Chalk Talk - Security in a World of Many Clouds


by Chris Jackson

Face it, cloud is hot. So hot, in fact, that practically every tech company on the planet has jumped on the bandwagon with brash pontification and feverish zeal about how their solutions leverage this mystical cloud thingy. If you ask five people what cloud means to them, you would probably get six different answers. Marketing folks are having a field day slapping the cloud name on anything and everything. With all of this cloud stuff fogging up the technology landscape, how is someone responsible for security supposed to protect intellectual property and keep evil hackers from backstroking through our sensitive data? The answer lies in understanding the ways in which your organization will use cloud, and what architectural requirements are necessary to limit your exposure to the new set of risks that its adoption brings.

On December 6th 2011 Cisco announced CloudVerse, which paints a vision of the future of IT as a "world of many clouds" that organizations will stitch together into a cohesive services catalog that saves money, makes the business more agile, and offers more productivity-enhancing technologies at the same time. The IT services catalog will consist of private applications and technologies that the business owns and manages, but will also include various cloud applications like Cisco TelePresence and Hosted Collaboration Solution. The goal of the CloudVerse concept is to simplify the complexity of offering these technologies without adding the burden of supporting and managing the underlying "stuff that makes it happen" to an already overworked IT staff.

To this end, CloudVerse is broken into three main categories: Cloud Applications, Unified Datacenter, and the Cloud Intelligent Network. Cloud Applications represents the services that IT will be offering to the business, like TelePresence, HCS, or storage. The Unified Datacenter consists of the datacenter stack as a whole, with all of the underlying technologies like FlexPod and Vblock managed and orchestrated through a unified management platform. Last but not least is the Cloud Intelligent Network, which enables the interconnection of cloud services in a secure manner by automating the deployment and provisioning of network resources. Security functions are baked into each of these categories, with the deployment model dictating how much control and responsibility you have over the operational aspects of security for the service you are utilizing.


The cloud computing paradigm focuses on the service itself as opposed to the mechanics of the technology. It generally includes technology automation and pooling of resources, and is often metered in a manner similar to how you are charged for electricity at home. You don't care how the power is generated and transmitted, but you do expect that it will be there when you need it. Cisco's CloudVerse focuses on three main types of clouds: Private, Public, and Hybrid.

Private: This is a cloud you own and control. Many businesses have started their cloud journey here. It's way more than just running virtualization software on your servers and having a big data center. The private cloud ultimately represents a shift in how IT delivers its services back to the business: it fully leverages automation and orchestration to abstract away the bits, bytes, and flashing lights, enabling the provisioning of new services through web portals and simple tools that enforce business logic and policy. The key aspect of the private cloud from a security perspective is that your data stays internal to the organization and you control security policy and governance.

Public: This is a cloud that you contract with a third party for. These services are often priced on user counts and usage, like hosted email or Cisco WebEx. With a public cloud, your data is stored alongside other customers' data by the provider, in their data centers and on their equipment. The only controls you have are those that are outlined in the Service Level Agreement and what is put in place by your cloud service provider. The biggest problem from a security standpoint is one of transparency into the security operations of the provider: you must rely on someone else to do their job in order to protect your data. This is one of the main reasons why cloud providers seek SAS 70 certification. In doing so they provide a level of assurance to their customers that they have the appropriate controls in place. While this is no guarantee against bad things happening, it should be something you look for in a potential provider.

Hybrid: The hybrid cloud is one that enables the private and public clouds to operate together, sharing data and allowing an organization to expand resources on demand to handle peak usage cycles without having to build out excess capacity locally. The economics of a hybrid cloud can be very attractive to the business. Hybrid clouds require more coordination between "your stuff" and "their stuff", but afford a greater degree of visibility and control over the exchange of data between the business and the provider. As with public clouds, Service Level Agreements are key to outlining expectations and responsibilities for the protection of business assets.

Security in CloudVerse has a few key architectural requirements that should be addressed regardless of the cloud model your organization decides to utilize. They are as follows:

Logical Separation

One of the most essential aspects of security is the concept of building walls around data to protect it from unauthorized access. Segmentation separates the protected from the unprotected and can occur in both physical hardware and virtual software. The challenge comes with the coordination and interaction between the two worlds as your data moves back and forth. In the virtual world, separation of protected assets occurs in logical zones, which are accomplished with technologies like Cisco's Virtual Security Gateway and ASA 1000V, while physical separation can occur with traditional firewall technology like the ASA 5585-X. The multi-tenancy aspect of cloud requires that strong controls are in place to ensure that Customer A and Customer B cannot interact with each other's data, which can be enforced through network zoning and access control. Keeping it all separated is a crucial part of protecting cloud services.


Automation and Orchestration

A defining characteristic of any cloud service is the automation and orchestration of virtual and physical resources. The CloudVerse announcement brings to light a number of Cisco acquisitions over the last year designed to address this very subject. Cisco Intelligent Automation for Cloud (CIAC) provides a services catalog portal for requesting services, and orchestration software that turns those requests into the scripts and API calls that make all of the magic happen in the background. CIAC is an extremely flexible solution that is infinitely extendable through automation packs, which are preconfigured for common tasks like spinning up new virtual servers, provisioning storage, configuring the network, and interacting with billing systems. Given the right amount of motivation, you could configure CIAC to order pizza through the web, which would be a gross misuse of advanced technology but could score you some serious geek street cred.

Policy Consistency

A security policy is written by taking the goals of the business and applying a healthy dose of risk management to come up with policies and procedures that accomplish what the business wants to do, without landing the CEO on the front page of the Wall Street Journal as the next big security fail. In the cloud, policy enforcement can actually be easier through the use of automation technologies like Cisco Intelligent Automation for Cloud. Security can be built into the service provisioning process, where it is applied automatically and consistently across the company. Here again is where having a discussion with your provider is so crucial, to make sure that your policies and their policies are compatible with your level of risk.
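As an added example (not Cisco's code and not CIAC's API), the following Python models the two points made above under Logical Separation and Policy Consistency: a zone-based policy in which any flow no rule mentions is denied, an audit that reports allow rules joining one tenant's zones to another tenant's, and a provisioning step that attaches the baseline rules at the moment a tenant's zones are created, so the same policy lands on every tenant instead of being hand-added afterwards. The zone and tenant names, the `shared-dns` zone and the `provision_tenant` step are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHARED = "shared-services"   # pseudo-tenant owning zones every tenant may reach


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass
class Policy:
    zones: Dict[str, str] = field(default_factory=dict)  # zone name -> owning tenant
    rules: List[Rule] = field(default_factory=list)      # ordered, first match wins

    def evaluate(self, src_zone: str, dst_zone: str, dst_port: int) -> str:
        """Decide one flow. A flow no rule mentions is denied: default deny is
        what keeps Customer A and Customer B apart when someone forgets a rule."""
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.dst_port in (None, dst_port)):
                return r.action
        return "deny"

    def cross_tenant_permits(self) -> List[Rule]:
        """Audit: allow rules that would let one tenant's zone reach another
        tenant's zone. Flows into shared services are legitimate and skipped;
        rules naming an unknown zone are reported too, since nobody can say
        which tenant they expose."""
        findings = []
        for r in self.rules:
            if r.action != "allow":
                continue
            src_t, dst_t = self.zones.get(r.src_zone), self.zones.get(r.dst_zone)
            if src_t is None or dst_t is None or (src_t != dst_t and dst_t != SHARED):
                findings.append(r)
        return findings


def provision_tenant(policy: Policy, tenant: str) -> List[str]:
    """Hypothetical provisioning step: create the tenant's three tiers and attach
    the baseline rules in the same operation, so policy is applied identically
    for every tenant rather than configured by hand later."""
    tiers = [f"{tenant}-web", f"{tenant}-app", f"{tenant}-db"]
    for z in tiers:
        policy.zones[z] = tenant
    for a, b in zip(tiers, tiers[1:]):           # web -> app -> db, nothing skips a tier
        policy.rules.append(Rule(a, b, "allow"))
    for z in tiers:                               # every tier may resolve names
        policy.rules.append(Rule(z, "shared-dns", "allow", 53))
    return tiers


def build_demo() -> Policy:
    """Two tenants provisioned from the same template (constructed data)."""
    policy = Policy(zones={"shared-dns": SHARED})
    provision_tenant(policy, "acme")
    provision_tenant(policy, "globex")
    return policy


if __name__ == "__main__":
    p = build_demo()
    print(p.evaluate("acme-web", "acme-app", 8080))    # allow
    print(p.evaluate("acme-app", "globex-db", 3306))   # deny: no rule, so default deny
    p.rules.append(Rule("acme-app", "globex-db", "allow", 3306))  # a hand-added mistake
    print(p.cross_tenant_permits())                    # the audit reports that rule
```

Run stand-alone, it provisions two tenants from one template, shows an intra-tenant flow allowed and a cross-tenant flow denied by default, then adds a hand-written allow rule between the two tenants and shows the audit catching it. Because the zoning is data rather than box-by-box configuration, "can tenant A reach tenant B" becomes a query you can run after every change instead of a manual review.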

Authentication and Access Control

Many companies have standardized on Active Directory for access control, but if your services are being consumed from the cloud then you may have to deal with the fact that your users are going to have to log in with separate credentials to someone else's servers. This can dramatically increase the level of support and coordination required just to reset someone's password. Luckily, cloud providers have been able to address these problems by allowing for federated access control through technologies like SAML and WS-Federation. These are two of the most popular techniques used to allow authentication and access control to pass between two clouds. Cisco supports SAML natively in the IronPort Web Security Appliance for a number of web-based cloud services, but if a more complete single sign-on and cloud federated identity solution is needed, then you should look to companies like Ping Identity to address your needs.
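The checks a service provider performs on a federated assertion, as an added example rather than code from Cisco, Ping Identity or any SAML library: the identity provider issues a SAML-shaped assertion (Issuer, Subject, NotBefore/NotOnOrAfter, AudienceRestriction) and the relying party verifies origin, issuer, validity window, audience and one-time use before it accepts the NameID as a logged-in user. The signature here is an HMAC with a shared key standing in for XML-DSig, and the issuer URLs, keys and user names are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(t: datetime) -> str:
    return t.strftime(TS)


def _parse(s: str) -> datetime:
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def issue_assertion(key, issuer, audience, name_id, assertion_id, now, lifetime=300):
    """Identity-provider side: a SAML-shaped assertion plus an HMAC 'signature'.
    Constructed for this example; a real IdP signs with XML-DSig and a certificate."""
    nb, na = _fmt(now), _fmt(now + timedelta(seconds=lifetime))
    xml = (
        f'<Assertion xmlns="{NS}" ID="{assertion_id}" IssueInstant="{nb}">'
        f"<Issuer>{issuer}</Issuer>"
        f"<Subject><NameID>{name_id}</NameID></Subject>"
        f'<Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        f"<AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction>"
        f"</Conditions></Assertion>"
    ).encode()
    return xml, hmac.new(key, xml, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Relying-party side: the cloud application that accepts federated logins."""

    def __init__(self, entity_id, idp_issuer, idp_key):
        self.entity_id = entity_id      # our own audience identifier
        self.idp_issuer = idp_issuer    # the one IdP we federate with
        self.idp_key = idp_key          # its key, obtained out of band (metadata exchange)
        self.seen_ids = set()           # assertion IDs already consumed

    def validate(self, xml: bytes, sig: str, now: datetime):
        # 1. Origin and integrity first: nothing inside is trusted until this passes.
        expected = hmac.new(self.idp_key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        root = ET.fromstring(xml)
        # 2. The document must also claim to come from the IdP we configured.
        if root.findtext(f"{{{NS}}}Issuer") != self.idp_issuer:
            return False, "issuer mismatch"
        # 3. Validity window: NotBefore inclusive, NotOnOrAfter exclusive.
        cond = root.find(f"{{{NS}}}Conditions")
        if cond is None:
            return False, "missing conditions"
        if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
            return False, "outside validity window"
        # 4. Audience: an assertion minted for another cloud service must not log in here.
        if self.entity_id not in [a.text for a in cond.iter(f"{{{NS}}}Audience")]:
            return False, "not addressed to this service provider"
        # 5. One-time use: the same assertion presented twice is a replay.
        aid = root.get("ID")
        if aid in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(aid)
        return True, root.findtext(f"{{{NS}}}Subject/{{{NS}}}NameID")


if __name__ == "__main__":
    key = b"constructed-idp-key"
    now = datetime(2011, 12, 14, 12, 0, 0, tzinfo=timezone.utc)
    sp = ServiceProvider("https://sp.example.test", "https://idp.example.test", key)
    xml, sig = issue_assertion(key, "https://idp.example.test",
                               "https://sp.example.test", "alice", "_a1", now)
    print(sp.validate(xml, sig, now))                          # (True, 'alice')
    print(sp.validate(xml, sig, now))                          # (False, 'replayed assertion')
    print(sp.validate(xml, sig, now + timedelta(minutes=10)))  # (False, 'outside validity window')
```

Every rejection path exists because federation moves the password check to someone else's server: the service provider's own acceptance logic is the one control it still operates, so it has to verify the signature before reading anything else, and the audience and replay checks are what stop an assertion minted for one cloud service from being presented to another.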

So there you have it: Cisco is serious about the cloud and has shown a strong vision of how cloud will be consumed and adapted to various business needs. It's a world of many clouds connected through technology that embraces a flexible and efficient model where you pay for what you use, when you use it. Security in the cloud requires more coordination about who is responsible for what, but all of the fundamental security controls that you are accustomed to still apply.

Check out Chris's book, Network Security Auditing, on Cisco Press.
