Let’s assume you’re a security engineer working for a service provider and your organization has just decided to roll out its first cloud computing service.
The good news is that cloud security mechanisms aren’t much different from the traditional enterprise or service provider security solutions. The bad news is that “cloud services” can be anything from a virtual colocation business, to access to shared storage, to Web-based applications.
For that reason, discussing generic cloud security makes no sense, but talking about multi-tenant cloud security for a range of cloud services does. One of the fundamental building blocks of a successful cloud service is seamless auto-provisioning.
Making the auto-provisioning process and the resulting cloud infrastructure secure might not be as easy as it looks. Starting with the easiest cases first, here’s a look at cloud security issues for a variety of specific multi-tenant cloud services.
Software as a Service (SaaS) is really just a large-scale Web application solution. Any experienced software development team should be able to design, develop and deploy a secure application with strict isolation between groups of users. Note: Make sure you don’t fall into the “We already have software developers, so let’s use them” trap. Just because someone can spell HTML, JavaScript, MySQL and PHP does not mean that person can develop secure applications, as proven by numerous successful break-ins into large organizations using banally simple tools like SQL injection or cross-site scripting (XSS).
Database-as-a-Service security should also be pretty straightforward. Create a separate database for each customer and let customers create their own users. You should be worried about break-in attempts and denial-of-service attacks, so you might want to monitor authentication failures and implement automatic blacklist filters if your database software doesn’t provide that functionality.
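As an added example (not from the article), here is a small monitor for the authentication-failure counting described above: it parses constructed PostgreSQL-style log lines (the format assumes a particular log_line_prefix and will need adjusting for a real server) and reports source addresses that exceed a failure threshold inside a sliding window, which is the raw material for an automatic blacklist.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), in a PostgreSQL-like
# format with an assumed log_line_prefix of '%t %r %d %u ': time, client, db, user.
SAMPLE_LOG = """\
2024-03-01 10:00:01 UTC 203.0.113.7(51000) db_tenant_a tenant_a FATAL:  password authentication failed for user "tenant_a"
2024-03-01 10:00:03 UTC 203.0.113.7(51002) db_tenant_a tenant_a FATAL:  password authentication failed for user "tenant_a"
2024-03-01 10:00:04 UTC 198.51.100.9(40210) db_tenant_b tenant_b LOG:  connection authorized: user=tenant_b database=db_tenant_b
2024-03-01 10:00:06 UTC 203.0.113.7(51004) db_tenant_b tenant_b FATAL:  password authentication failed for user "tenant_b"
2024-03-01 10:00:09 UTC 203.0.113.7(51006) db_tenant_a postgres FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:10 UTC 203.0.113.7(51008) db_tenant_a tenant_a FATAL:  password authentication failed for user "tenant_a"
2024-03-01 10:05:30 UTC 198.51.100.9(40212) db_tenant_b tenant_b FATAL:  password authentication failed for user "tenant_b"
2024-03-01 10:06:31 UTC 198.51.100.9(40214) db_tenant_b tenant_b FATAL:  password authentication failed for user "tenant_b"
"""

# Only "password authentication failed" lines count; authorized connections are ignored.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ "
    r"(?P<ip>[\d.]+)\(\d+\) (?P<db>\S+) (?P<user>\S+) "
    r"FATAL:  password authentication failed"
)

def blocklist_from_log(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: timestamp of the failure that tripped the rule} for
    clients with >= threshold failures inside a sliding window.  Failures are
    counted per source address across all tenant databases and users, because
    a guessing run from one address typically hops between tenants' accounts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tripped = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in tripped:
            tripped[m["ip"]] = m["ts"]
    return tripped

if __name__ == "__main__":
    # The result is what you would feed to pg_hba.conf, a host firewall or similar.
    for ip, when in blocklist_from_log(SAMPLE_LOG).items():
        print(f"block {ip}: hit the failure threshold at {when}")
```

The second address in the sample never trips the default rule because its two failures are 61 seconds apart; widening the window to 90 seconds with a threshold of 2 catches it.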