Nmedia - Fotolia
There are various parallels between the cloud and the data center, but teams managing cloud services should evolve their IT security model.
In its simplest form, the cloud is a remotely located server, or a cluster of servers, that provides a service. When a third-party provider "owns" the cloud, and processes users' data, it's considered public. When a cloud, or at least a portion of the cloud, is contained within a company's own data center, it's referred to as private. A mix of both models, with orchestration across the two, is considered hybrid cloud.
When administrators evolve their IT security model for cloud -- whether public or private -- they often need to secure various types of cloud service. For example, some enterprise networks may allow customers to store data via a cloud storage service. If this service is publicly available, such as OneDrive, Google Drive or iCloud, placing firewall and rule sets in front of the servers providing the service may not be the best idea, as performance may suffer. Consider placing a tightly configured firewall behind these servers, within the demilitarized zone, for added protection.
Another way an administrator may attempt to secure infrastructure within the data center is through identity management. Many times, identity management is best achieved via federated single sign-on, which is a platform that allows users to have one set of credentials to access a range of systems. For example, VMware's Identity Manager allows administrators to provision access to different applications for different users via their Active Directory infrastructure and to add end-user mobile devices to the domain to allow trust between devices. When someone joins an organization, the administrator can add her mobile device to the domain via Identity Manager, and if that person later leaves the organization, the administrator can delete that mobile device from the domain.
In the cloud, an IT security model for identity management also changes. The system administrator in charge of identity management is often granting access to cloud resources that are not maintained locally. While using Salesforce, for example, the administrator and user access the same cloud-based resources, but the administrator is granted escalated privileges that allow him to grant or revoke privileges to others. Still, if some portion of Salesforce goes down, the system administrator can do little about it. Conversely, in a traditional data center environment, the system administrator not only grants and revokes access to end users, but is tasked with troubleshooting any problems that may occur with services on infrastructure located on premises.
In a traditional data center environment that hosts a cluster of email servers, the host machine often runs antivirus software behind some type of network firewall device. In recent years, many companies have seated their email infrastructure behind a network firewall device capable of deep packet inspection.
One method for securing email is a cloud-based email inspection, such as TrendMicro's Hosted Email Security and Antispam Protection. In this model, an organization still maintains owned email servers, but it would also register the email domain with TrendMicro. Any email that comes from an IP address outside of the organization's network will be sent to TrendMicro's antivirus servers, where it is first inspected against the latest malware signatures. If the email is deemed safe, it is then sent to the intended email recipient.
Test your ability to avoid cloud security risks
Storing data in the cloud can be risky, but there are methods to minimize risks. Take our quiz to measure your cloud security expertise.
Virtual desktop infrastructure
If a company owns the data center that provides cloud services and it is inaccessible to the public, only authorized personnel can access the data within that data center. For example, a company may maintain its entire corporate network within a data center, and offer virtual desktop infrastructure (VDI) as a service. In this scenario, users do not access their respective desktops from the machine at their desk. Instead, they access a virtual desktop hosted on a server within a data center. From a security standpoint, this may prove advantageous for a variety of reasons. For example, administrators can allocate different desktop loads to various employees or departments; one desktop load may be suitable for finance and accounting, whereas another type of desktop may be suitable for marketing and sales. However, a scenario involving this amount of granularity may prove strenuous on server capacity.
In the case of VDI within the data center, administrators manage virtual environments, as well as bare-metal servers that host the virtual desktops. From this perspective, data center administrators approach security in terms of the physical machine as opposed to the virtualized environment. Therefore, many of the traditional security mechanisms, such as network firewalls, are items to consider. Administrators may have specific segregated physical servers allocated to hold different desktop loads. To protect sensitive data on certain loads, the team may implement network firewalls between different VDI deployments.
Many of the actions taken within data centers create ripple effects with private or public cloud applications and services. Decide which public or private cloud services to support from within your data center, and make sure your infrastructure and IT security model -- including permissions -- are set up for each service appropriately.
Strict procedures and tools bolster private cloud security
Best ways to employ cloud-based security services
Maximize benefits with private cloud automation