One of the first questions that delegates at CBR Dining Club events ask when you talk about cloud-based services is ‘how do I know my data will remain safe?’
So it’s little surprise that security vendors are starting to respond to the need for reassurance in this space, with a mixture of security technologies for cloud service providers, and increased virtualisation security that will be key for companies building their own private clouds.
But what are the real threats in the virtual and cloud worlds, and what can you do about them?
This week open source intrusion prevention and detection firm Sourcefire announced its first VMware-based virtual appliances to extend IPS protection to virtualized systems and remote office locations.
The appliances include the Sourcefire Virtual 3D Sensor and Sourcefire Virtual Defence Centre. Compatible with VMware’s ESX and ESXi platforms, the Virtual 3D Sensor offers IPS protection from 5 to 500Mbps and can be monitored and managed by physical or virtual Defence Centre management consoles.
Sourcefire’s Dominic Storey, EMEA technical director, told me that VMware is simply the first of the virtualisation environments that the firm plans to support, and that support for additional environments such as Xen will start coming on stream in the first half of next year.
Storey described the virtual intrusion detection capability as “out of band”: in other words, it runs parallel to any traffic between virtual machines rather than sitting in the data stream. So although additional security technology like Sourcefire’s will always have some impact on the performance of the underlying server hardware, as it must use a few CPU cycles of its own — “That’s just maths,” Storey notes — it shouldn’t add noticeable latency to the virtual machines or to any traffic between them.
But do companies really need additional security in virtualised infrastructures? Is the threat of intrusion into virtualised infrastructures anything more than a theoretical risk? Sourcefire’s analogy was that the fact that a bank has not been robbed in five years does not mean that you can stand down its security guards.
Ovum principal analyst Graham Titterington insisted that the potential threat of attack from within or outside an organisation is very real. “The thing about virtual machines is that the data on them is nearly always in use, and data that is in use is never encrypted, because once you encrypt it it’s not much use to you,” he said.
Meanwhile, Neil MacDonald, VP and Gartner Fellow, has said: “In the rush to virtualise for cost savings, security and management issues are often afterthoughts, resulting in a reduction on overall security levels from physical environments. To avoid unexpected costs or increased and unexpected risks, engage proactively in a discussion of the security and management issues associated with a virtual environment before widespread virtualization initiatives are undertaken.”
Andrew Yeomans of the Jericho Forum – a group of security professionals who offer advice, guidance, best practice and the like – notes that many organisations forget about security best practices when it comes to virtualised environments. “People are doing things in virtualised environments that they would never have done in the physical world,” he says.
Experts also argue that the ability to ‘roll back’ in many virtualised environments may be seen as one of the advantages of virtualisation, but it is not without risk if used carelessly. A rollback reverts changes you have made that may have compromised the performance or configuration of the virtual machine.
But rollbacks also hold the potential to remove security patches that have been applied to a virtual server; these will need to be applied once more if the security of that virtual machine is not to be compromised.
Taken together, the threat of attack from within or outside the organisation and the security risks introduced by a lack of management discipline in virtual environments give Sourcefire a credible argument for why companies should be running its intrusion prevention technology in their virtual infrastructure as well as the physical.
“With Sourcefire’s new virtual security solutions, organizations can secure their VMware infrastructure and better leverage their VMware investment,” says Tom McDonough, president and COO at Sourcefire. “Sourcefire now enables customers to secure critical assets in both their physical and virtual environments without the fear of disrupting business operations.”
In a recent interview with CBR, Trend Micro CEO Eva Chen hinted that the firm is working on increasing its virtualisation security products. She suggested that the firm’s quiet acquisition last year of Bristol University incubator Identum, an encryption technology firm, could be put to use to help make virtualised environments more secure.
Talking of encryption, Neil Hollister, chairman and CEO at CRYPTOCard, a Canadian network authentication specialist with a European HQ in Bristol, tells me the firm has tweaked its authentication service to run in the cloud, ushering in what he calls ‘passwords as a service’.
“Authentication is a natural for the cloud,” Hollister says. “It’s a piece of infrastructure that’s a pain in the butt to manage internally.”
But as well as offering cloud-based authentication to users accessing corporate networks, Hollister says the firm will also sit in front of single sign-on (SSO) systems to add more secure authentication, and increasingly sees its role as easing the complexity for users signing on to multiple, disparate Software as a Service (SaaS) apps hosted in the cloud.
I predict that both virtualisation and cloud-based security will be particularly hot topics in 2010.