Cloud management platforms key for cloud security

You did it: You managed to carefully shepherd your organization through the minefields of cloud computing. You selected a security-friendly provider, carefully planned your architecture and migration, and even implemented a nice set of cloud-specific security controls, with a mix of public and private clouds. Excellent job.

Then you were smashed by the freight train of reality as developers, administrators and even business units shattered your well-laid plans by, you know, actually using the darn cloud. Instances began spinning up left and right, quickly falling out of security and compliance because of old patch levels, improperly configured security groups, and all the little, tiny changes introduced by maintaining state through day-to-day usage.

We struggle to manage these issues with our traditional infrastructure, but at least in those circumstances we have a modicum of physical control. It isn't like business units are sneaking into the data center to add new 1U servers to the racks. But in the cloud? Assuming you set it up properly to actually leverage the advantages of cloud computing you will have new servers and applications

Even leaving security aside, managing basic operations under these conditions is extremely challenging, especially when you dig into the technical issues of managing your entire infrastructure through network connections and APIs. For example, one friend once had to launch disaster recovery plans because an administrator accidentally used the wrong command line. Instead of shutting down three key servers on Amazon Web Services, he "terminated" them. In case you don't know, "terminate" on AWS means immediately stop this server and erase all associated storage irrecoverably.

However, a new breed of tools and services is emerging to help with the complexities of managing cloud infrastructures. Companies like RightScale Inc. and enStratus Networks Inc. insert a proxy in front of the management plane to provide greater compatibility, control and policy-based management across heterogeneous cloud deployments.

Although the primary goal of these cloud management platforms is operations, when you get down to it, a large percentage of security is really just operations. Keeping systems patched, positioning instances in the right parts of the network, and controlling which administrators can manage which resources are all critical security functions that don't necessarily need to be part of security.

Let's look a little deeper into how these tools work (although keep in mind that different vendors have different implementations and this is a broad generalization). Normally we manage the cloud through a mix of direct API calls, command line tools or Web interfaces. Administrators (and users) have access to all or some of these resources across different cloud platforms, which requires some complex entitlement and user management. Also, even when you can restrict their activities, the controls are either so granular as to be incredibly complex or so broad that they're worthless.

Plus, there are other, extensive operational functions like patching that must be managed with a patchwork of tools.

Cloud management platforms are usually a proxy between the users and the cloud management plane. The proxy has access to the entire cloud infrastructure, and users run through the proxy instead of making direct API calls. The users themselves don't even have access rights to the cloud's management plane.
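The proxy model described above, as an added example that is not from the original article or from any vendor's product: a broker that alone holds the provider credentials, evaluates each request against a default-deny policy, and refuses "terminate" on protected servers while still allowing "stop". The roles, instance names, policy table and `Broker` class are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy: role -> environment -> actions the broker will forward.
# Anything not listed is denied (default deny).
POLICY = {
    "developer": {"dev": {"start", "stop", "terminate"}},
    "operator": {"dev": {"start", "stop", "terminate"}, "prod": {"start", "stop"}},
    "admin": {"dev": {"start", "stop", "terminate"},
              "prod": {"start", "stop", "terminate"}},
}

# Constructed inventory: what the broker knows about each managed instance.
INVENTORY = {
    "web-1": {"env": "prod", "protected": True},
    "build-7": {"env": "dev", "protected": False},
}


@dataclass
class Broker:
    """Sits between users and the management plane; users never call it directly."""
    backend: Callable[[str, str], None]   # the only holder of provider credentials
    audit: list = field(default_factory=list)

    def request(self, user: str, role: str, action: str, instance: str):
        decision, reason = self._decide(role, action, instance)
        # Every request is recorded, whether or not it is forwarded.
        self.audit.append((user, role, action, instance, decision, reason))
        if decision == "allow":
            self.backend(action, instance)
        return decision, reason

    def _decide(self, role: str, action: str, instance: str):
        meta = INVENTORY.get(instance)
        if meta is None:
            return "deny", "unknown instance"
        allowed = POLICY.get(role, {}).get(meta["env"], set())
        if action not in allowed:
            return "deny", f"{role} may not {action} in {meta['env']}"
        # Guard against the stop/terminate mix-up: irreversible actions on
        # protected instances are refused regardless of role.
        if action == "terminate" and meta["protected"]:
            return "deny", "instance is termination-protected"
        return "allow", "policy match"
```

Because the backend callable is the only path to the provider, a denied request never reaches the management plane, and the audit list records both outcomes.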
