When customers sign up for an infrastructure-as-a-service (IaaS) plan from one of the number of vendors in the market, usually a name and credit card is needed before data is stored in the provider’s cloud. But just what are public cloud providers doing with that information?
Security remains one of the chief concerns users have related to deploying the cloud, studies have suggested, and various providers seem to tout their security features for protecting data in the cloud. IBM, though, may take that even a step further by not just protecting data that’s in the cloud, but regulating which customers use their cloud services.
A blog post from Microsoft community website Redmond Channel Partner recently reported an interview with an IBM executive who was quoted saying, “An individual can’t simply sign up with a credit card” to use IBM services. Rich Lechner, vice president of cloud for IBM’s Global Technology Services unit, notes that IBM monitors the identity of each customer using its cloud service so that they know “who is in the building,” he says.
Are IaaS providers vetting data from individual customers before allowing it to be stored in their cloud? For most IaaS providers: Fat chance, says Alan Shimel, managing partner at the CISO Group, a consultancy.
“Do you really think they’re doing a customer-by-customer review of who you are and what data you’re putting up there on an ongoing basis?” Shimel asks. “Most likely not. The very nature of the elasticity of the cloud would make that nearly impossible, or at least cost-prohibitive.” Shimel notes that he’s not familiar with the security policies of each individual cloud provider, and those may change from vendor to vendor. But some of the large public cloud IaaS providers, he says, can’t possibly keep tabs on all their customers.
A spokesperson for IBM would not comment on the company’s policies beyond what Lechner was quoted as saying in the blog post. But, Shimel suggests that another potential reason for IBM’s wanting to know the identity of individual customers is because their clouds are aimed at enterprise users and the company may tailor services to meet their needs.
Other IaaS providers were more vague regarding their strategies. A spokesperson for Rackspace wrote in an e-mail that, “Maintaining customer trust and the security of customer data are top priorities for us.” She did not provide details of efforts the company takes to identify customers or if they vet data before it is stored in the company’s managed hosting or cloud environments though.
Amazon Web Services, seen by many as the market leader in the IaaS category, provided some additional details. “We do not inspect customer data,” wrote AWS spokesperson Kay Kinton in an e-mail. But, she went on to say that the company uses “sophisticated screening up front to protect against fraud and abuse before customers are allowed to consume our services and then to scale.” AWS requires customers to submit an e-mail address, phone number and credit card information before using its offerings, then it sends a PIN to customers granting access to the service.
But Shimel says customers shouldn’t necessarily demand that their IaaS provider knows exactly who all their customers are. The more important security concern he says, is protecting the data once it is in the provider’s cloud.
“If solid security measures are put in place, then providers can make sure that even if unwanted data is put in the cloud, there’s little harm that it can cause,” he says. One of the best ways to do that, he says, is to segregate customers’ data, which is something providers seem much more willing to discuss publicly.
AWS, for example, notes that each customer instance has its own firewall, which prevents intrusion from other instances in its cloud. It uses packet-level isolation of network traffic and supports industry-standard encryption, Kinton says. For extra security conscious customers, AWS offers a Virtual Private Cloud (VPC) offering, which gives customers dedicated IP address space if they wish. She added that Amazon has certifications such as ISO 27001, FISMA, SAS-70 and PCI.
Sean Jennings, senior vice president of solutions architecture for cloud and managed services provider VirtuStream, agrees that it’s unrealistic to think that providers would vet individual customer data. “I think they’re taking a credit card swipe and generally not doing a whole lot of screening,” he says. That could change depending on the provider though. For example, as community clouds – which are cloud environments geared toward specific vertical industries such as healthcare or finance – become increasingly popular, providers may work more closely with individual customers to be aware of what type of data is going into the cloud to better optimize the product for use by customers in that vertical industry.
Virtustream is a public cloud provider itself, and Jennings says segregation of data is a paramount concern for his firm and most other cloud providers. At Virtustream, each customer has a dedicated vLAN input to the data center. There are firewalls at the perimeter, and then again at the virtual switch layer too. These ensure that if for any reason any sort of malware did get into the data center, it can’t spread. Virtustream backs that up with monitoring of traffic in the data center and flagging suspicious behavior. Still, he says even in a dedicated private cloud environment, there may be some aspects of core networking equipment, such as core enterprise switches and routers that are shared across the data center and customers.
Overall, Jennings says rather than providers vetting customers and their data, it is incumbent on users to verify the security features of their IaaS provider before putting data up in the cloud.
