Securing a host in a physical environment, though by no means a simple task, is a well-documented procedure aggregated from decades of trial and error. To secure a traditional host, one must consider several factors, including physical security, legal and regulatory requirements, configuration, inventory, networking, patching, and backups. Securing a virtual host in a public cloud environment has additional concerns, however. This paper will explore both the physical and the cloud-based environment and compare the complexities of securing virtual hosts in each.
In a traditional environment, physical access is the responsibility of the organization. The organization must provide, build, or otherwise acquire a location sufficient to secure the physical hardware from outside malicious access. Furthermore, controls exist which prevent unauthorized insider access. These controls exist in the form of alarms, locks, access cards, keys, guards, cameras, and other traditional physical security devices or methods. Though considered a separate factor, inventory tracking falls under physical security in that a system or representative of the organization tracks, monitors, and maintains information regarding the status of every piece of hardware or other item of property belonging to the organization. Physical security and inventory management are two primary factors; knowing the location of a server and its components, and securing it from outside access, are cornerstones of the other factors involved, discussed later.
In contrast, the physical environment and inventory management features of a cloud-based environment are not primary concerns for the organization, but primary concerns of the cloud service provider. Though this appears simpler, it adds a layer of complexity based on trust. The organization must trust the provider to provide equal or greater security for the host than the organization provides in its traditional environment. All organizations must conduct an analysis of the risk/return ratio of trusting a third party.
This complexity of trust is present in every factor involved in securing hosts in a cloud-based environment. For example, the regulatory and legal factors involved are the responsibility of the organization. The organization must trust its provider to adhere to all compliance and regulatory requirements, without the immediate means of verifying that adherence. Should the provider fail to adhere to all legal and regulatory requirements, the fault will lie with the organization primarily (though it is exceedingly unlikely the cloud service provider will remain unscathed in such a situation).
In a traditional environment, configuration and networking are the responsibility of trained organizational personnel, well versed in such tasks. The personnel will plan the network, document and diagram it, and implement it in a series of steps, adhering to industry norms and best practices. While some of these tasks will remain with the organization, others will fall upon the cloud service provider. Again, the complexity of trust becomes an issue, but it is far less a concern here with established providers. Organizational personnel will attend to the configuration of the software environment, choosing those applications necessary for operations; similarly, the organizational personnel will have some control over the virtual hardware configuration of a virtual host, such as storage space and the amount of available RAM and CPU power. But the organization will have no control over the selection of the physical equipment providing the virtual environment. Only the cloud service provider will determine the brand of server, such as Dell or HP, and its technical specifications. All networking at the cloud service provider's datacenter location will be the sole responsibility of the provider, while the organization will maintain control of networking within its own physical location.
This division of responsibilities, with the provider responsible for part of the task and the organization responsible for other parts, also exists with monitoring, patching, and backups. Some services may charge for backing up data in a cloud environment, and organizations may have few options should they opt for cheaper service. The provider will provide patching and monitoring of the environment, but this will include only the actual physical equipment. Organizations must carefully determine whether a provider adheres to a patch and backup schedule and must understand the monitoring requirements of their provider. A badly patched physical server presents an attractive target to malicious parties attempting to access a virtual environment, so in this case the organization must undertake every effort to understand this aspect of the provider’s operations. While the organization must, with almost paranoid attention to detail, understand the provider’s physical environment, it must also provide the monitoring, patching, and backups of the virtual environment (except as noted in cases where one or more features are unavailable due to cost concerns, but these should be rare).
Though the base concerns, factors, obstacles, and requirements for a virtual environment remain the same as those for a physical environment, the shift from verification by action on the part of the organization to trust and assumptions in the cloud-based environment makes the decision to use either physical or cloud-based deployments very difficult. Organizations must balance the financial need for the cost savings a cloud-based environment may offer against the risk that, if the cloud-based provider fails to deliver on expectations, the costs of these failures may outweigh any savings benefit the organization hoped to realize. Virtualized hosts remove a level of complexity and requirements from the organization and shift them to the provider. Yet this complexity does not disappear; simply shifting it from one source to another may indeed add more stress to an organization because of assumptions and trust.
