Even as cloud computing has become more mainstream, a lot of people are still confused about security in the cloud. And one of the things that gets confusing is just who is responsible for providing that security. However, providers are very clear that while they take responsibility for their physical facilities, hardware and cloud hypervisors, the customers are responsible for the security of their virtual servers — the operating system, application stack and data.
CloudPassage conducted a survey recently and found that 31 percent of cloud users believe that their cloud provider will secure their cloud servers for them. Another 20 percent do not secure their cloud servers, leaving them open to exploits and malware. This highlights a critical point in the shared-responsibility model of using cloud infrastructure: Public cloud providers are not securing customer cloud servers.
I had the chance to get feedback from Andrew Hay, chief evangelist at CloudPassage and a former security industry analyst, on the subject of shared security in the cloud, particularly the public cloud. He told me:
When you sign up for an Infrastructure as a Service (IaaS) public cloud like Amazon Web Services or Rackspace, the provider makes a catalog of cloud server images available for you to use. Unfortunately, these cloud servers typically start up completely unpatched. For example, choose a Windows 2008 service pack 2 server from the catalog, and it will spin up missing about three years’ worth of patches. This creates two problems right out of the gate. First, you’ve just spun up a publically accessible server that is vulnerable to every exploit created since the product was released. Second, you will need to patch the server prior to using it, which increases deployment time as well as cost (you will need to pay for the CPU and network utilization required to patch the server).
Hay also pointed out that it is the customer’s responsibility to lock down their cloud server’s firewall, manage server configuration, update software and manage server access. He went on to tell me:
Public cloud servers need to be protected in a similar fashion to laptops. Plan on leveraging the operating system’s built in firewall and focus on tools that will facilitate its management. Rather than focusing on performing intrusion detection and prevention on the wire, implement host based solutions. Concentrate on solutions that have been specifically written for cloud environments. A cloud friendly solution that offloads the heavy lifting helps to ensure that you can continue to scale your architecture without compromising on security. The best solutions will offload the work to another hypervisor, thus ensuring scale and cost are not impacted.
What do you think of Hay’s points? I think he breaks things down simply — think of securing the cloud as you would your computer. I suspect that we tend to make cloud security more complicated than it has to be because we are still on the learning curve of just what the cloud is and who is responsible for what.