If you’re reading this blog, I’m going to go ahead and assume you’re interested in cloud. Maybe you’re even starting to look at public and/or private clouds but have concerns about security. If that sounds like you, the good news is, you’re not alone. In fact, you’re in very good company.
As heads of IT start looking at public clouds and shared infrastructure for internal private clouds, multitenancy and security are often among the most critical considerations.
Multitenancy is the ability to securely host multiple customers or departments on a common infrastructure and operating environment. One concern with multitenancy is that different customers or departments will likely have different security needs. This can lead to a segregated, inefficient infrastructure, which in effect undoes all the efficiencies gained through multitenancy.
Add to this the escalating requirements for tighter controls around sensitive customer data under regulations such as HIPAA, SOX, PCI and NERC, and you have a serious challenge for cloud providers. Namely, how do you identify, audit and remediate the security challenges associated with compliance?
Below are a few steps organizations can take to deal with these challenges:
- Identify which applications and associated data are impacted by regulatory and operational compliance. You can then classify them in a CMDB/CMS solution. Due to the sensitivity of information, these virtual machines will likely require a higher degree of change control and process audit.
- Establish automated compliance auditing and remediation. Run a set of tests against virtual machines and the supporting virtual infrastructure. Make sure to take corporate and regulatory standards into account during the testing phase, and look not just for vulnerabilities exposed to outside intruders but also for weaknesses between tenants on the inside. You don’t want your VMs to be accessible to other tenants on that shared infrastructure.
- Network security is paramount in shared environments. Protect your systems with multiple firewalls at the physical and virtual layers. New (virtual) servers are provisioned rapidly in the cloud, so it’s important that these firewall configurations are orchestrated and automated at the server and network level (what we call Network Containers). Finally, disable any TCP/IP ports that are not being used.
- Last but not least, remember to incorporate identity management into your plans to manage user access to the systems. Avoid guest accounts and use directory services for identity and group access. You want to make sure no two customers share the same username and password.
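The four steps above are the kind of rules an automated compliance audit (step 2) would run over a CMDB/CMS export. The script below is an added example and not code from the original post or from any product: it walks a constructed inventory of virtual machines and flags regulated workloads without change control (step 1), ports listening outside the approved baseline and firewall rules that admit another tenant's traffic (step 3), and guest accounts, non-directory accounts and the same username/credential reused across tenants (step 4). The inventory layout, field names such as `firewall_allow_from` and `password_hash`, and the severity scheme are all assumptions made for illustration.

```python
"""Tenant-isolation audit over a constructed VM inventory.

Added example, not part of the original post. The record layout, field
names, classifications and severities are assumptions for illustration;
a real CMDB/CMS export and a real policy would differ.
"""
from collections import defaultdict

# Classifications that the (assumed) policy says need tighter change control.
REGULATED = {"pci", "hipaa", "sox", "nerc"}

# Constructed sample inventory: one record per virtual machine. password_hash
# is an opaque credential identifier, never a plaintext password.
INVENTORY = [
    {"vm": "web-01", "tenant": "acme", "classification": "pci", "change_control": True,
     "listening_ports": [443, 22], "allowed_ports": [443, 22],
     "firewall_allow_from": ["acme"],
     "accounts": [{"user": "ops", "source": "directory", "password_hash": None}]},
    {"vm": "db-01", "tenant": "acme", "classification": "pci", "change_control": False,
     "listening_ports": [5432, 22, 8080], "allowed_ports": [5432, 22],
     "firewall_allow_from": ["acme", "globex"],
     "accounts": [{"user": "guest", "source": "local", "password_hash": "h-guest"},
                  {"user": "admin", "source": "local", "password_hash": "h-1111"}]},
    {"vm": "app-01", "tenant": "globex", "classification": "internal", "change_control": False,
     "listening_ports": [80], "allowed_ports": [80],
     "firewall_allow_from": ["globex"],
     "accounts": [{"user": "admin", "source": "local", "password_hash": "h-1111"}]},
]


def finding(vm, check, detail, severity="medium"):
    """Build one audit finding as a plain dict."""
    return {"vm": vm, "check": check, "detail": detail, "severity": severity}


def audit(inventory):
    """Return the list of policy violations found in the inventory."""
    findings = []
    # (user, password_hash) -> set of tenants that use that credential.
    cred_owners = defaultdict(set)
    for rec in inventory:
        vm, tenant = rec["vm"], rec["tenant"]
        # Step 1: regulated workloads must be under change control.
        if rec["classification"] in REGULATED and not rec["change_control"]:
            findings.append(finding(vm, "change_control",
                                    f"{rec['classification']} workload without change control", "high"))
        # Step 3: anything listening that the baseline does not allow should be disabled.
        for port in sorted(set(rec["listening_ports"]) - set(rec["allowed_ports"])):
            findings.append(finding(vm, "unused_port", f"port {port} open but not in baseline"))
        # Step 3: the virtual firewall must not admit traffic from another tenant.
        for src in rec["firewall_allow_from"]:
            if src != tenant:
                findings.append(finding(vm, "cross_tenant_rule",
                                        f"allows traffic from tenant {src}", "high"))
        # Step 4: no guest accounts, and identity should come from a directory.
        for acct in rec["accounts"]:
            if acct["user"] == "guest":
                findings.append(finding(vm, "guest_account", "guest account present", "high"))
            elif acct["source"] != "directory":
                findings.append(finding(vm, "local_account",
                                        f"local account {acct['user']} not backed by directory"))
            if acct["password_hash"] is not None:
                cred_owners[(acct["user"], acct["password_hash"])].add(tenant)
    # Step 4: the same username and credential must not appear under two customers.
    for (user, _), tenants in sorted(cred_owners.items()):
        if len(tenants) > 1:
            findings.append(finding("*", "shared_credential",
                                    f"user {user} uses the same credential in tenants "
                                    f"{', '.join(sorted(tenants))}", "high"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 4, 'medium': 3}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f['severity']:6}] {f['vm']:7} {f['check']:18} {f['detail']}")
    print(summarize(results))
```

Each check is deliberately a few lines of plain policy so it can be reviewed alongside the corporate or regulatory standard it implements; in practice the inventory would be pulled from the CMDB and the findings fed into the remediation workflow rather than printed.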
These are just a few tips for making your journey to the cloud more secure. If you have any more ideas, I’d love to hear them.