
Monthly Archives: September 2010

What The World’s Biggest Bank Heist Tells Us About Cloud Security

During the launch of VMware's vCloud Datacenter Services, I was asked whether there are applications or datasets that could never be moved to public or hybrid clouds because of security concerns. It's a legitimate question, given the uncertainty about what security, exactly, many public clouds provide. My answer is an emphatic "No". The question rests on an implicit assumption that the physical walls of an organization offer superior security, and that assumption doesn't hold.

A sophisticated attempt to steal $440m from Sumitomo Mitsui bank's London offices in 2005 showed that what is within the four walls of one's own building is just as vulnerable to attack as what lies outside them. The criminal case was tried in 2009, convicting everyone involved and providing the following details.

Bribed security staff disabled security cameras and let in hired hackers under the cover of an after-hours poker game. The hackers installed key logging and "screen scraping" software onto Sumitomo's inter-bank transfer systems. Armed with credentials collected from these systems, the would-be thieves returned a month later disguised as office cleaners and attempted to transfer 229 million Pounds Sterling (approximately $440m at the time) to accounts in Dubai, Spain, Hong Kong and Singapore.

The key takeaway is this: security is about transparent risk management, whether it is implemented inside the walls of your building or someone else's. Yet security teams are often correct that their own datacenters are more secure than some of the best-known public clouds, because internal security controls are fully transparent — all physical and logical controls are known and can be audited.

Many public cloud providers take the opposite approach, a "security by obscurity" that is the reverse of transparent security. It's characterized by refusing "for security reasons" to provide details on the actual security controls implemented in the public cloud datacenter and infrastructure, and by refusing to provide logs and documentation for security audits. You don't need to be a security professional to see that "just trust us" is a triumph of hope over experience.

True cloud security requires service providers who offer transparent security operations, where you know what security controls are in place and can audit the logs and records those controls produce. This is one of the key capabilities of all vCloud Datacenter Services offered by VMware's service provider partners. We also made sure VMware security technologies like vShield Edge provide logs for audits. While this sounds like a simple thing, firewall logs simply aren't offered by many public cloud providers.

Fortunately for the bank’s customers, the hackers knew more about programming than they did about inter-bank transfers and tidiness: they were unable to complete the transfer screens correctly, and the transactions failed. Returning bank staff found unplugged cables on their computers, leading them to conduct checks which uncovered the bogus transfer attempts. Fundamentally, this story illustrates that transparent, audited security controls – whether internal or external – are key.


Virtual Data Centers — The Goldilocks of Enterprise Cloud Computing

It’s no surprise that just about every customer likes the on-demand, rapid scale nature of cloud computing.

More interestingly, we also heard from enterprises with public cloud experience that this was a double-edged sword. Dynamic and on-demand can also mean unpredictable and hard to control. As one customer explained to me, “We have no idea what the credit card bill is going to be at the end of the month, and we have a finite budget”. In other words, dynamic is great if your budget is dynamic too – which isn’t the nature of budgets and finance folk. And this was for one application. Just imagine a situation where an IT department is providing raw compute to many different business units, and wants to delegate administration to them but also stick to a budget.

Fundamentally, the tension between on-demand infrastructure and predictable costs isn't going to go away anytime soon. But I do believe that the concept of virtual data centers can provide a "Goldilocks" middle ground. Within vCloud Datacenter Services from VMware's partners, enterprises can subscribe to committed VDCs of a given size. The cost of that VDC is fixed and predictable, tied to the amount of resources committed to it. This puts a hard boundary on costs, and your service provider can tell you exactly what that boundary will be, so you get predictable spending against your budget.

Within that VDC, you and your user population can run, start and stop as many VMs as you like – truly dynamic self-service. End-users can never run up a massive bill through over-consumption, because they can never consume more resources than the VDC provides (and vCloud Director offers automated policy controls to clean up forgotten VMs). If it turns out you need a bigger or smaller VDC, you open a ticket with your service provider to make that change. So you haven’t had to give up on-demand compute infrastructure, either.

Perhaps not surprisingly, when “cloudy” types gather over drinks this is a source of vigorous debate. Can opening a ticket really be on-demand? Frankly, I don’t think there will ever be agreement on that, but it does provide a useful middle ground: on-demand self-service for VMs within the boundaries of a virtual data center, which can itself be scaled up or down quicker than you can fill out a PO for a new server. It’s something a geek Goldilocks would love—and understand.

Getting rid of noisy neighbors: Enterprise class cloud performance and predictability

If you’ve ever lived in a multitenant building like a condo or apartment complex (or flats, as they’re called where I grew up in England), then you know all about the problem of noisy neighbors. One reason many enterprises are leery of public clouds is the same issue: in some multitenant infrastructures, the bad behavior of other tenants can affect the performance of your systems. In fact, it’s more insidious than that: when you’re buying a virtual server instance in an infrastructure cloud, you may not actually get what you pay for due to other tenants stealing physical server resources.

This typically happens because the hypervisor presents each VM with what looks like exclusive access to the physical server, while the service places few limits on how much of the shared resources a VM may actually consume. So a VM generating a lot of network traffic gets as much as it can use, at the expense of other VMs from other tenants of the service. The same goes for other types of I/O, especially storage. If you are unlucky enough to have your VM land on the same physical server as one of these noisy neighbor VMs from another tenant, then you won't get the virtual machine instance you paid for.

If this weren’t bad enough, another consequence is complete lack of predictability – you have no idea what the performance of a given VM will be, since that depends on the other tenants of the service. Some of my cloudy colleagues spent time with IT teams who were running tests to guess the physical server size of their cloud service provider, so they could buy virtual server instances of the same size – guaranteeing that they wouldn’t have any noisy neighbors. It’s a bit like renting an entire building in the apartment complex to make sure you can get a good night’s sleep.

Ensuring that the resource consumption of one VM doesn't affect others that happen to be located on the same physical server is a key function of vSphere, which lets each VM's CPU, memory and I/O allocation be reserved, limited and weighted. Any service built on vSphere can deliver this, and in vCloud Datacenter we took it a step further by defining two virtual data center (VDC) classes that offer guaranteed server resources for your VMs. The Committed VDC allows you to subscribe to a set of compute, memory and storage resources that are guaranteed to be available for your virtual machines, even though the underlying hardware is shared with other tenants.
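To make the mechanism concrete, here is an added example (mine, not VMware's code and not the vSphere scheduler itself) that models the reservation/limit/shares scheme vSphere uses for a contended resource: every VM gets at least its reservation, never more than its limit, and whatever is left over is split in proportion to shares. The host capacity, the VM demands and the tenant names are constructed numbers, and the committed VDC of the previous post is simplified to a per-VM reservation rather than a resource-pool-level one.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    demand: int           # what the VM would consume if nothing held it back
    reservation: int = 0  # guaranteed minimum, honoured whenever the VM demands it
    limit: int = 0        # hard ceiling; 0 means "only the host itself is the limit"
    shares: int = 1       # relative weight when dividing whatever is left over


class AdmissionError(ValueError):
    """The host could not back every reservation it would be taking on."""


def admits(capacity: int, vms: List[VM]) -> bool:
    # Admission control: a reservation is only a guarantee if the host can
    # always honour all of them at once, so their sum must fit the host.
    return sum(vm.reservation for vm in vms) <= capacity


def allocate(capacity: int, vms: List[VM]) -> Dict[str, Fraction]:
    """Divide `capacity` among `vms` using reservation, limit and shares.

    Returns each VM's allocation as exact fractions, so the sums check out.
    """
    if not admits(capacity, vms):
        raise AdmissionError("reservations exceed host capacity")
    if any(vm.shares <= 0 for vm in vms):
        raise ValueError("shares must be positive")

    # A VM never receives more than it demands, nor more than its limit.
    cap = {vm.name: Fraction(min(vm.demand, vm.limit) if vm.limit else vm.demand)
           for vm in vms}
    # Start every VM at its reservation (or at its demand, if that is smaller).
    alloc = {vm.name: Fraction(min(vm.demand, vm.reservation)) for vm in vms}
    shares = {vm.name: vm.shares for vm in vms}
    remaining = Fraction(capacity) - sum(alloc.values())

    # Water-filling: raise all still-unsatisfied VMs in proportion to shares
    # until one of them hits its cap or the host runs out, then repeat.
    active = [n for n in alloc if alloc[n] < cap[n]]
    while remaining > 0 and active:
        total_shares = sum(shares[n] for n in active)
        step = min((cap[n] - alloc[n]) / shares[n] for n in active)
        step = min(step, remaining / total_shares)
        for n in active:
            alloc[n] += shares[n] * step
        remaining -= total_shares * step
        active = [n for n in active if alloc[n] < cap[n]]
    return alloc


HOST = 1000  # constructed: 1000 Mbps of NIC bandwidth on one shared host


def noisy_neighbors(reserve_mine: bool = False, cap_theirs: int = 0) -> Dict[str, Fraction]:
    """Your 400 Mbps VM beside three 900 Mbps VMs from another tenant (constructed)."""
    mine = VM("app", "you", demand=400, reservation=400 if reserve_mine else 0)
    theirs = [VM(f"noisy{i}", "other", demand=900, limit=cap_theirs) for i in range(3)]
    return allocate(HOST, [mine] + theirs)


if __name__ == "__main__":
    for label, kwargs in [("no controls", {}),
                          ("reservation on mine", {"reserve_mine": True}),
                          ("limit on theirs", {"cap_theirs": 100})]:
        result = noisy_neighbors(**kwargs)
        idle = HOST - sum(result.values())
        print(f"{label:>20}: " + ", ".join(f"{n}={float(v):.0f}" for n, v in result.items())
              + f" (idle {float(idle):.0f})")
```

With no controls, the 400 Mbps VM is squeezed to 250 Mbps because the other tenant simply runs more VMs than you do and every VM gets an equal cut. With a 400 Mbps reservation it gets the full 400 and the neighbours share the remaining 600. Capping the neighbours at 100 Mbps each also protects it, but leaves 300 Mbps idle, which is why a reservation on your own VMs, not a limit on someone else's, is the guarantee a committed VDC sells you.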

The service also offers the Dedicated VDC, which provides physically separate hardware, ideal for meeting security or regulatory requirements where sharing physical hardware isn't an option. This is also sometimes known as a virtual private cloud. What sets it apart from a standalone private cloud is the ease of mobility between VDCs within the service: you can quickly move VMs between VDCs as requirements change. One less thing to lose sleep over, and you don't need to buy out the building to do it.