In two previous posts, we discussed tips on connecting private and public clouds; the first as an immediate extension of a company’s data center, the second as a way to offload hardware costs, maintenance and any other issues to someone else, share the burden and lower the overall costs.
As it turns out, several companies are choosing a mixed model, which is being called the hybrid cloud.
The idea is that some companies don’t trust public cloud security enough to entrust their most sensitive data to it, but they still want to use it for some data or some applications. At the same time they want to apply the cloud concept to the sensitive data as well, so they build a private cloud, where they feel they are more in control of processes, procedures, security and anything related to it.
There are several points to consider.
As a security professional, my thoughts go immediately to the question – who says that the public cloud is not as secure as (or more secure than) the private cloud? Assuming that would mean assuming that the company has security experts on staff who are absolutely certain of their ability to keep the company safe. Many companies can’t afford staff trained in security matters, and most of the time security ends up in the hands of network engineers, whose training doesn’t allow them to properly address the security posture of a company.
As a managed services provider, we see this repeatedly: networks that have all the tools necessary for protection, but are not protected because the tools are not configured properly, because the procedures are not in place, or because the firewall is configured to the convenience of the network engineer and not to the dictates of security best practices.
So stating that sensitive data is better protected in the private cloud than in the public one is not necessarily a correct assumption.
This, of course, assumes that the public cloud is protected. There are many different offerings for public cloud in the market today.
Some companies offer a protected cloud. They have a team of security-trained experts who establish processes and procedures and are in charge of ensuring the security of the entire cloud offering.
Some public cloud companies do not offer any security at all. They simply sell IaaS: you just purchase the use of hardware from them. The advantage of this offering is price – usually you will be sharing the load with several other companies and pay only for what you consume. There is a company (6Fusion) that has actually invented a method for calculating how much of the hardware resources a customer is consuming, and charges based on a concept similar to the power consumption at home – the kWh; in fact, they call it WAC. 6Fusion doesn’t offer anything but hardware; their customers are MSPs, who in turn build solutions for their own customers. The security of each solution is entirely left to the MSP.
There may be instances in such a case where the customer could be better off keeping sensitive data in house (assuming in-house security is at least decent); or maybe both of them (MSP and customer) could seek help from a company such as Network Box, which provides virtual managed security that is perfect for this type of offering. In fact, Network Box has been a valued partner of 6Fusion for almost 2 years now, and we can count several of their customers as our own.
In last week’s posting, we focused on the private cloud. Let’s talk about the public cloud now.
In a public cloud, the infrastructure is shared and the location of that infrastructure may be unknown. The customer has no physical access to the infrastructure. The customer’s data may be stored on a dedicated disk, but most likely it is not; everything is virtual. So the data sits on a virtual disk and appears isolated from other companies’ data, but physically it is probably hosted on a very large set of RAID arrays shared among all the customers using that facility. The same happens for the servers, the switches, the firewalls and anything else being used in this infrastructure. Nothing is really as it appears; everything is virtual and shared.
This of course allows much greater savings than the private cloud, because a single physical server can be shared among several customers, and the same goes for disks and any other resource in the datacenter. There is no private cage with reserved racks and computers; everything is shared, and the only thing that keeps one customer isolated from another is the virtualization software (the hypervisor).
Companies offering this solution have adopted different business models. Some offer redundancy and backups included in the cost of the servers; some do not. Some companies are truly virtual in that the server’s location may be unknown; some specify precisely where the server is. Some companies rent out a physical server per customer, defeating in a way the scope of virtualization and going back to the rented physical infrastructure of many years ago.
Then there are several companies that have come up with software to measure the actual use of resources, so that customers can be billed on actual use rather than on a reserved amount of CPU or disk that they may never have used fully. Since the resources are shared, they are dynamically allocated to the various customers, so letting each customer pay only for actual usage seems like a fair business model; it reduces costs for the customers even further and makes the provider economically more competitive.
With the public cloud you get away from having to deal with hardware altogether. No more hardware costs, amortization, obsolescence; no more A+ certified personnel to maintain that hardware; no more technical issues to deal with. Outsourcing is not new, but this is a form of total infrastructure outsourcing that makes a lot of sense for basically anyone. The private cloud model defeats the purpose, as it implies maintaining the same old model of having to deal with hardware issues in house. The advantages are too small when the savings of not having to deal with hardware are not properly realized.
Leveraging the cloud in its true sense can only be achieved using the public cloud: delegating hardware entirely to the cloud vendor’s infrastructure and getting away completely from having to deal with any hardware issues.
Nevertheless, since private and public clouds are a reality, how do we connect private and public clouds? The only logical way is via a VPN.
Too many companies, especially small companies, are connecting to their public cloud via remote terminal connections. This is not safe; unless you can set your firewall rules to allow only specific source subnets, using RDP means exposing a Windows login to anyone. And hackers have all the time in the world to attempt breaking that login, so your protection in such a case is only as strong as your weakest password. Such logins should not be open to the public; they should be protected behind a VPN.
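One way to check the firewall condition just described, as an added example that is not from the original post: a small Python audit that flags any allow rule granting TCP/3389 from a source that is not fully inside an approved office or VPN subnet. The subnets and the rule set are constructed for illustration.

```python
"""Audit firewall rules for RDP (TCP/3389) exposed beyond approved sources.

Constructed example: rules are modelled as simple dicts in evaluation order;
the check reports every allow rule that permits RDP from a source network
wider than the approved management subnets.
"""
import ipaddress

RDP_PORT = 3389

# Approved sources for remote administration (hypothetical values).
APPROVED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),  # office egress, constructed
    ipaddress.ip_network("10.8.0.0/24"),     # VPN client pool, constructed
]

# Constructed rule set; rule 1 is the classic mistake (RDP open to the world).
RULES = [
    {"action": "allow", "proto": "tcp", "src": "10.8.0.0/24", "dport": 3389},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dport": 3389},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dport": 443},
    {"action": "deny", "proto": "any", "src": "0.0.0.0/0", "dport": None},
]


def rule_exposes_rdp(rule, approved=APPROVED_SOURCES):
    """True if the rule allows RDP from a source outside every approved subnet."""
    if rule["action"] != "allow":
        return False
    if rule["proto"] not in ("tcp", "any"):
        return False
    if rule["dport"] not in (RDP_PORT, None):  # None means "any port"
        return False
    src = ipaddress.ip_network(rule["src"])
    # A source is acceptable only if it is entirely contained in an approved subnet.
    return not any(src.subnet_of(net) for net in approved)


def audit(rules, approved=APPROVED_SOURCES):
    """Return the indexes of rules that expose RDP beyond the approved sources."""
    return [i for i, r in enumerate(rules) if rule_exposes_rdp(r, approved)]


if __name__ == "__main__":
    for i in audit(RULES):
        print(f"rule {i} exposes RDP to {RULES[i]['src']}: move it behind the VPN")
```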
A site-to-site VPN is typically built using IPsec, although devices such as Network Box nowadays support site-to-site SSL VPN, which in my opinion works much better. Eventually, as more and more vendors start supporting site-to-site SSL VPN, IPsec will disappear; it is clunky and messy, routing through it is not the simplest thing, and it is sometimes rather unstable. SSL has none of these issues and provides numerous advantages. It is very stable and routing is very simple. You can even run BGP through an SSL VPN; large networks that use dynamic routing protocols internally can take full advantage of this possibility, which is not so simple (if not impossible) with IPsec.
Depending on the type of services hosted on each side, remote access software such as Citrix should be considered as well. It offers adequate security, good wire speed and a simple setup, and although it shouldn’t replace the VPN option, it can certainly complement it, at least for users who do not need complete access to a network but simply need to reach a handful of applications. Many competitors are emerging, thanks to the cloud offerings.
To connect the customer premises to the private cloud a VPN can be considered as well, though many companies are adopting other options, such as MPLS. This creates a private connection from the office to the private cloud and ensures the security of the communications. But it usually cannot be adopted to connect to the public cloud, because in that case the Internet link is not under the control of the customer but is provided as part of the infrastructure by the hosting provider. Therefore, a VPN is basically the only real option.
Got any questions on private/public cloud security issues? We're more than happy to address them - contact us.