In addition to well-known public cloud service providers like Amazon, many hosting providers have transformed static co-location infrastructure and standalone data centers into a more elastic infrastructure supporting public cloud offerings. These providers often have a wider range of security services than any “pure cloud” service, making them better choices for security-conscious organizations looking to leverage the public cloud environment.
Terremark cloud security
Miami-based Terremark Worldwide Inc. (which Verizon proposed acquiring in January) offers a range of co-location and cloud-based services, including rapidly provisioned virtual machines for development environments, hybrid clouds that are distributed between customers’ internal cloud and a cloud environment managed by Terremark, and its Enterprise public cloud services.
In its Enterprise cloud services, Terremark provides numerous security capabilities, some of which can be managed by customers alone or co-managed by Terremark data center teams. Firewall capabilities can be managed by Terremark, by customers, or co-managed. Both network-based and host-based intrusion detection and prevention capabilities can be implemented within the cloud environment as well, and Terremark allows alerts to be sent to a variety of security information and event management (SIEM) systems. Additional managed security capabilities, such as network flow data aggregation and analysis (with Arbor Networks) and file integrity monitoring and log management (with Tripwire Inc.), can be implemented within the Terremark cloud.
For most security professionals, these services represent a more well-rounded security architecture than those available at providers such as Amazon, Microsoft and Google, including both preventive and detective measures. Managed incident response services are available, too, which offer customers a means to address one of the cloud’s thorniest issues: how to handle a security breach in an environment you don’t control.
Rackspace cloud security
Another major hosting provider, Rackspace Inc., offers several public cloud services, such as Cloud Servers (rapidly provisioned Windows or Linux systems), Cloud Sites (cloud-based website hosting) and Cloud Files (a cloud-based data storage and redundancy package). San Antonio, Texas-based Rackspace has numerous packaged security services, including SSL certificates, antivirus, firewall, IDS and distributed denial-of-service (DDoS) mitigation. However, these services seem to be available on the managed hosting side more so than the cloud hosting side, although the company’s hybrid hosting offering may offer more flexibility.
Additionally, Rackspace is one of the primary organizations driving the open source OpenStack cloud computing platform, which has garnered positive attention as a way to help build security into the cloud more deeply and at higher layers up the stack. Several of the company’s services are built on OpenStack, so potential customers should take a look at the project and ask questions about security capabilities or shortcomings.
NaviSite and GoGrid
Andover, Mass.-based NaviSite Inc., another provider of both hosted and cloud-based services, offers many of the same security capabilities as Rackspace. However, the company is much more explicit in describing what security options are available, both internally and for customers to manage themselves. For example, intrusion detection and prevention, as well as enterprise firewalls, are enabled and managed by NaviSite. A host-based firewall can be managed by customers within their cloud instance, and customers can also pay for a dedicated firewall appliance. Antivirus is managed internally for all cloud environments, and file integrity monitoring (with Tripwire) is enabled, much like Terremark. Vulnerability scans and penetration tests are performed on a regular basis, and customers can provision separate penetration tests by coordinating with NaviSite ahead of time.
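Both Terremark and NaviSite are described above as enabling file integrity monitoring as a detective control. The following is an added example, not code from this article, from Tripwire, or from either provider, showing what that control does at its core: it records a baseline of content hashes and permission bits for every file under a directory, then diffs a later scan against the baseline to surface added, removed and modified files. The directory tree and the tampering applied to it are constructed inside the example so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example of a minimal file-integrity monitor (not Tripwire's or any
# provider's code). A baseline is a map of relative path -> file attributes;
# a later scan is compared against it to report unexpected changes.


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative to root) to its hash, size and mode bits."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        # Symlinks are skipped so a link cannot stand in for the file it points at.
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            rel = path.relative_to(root_path).as_posix()
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two scans into added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"constructed-binary-placeholder")
        baseline = build_baseline(tmp)

        # Constructed changes of the kind a monitor should flag:
        # a config edit, a removed binary and a new script.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "bin" / "server").unlink()
        (root / "bin" / "cron.sh").write_text("#!/bin/sh\n")

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored outside the monitored host (or signed) so that whoever alters a file cannot also alter the record it is checked against, and the report would be forwarded to the SIEM or log management system the article mentions rather than printed.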
GoGrid, a cloud services provider that specializes in “hybrid hosting,” combining traditional physical hosting services with cloud-based provisioning, offers few details on its security capabilities. One interesting point to note, however, is that dedicated physical firewall appliances from either Fortinet Inc. or Cisco Systems Inc. can be purchased as a separate managed service with a hosted package. In addition, as with many other cloud service providers, security products from companies like Sentrigo Inc., Trend Micro Inc., Sourcefire Inc. (Snort) and Art of Defence GmbH can be integrated into the GoGrid environment.
Currently, there is a definitive gap in security offerings and capabilities between most hosted services and pure public cloud services, even within the same provider’s infrastructure. Since managed services and co-location are more mature in general, hosting providers have had more time to incorporate security capabilities into these services. But for now, most enterprise-class public cloud services have quite a bit of catching up to do, even those offered by traditional hosting firms.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.