I’ve heard a lot being said on the subject of cloud security, particularly over concerns with multi-tenancy. Multi-tenancy is where your OS/Apps run on a single piece of hardware or move around on multiple hardware systems within a virtual machine. The key concern here lies in the fact that many other customers use exactly the same hardware or multiple systems, thus multiple virtual machines amongst multiple customers… for an enterprise customer this posses a real security threat.
Picked up this article a few weeks ago, it’s an interesting read on the subject of multi-tenancy and discusses potential security concerns in more detail: http://people.csail.mit.edu/tromer/cloudsec/
I believe multi-tenancy services and ‘public’ cloud architecture do have a place. These types of cloud services built the foundations for cloud computing, pushing the boundaries and making ‘cloud’ the latest IT buzz word for 2009. The model provides the fundamentals for the flexibility to buy on demand computing! However, enterprises have a right to be concerned with public, multi-tenancy cloud models – after all your technology supports the business intelligence fundamental to your stability, growth and sustainability. It’s therefore important to do your research when you look at these multi-tenancy services:
- Is the provider SAS 70 certified?
- Can you see the report?
- Do they offer a penetration test on your set-up within the cloud before it goes live?
- Can you have a platform that is dedicated to you but still benefit from the virtualisation features of IaaS (Infrastructure as a Service) AND still have a dedicated hardware platform that runs the virtualisation software to enable the provision of virtual machine within this DEDICATED resource?
- Can you have a dedicated ‘virtual firewall’ that has your own rule base so you can command what you want to let in and what you want let out?(… this would be great and possibly alleviate a number of concerns that the CIO/CTO/CXO have.) and to enable VPN (Virtual Private Network) services from either client or your firewall at your office(s)
- Can you know where your data is and can you have it encrypted? But that’s another subject for another time…