Security Challenges for Cloud Environments
The Cloud Security Alliance, an industry group promoting cloud computing security best practices and standards, has identified seven areas of security risk.[3] Three of these apply directly to our focus on protecting data and platform: multitenancy, data loss, and unknown risk.

Multitenancy and shared technology issues. Clouds deliver scalable services that provide computing power for multiple tenants, whether those tenants are business groups within the same company or independent organizations. That means shared infrastructure—CPU caches, graphics processing units (GPUs), disk partitions, memory, and other components—that was never designed for strong compartmentalization. Even with a virtualization hypervisor mediating access between guest operating systems and physical resources, there is concern that attackers can gain unauthorized access to, and control of, the underlying platform when isolation relies on software-only mechanisms. A compromise of the hypervisor layer can in turn lead to a compromise of all the shared physical resources of the server it controls, including memory and data as well as the other virtual machines (VMs) on that server. Experience at Intel found that virtualization aggregates risk for the enterprise when application components and services of varying risk profiles are consolidated onto a single physical server platform. This is a key limiter faced by most IT organizations in achieving their virtualization goals—and subsequently in moving workloads to the cloud.

Data loss or leakage. Protecting data can be a headache because of the number of ways it can be compromised. Some data—customer, employee, or financial data, for example—should be protected from unauthorized users. But data can also be maliciously deleted, altered, or unlinked from its larger context. Loss of data can damage your company's brand and reputation, affect customer and employee trust, and have regulatory compliance or competitive consequences.

Unknown risk. Releasing control of your data to a cloud service provider has important security ramifications. Without a clear understanding of the service provider's security practices, your company may be exposed to hidden vulnerabilities and risks. Also, the complexity of cloud environments may tempt IT managers to cobble together security measures. Unfortunately, that same complexity, together with the relative newness of cloud computing and related technologies, makes it difficult to consider the full ramifications of any change, and you may be leaving your cloud open to new or still undiscovered vulnerabilities.
Intel and Best Practices in Cloud Security
Intel is a member of several industry groups that develop standards and best practices for security and cloud computing, such as the Cloud Security Alliance (CSA). For example, Intel is the nonvoting technical advisor to the Open Data Center Alliance (ODCA), an independent IT consortium of global IT leaders, represented by more than 280 member companies, that has come together to provide a unified customer vision for long-term data center requirements. ODCA released a roadmap of hardware and software requirements in June 2011[4] with the goal of promoting more open and interoperable cloud and data center solutions. Intel is also an active participant in the Trusted Computing Group (TCG), formed to develop and promote open, vendor-neutral standards for trusted computing building blocks, and in the Distributed Management Task Force (DMTF), a global organization leading the development, adoption, and promotion of interoperable management initiatives and standards.
[3] Top Threats to Cloud Computing, v1.0. Cloud Security Alliance (2010). https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (PDF)
[4] Information about the Open Data Center Alliance roadmap can be found at opendatacenteralliance.org/publications.
Intel IT Center Planning Guide | Cloud Security