Accept no substitutes: Why the real cloud matters for your security enterprise
Steve Van Till
Like every new technology marching its way through the hype cycle, cloud computing has fallen prey to unscrupulous marketers. Their basic crime is to borrow the language, but not the substance, of technological innovation, and misapply it to their own products in a cynical bid to fool the public.
We’re now seeing this trend spread across the physical security industry, as it belatedly catches the cloud wave that the rest of the IT world has been surfing for about 10 years. In this article, I’ll try to explain the business differences between real cloud technology and the pretenders, and show why that matters to your wallet, your data and your risk management profile.
A model for cloud use in security
Just to establish a frame of reference for the rest of our discussion, the accompanying diagram shows an archetypal model of how cloud applications are used in physical security as a service.
In this model we define three domains of the solution:
Web -- which provides universal access to the functions of the service through a variety of secure, authenticated access techniques;
Cloud -- which is a physically hardened computing infrastructure that provides IP path redundancy, emergency power, geographically-dispersed disaster recovery and several layers of cyber defenses;
Facility -- in which local embedded devices, such as control panels, readers, cameras and other sensors, are deployed with software protocols that allow them to “phone home” to the Web applications that manage their data and provisioning.
The cloud defined
First, we should acknowledge that “Cloud computing” is a broad term that refers to many different deployment modes and business strategies. However, they are not all created equal. Some are turn-key, others roll-your-own. Some are highly secure, with audits to prove it, while others are easily exploited. Some are publicly accessible to everyone with a Web browser or mobile phone, while others are highly restricted to just one group of users, such as the government or military. For cloud-based physical security applications, all of these characteristics are important for both costs and risk management.
One of the most frequently cited reference models summarizing these different aspects of cloud computing is provided by the U.S. National Institute of Standards and Technology, and is captured in the following diagram:
The cloud and hosting: Not the same thing
One thing no one disagrees about is that “cloud” means “hosted” in the sense that the computing and data storage functions are hosted in a remote data center, rather than on the customer’s premises. This single fact is responsible for both the power and, ironically, much of the confusion about cloud computing. It accounts for the financial power of the cloud model by explaining at least some of its “economies of scale.” It accounts for much of the confusion because being hosted is a necessary, but not sufficient, condition for being a true cloud application.
We see the hosting concept treated as synonymous with cloud computing in the form of vendors placing legacy applications into a data center and christening them as cloud applications -- even though nothing about the application itself has changed. This strategy is simply playing “hide the server” and it does not bring any of the economic efficiencies of a true cloud application. Why not? Because one of the core requirements of cloud computing is software multi-tenancy, which is necessary for supporting the essential characteristics of cloud computing:
- On-demand self-service;
- Measured service;
- Broad network access;
- Resource pooling;
- Rapid elasticity.
Software multi-tenancy is defined in Wikipedia as “a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants).” This is important because it is the key to both the economic benefits and cyber security of cloud applications. It is the primary enabler of several of the essential cloud characteristics, including self-service, resource pooling and rapid elasticity.
It is also the core of the economic benefits of cloud computing because multi-tenancy allows the service provider to operate a single instance of the software application and spread the cost of running that single instance over the entire user population. For example, a cloud company that had 1,000 customers would use a single logical instance of the application, the database behind it and the storage system, and would be able to load-balance those 1,000 users across all the physical servers supporting the system. This deployment method results in extremely high efficiency for both computing resources and all of the IT support functions they require.
Contrast this with the “remote server” company that does not use multi-tenancy. They must run individual servers (or at least virtual machines) for each of their 1,000 customers. This means individual software licenses for each, individual databases for each, individual storage for each, individual patch management for each, and a small army of IT personnel to make it all happen. Not to mention the technical support headaches that come up when someone has to figure out which of those 1,000 instances needs attention for a customer complaint. As you can clearly see, this is a very low efficiency model.
Implications for cost