Dell OEM group - Learning about cloud security at Cloud Computing Expo

Yes, we have no problem putting all of our important data on Amazon, right? This blog post from the Dell OEM group discusses security and the cloud. Good to see Dell taking up a position in this space.

Dell OEM Group News | LinkedIn

Learning about cloud security at the Cloud Computing Expo
By: Josh Neland
When I ask people why they are moving with such caution to the cloud, their responses are overwhelmingly aligned: security seems really daunting in the cloud.

Where is my data? Who has access to it? What if a hacker compromises my cloud vendor? What if a hacker taps into my data pipe?

Because of this concern, security was a big topic across the tradeshow floor at the Cloud Computing Expo in Santa Clara. I attended separate sessions given by two resident security experts, one from McAfee and one from Amazon, and their differing perspectives addressed many of the concerns of those evaluating the cloud for high-security applications.

Who’s at the front door?

First up, Scott Chasin (McAfee) recommended that developers use McAfee’s SaaS solution as a proxy for communications with exposed services, as a way to ensure that traffic is being actively monitored for threats. The approach is appealing because it bolts right onto your web service interface, and the McAfee service can filter out malicious requests using up-to-date threat assessments. You could even choose to scrub traffic between your code and key SaaS vendors, either to make sure that everyone is behaving well or while you are waiting for the vendor to be added to your AVL.

Who’s in the basement?

Then Steve Riley, an Amazon evangelist, described AWS’s storage and virtualization implementation. For the details about the safety of AWS data, feel free to refer to this whitepaper, but here’s a quick summary of the juicy stuff:

  • Transient data is completely lost once you shut down a VM. Not even Amazon can retrieve it. And you can only read what you write; if you attempt to read local storage before you have written to it, you get null.

  • Persistent data is backed up automatically, but all access is highly restricted to Amazon staff and audited for compliance. To ensure you cannot read data that is not yours, all bits are zeroed before you are given access to them.

  • The hypervisor is secure because only Amazon staff has access to it (assuming you trust their staff!)

Additionally, Steve outlined two other nifty features of AWS: Security Zones and Virtual Private Clouds.

Security Zones allow you to firewall traffic between zones using policies, letting you define roles for your VM pools. For example, a VM in a particular Security Zone may be allowed to talk HTTP over port 80 with the outside world and then talk SOAP with a particular web service in a different Security Zone. This is a great way to limit the exposed attack surface of interfaces throughout your architecture. It can also be used to set up a DMZ filter (like the McAfee example above) as an initial filter for your internet traffic.
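As an added illustration that is not from the post or from Amazon’s whitepaper, here is the two-zone layout Josh describes expressed as a CloudFormation template using what AWS calls security groups: the web tier accepts HTTP from the internet, and the app tier accepts its SOAP traffic only from members of the web tier group. The existing VPC (`VpcId` parameter) and the SOAP service port 8080 are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Two-zone security groups (added example, not from the original post)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumption: an existing VPC to place the groups in

Resources:
  # Zone 1: web front end, reachable from the outside world on port 80 only
  WebTierSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTP from the internet only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  # Zone 2: internal SOAP web service, no ingress rules of its own
  AppTierSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier - SOAP endpoint reachable from the web tier only
      VpcId: !Ref VpcId

  # The only way into zone 2 is from instances that belong to zone 1.
  # Referencing the source by group id (not by IP) keeps the rule correct
  # as web instances are added, replaced or reassigned addresses.
  AppFromWebOnly:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppTierSG
      IpProtocol: tcp
      FromPort: 8080            # assumption: the SOAP service listens on 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref WebTierSG
```

Security groups allow all outbound traffic by default, so a stricter deployment would also add `SecurityGroupEgress` rules limiting the web tier to port 8080 on the app tier.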

Virtual Private Clouds allow you to configure a set of AWS VMs that can only be accessed through a VPN connected to your local router. This is a secure and transparent way to begin moving your local IT infrastructure (domain controllers, Active Directory servers, etc.) into AWS without fear of rogue access through the internet.

Who is standing guard?

Chris received bonus points by showing how McAfee is already monitoring traffic this way for a large portion of the Fortune 1000 and by describing how the team uses near-real-time threat detection to continually refine his service’s behavior, including the prioritization and severity given to a particular threat.

Steve discussed AWS’s fully staffed, round-the-clock team that watches for active threats and responds to customer inquiries. He did ask the audience to report any security issues to the AWS team before going public so that Amazon could assess and address the threat appropriately. Steve is confident in the security of AWS (and I am too, given the amount of work and third-party certification they have achieved) but also understands the PR nightmare that could ensue if issues are found and are not dealt with to customers’ expectations.

Are you convinced?

So what do you think? Would you trust Amazon’s sys admins with your most important customer data? Do you think McAfee can keep the bad guys at bay?

When I started the conference, I felt that the cloud brought many complexities and that, as a result, there would be more nooks and crannies for bad things to hide in. As I fly home, I realize that while the end solution is getting more complicated, using it involves surrendering control of large portions of that complexity to companies like Amazon and McAfee... and they are pretty good at what they do. At the same time, the most carefully prepared plans may go wrong, so being an early adopter might just be too much risk for some customers to tolerate.

You can follow Josh on twitter @joshneland and learn more about Dell OEM Solutions at www.dell.com/oem.

About this Entry

This page contains a single entry by Staff published on November 5, 2010 3:02 PM.