We talk to Bryan Doerr, CTO, Savvis Inc. on how a business can best protect its cloud computing investment
Analysts and vendors may say that cloud computing has moved beyond hype but are businesses ready for adoption? What has been holding up adoption till now? What are the compelling business and technical arguments (if any) for adoption? What would a complete solution look like?
There are a number of converging factors that have given rise to cloud computing’s emergence as a new IT service delivery option.
1. Today’s shared hosting platform economics reflect continued resource infusion at the compute processor, memory, and bandwidth levels. Without this expanded capacity, the abstraction levels necessary to effectively isolate customers wouldn’t be possible
2. The increased adoption of virtualization technologies, service-oriented architectures (SOAs), and ubiquitous computing standards have expanded the availability of lower-cost and massively scalable computing-related services (Gartner)
3. The ability to develop and deploy feature-rich user interfaces
4. The capability to distribute access and quickly connect to hardware and software at a low cost usually using Internet-based access
Adoption has been cautious because while cloud computing is a simple model, it requires a great deal of consideration on the part of the enterprise. In our conversations with IT executives, the words may differ, but there is a unifying thread regarding the decision to outsource IT functions; specifically that the service provider will not deliver as expected. This limits adoption of what is otherwise a clear choice when viewed from an organizational core competency perspective.
In short, outsourcing infrastructure makes sense, but only when IT executives envision compelling, tangible rewards that far outweigh perceived risks.
In terms of security, how do you work with customers to prevent potential unauthorized access, inappropriate use and loss of control of proprietary corporate information and applications? Who is and should be responsible for corporate policy distribution, management and control?
Savvis works closely with our customers to define the access, authorization, and authentication controls they require. Savvis provides a user interface to enhance our customer’ visibility to the controls they are interested in reporting against. In addition, Savvis supports Group Policy and Fine Grain Entitlements to enable authorized access and log any attempts at unauthorized access.
There are security challenges in cloud-based infrastructures. Conventional infrastructure security controls designed for dedicated hardware do not map well to virtualized environments. To address these challenges, virtual infrastructure architectures must have well-defined security policies and procedures in place. Additionally, although they will never be identical to existing dedicated security controls, there must be compatibility between the technology advances in security protections specifically designed for virtualized environments and traditional controls.
When considering cloud-based infrastructure, understanding the technology and process issues contribute to the challenges of effectively mitigating risk. Two main technology challenges are security attacks designed to exploit a hypervisor and security attacks targeted towards other virtual machines that reside on the same physical host. The lifecycle of the VM and its changes in state as it moves through the environment is important to understand. VMs can be on, off, or suspended. VMs can also be unallocated in storage, with no state associated with them. It is important to continually assess a VM’s vulnerabilities and apply updated security patches to VMs that are off, suspended, and unallocated.
In addition, virtualized environments may provide limited visibility to inter-VM traffic flows. These traffic flows are not visible to traditional network-based security protection devices, such as the network-based intrusion prevention systems (IPSs) located in the data center network. A virtualized IPS solution, integrated with the hypervisor, could prevent direct communication between hosted partitions within the virtual server. One way to secure the virtual infrastructure is to require virtualized security capabilities be inline with the virtual network and between the guest operating systems to provide visibility and protection against attack. The challenge is that signature, filters, and rule updates are needed for offline VMs. In addition, VMs should be protected from tampering while VMs are in motion.
Process challenges must also be addressed, including defining separate administration of server configurations from the administration of network, security, and storage configurations and addressingVM sprawl, or the situation where the number of VMs being created is growing more quickly than an enterprise’s ability to control the overall environment.
Both provider and customer dimensions must be considered when designing access control requirements. Responsibility lies with the customer for all customer specific controls. For infrastructure controls (Firewall, Intrusion Detection, Security Policy, OS Hardening) Savvis works with our customers to understand their requirements and define measurable controls.
How do you address performance issues? Quality-of-service commitments and service-level agreements from cloud computing vendors may not meet corporate availability, legal, budgetary and insurance requirements. Who is responsible for loss of revenue/profits from a significant cloud-computing outage, high network load or insufficient bandwidth access as a result of a denial of service?
Obviously the relationship needs to begin with trust and honesty between customer and provider. We work closely with customers to map out their needs and provide measurement points to ensure confidence in the provided services.
With Savvis’ open cloud environment, all critical pieces of the infrastructure are considered. Savvis does not oversubscribe the compute environment and we offer 99.9% availability which covers:
1 Instance availability
2 Connectivity to the instance
3 Virtualization Operating System
4 Instance Operating System
5 Access to the Utility Storage service
6 Power in the data center