The Patchwork Cloud Part 1: An Overview

Thursday, February 23, 2012

Rafal Los


Working my way back into cloud I'd like to start a series called "The Patchwork Cloud" taking a realistic focus on the use-cases of cloud computing in today's technology and business environments. 

Over the course of this series I'll highlight many of the challenges and opportunities [both business and technical] that cloud computing presents us with to maximize your benefit and minimize your frustration.

You know, many of the roots that cloud computing has go back to some of the unfortunately failed outsourced application hosting models of the mid-to-late 90's known as "ASPs" or Application Service Providers. 

In the blur of the Internet boom where data centers sprouted up everywhere, servers were bought by the truckload, spare capacity was no stranger to the corporate data center.  All that spare capacity came in the form of servers which were vastly under-utilized but couldn't share space (or wouldn't share space) logically or physically across applications. 

If I recall correctly this was partly because many applications simply didn't compartmentalize properly in resources and didn't really respect security boundaries... especially when attacked.  This kept excess capacity humming and server over-build coming until we reached a glut that struck epic proportions in recent years.

When the tipping point struck, every CIO went to swing the pendulum the other way.  As efforts to curtail sprawl and waste gained momentum, contraction started in many organizations under the guise of server consolidation projects.  Looking at all the hardware that was humming along CIOs quickly realized the extent of all the extra capacity. 

Then came the light-bulbs.  Virtualization was already in the works with the likes of Sun Solaris (containers or zones starting in 2004, and domains on the E10k hardware) and VMWare virtual machines could be used to bring some of that extra capacity (on each physical chassis) to better use with isolated operating system and application instances. 

Whether this became the roots of today's cloud computing, or whether you believe some of cloud's foundations came from the old mainframe days ... that's immaterial to this conversation, but it ultimately means that we could start abstracting the physical machine from the logical machine (operating system).

The challenges with keeping these containers, zones, and domains separate from each other in a security context was always interesting.  In the early days, any time you had bits sharing physical pieces of hardware you could never really be sure that they weren't going to collide or somehow snoop on each other. 

While there weren't any massive exploits that I can easily remember, there were at least a few cases in my old organization where a minor mis-configuration caused a boat-load of pain when containers, and more particularly zones, were allowed to look in on each other.  These were just a foreshadowing of the challenges ahead as software further abstracted the logical workload (operating platform) from the metal and silicone that powered it.

It wasn't until recent years, about 5 years ago now or so, that the industry really figured out how to think outside the box... literally.  Thinking across physical hardware and virtualizing workloads that could live and function outside the constraints of a physical piece of hardware. 

Actually, taking the focus away from 'systems' and into 'workloads' is another huge milestone.  Where is security in all this, you ask?  Great question!

So far we've been innovating and patching things together as they happened, and security was one of those things the security folks wouldn't let the innovators and implementers forget.  The problem is this - as abstraction becomes the predominant feature it's more difficult to follow some of the old security paradigms and easier to make configuration 'oops' which have catastrophic results for security. 

You can't easily put a physical fence around systems that are virtual like in the old days.  I know this sounds simplistic but I'm making it a point to illustrate the challenges we're about to start facing on a large scale so that it's simple in everyone's mind.

In this series I'll cover how things like IPS are still keeping their relevance in a virtual world through policy-based inspection and traffic offloading, and many of the other challenges that are bound to lie ahead of us as we journey out into the clouds.

Let's be serious though, cloud computing isn't a paradigm every organization will follow whole-hog, nor should it be!  Public cloud, hybrid cloud, private cloud, these are all terms that need to be understood first and have some sort of rational approaches to security and risk management around them investigated. 

Follow me as I do just that... hopefully we'll all learn something! See you in the clouds!

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Enterprise Security Risk Management Virtualization Managed Services Configuration Platform Data Center Rafal Los Application Service Providers
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.