Cloud Security Most Wanted Features

“What are the most desired security features you’re missing in the cloud today?” was the question I posted to leading cloud security LinkedIn groups. I received quite a few interesting comments and wanted to share my interpretation of them in this post.

My personal favorite was “user education”. Simple, straightforward, and a must-have in the cloud era. User education is a critical element in maintaining cloud security, not only to avoid malicious attempts, but also internally, for running the day-to-day administrative tasks. A good example is AWS VPC (Virtual Private Cloud). A VPC environment is relatively isolated, essentially your VPN extension into the AWS cloud. Yet if you’d like to back up your virtual disks, the snapshots are stored outside your VPC account in S3 (Amazon’s Simple Storage Service). It wouldn’t be a bad idea to make sure your cloud administrators are knowledgeable and know what they’re doing, i.e. encrypting the snapshots before data leaves the isolated VPC environment.

Cloud security starts with user education

An additional desired feature that kept coming up was (unsurprisingly) cloud encryption, in more than one form, including encrypting data at rest, in transit, SaaS data, etc. It seems that cloud encryption is a true must-have in a public cloud for the simplest reason: it allows for privacy in a public environment. You should keep in mind though that cloud encryption is only one part of the solution. In order to truly isolate your data, the encryption keys themselves should be protected and cloud-enabled. I’ve previously discussed the cloud key management dilemma and alternatives here.
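The snapshot point from the user-education paragraph and the key-protection point above can be checked together. The following is an added example, not code from the original post or from Porticor: it audits a snapshot inventory for unencrypted snapshots and for snapshots encrypted under a key outside an approved set. It assumes input shaped like an EC2 DescribeSnapshots response; the sample data, IDs, key ARNs and the approved-key policy are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample shaped like an EC2 DescribeSnapshots response
# (for example the output of `aws ec2 describe-snapshots --owner-ids self`).
# Every ID and ARN below is made up.
SAMPLE_RESPONSE = {
    "Snapshots": [
        {"SnapshotId": "snap-0aaa", "VolumeId": "vol-01", "VolumeSize": 100, "Encrypted": False},
        {"SnapshotId": "snap-0bbb", "VolumeId": "vol-01", "VolumeSize": 100, "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-approved"},
        {"SnapshotId": "snap-0ccc", "VolumeId": "vol-02", "VolumeSize": 50, "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-other"},
        {"SnapshotId": "snap-0ddd", "VolumeId": "vol-03", "VolumeSize": 8},  # flag absent
    ]
}

# Assumption: the organisation keeps an allow-list of keys it controls.
APPROVED_KEYS = {"arn:aws:kms:us-east-1:111122223333:key/example-approved"}


def audit_snapshots(response, approved_keys):
    """Return (snapshot_id, volume_id, reason, size_gib) for each snapshot failing policy."""
    findings = []
    for snap in response.get("Snapshots", []):
        sid = snap.get("SnapshotId", "<unknown>")
        vol = snap.get("VolumeId", "<unknown>")
        size = snap.get("VolumeSize", 0)
        # A missing Encrypted flag is treated as unencrypted (fail closed).
        if not snap.get("Encrypted", False):
            findings.append((sid, vol, "UNENCRYPTED", size))
        elif snap.get("KmsKeyId") not in approved_keys:
            findings.append((sid, vol, "UNAPPROVED_KEY", size))
    return findings


def exposure_by_volume(findings):
    """Total GiB of unencrypted snapshot data per source volume."""
    totals = defaultdict(int)
    for _sid, vol, reason, size in findings:
        if reason == "UNENCRYPTED":
            totals[vol] += size
    return dict(totals)


if __name__ == "__main__":
    results = audit_snapshots(SAMPLE_RESPONSE, APPROVED_KEYS)
    for sid, vol, reason, size in results:
        print(f"{sid} ({vol}, {size} GiB): {reason}")
    print(exposure_by_volume(results))
```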

As mentioned above, cloud encryption is desired across all cloud elements. Ideally, one would want cloud data encrypted while at rest, between application servers, and in transit. Here’s an interesting encryption scenario: a corporation migrating an on-premise application to the cloud would want the data encrypted on premise, so it could be transferred to the cloud securely and privately. Assuming the application server is already installed in the new cloud environment, it is expected that the data will reside on encrypted disk(s), ideally using the same encryption scheme, so the data would be visible to the application immediately.

As expected, users would also like to dynamically and easily control access to their clouds of choice, and automatically identify anomalies and problems. With regard to dynamic firewalls across different cloud platforms, our friends at Dome9 are doing a great job enabling a cross-cloud, centrally managed firewall. And although still in its beta stage, Newvem is an automated analysis service allowing cloud administrators to identify and mitigate performance and risk issues in real time.

Lastly, we’d love to hear your thoughts! Email us your most desired cloud security features to: contact@porticor.com, or contact us here.

Ariel Dan is co-founder and VP Marketing and Sales at Porticor cloud security.

Comments

  1. Ariel – I also want to add here a link to a Quora discussion I initiated, and I suggest reading the comments there: What is the first priority cloud security concern?

    http://www.quora.com/What-is-the-first-priority-cloud-security-concern
