Cloud service providers are under immense pressure to deliver a secure cloud. Sixty-one percent of businesses say cloud computing security issues are one of their biggest concerns in the cloud, according to a recent member survey by Focus.com, a social networking site for business professionals. Nearly a quarter of respondents (23%) said they were not confident in their cloud provider's ability to secure their data and applications...
In the second half of this two-part Q&A with SearchCloudProvider.com, Savvis CTO Bryan Doerr outlines the cloud security challenges providers face, as well as how Savvis is overcoming them in its Symphony cloud services. Read the first half of this interview to learn about how cloud providers should broach cloud computing security issues with customers.
Do cloud services require a different approach to security than hosted services?
Bryan Doerr: One of the main things that [factors into a secure cloud] is the idea of multi-tenancy. If you're going to have a multi-tenant environment, you've got to pay attention to how those environments are segregated. That, of course, is something that we focus on fairly intently.
Another [factor] is that virtual environments are inherently more mobile. A virtual machine can move from one physical server to another. If the security policies of the physical [host] aren't following the virtual machine [when it moves], then it may not function correctly on the [physical host] it ends up on. To a degree, you've got to have security policies be as dynamic as the underlying virtual machine infrastructure is. These are things we've been dealing with as we get these cloud products into the marketplace.
How has Savvis made its Symphony cloud solutions environment into a secure cloud?
Doerr: That's something we focused on in the design of our cloud from the very beginning. Since we target the enterprise marketplace, since our products are geared toward that very selective and discriminating buyer, we knew we had to pass the security test. Our management infrastructure, our virtual security capabilities [and] the features that are in our cloud are all driven from the idea that we needed to build security in from the start.
The other thing that is important to know is that not all security in the cloud necessarily has to reside in the cloud. You can, for example, put security outside the cloud. Boiled down to some very simplistic descriptions, the services that you're getting in the cloud can be simply virtual servers, storage and network -- at some level, no different from their physical counterparts. And in the case of the physical counterparts, if you buy those capabilities from a service provider, the service provider will often have other security services that you add to your hosting environment to make it secure -- a firewall capability, an intrusion detection capability, anti-DDoS capabilities. Those aren't things that are in a cloud, per se, but they are available to your physical hosting environment. When you buy your cloud from Savvis, those same [security] services are available to your cloud solution. I frequently tell clients one of the reasons they should be selective not just in the cloud technology they're purchasing or the features of the cloud they're purchasing, but also selective in terms of the vendor that's providing it, [is] because there will come a time when they need services that aren't properly 'in the cloud' but are still available if they pick the right service provider.
For example, look at log management. Lots of companies, as part of their best practices in security, need to write [and] review logs from certain servers to ensure integrity in terms of logins and accesses. Well, Savvis has a log management service that you can connect not just to your dedicated managed services, but to your cloud services as well. You're able to satisfy that log management requirement in either case -- dedicated or cloud -- and that's just one example. As I mentioned, firewalls, load balancers, intrusion detection, anti-threat measures -- all of these things are services you can add to your cloud services just as easily as you can add [them] to your dedicated [environment].
What about when customers want more than just a secure cloud? How do you secure a hybrid hosting environment?
Doerr: It doesn't require magic, but it requires attention. Those hybrid [hosting] environments are the environments of the future. Initially, most applications that are being considered for cloud are coming out of formerly dedicated environments in private data centers. These are best realized as hybrid solutions in many, many cases. You've got to think through the entire security architecture, and that's a bigger challenge than just, say, a cloud-based deployment. But as you look more deeply into that, you see familiar problems that have familiar solutions, as long as the service provider has the capability to deploy them. There isn't a whole new technology stream required to meet the needs of a hybrid environment from the perspective of security.
To what extent are you dependent on your vendors to build a secure cloud? You previously spoke about how even a self-service portal can have unexpected security demands.
Doerr: To answer your question in particular, we've written our own portal. The user experience that we want customers to have as they deal with Savvis -- through cloud services and all the other hosting services that we offer -- is something we want to control and make common and bring our value proposition forward, so we've written all of that ourselves. We believe that the interface with the client where these roles are created and where these processes are adjoined is part of that experience, and we own that, so we don't have to wait for anyone.
On the technology side, we aren't a technology [manufacturer]. We don't write firewall software or build routers or servers, so we're a consumer of the technologies of the marketplace. And to that extent, some of the answers, some of the security capabilities that are really needed to build good cloud solutions have to be built there -- in the technologies -- and for those, we are dependent on our providers.
Where do you see room for improvement, in terms of how well vendors are enabling providers to build secure clouds?
Doerr: Our cloud today is built from a combination of VMware, Cisco and a virtual firewall solution from a company called Reflex [Systems], and those companies are doing well. We believe they're focusing on the right things and adding the kind of capabilities to their products that allow us to build credible cloud solutions. But I would say that prior to the latest generation of capabilities, those products didn't exist and the capabilities that were necessary didn't exist. [At that time], customers actually did have a good reason to make sure they took a second look and understand how certain designs accomplish good security because, in some cases, it would've been very hard, absent of features that are now available.
Let us know what you think about the story; email: Jessica Scarpati, Site Editor.