In many ways, a cloud computing operator deals with the same information security issues as any other computational infrastructure provider. Patching, firewalls, IDS and the whole host of familiar security tools and processes are an essential foundation for effective security. Likewise, the forensic capabilities of a cloud provider stand on familiar foundations, including classic log and disk forensics, as well as memory forensics and other emerging or rapidly evolving disciplines.
However, the underlying enabling technology of cloud computing brings with it some new factors that must be folded into the classic approaches to security and forensics. With ubiquitous virtualization come unprecedented possibilities to capture and analyze machine states in forensically sound ways. Along with those opportunities, however, come some unique challenges around privacy and operational continuity.
This series of posts will begin with a short overview of cloud computing and the operational environments that build and manage “The Cloud,” as well as typical approaches to security by today’s cloud operators. We’ll also quickly review some correlations with the business and compute model of classic outsourcing and the typical approaches to security taken by today’s providers of classic outsourcing.
With that foundation, we’ll discuss some of the unique challenges to security and forensics that differentiate cloud computing operations from both in-house and classic outsourcing models. These challenges include: managing privacy in an environment where data is separated by logical, rather than physical, isolation; managing operational continuity for innocent customers in the face of degraded performance caused by a single party; dealing with legal requests while working with courts and law enforcement that understand neither the impact of their request nor the alternative means to achieve their end goals.
With an understanding of the challenges, we’ll discuss some possible solutions, including the controls, documentation, training and skillsets necessary to keep cloud operations running smoothly in the face of these challenges. We’ll also discuss tools to deal with some of the more troublesome aspects of sharing physical infrastructure among discrete customers, including fraud detection, resource constraints, and how to give law enforcement the comfort level to explore other options besides confiscating an entire cloud environment to respond to a single subpoena. Some of these tools take the form of technology, such as monitoring systems; other tools take the form of contract language that allows the operator to remedy situations where a single customer is impacting the overall environment; and some take the form of processes designed to allow the environment to operate gracefully in a temporarily degraded state – for example, during the service of a subpoena or other forensic capture process. In all cases, the case is made for instrumentation to track these states and provide enough information to support forensic investigators in drawing confident conclusions about root causes and responsible parties.
We’ll discuss some additional considerations along the way. Competing cloud providers today implement different operational models based on different business assumptions, including projections about supply and demand, details about resource consumption based on popular use cases, etc. These assumptions, in turn, drive operational decisions such as whether to invest in fully-vested cloud resources that allow every customer to consume all the resources they’ve contracted for, versus optimizing the investment so that fewer cloud resources go unused and arguably wasted. All of these operational decisions impact the security posture of the cloud infrastructure. Stay tuned: Part II will be posted one week from today, on February 28.