Monday, August 31, 2009

My data centre is in your cloud, your cloud is in my data centre

Amazon has announced VPC (EC2 instances on a private network), and ReadWrite has an interesting article about Zoho putting its SaaS offering behind the corporate firewall via vSphere (on what I assume is a VMware virtual machine).

Both solutions bring a piece of the cloud inside your environment, and at first I wondered whether the connectivity or embedding increased security risk. I ran through the gamut of concerns, such as:

  • Unknown vulnerabilities hidden in the stack
  • Immutable vulnerabilities in the solution that can't be patched
  • Malware/Malmachines

However, all of these can be addressed with existing controls we already deploy in our corporate environments. Case in point, from Amazon's VPC announcement:

"...and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources."

So now I have IPS, internal firewalls (you do have those, right?) and network anti-X to monitor and contain anything these external assets could throw at me. The same controls are useful if I choose to expose my pieces of the cloud to the outside world.

In reality though, Zoho's solution is just software-in-a-virtual-box, built on the popular software normally found in the cloud, while Amazon's VPC is just colocation with a point-to-point VPN (IBM and CGI have offered this forever, as does my employer for that matter). Most businesses are already comfortable with both, so if the biggest objection to going Cloud is governance, maybe this is the compromise answer. If the biggest concern is data location, this is a nice compromise as well (keep the database inside the corporation).

Note that the key assumptions behind EC2 VPC integrity are:

  1. EC2 admins can't disengage the network isolation controls
  2. The network isolation controls are an orthogonal mechanism that cannot be directly accessed from any EC2 instance (either inside or outside the VPC zone)
  3. The EC2 VPN endpoint is strictly bound to the isolated network

I don't think these are unreasonable assumptions to make; they are not independently testable or inviolable by any means, but still reasonable.
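The first two assumptions live inside Amazon's infrastructure and can't be checked from outside, but the half of the third assumption that lives in the customer's own configuration can at least be audited: the VPN gateway should be the only route out of the VPC. The script below is an added example, not code from the original post or from Amazon; it assumes route-table records in the shape returned by boto3's describe_route_tables() (the sample data is constructed with made-up identifiers so it runs offline), and treats any non-local route whose target is not a vgw-* gateway, or any vgw-* route pointing outside the corporate ranges, as a finding.

```python
"""Customer-side check of the third assumption above: the VPN gateway should be
the only way out of the isolated network. Added example, not from the original
post. Route-table records follow the shape of boto3's describe_route_tables()
response (an assumption); the sample data at the bottom is constructed.
"""
import ipaddress

# Fields a route uses to name its target in the DescribeRouteTables response.
TARGET_FIELDS = (
    "GatewayId",
    "NatGatewayId",
    "InstanceId",
    "NetworkInterfaceId",
    "VpcPeeringConnectionId",
    "TransitGatewayId",
)


def route_target(route):
    """Return whichever target field is set on a route, or None."""
    for field in TARGET_FIELDS:
        if route.get(field):
            return route[field]
    return None


def audit_route_table(table, corp_cidrs):
    """Return a list of findings for one route table; an empty list means the
    table only reaches the VPC itself ('local') and corporate ranges via a
    vgw-* target, i.e. the VPN is the only exit."""
    corp_nets = [ipaddress.ip_network(c) for c in corp_cidrs]
    rt_id = table["RouteTableId"]
    findings = []
    for route in table.get("Routes", []):
        if route.get("State") == "blackhole":
            continue  # dead route, cannot carry traffic
        target = route_target(route)
        if target == "local":
            continue  # intra-VPC route, always present
        dest = route.get("DestinationCidrBlock")
        if dest is None:
            # IPv6 or prefix-list destination: not modelled here, review by hand
            findings.append(f"{rt_id}: non-IPv4 destination via {target}, review manually")
            continue
        if target is None:
            findings.append(f"{rt_id}: {dest} has no target")
            continue
        if target.startswith("vgw-"):
            dest_net = ipaddress.ip_network(dest)
            if not any(dest_net.subnet_of(c) for c in corp_nets):
                findings.append(f"{rt_id}: VPN route {dest} is outside the corporate ranges")
            continue
        # Anything else (igw-, nat-, an instance, a peering connection) is a
        # second exit from the isolated network.
        findings.append(f"{rt_id}: {dest} -> {target} bypasses the VPN gateway")
    return findings


def audit_vpc(route_tables, vpc_id, corp_cidrs):
    """Audit every route table belonging to vpc_id; returns all findings."""
    findings = []
    for table in route_tables:
        if table.get("VpcId") == vpc_id:
            findings.extend(audit_route_table(table, corp_cidrs))
    return findings


# Constructed sample data (made-up identifiers): one clean table, one leaky.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-clean0001",
        "VpcId": "vpc-example01",
        "Routes": [
            {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-example01", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-leaky0002",
        "VpcId": "vpc-example01",
        "Routes": [
            {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example01", "State": "active"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-example01", "State": "active"},
            {"DestinationCidrBlock": "10.99.0.0/16", "NatGatewayId": "nat-example01", "State": "blackhole"},
        ],
    },
]

if __name__ == "__main__":
    for finding in audit_vpc(SAMPLE_ROUTE_TABLES, "vpc-example01", ["10.0.0.0/8"]):
        print(finding)
```

Run against real data by replacing SAMPLE_ROUTE_TABLES with the "RouteTables" list from describe_route_tables(); the corporate ranges are whatever prefixes the VPN is supposed to carry. Note the check only covers the customer side of the binding; whether Amazon's end of the VPN terminates strictly inside the isolated network is still the unverifiable assumption the post describes.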
