Risks with Cloud Computing and Virtualization – CompTIA Security+ SY0-401: 2.1
Articles,  Blog

Risks with Cloud Computing and Virtualization – CompTIA Security+ SY0-401: 2.1


Cloud computing is
all the rage isn’t it? It’s a technology
that we’ve named now, and it’s things
that we’re starting to do more of because our
bandwidths are getting better, people are creating resources
for us in remote locations, and we’re able to
blend that in with what we do as a normal part
of doing business. But there are risks associated
with cloud computing, just like anything else, we
have to consider those risks. One is that the data that we
may be putting into the cloud may be available to more
people than we want. Sometimes we’re dealing with
machines and services that are managed by other
people, they’re managed by third parties. And if you’re putting
data out there, there’s a possibility
that someone from those third parties might
have access to that data. So if you’re dealing
with cloud computing, and your data is extremely
important or extremely sensitive, you may want
to consider making sure that you put limits on what
people are able to see. Maybe you don’t put
the data in the cloud. Or maybe you encrypt it when
you put it in the cloud. There’s things you can do
to help mitigate and allow that particular risk
in your environment. Another challenge you have
from a security perspective is that the actual
security access to this data, or
this information, is managed by a third party. If you look at something like
Google Mail or Yahoo Mail, you really don’t manage
the security for that. You trust that
Yahoo or Google is going to be able to make sure
that you’re mail is secure, that nobody else
gets information that you have inside
of your inbox. So that’s a bit of a
challenge, because now we’re putting that trust
in a third party. And if you’re
putting information into the cloud
that’s being managed by a third party, that’s
certainly something you should consider. Another piece that’s
important with cloud computing is that these servers
are somewhere else. You may just be
buying a service that happens to be on somebody
else’s equipment. And in that particular case, you
may not have a lot of control should a problem occur
with that server. If the server goes
down, it loses power, a hard drive fails,
or perhaps you get locked out of
your accounts, you don’t really have
direct access to be able to resolve that
particular issue. Just because it’s
in the cloud doesn’t mean it’s always available. These are humans that are
managing technical systems, and sometimes what happens
out there in the cloud creates downtime
and outages for you. You also have to
keep that in mind because there is a risk
from your organization not having access
to your systems. If that occurs, you need to
have an understanding of what that means for the organization. Another technology that
has really come on strong is virtualization– this idea
of having one big monster computer. And inside of that device you
can build virtual systems. Before, we used to have
20 different servers. Now we’ve got one big
server and virtually there’s 20 little servers
sitting inside of it. What’s nice about
that is we have a lot of control over what
we can do with that system. We can allocate more memory. We can give it some
more disk space. We’re not limited by
physical constraints anymore. So there’s a lot of good
business value associated with virtualization. But from a security
perspective, there is an emerging set of
threats coming by somebody taking advantage of that
virtualization layer. That’s the layer
that sits on top of all these virtual systems. And the bad guys know that
if they can get access to that virtualization
layer, there’s a potential then
for gaining access to every single
virtual system that might be on that
physical computer. That’s a pretty big concern. You might have some very
important information. You might have 100
different virtual systems on a physical device. And by gaining access
to that virtualization, maybe putting every single
one of those systems at risk. And it’s something you have
to keep track of as a security professional, because those are
challenges with virtualization you simply can’t ignore. There is very little
control over what happens between virtual systems. They’re all inside
of one big computer. It’s kind of hard
to take a firewall and cram it inside of
this physical computer and make all the different
systems communicate back and forth through that firewall. There’s not a lot of
virtual firewall support out there in the world, and
the virtual firewall support that exists today is
very, very limited on what it’s able to do
relative to a physical firewall. So something also
to consider there. You may be doing a lot more
software-based firewalls, and they might be on
the servers themselves. But certainly
something to consider when you’re moving into
a virtual environment. There are also
challenges when you start looking at
multiple systems being crammed into one
physical device. In a data center, if it
was a physical server, you had a lot of
control over who accessed that server physically. You were also even able to
separate these servers off into completely different
areas of the data center, and some cases,
into separate data centers. And that provided you
with some advantages from being able to separate that
out in the environment you had, both from a data
perspective and physically. When you stick
everything on one system, that separation becomes a
little bit harder to manage. And yes, you can manage
the separation there, there are things in place
that allow you to do that, but you have to make sure
they’re implemented properly, that different systems are moved
on to different VLAN’s, that physically they can’t
access each other. And those things are in place. It’s not as easy as
looking in a room and knowing everything
in this room is separated from everything
in the other room. Now you have to make sure
in that virtualization layer that things are being
managed as separate entities, and those two systems are
not able to communicate with each other. From a business
management perspective, we also have to be clear
about separation of duties. When everything is
on one big computer, maybe all of your databases are
on separate virtual machines inside this one system,
separation of duties becomes a little
bit more difficult. How do you separate
somebody from managing one big server that
happens to contain many, many, many different
servers within it? So that’s something
that just has to be part of your policies. If you’re managing
a virtual server, maybe you have
multiple people that can manage that virtual server. Maybe the administration
of that server is split off into other pieces. Maybe there is an overlay
on top of every single one of those individual virtual
machines for management and security. Something that you may have
to consider implementing into the security policies
in your organization.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *