One of the primary concerns about cloud computing services focuses on the ability to secure a multi-tenant environment. In cloud-based environments, multi-tenancy means customers share
Prior to pointing out the key security elements for multi-tenancy, it’s important to understand the Infrastructure as a Service (IaaS) and Software as a Service (SaaS) cloud computing models. In IaaS, tenants share infrastructure resources such as hardware, compute servers and data storage devices. With SaaS, tenants are sourcing the same application, which means data of multiple tenants is likely stored in the same database and may even share the same tables.
The risks with multi-tenancy must be addressed at all layers of these models. Critical steps for securing a multi-tenant environment include segmenting VMs that process regulated or sensitive data and database segmentation.
Virtualization is the platform that underpins IaaS offerings. Central to the virtualization platform is a specialized and optimized operating system (OS) called the hypervisor. This OS in part serves to map traffic from the virtual machines to the underlying VM host hardware so the traffic can make its way through the data center and out to the Internet (and vice versa). The majority of security concerns in the virtualized infrastructure relate to the co-residency of machines owned by different customers. This places machines in a privileged position relative to one another. Prior to virtualization, these residents would have been physically separated in addition to having specific access controls; now you potentially have different clients on the same infrastructure with sensitive data and potentially very different access control policies. This can elevate the risk for many types of breaches, including unauthorized connection monitoring, unmonitored application login attempts, malware propagation, and various forms of attacks.
Today in the world of physical machines, network segmentation is used to ensure sensitive back-end services are well protected from the (potentially vulnerable) publically available front-end. This has led to the development of the DMZ and tiered approaches to data center network design. Segmentation in a virtual environment is equally important because back-end database or application servers are no less valuable simply because they’re virtual. VM segmentation and isolation is a primary requirement for VMs containing compliance-related data, such as personally identifiable information (PII). Most regulatory mandates (e.g., PCI, HIPAA, SOX, and GLBA) require access be limited to a business need and control policies be set in place to enforce blocking of unwarranted access. For many organizations, what’s considered sensitive information goes beyond just regulation and compliance data to its intellectual property or other proprietary data. Because the hypervisor intercepts all traffic between virtual machines and virtual machine hosts, it is the natural place to introduce segmentation for the resources of IaaS tenants where VMs might be housed within the same VM host or VM host cluster. This segmentation can be accomplished by implementing a hypervisor firewall.
Database segmentation is required in SaaS -- where tenants share a database instead of infrastructure -- and is something customers should demand of providers. Several tools and technologies are available for controlling access to data. A system for authentication and authorization of the access request is usually implemented so only certain rows or fields are modifiable based on security policies. Encryption is also a primary security control to protect data at rest so if the database is compromised or the data is stolen, it would be difficult to decipher the underlying data.
The primary takeaway at this point is that segmentation should be available at all layers for a secure multi-tenant environment. IaaS users need to understand whether their VMs are being housed in the same host alongside those of other customers and what, if any, provisions the cloud services provider has made to isolate them. In the case where the onus is on the tenant to configure the segmentation, tenants must consider expert advice in defining and maintaining access control policies that enable warranted access while also limiting risk. Some of the key questions to be answered for both Iaas and SaaS users are:
1. How is my data protected at rest?
2. How is access authenticated, authorized and differentiated?
3. What onus is on the customer from a security perspective?
4. If a breach occurs, what is the process for dealing with it (SLAs, mitigation plans, etc.)?
VM Introspection, which has existed for some time in the academic world and is beginning to appear in commercial applications, helps secure a virtual environment. Virtual Machine Introspection (VMI) enables information gathering about virtual machines, virtual network security, and virtual environment settings without the use of agents. The ability of malware to disable or hide from security agents is a security problem that has plagued the security industry for decades. VMI offers an interesting approach to leverage the hypervisor for an uncompromised inspection of VMs. VM Introspection is basic ally a hypervisor-based service that examines the internal state of a running virtual machine. Recently, technologies have been commercialized that leverage VMI to provide high levels of segmentation and isolation for guest VMs or cloud-service tenants. VM Introspection provides rich detail about the applications and services that are installed on the virtual machine as well as its configuration. It is possible for security policies to be constructed based on VMI parameters. This could have significant positive implications for environments where the onus for configuring security and VM isolation falls on tenants, given that the level of experience in this area could vary significantly from one customer to the next.
The key to understanding the level of security for any customer in a multi-tenant environment is to ask your cloud provider about existing protection and about the responsibilities for defining and maintaining policies that ensure isolation from other cloud tenants. In addition, an understanding of how much of the process is automated is critical. This is essential given the dynamic nature of cloud-based environments and the high likelihood of resource and security misconfiguration. Customers must also ask and be clear on the ways in which they share responsibility for their security. Lastly, you should ask your service provider if you can audit your virtual environment. In many cases, this may be a requirement from a compliance perspective, but it is also good to have the ability to verify the service provider is adhering to your security policies and controls.
About the author:
Robbie Higgins is vice president of security services at GlassHouse Technologies.
This was first published in March 2011