Securing Virtual and Cloud Environments
Organisations have to adapt quickly to change, continuously investigate innovations and be flexible in order to remain competitive. The information technology (IT) landscape has evolved to give organisations a competitive advantage and to meet targets such as reduced costs, scalability, flexibility, capacity utilisation, higher efficiencies and mobility. Many of these benefits are achieved through the use of technologies such as cloud computing and virtualisation. In many instances cloud computing builds on the capabilities of a virtualised computing infrastructure, enabling multi-tenancy, scalability and a highly abstracted cloud model. Even though cloud computing and virtualisation provide significant benefits and cost-effective options for IT hosting and expansion, cloud and virtual IT systems are not risk-free. Risks must be understood to ensure adequate security not only for cloud computing, but also for the underlying technologies enabling cloud computing. The focus of this paper is on mitigating virtualisation and cloud computing security risks as a fundamental step towards ensuring secure cloud computing environments.
Keywords: Virtualisation, Cloud computing, Security risks