Although most companies outsource payroll and many use external email services to hold sensitive information, security is one of the most often-cited objections to cloud computing. Cloud users face security threats both from outside and inside the cloud. Many of the security issues involved in protecting clouds from outside threats are similar to those already facing large data centers.
In the cloud, however, responsibility for security is distributed among potentially many parties, including the cloud user, the cloud vendor, and any third-party vendors that users rely on for security-sensitive software or configurations. The cloud user is responsible for application-level security. The cloud provider is responsible for physical security, and likely for enforcing external firewall policies.
Security for intermediate layers of the software stack is shared between the user and the operator; the lower the level of abstraction exposed to the user, the more responsibility goes with it. While cloud computing may make external-facing security easier, it does pose the new problem of internal-facing security. Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be protected from one another.
The primary security mechanism in today’s clouds is virtualization. It is a powerful defence and protects against most attempts by users to attack one another or the underlying cloud infrastructure. However, not all resources are virtualized and not all virtualization environments are bug-free. Virtualization software has been known to contain bugs that allow virtualized code to “break loose” to some extent. Incorrect network virtualization may allow user code access to sensitive portions of the provider’s infrastructure, or to the resources of other users.
These challenges, though, are related to those involved in managing large, non-cloud data centers, where dissimilar applications need to be secured from one another. Any large Internet service will need to ensure that a particular security hole doesn’t compromise everything else.