KB: Can you please provide us with a brief overview of your company?
MO: Sure. Vordel is a vendor in the area of cloud and SOA. What we do is we provide products, the Vordel Gateway and the Vordel Cloud Service Broker, which help our customers deploy cloud and SOA. What we do is we provide the performance, security, and interoperability for customers who are using cloud and SOA and want to take advantage of them in their businesses.
KB: Today's topic is Cloud Security and the Ongoing Problems with API Keys and How Vordel Can Help. So Mark, what security issues do IT managers face regarding cloud computing?
MO: There are a number of security issues which IT managers must face if they want to take advantage of cloud computing. One issue is around audit trails. Many of the cloud providers, such as Google, will provide a refund if you can prove that there is an issue with their service. In order to do that, you need an audit trail of your own, so it's not just a case of your word against the cloud provider's word. So an independent audit trail, ideally digitally signed, is important for this, as one of the security considerations around making use of the cloud.
Another issue is around the fact that API keys are used to manage access to the cloud. What an API key is, for listeners who aren't aware of the term, is simply a string of data that's used to identify the customer to the cloud provider. So, for example, keys are used to access accounts and services with Amazon Web Services, with Google, Google Apps, Force.com, and others. These keys are often ultimately linked to credit cards and to the accounts of the users, so the keys must be protected.
What we're seeing is a certain amount of carelessness in terms of managing these keys and not yet a realization on the part of CISOs and other IT managers that these keys must be protected. So here at Vordel, we recommend the use of brokers such as our own Vordel Cloud Service Broker to manage these keys and put the same amount of control on the keys as you would with credit card numbers that are being sent on the wire or private keys that are being used for SSL or for authentication.
KB: What can enterprises do to protect the API keys?
MO: So the API keys that I just mentioned, these can be protected, for example, with hardware, with hardware security modules, where the keys themselves are protected within hardware, so the only way that an attacker could get them would be by physically getting ahold of the device itself. This is proven technology that has existed before for protecting SSL keys.
Another approach is to encrypt the keys and to make sure they cannot be decrypted without knowledge of a pass phrase, and then to protect access to that pass phrase. We also recommend that if an organization is making use of a cloud service provider such as Amazon Web Services, for things like storage-as-a-service, the keys that are used are not sitting on the hard drives of the application that's connecting to Amazon but instead are being managed by a piece of infrastructure such as a broker, so that the developer who is making use of the cloud services doesn't need to be the same person who is managing the keys. So the developer isn't keeping the keys on their hard drive, or on the hard drive of the application server. Instead, it's the IT infrastructure manager who's managing the keys as part of a broker.
KB: Are there any standards for cloud computing?
MO: At the moment, there are more industry standards than open standards. What I mean by industry standards is that the various different players in the cloud area, Amazon, Google, Salesforce, Force.com, all have different ways in which they have clients authenticating to them. These are all different ways of doing authentication, so different ways of presenting identity up to them. The fact that these are different means that there isn't any one standard right now. So if an organization wishes to make use of cloud computing, they must navigate this world in which there are different standards for identifying yourself to the cloud providers.
And on the question of cloud standards, we see that if an organization were to wait for standards for authentication to cloud providers, they may be waiting a long time, and there's an opportunity cost to that. It makes more sense to strike now and make use of the cloud services, notwithstanding the fact that there isn't any one open standard for connecting to them. So the requirement then is for mediation, for, again, a broker to provide the ability to broker the connection and deal with the fact that you're using different ways to authenticate to different providers, and the broker then can smooth across those until such time as there is a standard.
KB: What is the future of cloud computing?
MO: We see a very exciting future where there can be a kind of marketplace between the cloud providers. For example, with storage-as-a-service, we see a future where an organization which wishes to store data can choose between providers who can effectively bid on prices for the data. In this case, the first mover is Amazon, where they have their spot pricing. So with Amazon Web Services, they now have a service whereby they provide you a spot price, which is the current price for using infrastructure which Amazon provides as part of its cloud offering. At different times during the day, and on different days during the week, this price goes up and down.
Amazon is the first mover in this area, but we see a future where organizations make use of cloud services in a market environment whereby they can place bids and choose based on the cost. Bidding also links to the use of a broker, where the broker can broker the usage of a cloud service and choose between providers based on the cost. It makes sense in terms of cloud storage-as-a-service and also just raw computing power as well, and it allows a kind of marketplace, and then a cloud economy, to develop as part of that.
KB: What industries are adopting cloud computing?
MO: Here at Vordel, we're seeing a number of our customers being early adopters in the area of cloud computing in certain industries. So just very recently, I was with a pharmaceutical company, which is a Vordel customer, and their requirement is to spin up large amounts of computing infrastructure quickly to work through large datasets for clinical trials. And then once the datasets have been computed, they no longer need that infrastructure, so they can spin it down and terminate it. In the past, this would've meant a lot of capital expenditure in terms of buying the infrastructure and then perhaps not using it afterwards. Now this can be part of operational expenditure. When they need to do a clinical trial, they can instead process the data on infrastructure that they are effectively renting. So in this case, it's no longer a situation where it's coming from capital expenditure, from company expenditure, but instead it comes from operational expenditure.
We're also seeing other use cases in the area of government, where government departments don't want to have to share data amongst other departments or other organizations but still want to make use of cloud computing. So in this case, it makes sense for them to create so-called community clouds, where multiple government organizations can come together to reduce the cost by making use of a community cloud solution themselves, while also making sure that confidential and sensitive data, such as social security numbers in the US, is not shared. So pharmaceuticals and government are big early adopters of cloud computing, which we've seen in the Vordel customer base.