Over the previous three security posts I’ve aimed to outline how to secure your Infrastructure-as-a-Service (IaaS) cloud computing and how we as a vendor approach the various aspects to deliver our part of that solution. In this, the final part, I outline how we feel IaaS should be approached and how that has profound implications for the concerns currently dominating the cloud computing debate.
Personally and as a company, we very much believe that the current concerns with public clouds are more vendor-created than fundamental problems with the concept. The issues of control and security stem from the fact that the large incumbent vendors are mixing the infrastructure and software/networking layers. With these platforms, a customer is forced to accept:
All of the above are vendor choices, not technological restraints. Many vendors come from a traditional hosting background and have large conflicts of interest between adopting pure utility cloud computing models and damaging their (still larger) incumbent businesses. These vendors have chosen a walled garden approach to cloud computing; they are the AOLs of the cloud. For sure it’s one approach and it will fit with some companies, but for most, all these restrictions are unnecessary and force broad choices on very disparate computing needs. In short, AWS et al. dominate a subset of the potential IaaS market. Why not let customers use any OS they like with full and sole root access? Why should the vendor have visibility inside customer cloud servers? Why not let customers run whatever firewall servers and VPNs in the cloud that they like?
IaaS doesn’t need to be a walled garden. The happy benefit of turning away from this approach is that you solve a great many of the problems around control and security in the cloud as a consequence. By splitting responsibility between delivering pure utility-style computing resources and actually managing the internals of customer networks and operating systems, the customer retains control of maintaining their own security policies. That means customers get to choose their security according to what they feel is the correct approach for their particular business and computing needs. It’s fundamentally different to asking everyone to ‘trust us, we know what we are doing’ and imposing a generalised policy on very different customers. The majority of companies have the ability to maintain their own infrastructure in an optimised and highly efficient fashion. The issue of security then comes down to how the cloud vendor maintains physical security and how the vendor secures access to the cloud infrastructure management tools (think API and web console). That’s a much easier knot to unpick and to comply with for both sides.
By giving customers the power to have full control over their cloud servers, it also means giving open choices for software and networking set-ups. A happy consequence of this is reduced vendor lock-in and also significantly easier and shorter migrations to the cloud. That equals quicker and higher returns on investment for migration to the cloud.
With this extra control we see companies focusing on their core skills. Often they will be using a security service provider to ‘rent’ a firewall server, for example, in a SaaS-type model within our cloud. Again, with open software and networking this model is possible and works extremely well. Customers can choose what to do in-house and what to outsource with a completely open choice of vendors. Division of labour still exists, but the huge difference is that each customer is making those choices and forming their own approach. Customers are able to deploy best-of-breed solutions for their computing needs without relying on the cloud vendor for all aspects of their computing. An IaaS company is a utility company just like electricity or water. Your electricity company wouldn’t dream of insisting on what brand of electronics to use with their electricity; likewise, an IaaS company shouldn’t start telling customers what operating system they should run. By doing this, not only does the cloud vendor restrict customer freedom, but it also de-focuses the company and means they start penetrating into the software and networking layers, with the security and control issues that that then creates.
For those that want a more managed approach, PaaS providers such as enStratus and others are much better positioned to deliver it whilst avoiding individual IaaS vendor lock-in.
Companies tend to be experts on their own business and we treat them as such; it is our job to be the invisible partner and facilitator, not to get in the way of customers or impose specific working practices on their computing.