Security controls in the cloud are, for the most part, no different than security controls in any other IT environment. However, because of the cloud service models employed (the operational models and the technologies used to enable cloud services), the risks that cloud computing may present to an organization differ from the risks traditional security services do.
To meet their cloud management and security management requirements, organizations might need to integrate multiple tools or customize their chosen product.
The security responsibilities of the provider and the consumer differ greatly among cloud service models. The Amazon Elastic Compute Cloud (Amazon EC2) Infrastructure as a Service offering, for example, accepts responsibility for security only up to the hypervisor, meaning that Amazon can only address such security controls as physical security, environmental security and underlying platform virtualization security. The customer is responsible for security controls that relate to the IT system, including the operating system, applications and data.
The opposite is true for Salesforce.com's customer resource management Software-as-a-Service offering. Because Salesforce.com provides the entire "stack," the provider is responsible not only for the physical and environmental security controls, but also for addressing the security controls on the infrastructure, applications and data.
Nearly every cloud computing provider is unique in how it divvies up information security responsibilities. It's no wonder enterprises often struggle to manage security for the cloud services they get from a variety of providers and the different sets of rules and responsibilities each brings. That's where cloud computing management consoles come in.
What a cloud management console does
A cloud management console is a simple and intuitive Web-based user interface (or in some cases, an application for a mobile device) that allows enterprise IT and information security teams to quickly access and view cloud resources on the go. An IT administrator can log into the interface and see a snapshot of the organization's cloud usage, including instances deployed, applications running and bandwidth consumed.
With the Amazon Web Services management console, for example, users can access and manage their AWS usage through a Web-based user interface. The management console offers the user an easy way to deploy and manage applications in the AWS cloud quickly without giving up control of the underlying cloud resources. It also automatically handles the details of capacity provisioning, load balancing, auto-scaling and application health monitoring.
Because most of these cloud consoles provide a variety of data and information while simultaneously managing cloud operations, the shared use of a cloud console can be a win-win for IT management and security teams. Cloud consoles allow management and security teams to leverage the data for cloud security management tasks, such as defining specific health, risk and capacity thresholds; alert types and notifications; and many other configuration settings (for example, changes in the file system or system parameters at different levels (such as the network, OS or application) to prioritize operational activities for business-critical applications). This data can be directly used to get a sense of the current security posture of the cloud and support ongoing efforts to meet compliance mandates.
Many cloud consoles offer a level of security detail that extends to each instance. VMware's vCenter, for example, provides out-of-the-box templates to ensure continuous compliance with security best practices, security standards, system hardening guidelines and regulatory requirements.
Cloud consoles: Build or buy?
Today, the majority of consoles are offered by cloud providers themselves and are limited to the individual provider's services. There are a growing number of third-party cloud management tools, however, from such vendors as RightScale, enStratus, Nimbula and other traditional systems management and data center monitoring vendors that are beginning to branch out into cloud management.
A small number of cloud management vendors offer built-in security features. Nimbula provides tools to build, manage, scale and secure cloud environments across on-premises pools of virtualized computing, networking and storage resources, as well as resources in public clouds, such as Amazon EC2.
From the editors: More on cloud security management
See our Amazon Web Services and EC2 security tutorial
Beyond the API: Cloud management
The features that potential cloud console buyers should look for really depend on the buyers themselves and the market segments they operate in. An enterprise should design its cloud architecture requirements before selecting a vendor. This avoids creating multiple cloud silos with associated integration and complexity challenges. Buyers should be sure they know their key general criteria -- such as heterogeneity and support for public and/or private clouds -- and security criteria before they select a product.
The number of vendors providing these services continues to grow, but no vendor provides a complete product for every organization's unique cloud security management needs. To meet their cloud management and security management requirements, organizations might need to integrate multiple tools or customize their chosen product. It's also important to note that building one's own cloud management console isn't easy; It requires a significant investment of skills and resources, and because cloud technologies are still emerging and are likely to evolve considerably in the near term, buying a vendor product that is likely to evolve as well should be a time- and money-conscious decision.
Managing and designing a cloud console
Using the security-related data from cloud management consoles and integrating it with existing security management tools and the larger security management program can be a resource-intensive task. To do it, an organization can develop a framework or architecture to define the vision and standards that will guide the deployment, operation and processes of the cloud management platform and any supporting integration efforts.
More specifically, organizations that implement a cloud management console should adopt a methodology for developing a risk- and- opportunity-focused security and information assurance architecture that can be mapped to critical business initiatives. For instance, consider using the Sherwood Applied Business Security Architecture (SABSA) framework, a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure services.
The SABSA framework gives a 6x6 matrix (horizontal columns for the what, why, how, who, where and when), in which each cell in the matrix represents a component in the security architecture,andeach row represents a viewpoint, from "business view" (the contextual layer) to "IT specialist" or "tradesman's view" (the component layer) that together describe the full enterprise security architecture.
A key player in the field of security management is "big data" -- taking massive amounts of disparate data and correlating, analyzing and mining it for meaningful patterns, or even identifying advanced persistent threat, or APT-style attacks. While big data is an exciting opportunity, it is still nascent. However, enterprises should consider what sort of security-related big data analytics projects they might seek to undertake in the next three to five years, and ensure they have a plan to integrate with whatever cloud management console the organization chooses.
At the end of the day, a cloud management console should offer a range of features that ensure fast, convenient and intuitive access to information; and provide valuable data to business owners, chief information officers, chief information security officers and the like that enables them to make quick business decisions and balance risk. The console should have a customizable and graphically rich dashboard that helps ensure business and technical views are tailored to deliver insights to the appropriate individuals within an organization. It also should be able to provide a single view of a company's security posture based on validated attacks and business risk, while geographic and network map views allow users to maintain awareness of their organizational responsibility and compliance status.
About the author:
Ajay Kumar is an information security manager who has worked for a decade in the information security and risk management domain, and has expertise in infrastructure security, identity and access management, threat and vulnerability management, data protection and privacy, cloud security, and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at firstname.lastname@example.org.
This was first published in February 2013