CloudPassage was kind enough to share with me the raw data from their latest cloud computing security survey. In many ways this is what you would expect to see in a survey of companies that are still working out exactly what they want to do in the cloud and the approaches they want to take with cloud computing. The survey is about a year old, but still highly relevant in relationship to how companies are viewing cloud computing, and cloud computing security.
The more important part is how companies are off loading bulk tasks into the cloud, but keeping some services still in house. This is exactly what cloud computing is good for, bulk versus items that you should retain in house as the investment has already been made for support and service in house, or the system is too complex or too customized for movement into the cloud. For some answers it is also telling just how dangerous from a security viewpoint companies are approaching the use of cloud computing. From the survey, it would appear that the hybrid cloud computing model is the one that most companies are choosing or one what separates its public side from its private side computing requirements.
The first question was “How many servers do you run in your datacenter, public or private cloud environments”. Based on the survey sample, 73.6% of all the sample respondents are running between 1 and 500 computers in a cloud computing environment. There are 52.7% that have less than 100 computers running in the cloud environment. This means that medium sized installations, or those between 50 and 150, are the majority of the types of cloud computing environments that are being run. There is a very small percentage that are not participating now (10.4%) and a very small amount (4.3%) that have over 5000 computers in the cloud environment.
This shows that the majority of companies are still working out what they want to accomplish with cloud computing. There is still a lot of room to grow with the cloud, as companies finish working out what they want to move into the cloud, and actually start doing more cloud based infrastructure than they are currently doing.
The second question directly relates to projected growth in the industry based on the survey participants. Based on these survey answers both 2012 and 2013 should be heavy growth years for Amazon AWS and other Cloud providers. With more companies moving more assets into Cloud providers, there will be an increasing demand for cloud computing skills.
Cloud computing skills are already hard to find, as the industry is still very young. Some companies are going to rely on people internal to retain, or hire costly contractors to help them migrate to the cloud. The migration into the cloud will also be dependent upon the companies being able to work out what services they want to move into the cloud. Growth across the ecosystem of Cloud Computing providers, even for smaller companies who provide cloud services should range into the 35% growth range in the next 12 months if companies manage to stick to their original projections.
Question three asks “how do you secure your cloud servers today”? This is one of the more interesting questions to ask because it shows not just the relative immaturity of cloud computing security tools (although there are some viable programs hitting the market now) but a growth opportunity that should be heavily marketed when they are available. What makes this graph disturbing is the over reliance on checklists and having the cloud computing vendor securing the cloud servers for the company. A whopping 19.9% companies are not securing their cloud computers at all.
|Manually, using a checklist||21.3%||30|
|Amazon security group||9.9%||14|
|Wrote my own automation tools||5.0%||7|
|My provider does it for me||31.2%||44|
|We’re not securing our cloud servers||19.9%||28|
|Commercial tool (please enter vendor name below)||6.4%||9|
|Open Source or custom tool (please enter vendor name below)||6.4%||9|
Realistically, with the approach of checklists only companies might be able to hit corporate governance goals, but still not be in full control of their data. Over reliance on information security that is cloud computing such as Amazon or Azure based is an insecure option for cloud computing because the focus is on their networks not your operating systems or applicaitons.
Companies that answered “We’re not securing our cloud servers will provide a very tempting target for hackers to break into cloud computing systems, and misuse them while costing the company money. With the primitive state of cloud computing security tools, this is a hack waiting to happen depending on Security Group Settings, ACLs, or other ways of slowing down hackers at the operating system level. Cloud computing makes an ideal platform for hackers to launch attacks with nearly unlimited bandwidth and computing resources if the customer account is taken over. Companies need to take a proactive stance when it comes to cloud security, and ensure that there is not an over reliance on checklists, security provided by the cloud computing hosting company, or not securing the web servers at all.
Question four asks “Which cloud hosting providers do you use?” was interesting because Microsoft Azure did not show up at all as a response. Amazon is the clear leader in the cloud computing hosting space with 30% of the market, with RackSpace coming in at 15.5%. What is all the more interesting is the number of cloud computing providers than make up less than 6% of the market, and that they have a very high number of people using them.
Microsoft Azure is in the “other” category which makes up 50% of the total responses from the survey takers. With so many smaller companies out there this is one way to avoid vendor lock in, but makes it more likely that as the market consolidates or a clearer market leader comes in place that these smaller companies might fail, leaving the company that is using that provider vulnerable to a shutdown of their cloud computing infrastructure. It is not surprising that Amazon is the clear leader, but it is also very good that RackSpace is coming in a strong second.
It will be interesting to see if Microsoft can make a better argument for Azure, or open it up for companies that have a minimal investment in cloud computing right now. With the number of servers and projected growth, Microsoft could make a much broader splash in the market, but strangely they are not in the top three of cloud computing providers that are being used based on the survey data.
Question Five asks the question “which operating systems do you run on your cloud servers”.
The answer shows that companies are working in a mixed operating system environment with Windows and Linux (any flavor) being the operating systems of choice. Amazon also makes this easy with the ability for companies to bring their own Windows license to the Cloud. With a current shortage in Linux system administration skills it is not surprising to see the mixed environments being used by companies.
The mixed environment is not surprising to see, but it will be interesting to see if Linux makes stronger gains in the cloud environment with companies that are strictly Windows moving over to Linux. The use of Linux will also help spur an increased demand for Linux qualified administrators, security personnel, and programmers.
Question six asks “What web servers do you run on your cloud servers?” This question shows the mixed environment much like question five does.
What makes this interesting from a hacker’s viewpoint is that the number of Apache and IIS servers out there makes it much more likely to be able to guess at the back end infrastructure of the servers themselves. While the databases are going to remain unknown to a hacker for a couple of minutes, the reliance on Apache and IIS shows that there is going to be the same level of threat environment in the cloud as there would be at a company.
In line with questions about cloud security and who is providing it, the richness of the cloud environment from a hacking viewpoint should mean that companies pay closer attention to the infrastructure based attacks against server software. Companies should be engaging in excellent patch management for all their software that is providing services to companies. The good part is that most patch management systems will work in the cloud without much difficulty in the process.
Question Seven asks “What database / data management technologies do you run on your cloud servers?” This also shows the mixed environment that companies are choosing to run with.
It is good to see that Oracle adoption is significant in the database back ends (Amazon provides access to Oracle databases), what is surprising through is the number of other database systems such as PostgreSQL and MongoDB. While technically Hadoop is not a database (more of a distributed file system), it can be used in line with MongoDB to provide a flat non-relational database to a company for large objects or data where relationships are minimal. Using MongoDB with Hadoop across multiple Amazon S3 buckets would make sense for companies that are providing picture storage, or render farming or other large object storage and retrieval. Otherwise the survey shows that there is the normal distribution that would be expected in the mixed operating system environment that the survey is showing amongst those that took the survey.
Question 8 asks “What security concerns are most important to you regarding public cloud computing?” There are two ways of looking at this data, from the raw survey data alone and from the size of the cloud computing installations that companies are using and developing. Initially the data shows that there are some unaddressed issues in the process of security and cloud computing resources.
Companies are having a hard time finding tools that address their needs in regards to perimeter defenses, network controls, and compliance.
|Multi-tenancy of infrastructure or applications||38.8%|
|Lack of perimeter defenses and/or network control||44.7%|
|Provider access to guest servers||24.3%|
|Achieving compliance with PCI or other standards||25.7%|
|Enterprise security tools don’t work in the cloud||21.7%|
|We have no security concerns||16.4%|
|Other (please specify)||5.3%|
The worrying part is that 16.4% of respondents state they have no security concerns when it comes to cloud computing. Much like any other computing environment the needs of the company dictate security in line with legal, regulatory, or industry controls that must be met to remain in business.
There is a large amount of room in the industry for companies to develop tools that are enterprise grade, but can work in the cloud computing environment. With the projected growth of cloud computing as a major resource for companies, the lack of enterprise grade tools, including forensics tools will be a stumbling block for companies expanding into the cloud. The responses to the survey do not mean that there are not tools out there already in the market, but that the company for one reason or another does not know they exist, or cannot afford them. This has been a continuing issue with cloud computing, in that many of the things you can do on your own infrastructure in terms of monitoring simply cannot be done to the same precision that monitoring can be done on the company network.
Question nine asks “Who is raising cloud infrastructure security issues within your company?” There are two ways to slice this data, one as a general overall response to the survey question and the other is to break this down and separate it out by the size of the installation. In the survey from CloudPassage, the core issue of raising security concerns is on the management side with a respectable number of managers asking what can be done to secure cloud computing for the company.
What makes this more interesting is the number of Customers and Partners that are reporting security issues to the companies that took the survey.
|Chief Security Officer||27.3%|
|Information Technology Management||63.3%|
|Customers / Partners||13.3%|
|Analysts / Consultants||7.3%|
|Other (please specify)||8.7%|
Fully 13.3% of the respondents said that customers and partners were raising cloud computing security issues with the company. This makes sense in relationship to trusted trading partners, customers of the company in a B2B process, where both customer and company have a relationship and shared computing resources or shared data. When you break down the data though in conjunction with the size of the installation and see who is reporting the security concerns the data looks a bit different from the initial survey draw.
The smaller the installation the more likely that management and application development will be concerned about cloud computing security and the more willing they will be to raise issues. It is only amongst the larger cloud computing installations that security becomes more evenly spread amongst customers, partners, management and development. This seems to suggest that in relationship to cloud computing security that everyone in the company who will be using the systems are taking an active role in helping identify and reporting security issues.
The survey shows that there is a good use of mixed operating systems, databases, and web servers in the cloud. This makes for a rich environment for development, system administration, and being able to migrate applications from the company’s data center to the cloud. Amazon and RackSpace have a good command of the market, but younger companies like Terramark and GoGrid are quickly growing and taking advantage of the cloud computing space. Microsoft surprisingly does not show up in the survey as a major player in cloud computing.
Cloud security remains a challenge, and provides a number of opportunities for hackers to break into a company. If the majority of companies are relying on their service provider, checklists, or not worried about cloud computing security at all this leaves the cloud as the next major hacking platform as seen with the Sony Play Station Network hacks.
If a company is not doing their due diligence in relationship to securing their systems, then the company faces a high risk of litigation. The best part of the survey is that for those who are asking questions about information security that it is both a management issue and a programmer issue.
While information security and corporate audits were not questions in the original survey, the more people in the company asking questions about cloud security means we might just be able to have a safer cloud computing environment in the future. We just need to make sure that everyone who is using the cloud is responsible and starts taking cloud computing seriously enough that they are willing to make the investments in time, tools, and personnel to ensure a secure and robust cloud computing infrastructure.
(Cross-posted @ Managing Intellectual Property & IT Security)