Public Cloud Security: Completing the Jigsaw
Author(s): Premkrishnan Venkatasubramanian, Posted on May 6th, 2015
As enterprises gradually migrate their applications to the public cloud, Amazon Web Services (AWS), the public cloud computing platform from Amazon, has seen the largest gains. According to data from the Synergy Research Group, the AWS market share of the worldwide cloud infrastructure service market for 2014 was almost equal to the combined market share of the next five vendors. AWS customers range from Fortune 500 companies and large enterprises to SMBs and startups.
However, enterprises still remain reluctant to move business-critical workloads to the public cloud. Fear of data breaches is the key reason. A Ponemon Institute survey on the “cloud multiplier effect” estimates that cloud usage can nearly triple the costs and frequency of data breaches. The probability of a breach can be reduced by enhancing security of data-at-rest as well as security of data-in-motion in the public cloud environment. This blog specifically addresses security of data-in-motion. For a detailed insight into other aspects of cloud security, please read Jeff Johnson’s blog on securing AWS workloads.
As per public cloud service providers, network data traversing between the enterprise datacenter and the public cloud is most at risk when it traverses the public Internet. This is of course true, given the presence of hackers and eavesdroppers lurking on the Internet, who sniff the network traffic for any sensitive information which can fetch them financial returns.
Public cloud vendors have tried to address this issue through a variety of solutions, such as VPN connections or even dedicated lines to the edge of the public cloud. However, is merely securing traffic on the Internet sufficient? What about the risk to data when it is in the clear within the public cloud environment? The public cloud is a multi-tenant environment and enterprises have no control over who their neighbors might be, even on the same physical host within the cloud. Given this scenario, can enterprises ignore security of data-in-motion within the cloud till it reaches the destination VM?
Currently most solutions for securing data-in-motion within the AWS cloud involve installing a virtual firewall or router on a VM within an AWS VPC (Virtual Private Cloud). This virtual firewall/router terminates encrypted connections and then routes them to the destination VMs within the VPC. So effectively this approach secures only the perimeter of the VPC. Given that perimeter security is already recognized as a ‘broken model’ for enterprise datacenters, can it be a suitable model for securing VMs in the public cloud that are not even under your control? A single configuration error can lead to your sensitive data being exposed in the AWS environment.
A newer approach involves running an agent on each VM in the VPC. This agent terminates encrypted connections at the network layer and transparently passes clear text data to the application layer. This approach has been adopted by Unisys Stealth for Amazon Web Services. While IT departments may hesitate to run an agent on each VM for performance reasons, Stealth for AWS offers a lightweight agent that consumes less than 2MB of memory. Running the agent on the VM rather than the hypervisor ensures that each VM is secured even from other VMs on the same hypervisor. And as VMs are migrated across physical hosts or even across regions, the per-VM agent approach ensures that security transparently moves with the VM, rather than having to be re-configured each time. Truly, a new paradigm in cloud security!
Allocation of encryption keys for the per-VM agent approach can be role-based or user-identity based. Such allocation can enable business unit-level segregation of VMs on AWS, similar to what an enterprise might do in its datacenter. Since the connection from the datacenter is secure all the way to the destination VM, effectively this leads to the datacenter being securely extended to the AWS cloud.
With encryption of the network data all the way to the destination VM and enterprise control of encryption keys, risks arising from multi-tenancy in the public cloud are greatly reduced, if not entirely eliminated. Enterprises can now leverage platforms such as AWS to host even their mission-critical business applications, and achieve significant savings on capital expenditure, without fear of introducing a new vector for threats and breaches. With the introduction of ‘last-mile security’, the jigsaw of public cloud security is finally complete.