10 Points to Consider before Migrating to Cloud
Posted On April 7, 2012 by Priyadarshan Roy filed under Enterprise
Everybody's talking about putting their apps on the Cloud these days. But what do they really need to know when considering such a project?
The author gives a list of the 10 most important things you need to know and check before you start migrating your apps to the Cloud.
The popularity and widespread adoption of virtualization and Service-oriented architecture have gradually led to the evolution of a new utilization and delivery model for IT services, which today we refer to as Cloud Computing.
With the popularity and widespread implementation of Cloud computing, security has become a major concern. Before one jumps into the cloud, he/she must know the risks that the cloud entails. This article aims at addressing such issues and their impact on private, public and hybrid clouds.
Recently the Cloud has been a headline stealer because of its enormous capabilities, flexibility and economic benefits. It has emerged as a new service model for the delivery and deployment of IT services. A recent survey from Mimecast states that about 70 percent of companies currently using cloud computing are planning to increase their cloud deployments. The key factors driving these migrations are:
• Cloud is economical.
• Cost savings make it attractive, especially during recessions.
• It helps the organization move from CAPEX to OPEX.
• Cloud is highly scalable to meet your needs.
• Cloud is powerful: a 64-node cluster can be made available within a few minutes.
The ease of service and the cost-effective, powerful services of the cloud have made it attractive for the utilization and delivery of IT resources. But before jumping to the cloud one must know the unique security risks it entails. This article aims at identifying and discussing some of these issues in detail.
Issues pertaining to Cloud Computing
The economies of scale and flexibility are both a friend and a foe from the point of view of security. The massive concentration of data and applications provides a more attractive target to an attacker. New attack vectors are discovered daily by attackers across the globe, and the lack of standard cloud-based security approaches, procedures and tools further emphasizes the need to secure the cloud.
Security and privacy in the cloud refer not only to authentication and authorization issues but also to the security of data as well as of user accounts and user information. Since in the cloud everything is deployed on the cloud service provider's side, it becomes essential to address this issue in depth. Hence, before moving to the cloud one must be careful to obtain all necessary and sufficient information about:
1. Data Protection
The degree of data protection refers to the ability of a cloud infrastructure to isolate the data of one user from that of another. This includes the ability to prevent data leaks and third-party attacks by ensuring the security of data at rest as well as data in motion. The major challenges for data protection are:
1. Lack of Transparency: The cloud service provider may not be following standard procedures, which may lead to data leakage or unauthorized access to data. Since most cloud service providers do not disclose information regarding data encryption techniques, data transfer mechanisms, data backup methods etc., the end user remains in the dark.
2. Lack of Confidentiality: The information deleted by a customer may still be available to the service provider in the form of backups. Also, insecure data wiping techniques may expose sensitive data to other customers. Hence there is no guaranteed proof of erasure of data.
The cloud vendor must provide all necessary and sufficient information pertaining to data protection, such as: how the data is backed up; who backs up the data, the cloud service provider itself or a third party to whom it is outsourced; how the backup is transmitted to the remote backup site; whether it is encrypted before being transmitted; whether the backup is properly destroyed after its use is over; and what data erasing techniques are being used. The list of questions is long, but one must ensure that he/she is not being kept in the dark by the cloud service provider.
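Two of the questions above (is the data encrypted before it is transmitted, and can its erasure be proven) can be taken partly out of the provider's hands: encrypt each object client-side under a key that only the customer holds, and destroy that key when the data must go away, so that any copies still sitting in the provider's backups become unreadable (crypto-shredding). The Go code below is an added example and is not part of the original article; the function names and the "constructed customer record" are mine, and the key is assumed to be generated and kept outside the provider's infrastructure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-256-GCM over a 32-byte key that only the customer holds.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts an object client-side before it leaves for the cloud;
// the provider only ever stores nonce || ciphertext || tag.
func SealForUpload(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenFromCloud decrypts a blob fetched back or found in a provider backup. It
// fails on a wrong or destroyed key, on a truncated blob and on any tampering.
func OpenFromCloud(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("unusable key or blob shorter than the GCM nonce")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Shred zeroes the key in memory. Once no copy of it survives, every blob sealed
// under it, provider backups included, is unrecoverable whatever the provider wipes.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}
```

To run it stand-alone, add a main that seals a record, calls Shred on the key and then shows OpenFromCloud failing on the very same bytes.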
2. Identity Management
The cloud security architecture must contain an adequate means of identity and access management for enforcing controlled access to information and computing resources. This can be done by:
1. Providing a separate Identity Management System.
2. Integrating the customer's Identity Management System into their own infrastructure by Federated Identity Management.
The latter is a better choice than the former, as end users may not be comfortable sharing their private information (such as SSNs, credit card numbers etc.) with a third party. Also, there is no need to create separate user accounts. This can be easily done free of cost with the help of open-source solutions such as OpenAM.
3. Availability
Availability refers to steady and uninterrupted access to resources (both data and applications) on the cloud. Availability can be affected by:
1. Lock-in (discussed later)
2. Blocking of IPs (discussed later)
3. Confiscation of resources (discussed later)
4. Application Security
Applications deployed on the cloud or available as SaaS (Software as a Service) must be secured against known vulnerabilities (such as the OWASP Top Ten). This requires the use of a secure ADM (Application Development and Maintenance) cycle, followed by Secure Code Analysis (SCA) and penetration testing of the application.
However, the biggest challenge lies in obtaining permission for a security assessment of the applications hosted on the cloud: because of the shared infrastructure, the results of your testing may also show you data from other clients. Also, any VA/PT related activity can disclose security loopholes in the cloud infrastructure itself. Hence, cloud providers rule out in the SLA any possibility of VA or PT related activities being carried out in their infrastructure.
If you carry out such an assessment in your cloud service provider's infrastructure without their consent, you may be sued by your cloud provider or by another client, or you may end up being black-holed or kicked off the service.
5. Compliance Issues
In general, compliance means meeting the requirements of a particular standard, such as a specification, policy, or law required for operational transparency. Certain organizations that are in the process of migrating to the cloud may have made considerable investments in achieving the required certifications for competitive advantage or to meet industry standards or regulatory requirements (e.g., PCI DSS). In that case they need to ensure that they can maintain these while moving to the cloud. Non-compliance with such standards may result in loss of the compliance certification, which can bring down the quality standards and also the quality of service. In an article for Search Cloud Computing, Phil Cox - who provided the caveat that his position as a QSA does not make his opinion representative of that of the PCI Security Standards Council - reported that "if you do store or process cardholder data in a public cloud, however, then it is my opinion that it would not be possible to currently achieve PCI DSS compliance."
The only way a company could still maintain PCI DSS compliance while using a public cloud such as Amazon is by using the cloud only for securely transmitting cardholder data, which is fundamentally the equivalent of the Internet. This issue is of increasing importance as cloud computing continues to grow rapidly.
6. Legal & Contractual Issues
Apart from security and privacy issues and compliance issues, there can be certain issues related to the cloud pertaining to liability (in case of a security breach, data loss etc.), intellectual property, the end of the service agreement and the like.
Some of these issues are:
1. Data Recovery: Even if one doesn't know where his data is, the SLA must clearly state what will happen to his data and service in case of a natural disaster such as an earthquake.
2. Long-term viability: Ideally, a cloud computing provider should never go broke or get acquired or taken over by a larger company. But one must ensure that his data will remain available even after such an event. Otherwise, this may result in a lock-in.
3. Other contractual issues include end-of-service support: when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider's infrastructure.
7. Lock-in
Lock-in occurs when a cloud user, for various reasons including poor service, decides to migrate to another cloud service provider or to in-house IT infrastructure. Different cloud service providers use different APIs, which may or may not be compatible with each other for migrating the data. Thus, the application may not be available during the migration period.
8. Confiscation of Resources
This may occur when a user's resources on the cloud are confiscated as part of an investigation into malicious activity carried out on the shared infrastructure. This is important as it would surely affect the availability of your web application and may put your reputation at stake. A proper mitigation process must be employed to deal with such situations.
9. Blocking of IPs
It may be that the public IP currently assigned to one of your instances has been blocked by a country or an organization because of malicious or suspicious activity carried out earlier with the same IP on the same cloud infrastructure. Your web application may then be unavailable in a particular region, to an organization, to a community of users or to the entire world because the public IP is blocked. This again endangers your reputation among your clients. A proper mitigation process must be employed to deal with such situations.
10. Insecure APIs and Interfaces
Cloud providers give their customers a set of interfaces or APIs to manage their resources on the cloud. Thus, the security and availability of all the cloud applications you host again depend upon the security of these basic APIs. One therefore needs complete assurance from the cloud provider about the security of these APIs and of the cloud infrastructure.
These are some of the basic issues one needs to address before moving to the Cloud. This is not a complete list, as there may be further issues pertaining to your specific requirements. It is better to address such issues before committing to a cloud vendor. One must avoid vendors that are not transparent and do not provide sufficient information about their security programs and policies. One must clarify all doubts and ask tough questions related to data security, data recovery and security policies. It is advisable to get a security assessment done by a neutral third party before committing to a specific cloud vendor. It is also advisable to address all these issues in the SLA so as to get a written assurance from the cloud provider.
- Mimecast survey: http://www.mimecast.com/News-and-views/Press-releases/Dates/2010/2/70-Percent-of-Companies-Using-Cloud-Based-Services-Plan-to-Move-Additional-Applications-to-the-Cloud-in-the-Next-12-Months/
- ENISA (European Network and Information Security Agency), "Cloud Computing: Benefits, risks and recommendations for information security".
- Wikipedia, the free encyclopedia: http://en.wikipedia.org
- Phil Cox, "Understanding cloud compliance issues": searchcloudcomputing.techtarget.com/tip/Understanding-cloud-compliance-issues.
- CSA, "Security Guidance for Critical Areas of Focus in Cloud Computing" V2.1.
- Eucalyptus Cloud Community.
Copyright © Vikas Saxena 2011 All Rights Reserved. No part of this document or the document as a whole may be reproduced, republished, or redistributed in either machine-readable form or any other form without written consent from the author.