Cloud computing is built on virtualization, a technology concept that allows multiple virtual machines to run on a single server. Although this means data centers can squeeze much more computing power out of each server, it also brings a set of additional security risks. Without insight into the other environments using the same server resources as your virtual machines, how can you protect your own data from malicious attacks on other tenants?
For some small businesses, the security risk associated with multitenant cloud is outweighed by the security gains of having the provider’s skilled information security specialists working on their environment, whereas they may have lacked a dedicated security staff in the past. However, other risks increase as virtual network tools and hypervisors present additional attack surfaces.
The more VMs in an environment, the greater the risk of malicious activity making it through one avenue or another. If that’s your neighboring IaaS tenant, your data could be compromised. Beyond possible attack routes, fellow cloud users can impact your own performance. Although your cloud provider should take measures to keep your environment running at top speed despite resource use by other tenants, you can also avoid this problem of “noisy neighbors” by overprovisioning, using standby resources you have reserved, or reprovisioning VMs to try and find a host with more available resources.
If you’re in a compliance-mandated industry like healthcare or finance, virtual machine segmentation and isolation might be required. Even without compliance standards, isolation is a best practice for multitenant virtual environments. Because hypervisor attacks are generally based on the processor, firewalls and intrusion protection might not catch them. Your cloud provider should be able to help you audit and harden your environment.
Isolating tenants through virtual and physical networking helps stop hackers or bots from intercepting neighboring network traffic. Guest operating systems must not be able to communicate with each other (unless they are supposed to). Virtual LANs can help secure multitenant clouds by separating at the data link layer of the OSI model. The provider’s management LAN must also be separated with both physical hardware and a virtual switch.
These isolation measures are likely outside of your control as the renter of cloud resources, so you should examine your SLA and question the provider about their segmentation methods. Steps you can take inside your virtualized environment include logging, monitoring, and encryption.
Work with your cloud vendor to check that monitoring tools are in place and keep an eye on operating system, application, and hardware logs in order to catch suspicious activity. Monitoring at the operating system or virtual machine level is easy, while advanced Intrusion Detection Systems and Virtual Machine Introspection can gather more involved metrics.
Because your neighboring cloud customers are outside your control, it becomes “all about the data”—your data, that is. Encrypt wherever possible, in transit and at rest. SSL and TLS can be used on data in motion, while at rest encryption will protect data in the case of a breach. However, encryption can impact processing speed and prevents searching and indexing. Managing your encryption keys is paramount to security. Keep access to your critical security team only, and do not share with your provider or any nonessential staff.
The three primary categories of information security should still be observed in a virtual environment, starting with premises and physical security. Your cloud provider can describe their cloud security measures in more detail. Make sure they are covered in your SLA or contract. With 40% of security controls projected to be virtualized by next year, there are many virtual antimalware and IDS/IPS systems that you can use to keep an eye on your environment.
It might be frightening to think that your critical data is hosted on shared infrastructure without knowing that fellow renters are taking these security measures, too. If you have them in place, you can at least catch malicious activity and prevent data breaches even with a lax neighbor.