
The two biggest lies about cloud computing security
May 27, 2011, 2:05 PM — Survey after survey notes that security is the biggest concern potential users have with respect to public cloud computing. Here, for instance, is a survey from April 2010, indicating that 45% of respondents felt the risks of cloud computing outweigh its benefits. CA and the Ponemon Institute conducted a survey and found similar concerns. However, they also found that deployment had occurred in spite of these worries. And similar surveys and results continue to be published, indicating that the mistrust about security persists.
Most of the concerns voiced about cloud computing relate to the public variant, of course. IT practitioners throughout the world consistently raise the same issues about using a public cloud service provider. For instance, this week I am in Taiwan and yesterday gave an address to the Taiwan Cloud SIG. Over 250 people attended, and, predictably enough, the first question addressed to me was, "Is public cloud computing secure enough, and shouldn't I use a private cloud to avoid any security concerns?" People everywhere, it seems, feel that public CSPs are not to be trusted.
However, framing the cloud security discussion as a "public cloud insecure, private cloud secure" formula is an overly simplistic characterization. Put simply, there are two big lies in this viewpoint, both rooted in the radical changes this new mode of computing forces on security products and practices.
The first big lie is that private cloud computing is, by definition, secure merely by way of the fact that it is deployed within the boundaries of a company's own data center. This misunderstanding arises from the fact that cloud computing contains two key differences from traditional computing: virtualization and dynamism.
The first difference is that cloud computing's technological foundation is based on the presence of a hypervisor, which has the effect of insulating computing from one of the traditional tools of security: examining network traffic for inappropriate or malicious packets. Because virtual machines residing on the same server can communicate completely via traffic within the hypervisor, packets can be sent from one machine to another without ever hitting a physical network, which is where security appliances are typically installed to examine traffic.
Of course, one might point out that this issue is present with vanilla virtualization, without any aspect of cloud computing being involved. That observation is correct. Cloud computing represents the marriage of virtualization with automation, and it's in this second element that another security shortcoming of private clouds emerges.
Cloud computing applications benefit from this automation to achieve agility and elasticity--the ability to respond to changing application conditions by moving virtual machines quickly and by spinning up additional virtual machines to manage changing load patterns. This means that new instances come online within just a few minutes without any manual interaction. This implies that any necessary software installation or configuration must also be automated so that when the new instance joins the existing application pool it can immediately be used as a resource.
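The two differences described above can be combined into a simple monitoring-coverage check. The following is an added example, not part of the original article: it takes a placement log and flow records (all names, hosts and times are constructed sample data) and reports which VM-to-VM flows stayed inside one hypervisor, and so never reached a security appliance on the physical network, taking automated migrations and newly launched instances into account.

```python
from bisect import bisect_right

# Constructed placement log: (time in seconds, vm, host), as a scheduler might record it.
PLACEMENTS = [
    (0, "web-1", "host-a"), (0, "app-1", "host-a"), (0, "db-1", "host-b"),
    (300, "db-1", "host-a"),   # automated migration onto web-1's host
    (420, "web-2", "host-b"),  # new instance launched to absorb load
]

# Constructed flow records: (time in seconds, source vm, destination vm).
FLOWS = [
    (100, "web-1", "db-1"),
    (200, "web-1", "app-1"),
    (350, "web-1", "db-1"),
    (500, "web-2", "db-1"),
    (50, "web-2", "db-1"),     # refers to a VM that had not been placed yet
]

def host_at(placements, vm, t):
    """Host the VM was running on at time t, or None if it was not yet placed."""
    events = sorted((ts, host) for ts, v, host in placements if v == vm)
    idx = bisect_right([ts for ts, _ in events], t) - 1
    return events[idx][1] if idx >= 0 else None

def classify_flows(placements, flows):
    """Label each flow by whether an appliance on the physical network could see it."""
    labelled = []
    for t, src, dst in flows:
        src_host = host_at(placements, src, t)
        dst_host = host_at(placements, dst, t)
        if src_host is None or dst_host is None:
            label = "unknown"      # inventory gap: cannot reason about this flow
        elif src_host == dst_host:
            label = "intra-host"   # stayed inside the hypervisor
        else:
            label = "physical"     # crossed the physical network
        labelled.append((t, src, dst, label))
    return labelled

def blind_spots(placements, flows):
    """Flows that never left a hypervisor and need host-level inspection instead."""
    return [f[:3] for f in classify_flows(placements, flows) if f[3] == "intra-host"]

if __name__ == "__main__":
    for row in classify_flows(PLACEMENTS, FLOWS):
        print(row)
```

The same web-1 to db-1 conversation is visible on the wire at t=100 and invisible at t=350, after the migration, which is why a coverage assessment has to follow placement over time rather than rely on a static network diagram.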
