5 security questions you should ask your cloud services provider
By Russell Skingsley, Juniper Networks 16-Mar-2012
If you're in the market for a cloud services provider, you should have several security questions at the ready. Consider it a shopping list of must-haves to run through with any provider, and the best way to ensure you're getting the most secure and trusted IaaS offering possible.
1. Can you ensure isolation of my virtual machines (VMs) from those of your other customers?
In a multi-tenant environment, any secure offering must include proper isolation of customers' VMs. Without VM isolation, you can't be assured that infections or malware won't spread from another customer's VM to your organization's VM, or that your sensitive and valuable information will remain protected from unauthorized access.
That's why your IaaS provider must offer both highly granular firewall-based isolation for each VM or group of VMs via virtual firewall technology and an automated security-enforcement process. This way, newly created VMs within a group inherit the security policy applied to the resources of that group, ensuring that virtualization security and firewall protection are applied and enforced consistently and that your business remains decisively your business (and vice versa).
2. Are you able to deliver PCI-compliant operation of my VMs?
Any business that processes credit card information needs to comply with regulatory mandates such as PCI. To remain compliant in a virtualized environment, you will need the ability to restrict VMs to a single function, and this can only be done with virtual firewall technology that can granularly restrict a VM to accepting and forwarding only certain types of traffic (that is, by application, port and protocol).
Therefore, you should ask your IaaS provider if they incorporate a virtualization security solution that offers granular visibility, segregation, and access control of VM use for PCI compliance. To boot, your provider should also offer the means to fulfill compliance reporting requirements in an automated manner.
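As an added illustration (not from the original article or any vendor's product), the checks behind questions 1 and 2 can be run by a customer against an exported policy: every VM carries its group's policy, no rule admits another tenant, and each VM exposes a single service. The export format, tenant names and the reading of "single function" as one protocol/port pair are assumptions made for this sketch.

```python
# Audit of a constructed per-group virtual firewall export. All field names,
# tenants and rules are hypothetical sample data, not a vendor format.

# Group policy: each rule is (source_tenant, protocol, port) members accept.
GROUP_POLICY = {
    "acme-web": {"tenant": "acme", "allow": [("any", "tcp", 443)]},
    "acme-db": {"tenant": "acme", "allow": [("acme", "tcp", 5432)]},
    "acme-legacy": {"tenant": "acme",
                    "allow": [("acme", "tcp", 443), ("globex", "tcp", 5432)]},
}

# VM inventory: "rules" is what is enforced on the VM; None means the VM
# was created without any policy attached.
VMS = [
    {"name": "web-01", "group": "acme-web", "rules": [("any", "tcp", 443)]},
    {"name": "web-02", "group": "acme-web", "rules": None},
    {"name": "db-01", "group": "acme-db", "rules": [("acme", "tcp", 5432)]},
    {"name": "old-01", "group": "acme-legacy",
     "rules": [("acme", "tcp", 443), ("globex", "tcp", 5432)]},
]

PUBLIC_SOURCES = {"any"}  # assumption: "any" marks a deliberate public service


def audit(vms, policy):
    """Return a sorted list of (vm_name, finding) tuples."""
    findings = []
    for vm in vms:
        group = policy[vm["group"]]
        rules = vm["rules"]
        # Question 1: a VM must carry exactly the policy of its group.
        if rules is None or set(rules) != set(group["allow"]):
            findings.append((vm["name"], "policy-not-inherited"))
            continue
        # Question 1: only the owning tenant or a public listener may connect.
        for src, _proto, _port in rules:
            if src not in PUBLIC_SOURCES and src != group["tenant"]:
                findings.append((vm["name"], f"cross-tenant-source:{src}"))
        # Question 2: single function, read here as one service per VM.
        services = {(proto, port) for _src, proto, port in rules}
        if len(services) > 1:
            findings.append((vm["name"], "multiple-functions"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(VMS, GROUP_POLICY):
        print(f"{name}: {finding}")
```

A finding against a VM whose rules match its group, as with old-01 here, points at the group policy itself rather than at the inheritance mechanism.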
3. As the customer, do you allow me to manage the security of my own VMs?
Self-service options are always a plus. Ask if your IaaS provider can offer you visibility and manageability over your own security. While the cloud service provider may offer you properly configured and secured VMs, you may want to ask if you can manage parts of the security policy governing access on your own. This way you can adjust VM access to quickly meet time-sensitive business objectives.
An ideal model is one where the security experts of the cloud service provider deliver a properly configured VM that they secure and isolate, but you are offered the option to make adjustments to your policy in concert with their security administrators.
4. How do you ensure maximum availability of my VMs?
No business can afford downtime. That's why your cloud services provider should be able to offer SLAs of three- to four-nines (99.9% and 99.99%) availability per individual VM workload that is inclusive of fault-tolerant, continually enforced security. In other words, you want maximum availability and security for your VMs -- as opposed to one delivered at the cost of the other.
To be sure that the IaaS provider has the latest and best technology, you'll want to ask if the virtualization security solution it incorporates is fault-tolerant. What happens to business flow and security enforcement if the firewall module that enforces security policy fails? What happens if that same module loses communication with its management system? The answer to both should be -- business as usual. Traffic and security continue, with a hot-standby mechanism providing the required protections.