Towards Security as a Service?

There’s some fuss around the additional security risks of moving an existing service from within a corporate data center to a cloud-hosted virtual machine on a shared infrastructure. I appreciate the caution, but I wonder if those risks aren’t overstated.

Sure, there are new risks, intrinsic to the cloud. For example, the so-called Hyper-jack is a security attack that could compromise the hypervisor, whether ESX, Xen, or Hyper-V. There are various ways to carry out a hyper-jack, also given suitably lurid names such as VM Escape, VM Hopping, VM Theft and VM Sprawl. However, even though these exploits are possible, they are not, as far as we know, a practical reality, since any effective intrusion prevention system makes this sort of attack difficult.

In reality, most of the security risks are not new, but simply extensions of the risks with which anyone concerned with IT systems security within a corporate data center will already contend. The security policy that provides protection for any particular application must establish the essential firewalling, intrusion detection, threat prevention, defense against automated attacks, and zero-day vulnerability protection, and it must follow that application into the cloud.

Furthermore, when an organization moves to a shared infrastructure in the cloud, it can still keep its data, networks and device policies separate from those of others. External traffic to the cloud-hosted VM can be diverted via the company’s own network. This allows the same security countermeasures and inspections to be applied to all the network traffic, whatever its source. Not only is this possible, but it makes sense for controlling access to any system with sensitive data on it. Doing this makes it much easier for corporate IT departments to countenance a migration of applications to the cloud, because it allows far easier compliance.

The major cloud vendors have the scale of operations to be able to attract and employ some of the best security experts. This has led to a high standard of security and a much greater willingness to accommodate the security concerns of the industry. It is reaching the stage where we can match security measures to the application’s requirements as simply as we currently do for CPU and disk storage.