machine (e.g., no changes to the kernel, OS, IP address, MAC address, storage controllers, subnet information, etc.). As part of this process, you can define import sources from VMware or Xen in the user interface, and specify which roles get access to those resources. You can create multiple import sources in CloudSwitch for different groups within the organization while ensuring that the appropriate people or groups (e.g., Development, Quality Assurance) have the right amount of access to these import sources. We have also had cases where customers want to restrict which cloud regions (or cloud providers) certain groups have access to. For example, one of our customers wanted most of their users to deploy in Amazon’s US-East region since it is cheaper than US-West. However, there was a group on the west coast that really benefited from the geographic proximity of using US-West. CloudSwitch’s RBAC model allowed this customer to grant that one group access to the more expensive resources in US-West while the rest of the organization was restricted to using resources in US-East.
These are the types of granular access control capabilities that a growing number of customers have requested, especially as they move production workloads to the cloud. It has been great to see large enterprises across verticals using our RBAC capabilities to secure their cloud deployments, from the data center, to the cloud and within the cloud. CloudSwitch was designed with the hybrid cloud in mind and our core value proposition lies in the ability to securely transport your virtual infrastructure to the cloud provider of your choice without requiring any modifications. A large part of that vision hinges on giving enterprises the ability to control the type of access people have both in your data center and in the cloud. We’ve built a solution that gives customers the ability to use their existing security policies and permissions in the cloud instead of creating new ones for their cloud deployments.
Active Directory Integration Now Available for Stronger Cloud Security
Security concerns about the public cloud have always been a top priority here at CloudSwitch. Moving to the public cloud is fraught with potential risks and security managers have legitimate concerns about data integrity, an opaque security model in the cloud and unauthorized access by cloud administrators. The question is: how can you protect information in a shared multi-tenant environment just as you would within the secure confines of your data center? With that question in mind, I thought it would be useful to review CloudSwitch’s security model while also discussing an exciting new feature we’ve just released: integration with Microsoft Active Directory (AD) 2003 and 2008.
The CloudSwitch Security Model
Our customers have stringent requirements not only to protect their data in the cloud but also to protect communication paths from the data center to the cloud. CloudSwitch delivers a solution for both by providing full encryption of all data and communications for cloud deployments. From the moment data moves out of the data center to the cloud, it is automatically encrypted at the block level, which means every bit of data on a disk is transparently encrypted so that no unauthorized users can do anything with the data even if they manage to get their hands on it. We also provide a secure, layer-2 tunnel to the cloud so all connections are authenticated and encrypted to prevent data in motion from being exposed or compromised.
Another important and frequently asked question is related to key management. CloudSwitch performs all key management on the CloudSwitch Appliance (CSA) that lives in the data center behind the firewall, and the keys are controlled by the enterprise customer, not by the cloud provider. In a cloud scenario without CloudSwitch in the mix, customers need to store their encryption keys within the multi-tenant environment of a cloud provider, which creates additional security risks and would never pass muster with security-conscious enterprises.
Finally, for applications to run safely in the public cloud, they need to be isolated from the environment around them at all times. Our Cloud Isolation Technology™ automatically builds a secure envelope that encompasses customers’ entire cloud deployment, providing a single integrated environment that allows workloads to run in the cloud with the same protection and control available internally. Once data leaves the physical data center it is isolated at all times as an extension of the enterprise’s security perimeter.
CloudSwitch has worked closely with large financial institutions and pharmaceutical companies—some of the most security-sensitive enterprises out there—to complete rigorous security reviews of the product, and our solution passed with flying colors. This is testament to the work that we put into developing our security strategy by collaborating from the very beginning with CSOs at large enterprises that care deeply about such issues. Veracode has also performed a security review of CloudSwitch’s solution and validated that we met or exceeded the security score outlined in Veracode’s methodology for an “A” rating. We have a comprehensive security story and have now added a critical enterprise capability with an integration point for Microsoft AD.
Active Directory Integration
As our customers embed CloudSwitch software into their daily operations, almost every one has asked us to allow users to log into CloudSwitch using their Active Directory credentials. Customers typically have multiple applications in their data center which leverage AD as a user store and an authentication source – they simply wanted to extend that to users accessing the cloud with CloudSwitch. In our latest release, we’ve delivered the capability for AD users to authenticate against CloudSwitch (e.g., jdoe@abc.com can log in to the CSA with his existing AD credentials).
There are a couple of simple steps to enable this integration point. The first requires an administrator for your CSA to define the hostname and port for your primary and backup AD domain controllers. The next step entails mapping an AD user or group to a CloudSwitch role which ties into our Role-Based Access Control (RBAC) model. We use our RBAC mechanism to define and control different levels of access to the CloudSwitch system for each user. Each object and action in CloudSwitch can be assigned to an access control list so that an administrator can enforce policies for cloud usage, cloud control, and local resource control.
Mapping an AD User or Group to a CloudSwitch Role


A typical scenario is one where you want specific groups of developers to access CloudSwitch by logging into the CSA with their AD credentials, but to be limited by CloudSwitch’s RBAC model once they’re logged in – for example, you may want a model where developers are only authorized to start, stop and clone a server in the cloud. It is important to note that your AD administrators have complete control over which AD users and groups can access the CSA. This provides an additional layer of security by preventing unauthorized access to the CSA. CloudSwitch will continue to leverage your existing AD security policies (e.g., password policy) to authenticate users.
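The AD group-to-role mapping and the scoped roles from the scenarios above (developers limited to start, stop and clone; a subnet-scoped network admin; region-restricted deployment), sketched as a default-deny policy check. This is an added example, not CloudSwitch's code or API; the action names, scope keys and AD group DNs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    action: str          # constructed action name, e.g. "server.start"
    scope: tuple = ()    # required (attribute, value) pairs; empty = any resource


# Roles taken from the scenarios in the text; actions and scope keys are hypothetical.
ROLES = {
    "Developer": [Grant("server.start"), Grant("server.stop"), Grant("server.clone")],
    "Network Administrator Subnet 1": [
        Grant("network.configure", (("subnet", "subnet-1"),)),
    ],
    "Deploy US-East": [Grant("server.deploy", (("region", "us-east"),))],
    "Deploy US-West": [Grant("server.deploy", (("region", "us-west"),))],
}

# AD group DN -> roles (constructed DNs). Keys are casefolded because
# Active Directory compares distinguished names case-insensitively.
GROUP_ROLES = {
    dn.casefold(): roles
    for dn, roles in {
        "CN=Developers,OU=Groups,DC=abc,DC=com": ["Developer", "Deploy US-East"],
        "CN=WestCoastDev,OU=Groups,DC=abc,DC=com": ["Deploy US-West"],
        "CN=NetOps-Subnet1,OU=Groups,DC=abc,DC=com": ["Network Administrator Subnet 1"],
    }.items()
}


def roles_for(ad_groups):
    """Union of roles for the user's AD groups; unmapped groups contribute nothing."""
    roles = set()
    for dn in ad_groups:
        roles.update(GROUP_ROLES.get(dn.casefold(), []))
    return roles


def is_allowed(ad_groups, action, resource):
    """Default deny: allow only when a grant names the action and every
    scope attribute of that grant matches the target resource."""
    for role in roles_for(ad_groups):
        for grant in ROLES.get(role, []):
            if grant.action != action:
                continue
            # A resource that lacks a scoped attribute never matches.
            if all(resource.get(attr) == value for attr, value in grant.scope):
                return True
    return False
```

Because access is derived from group membership at check time, removing a user from the AD group removes the corresponding permissions without touching the role definitions.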
One final point on the AD integration – if you have applications running in the cloud that need to authenticate back to the AD domain controller, those scenarios will work as they always have in the past. This is because CloudSwitch does not make any changes to your applications when migrating to the cloud and maintains connectivity back to the data center. All your existing data center services such as identity management, single sign-on solutions, DNS etc. will continue working as they always did.
We understand that security and data integrity are important considerations for enterprises that are looking to build their hybrid cloud models. CloudSwitch’s security strategy is a key part of our vision to make the cloud a secure, seamless extension of your data center. It is with this security context in mind that we have integrated with Microsoft AD and we expect to have many more integration points in the near future.
After Security, Network Bandwidth is the Next Cloud Bottleneck
By Ellen Rubin
Security concerns (real and imagined) have long dominated much of the cloud conversation and caused many companies to deliberate about getting started in the cloud. Slowly, the security issues are being addressed--through the adoption of corporate policies for cloud usage, maturing cloud provider offerings, and by technologies such as CloudSwitch which isolate and encrypt all cloud resources to meet the requirements of the CSO. But while the focus has been on cloud security, another potential bottleneck is on the horizon as companies start using the cloud in more substantial ways.
In our discussions with IT executives and their teams, we’ve been hearing about a new concern: the ability of corporate networks to handle cloud traffic. Network performance is a lurking issue that hasn’t yet received the attention it deserves. That’s understandable, since bandwidth is rarely a problem for companies exploring the cloud in a small way, where they may deploy a few experimental VMs in order to understand the process. But as they start expanding their cloud footprint and running production-oriented applications, data movement takes on a completely different scale. As enterprises start to move real workloads out to the cloud (or to straddle internal and external clouds), look for network performance to become top of mind.
IT professionals and developers often assume they have huge network capacity, and it’s probably ample for their current Internet usage or the small cloud projects they may have tried so far. But what will happen, for example, when you have dozens of developers all trying to use cloud resources? Or if you put high-transaction processes in the cloud that need to “talk back” to your data center? What if you are trying to move a lot of video or graphics between your business users and the cloud? Network usage is about to get much more demanding, and the traffic will need to flow without bottlenecks (or saturating the network) for an organization’s cloud strategy to work.
Thus potential cloud users will have to do some back-of-the-envelope analysis of the maximum bandwidth they might need and how much additional traffic the network can handle. While the data center (or internal network) is running at speeds of 1Gb and even 10Gb, the connection to the Internet is lagging behind. Today, a “good” Internet connection is considered to be in the 100Mbps range. Some companies have more, and many have less than this capability, so when extending services to the cloud, you have to consider what impact this lower speed could have, and how to deal with it.
This is actually a two-part problem. You have to consider initial data movement: how long will it take to move a terabyte of data over the Internet and into the cloud? What impact will that have on current users and your business? You also have to look at ongoing updating of that data: how much traffic will be flowing back and forth, and what will that mean for your steady state? Will you have to buy more bandwidth for the cloud to be viable? Obviously, any major new capex requirements would be a challenge for cloud adoption.
Fortunately, technologies are emerging that can help optimize your current network and avoid an expensive upgrade. For example, CloudSwitch has a public IP address capability that provides direct access to cloud resources without having to go through the enterprise data center, avoiding what could otherwise be a huge bottleneck. Rather than relying on the Internet connection to the data center, cloud deployments can take advantage of the aggregate bandwidth of end users. This CloudSwitch feature also allows enterprise firewalls and load balancing capabilities to run in the cloud so traffic can flow smoothly and securely. In addition, companies like Citrix, F5, Riverbed, and Cisco are developing software versions of their WAN optimization technologies that can be deployed in the cloud. Their innovations in compression, de-duplication, and other techniques will enable much more efficient data movement so you can make better use of the network you already have.
If you’re the head of IT or Application Development looking ahead to 2011, you probably have some great cloud pilots under your belt, and you’re evaluating moving into the cloud in production mode. Just remember that bandwidth is something you’ll need to think about and prepare for.
CloudSwitch has been thinking about these issues, and together with our partners we’re working on solutions to ensure optimum bandwidth for the cloud. Emerging technologies will allow you to meet the bandwidth demands required by production applications, so you can scale out your cloud footprints without building out your corporate network, leveraging the investments you’ve already made.
Cloud Computing Compliance: Exploring Data Security in the Cloud
By Guest Author, David Mortman
David Mortman, Director of Operations and Security at C3 and former CISO at Siebel Systems, has a proven track record in leading security teams and setting security strategy at several companies, including C3, Siebel Systems, Network Associates, Securosis and Echelon One. David is a regular presenter at RSA and Black Hat and has also presented at SOURCE Boston, Information Security Decisions and the CSO World Congress.
Amid an ever-increasing bevy of regulations that enterprises need to worry about -- from SOX and PCI DSS to HIPAA/HITECH and the FTC's Red Flags Rules -- and a growing number of cloud service providers to choose from, enterprises have a lot of options and a lot of questions to consider concerning cloud computing compliance.
While migrating services to the cloud may provide many benefits, it does not absolve an enterprise of certain responsibilities. Most notably, the enterprise is still required to remain compliant with the assorted regulations and laws that it would fall under had it retained that service inside the company.
In some cases, as with PCI DSS, there is definite potential to reduce a company's compliance scope by outsourcing certain services. Most notably, by wholesale outsourcing the credit card processing to a third-party provider, an organization's PCI scope will be significantly smaller (though not go away completely). With the FTC's Red Flags Rules, however, that is not the case, as the FTC has mandated that any outsourcing must entail equivalent or better security than the enterprise would have implemented internally.
As you start to investigate moving services to the cloud, it's important to ask several cloud computing compliance questions:
1. Does this data that will be moving to the cloud fall under any compliance-related regulations or requirements? This includes data such as Personally Identifiable Information (PII), Personal Health Information (PHI), or corporate finance-related information.
2. If the answer to question one is yes, which regulations does it fall under and what controls are necessary?
3. Can the cloud provider actually offer the identified or equivalent controls that your organization's data requires?
4. Does the cloud provider have the necessary policies, processes and procedures to properly maintain those controls?
5. Does the provider have appropriate disaster recovery and business continuity processes to meet your organization's business needs?
6. What happens if the cloud provider goes bankrupt? Can the enterprise's data be sold to a creditor or at auction as a provider's asset?
7. Should I decide to change providers, is there an easy way to export my data in a useable format?
8. Is the provider willing to alter its default terms of service in order to guarantee or provide service level agreements (SLAs) around questions 3-7?
That last question is particularly important, as many cloud providers refuse to use anything other than their default contract language. As a result, they have effectively eliminated themselves from being potential providers of compliance data-related services. Several of the compliance regulations, most notably HIPAA/HITECH and the FTC Red Flags Rules, specifically mandate that an enterprise must have contracts with its service providers mandating appropriate controls, processes and procedures in accordance with each regulation's guidelines.
Similarly, if the providers can't meet the requirements of questions 3-7, they should also be eliminated from contention for your company's business. Lack of ability to meet requirements is a problem especially when it comes to PCI DSS and HIPAA/HITECH. Thus, you will quickly find that your options for cloud service providers are limited -- at least in the short term -- though rumor has it that several of the larger cloud providers are working on retooling their systems to meet these compliance needs. There are a handful of cloud providers on the healthcare side that have built applications specifically to meet the needs of the healthcare industry, but I have not yet seen any security evaluations of these applications to determine their effectiveness.
In the meantime, I recommend passing the above questions to providers that you're evaluating, much like you would pass them a request for information (RFI) for any other outsourcing project, and then choose the provider that can best meet your needs.
Alternately, if none can, investigate ways of removing or obfuscating the relevant data (such as hashing or encrypting information prior to moving it to the cloud), so your organization can still get the business benefits of the cloud.
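One way to obfuscate regulated fields before a record leaves the data center, shown as an added example that is not from the original article. The field names and the sample record are constructed; the key is assumed to be generated and held on-premises, never stored with the cloud provider.

```python
import hashlib
import hmac

# Field handling is constructed for this example; a real export would derive
# it from the data classification the compliance questions above produce.
TOKENIZE = {"ssn", "email"}              # identifiers replaced by keyed tokens
PASS_THROUGH = {"plan", "signup_year"}   # non-sensitive fields copied as-is
# Any field in neither set is dropped (fail closed), e.g. card data or free text.


def token(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one field value.

    HMAC is used instead of a bare hash: low-entropy identifiers hashed
    without a key can be recovered by hashing every possible value.
    The field name is mixed in so equal values in different fields
    do not produce linkable tokens.
    """
    normalized = value.strip().casefold()
    msg = field.encode() + b"\x00" + normalized.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return the copy of `record` that is allowed to leave the data center."""
    if len(key) < 32:
        raise ValueError("use a random key of at least 32 bytes")
    out = {}
    for name, value in record.items():
        if name in TOKENIZE:
            out[name] = token(key, name, str(value))
        elif name in PASS_THROUGH:
            out[name] = value
        # everything else is silently withheld from the export
    return out


# Constructed sample record (values are placeholders, not real data).
SAMPLE_RECORD = {
    "ssn": "000-00-0000",
    "email": "JDoe@abc.com ",
    "plan": "gold",
    "signup_year": 2010,
    "card_number": "0000000000000000",
    "notes": "free text that may contain anything",
}

if __name__ == "__main__":
    import secrets

    on_prem_key = secrets.token_bytes(32)  # stays behind the firewall
    print(pseudonymize(SAMPLE_RECORD, on_prem_key))
```

Tokens are stable for a given key, so records can still be joined or de-duplicated in the cloud, while mapping a token back to a person requires the key held in the data center.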
Hear more from David Mortman in this recorded CloudSwitch webinar:
Title: “How to Secure the Public Cloud for the Enterprise: Making the Public Cloud Work Like a Private Cloud”
Hubs, Spokes and WANs
By Ellen Rubin
Recently, we’ve had a number of discussions with enterprises about how they’d like to use the cloud. The basic use case is around capacity on-demand (not surprisingly), but the specifics have raised some interesting issues. The companies have distributed branch offices that need the capacity for a range of applications, including dev/test environments as well as back-office and web apps. Today, these distributed groups are relying on corporate IT to meet their scaling and infrastructure needs, and they are frequently bottlenecked. The bottleneck shows up both in getting new capacity approved in a timely way and in network bandwidth. At a panel this week at Interop, Riverbed noted that 2/3 of their enterprise customers have a hub and spoke model that requires the “spokes” to backhaul to the “hub” for connectivity to the internet, and thus to cloud computing services. Only the remaining 1/3 have direct connections. At the same panel, Blue Coat agreed with the stats but commented that the branch sites are trending towards a direct-connect model as new sites are added.
All this is interesting to us at CloudSwitch since we have been hearing more and more frequently from enterprises that want more “edge” computing, and to empower the branch offices to add capacity on-demand in a controlled but self-service way. This creates a set of new requirements around cloud computing, in terms of both networking and security. In the hub and spoke model, corporate IT maintains control over all access to the cloud, which has benefits on the security and permissions side, but creates potential bottlenecks – both in terms of the need for self-service management tools to increase agility, as well as in bandwidth constraints where the backhaul traffic starts to strain the corporate networks. Backhauling also creates strain on the branch offices since it often adds significant latency to their internet connections.
Most of the vendors at the Interop panel (including Akamai, Riverbed, Ipanema and Blue Coat) claimed to be developing, or to be already offering, WAN optimization products – increasingly in the form of virtual appliances and/or software versions – to help alleviate these bottlenecks. These will surely help, but will become even more important as the branch offices start to have more direct connectivity to the cloud. WAN optimization offerings at the “edge” will be increasingly needed, and cloud service providers are focused on building out these capabilities at their end of the network. Security in a more distributed model will also require some new thinking, since users in the branches will want to maximize flexibility and agility, while corporate IT will still need a way to limit potential threats and exposure created by opening these direct connections.
Underlying all these discussions is the fundamental issue of the laws of physics. As enterprises start to embrace the cloud model, they’ve realized that the major choke-point will be their network bandwidth. Innovation around addressing these issues, especially in the virtualized world of the cloud, will definitely be required. At CloudSwitch, we’re staying closely involved in discussions around customer requirements and vendor offerings to increase performance for workloads moving to the cloud.
