Is there security in the cloud?

Everybody is talking about it, but how secure is cloud computing really?

Text: Rüdiger Rissmann, published on 17.07.2014

We at SWITCH started our cloud computing pilot in 2012. We have now reached the point where we are building our production level cloud infrastructure as part of the SCALE project, and are offering the first services to the community, such as SWITCHdrive. Cloud security is only one of the main topics we are addressing when building the cloud architecture.

In my experience with cloud security, probably the most interesting question is how secure clouds can be, and also what people understand by security. The answer to this question can be split into two main areas: the technical and the non-technical aspects.

Technical aspects

As regards technical aspects, we have to compare cloud service delivery with "hardware based" delivery models. The table below shows that the surface for attacks grows the more layers we add. Bare-metal applications expose a smaller surface for attacks than virtualized and cloud applications. Each of these layers introduces its own problems and risks, and essentially it gets more insecure with each layer we add. But this is not the whole story, since each of these layers can also enhance the security of the cloud environment:

Surface / grade of virtualisation	Bare metal based	Virtualisation	Cloud
Cloud frontend			X
Cloud Infrastructure			X
Virtualisation layer		X	X
Hypervisor OS		X	X
Hypervisor management		X	X
Application	X	X	X
Middleware	X	X	X
Operating system	X	X	X
Hardware	X	X	X

Surface for attacks. Crosses stand for possible vulnerabilities.

As mentioned above, cloud computing offers new security features and cloud resources can be tracked back to their owner. For example, at the virtualization layer each virtual machine can be tracked back to a user account, and the cloud has a built-in inventory of virtual machines hosted. These virtual machines can be secured with virtual firewalls as well as other cloud security features.

One indication for this are special cloud offerings for regulated industries, such as pharmaceuticals and banking, where the security requirements are extremely high.

Non-technical aspects

When it comes to the non-technical factors, the use of cloud services poses increasingly complex challenges (e.g. with regard to legal, organizational and process aspects). At the same time, it is often said that the security requirements for IT infrastructure stay the same, irrespective of the technical implementation. It does not matter if the services are delivered by internal IT or by external providers, which usually provide globally standardised Service Level Agreements (SLAs).
In the latter case, we have to make sure that the contract with the external provider covers all our security requirements. As many members of our community have told us, security quickly extends beyond firewall filters, snapshots, redundancy, and the like. These days, there are various forms of possible interventions that can compromise data protection, without touching on basic forms of technical security. It is also becoming increasingly important to know which laws apply to a provider and its offerings, this depending on the countries they operate in.

Besides the technical know-how, this is where SWITCH can add considerable value and expertise to its cloud offerings. SWITCH’s governance model makes it possible for its stakeholders to take part in shaping the cloud offerings. In this sense it aims to become an extension of an institution’s infrastructure, thus performing quite a different role from an external provider. This allows the SWITCH community to participate in the governance of the SWITCH cloud and its operation.

Cloud for the Swiss academic community

Here at SWITCH, we are building a cloud infrastructure that is aimed at the Swiss academic community. In the initial phase, our target user group will be research projects and researchers. Based on the feedback from the community and our experience with the cloud infrastructure, we will be able to adapt these services in line with the future security needs of our community. We will be focusing especially on an integrated view of security that addresses both the technical and even more importantly non-technical aspects of operating a cloud, including specific legal and governance requirements of Swiss higher education institutions.