Is Security In The Cloud Illusory?
We spent a few days working tirelessly to design a robust 'private' cloud infrastructure solution, maneuver vendors and nail down the cost of a project for a potential client whom we perceived to have deep concerns about security in the 'public' cloud. Then they quite elegantly and rhetorically stated, "Let's go with a public cloud, this whole concept of security is illusory anyway".
Wow. Just like that, all the back and forth with vendors, the carefully crafted proposal and the presentation went out the window. Nonetheless, we enthusiastically proceeded to redesign the infrastructure on a public cloud that would meet their needs, reduce upfront expenditure and relieve them of any and all ownership of hardware.
The client did, however, make a great point. While I don't necessarily believe that information security is illusory, I do feel that the argument that a private cloud (where an organization owns and manages its infrastructure, or in some cases has it housed on dedicated hardware) is more secure than a public cloud is based on some degree of illusion.
Whether your cloud computing infrastructure is public (provided by a cloud service provider) or private (at your office or in a datacenter), the strategies and tactics required of you to maintain security are no different. Here are two quick points about cloud security that I wanted to share.
Cloud Computing Security Is Not a Problem of Shared Infrastructure
We wouldn't even be talking about the cloud if it weren't for the advancements that we've seen in virtualization technology. For those unfamiliar, virtualization technology is what allows a cloud service provider (CSP) to logically partition their resources (CPU, storage, memory) into individual chunks and provision them either permanently or on-demand to different organizations and individuals. So while your data may reside on the same physical hardware, it is kept logically separated by the layers of virtualization technology that keep track of what belongs to whom. It's been unfairly assumed that because your data is shared in this way, it is somehow inherently insecure. Whether you're trying to keep your dedicated server secure or your small chunk of the public cloud safe from attackers, the rules are more or less the same.
Cloud Computing Security is a Shared Responsibility
Sure, Amazon, Rackspace or any other cloud service provider is responsible for the security of your cloud infrastructure, but only to a point. You still need to ensure that the security controls provided by the CSP are used appropriately, and that the applications you place in the cloud are securely designed. To assume that the CSP is responsible for the security of everything is irresponsible and ignores the fact that, as the consumer of cloud services, you also have a responsibility to enact relevant security practices and policies. Being in the cloud does not suddenly absolve you of this concern.
So to answer the question, is security in the cloud illusory? No. It's a very real concern. However, understanding that good security practices apply to virtually any network-connected system, whether or not you control the hardware, is certainly not.