Mike Fratto

Network Computing Editor



Public Cloud Is Neither More Nor Less Secure Than Private Cloud

There's a meme in the water that public cloud is more secure than private cloud. That's just plain wrong. Also wrong: the idea that the private cloud is more secure than public cloud. There's nothing inherently more or less secure about either cloud model, and you can put VMs or applications securely in either (or both). Don't get excited by these FUD-filled claims.

Let me be clear: When people talk about something being more or less secure than another, what they mean is that one thing is better protected than another--that the better-protected thing is harder to break into. What they don't often talk about is risk. Risk is the likelihood that some loss will occur. There is always risk. Always. With public cloud, you face different risks than if you use a private cloud. I will not be focusing on risk--rather, I will focus on protection and debunking the pernicious myth that public cloud is more secure than private cloud.


Here's the common reasoning for why public cloud is more secure than private cloud (see if you can catch the flaw): Public cloud providers have a vested interest in providing a secure, multitenant service offering, and they can do so at scale. They have the resources to acquire well-trained experts to secure and manage their services. Security is part of the cloud provider's core competence. Your organization does not have the same skills and security is not likely a core competence.

The flaw is that the reasoning doesn't take into account the boundaries of responsibility between you, the customer, and the cloud provider. I wrote about the responsibility in Network Computing's November 2010 digital issue (free, registration required), but this meme continues to crop up like toadstools.

Cloud providers focus on ensuring the following:

  • Multitenant isolation;
  • A secure and reliable underlying infrastructure, as well as services;
  • A secure management framework that also exposes the features and functions that customers require; and
  • Monitoring to detect and respond to security and service issues.

These protection measures are fundamental to cloud offerings.

The cloud provider should use a number of technologies and processes to implement both electronic and physical security, but there's a bright line between where its responsibility ends and yours begins. Using key cards, physical cages, security guards and tight physical controls, as well as monitoring who has physical access to the cloud infrastructure, are best practices. Electronic separation and isolation technologies like firewalls, IDS/IPS, VPNs, encryption and a number of other software security products are also good practice, but there's no magical transference of security benefit from provider to customer.

Where that bright line of responsibility falls depends largely on the type of service you use:

  • IaaS offers you a virtualized environment that you put your VMs into. The provider is responsible for protection mechanisms applied to the underlying environment and the management services that are offered. You and you alone are responsible for securing the VM and applications that you place in the IaaS. The cloud provider isn't. If you place a vulnerable VM into an IaaS, it doesn't become magically secure.
  • PaaS offers a development environment that includes the IaaS components plus the language, libraries, API, interfaces and other services such as a service bus, database and storage. The PaaS provider is responsible for that entire environment. You're responsible for the security of the code you place in it, as well as any services that you access outside of the PaaS. If you put code that's vulnerable in and of itself into a PaaS, that's your responsibility. If your code uses a library, function or service that the PaaS offers, then it's the service provider's responsibility.
  • SaaS offers you a complete application. In this case, the provider is responsible for the security of the entire operation and you're responsible for the configuration options that you make. For example, a SaaS may offer HTTP or HTTPS access. If you enable HTTP access and someone uses it and his credentials are stolen by an attacker who sniffs them off HTTP, well, that's your fault for enabling, or not disabling, HTTP.
