Ensuring private cloud security begins by examining the security of the network in which the cloud resides. Depending on the nature of the specific private cloud, this can take on many forms. However, there are protocols and checks common to almost any network.
Step one in maintaining your private cloud security is planning ahead. Implement protocols and procedures for accessing data in the private cloud in your planning stages. If the cloud is only meant to be accessed internally, clearly a company must ensure that these services can't be accessed externally. But if it is necessary to access private cloud resources when staff members are outside the company network, decide how the data will be secured, and put an authentication mechanism in place. Further, determine which restrictions -- if any -- should be placed on access to resources. If several individuals are accessing resources, creating multiple virtual machines (VMs) and running multiple applications, the private cloud can be seriously computationally overloaded, threatening its security. So, plan ahead for mitigating this risk and enforce your protocols.
When building a private cloud in addition to or instead of a public cloud, ensure your company has the security staff to mitigate risks. The personnel who will be securing the environment should be prepared to respond accordingly during catastrophic events.
Testing your private cloud security
Start by conducting periodic Wireshark or TShark captures on the physical machines that house the virtualized infrastructure. Once administrators have a general idea about which types of traffic should and should not be entering or leaving the network, they can easily script this. It's also a good way to develop a baseline regarding what is normal network behavior. For example, if network administrators know that no DHCP servers exist within their private cloud, yet they begin to see "DHCP OFFER" messages appear in a Wireshark capture, it's crucial that they investigate further.
When using Wireshark within a private cloud environment, ensure that the capture is done from a host machine. This will allow for a more comprehensive capture of network traffic, as opposed to simply capturing traffic from within a VM.
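The DHCP check described above can be scripted once a capture has been saved. The following is an added example, not code from the original article: it reads a classic-format pcap file taken on the host and reports DHCP OFFER messages whose source address is not on an allowlist. The function names, the `allowed_servers` parameter and the sample capture are assumptions made for illustration.

```python
import struct

DHCP_MAGIC, DHCP_OFFER = b"\x63\x82\x53\x63", 2

def dhcp_message_type(bootp):
    """Return the DHCP option 53 (message type) value, or None."""
    if bootp[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:   # 255 = end option
        if bootp[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if bootp[i] == 53 and i + 2 < len(bootp):
            return bootp[i + 2]
        i += 2 + bootp[i + 1]
    return None

def find_dhcp_offers(pcap, allowed_servers=()):
    """List (src_mac, src_ip) of DHCP OFFERs not sent by an allowed server IP
    (allowed_servers is a hypothetical allowlist; empty means none expected)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        # Untagged IPv4/UDP only; VLAN-tagged frames and IPv6 are skipped.
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if udp[:2] != b"\x00\x43":                   # servers answer from UDP 67
            continue
        src_ip = ".".join(str(b) for b in frame[26:30])
        if dhcp_message_type(udp[8:]) == DHCP_OFFER and src_ip not in allowed_servers:
            hits.append((":".join(f"{b:02x}" for b in frame[6:12]), src_ip))
    return hits

def sample_capture():
    """Constructed capture: one non-IP filler frame and one DHCP OFFER."""
    def record(frame):
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    bootp = bytes(236) + DHCP_MAGIC + b"\x35\x01\x02\xff"        # option 53 = OFFER
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     10, 0, 0, 99, 255, 255, 255, 255) + udp
    eth = b"\xff" * 6 + bytes.fromhex("020000000099") + b"\x08\x00" + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record(bytes(60)) + record(eth)
```

Pass `find_dhcp_offers` the bytes of a capture saved in classic pcap format (not pcapng). In a network with no DHCP servers, any entry it returns warrants investigation.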
In addition, conduct frequent audits of system logs as they pertain to the private cloud environment. There are numerous hardware appliances and software applications that perform robust automated log analysis, complete with alert messages and alarm triggers. For example, if an individual is logging into the private cloud at 2 a.m. on a Saturday, this might be deemed irregular by an automated system and logged as such. However, these systems are only as good as the people who created them, and they can never completely replace an experienced pair of human eyes that know what they are looking for. Therefore, an experienced professional who is comfortable conducting audits should be allowed to do audits on a frequent basis.
Is it worth it to move to public cloud?
Many organizations are moving to public cloud because offloading the cost and responsibility of maintaining their own cloud infrastructure was deemed well worth their time and money. However, is it the best move for security? Well, yes and no.
Many companies feel less vulnerable to DoS and other attacks because their infrastructure resides in, for example, one of Amazon Web Services' massive data centers. The provider is responsible if an organization's infrastructure is victimized by an attack. With a private cloud, however, the company would be responsible for calling system and network administrators in on the weekend, and devoting copious amounts of time and resources toward mitigating the attack. Advantage: public cloud.
On the other hand, companies that decide to move to the public cloud have very little -- if any -- idea where data resides and how it is being treated. When a company uses a public cloud, it has no root access to the physical machine it resides on. Therefore, nefarious individuals with root access to a given box can wreak havoc on a company's data. For now, there are still pros and cons to both public and private clouds.
About the author:
Brad Casey is a former SearchSecurity.com expert. He holds a Master of Science degree in Information Assurance from the University of Texas at San Antonio, and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distros in VMs.