Cloud computing and virtualization are powerful new technologies, but they aren’t without their own risk concerns. In this video, you’ll learn about the risks associated with cloud computing and virtualization.
<< Previous Video: Risk AvoidanceNext: Recovery Time Objectives >>
Cloud computing is all the rage isn’t it? It’s a technology that we’ve named now, and it’s things that we’re starting to do more of because our bandwidths are getting better, people are creating resources for us in remote locations, and we’re able to blend that in with what we do as a normal part of doing business.
But there are risks associated with cloud computing, just like anything else, we have to consider those risks. One is that the data that we may be putting into the cloud may be available to more people than we want. Sometimes we’re dealing with machines and services that are managed by other people, they’re managed by third parties. And if you’re putting data out there, there’s a possibility that someone from those third parties might have access to that data. So if you’re dealing with cloud computing, and your data is extremely important or extremely sensitive, you may want to consider making sure that you put limits on what people are able to see. Maybe you don’t put the data in the cloud. Or maybe you encrypt it when you put it in the cloud. There’s things you can do to help mitigate and allow that particular risk in your environment.
Another challenge you have from a security perspective is that the actual security access to this data, or this information, is managed by a third party. If you look at something like Google Mail or Yahoo Mail, you really don’t manage the security for that. You trust that Yahoo or Google is going to be able to make sure that you’re mail is secure, that nobody else gets information that you have inside of your inbox. So that’s a bit of a challenge, because now we’re putting that trust in a third party. And if you’re putting information into the cloud that’s being managed by a third party, that’s certainly something you should consider.
Another piece that’s important with cloud computing is that these servers are somewhere else. You may just be buying a service that happens to be on somebody else’s equipment. And in that particular case, you may not have a lot of control should a problem occur with that server. If the server goes down, it loses power, a hard drive fails, or perhaps you get locked out of your accounts, you don’t really have direct access to be able to resolve that particular issue. Just because it’s in the cloud doesn’t mean it’s always available. These are humans that are managing technical systems, and sometimes what happens out there in the cloud creates downtime and outages for you. You also have to keep that in mind because there is a risk from your organization not having access to your systems. If that occurs, you need to have an understanding of what that means for the organization.
Another technology that has really come on strong is virtualization– this idea of having one big monster computer. And inside of that device you can build virtual systems. Before, we used to have 20 different servers. Now we’ve got one big server and virtually there’s 20 little servers sitting inside of it. What’s nice about that is we have a lot of control over what we can do with that system. We can allocate more memory. We can give it some more disk space. We’re not limited by physical constraints anymore. So there’s a lot of good business value associated with virtualization.
But from a security perspective, there is an emerging set of threats coming by somebody taking advantage of that virtualization layer. That’s the layer that sits on top of all these virtual systems. And the bad guys know that if they can get access to that virtualization layer, there’s a potential then for gaining access to every single virtual system that might be on that physical computer. That’s a pretty big concern. You might have some very important information. You might have 100 different virtual systems on a physical device. And by gaining access to that virtualization, maybe putting every single one of those systems at risk. And it’s something you have to keep track of as a security professional, because those are challenges with virtualization you simply can’t ignore.
There is very little control over what happens between virtual systems. They’re all inside of one big computer. It’s kind of hard to take a firewall and cram it inside of this physical computer and make all the different systems communicate back and forth through that firewall. There’s not a lot of virtual firewall support out there in the world, and the virtual firewall support that exists today is very, very limited on what it’s able to do relative to a physical firewall. So something also to consider there. You may be doing a lot more software-based firewalls, and they might be on the servers themselves. But certainly something to consider when you’re moving into a virtual environment.
There are also challenges when you start looking at multiple systems being crammed into one physical device. In a data center, if it was a physical server, you had a lot of control over who accessed that server physically. You were also even able to separate these servers off into completely different areas of the data center, and some cases, into separate data centers. And that provided you with some advantages from being able to separate that out in the environment you had, both from a data perspective and physically.
When you stick everything on one system, that separation becomes a little bit harder to manage. And yes, you can manage the separation there, there are things in place that allow you to do that, but you have to make sure they’re implemented properly, that different systems are moved on to different VLAN’s, that physically they can’t access each other. And those things are in place. It’s not as easy as looking in a room and knowing everything in this room is separated from everything in the other room. Now you have to make sure in that virtualization layer that things are being managed as separate entities, and those two systems are not able to communicate with each other.
From a business management perspective, we also have to be clear about separation of duties. When everything is on one big computer, maybe all of your databases are on separate virtual machines inside this one system, separation of duties becomes a little bit more difficult. How do you separate somebody from managing one big server that happens to contain many, many, many different servers within it?
So that’s something that just has to be part of your policies. If you’re managing a virtual server, maybe you have multiple people that can manage that virtual server. Maybe the administration of that server is split off into other pieces. Maybe there is an overlay on top of every single one of those individual virtual machines for management and security. Something that you may have to consider implementing into the security policies in your organization.