When Protecting the Cloud, Start by Building Walls

NEWS ANALYSIS: Some argue that you can't build a wall around data to protect it, but lessons learned from the past can illuminate a secure path to the future.

Imperial Palace

TOKYO—Time and again, organizations cite security as the biggest barrier to cloud adoption. At the OpenStack Summit that concluded Oct. 30 here, I had a lot of time to think about all aspects of the cloud and especially security, even while sightseeing at the Tokyo Imperial Palace.

Security isn't just something I write about—it's a passion and it's also a lifestyle. I've heard more than one vendor say that in the modern IT world, it's not possible to build a castle wall around applications. It's a euphemism that I too had believed and often restated. But no longer.

When not at the OpenStack Summit, I had the (very) brief opportunity to play tourist and spent one day walking around the perimeter of the Tokyo Imperial Palace, home to the Emperor of Japan. The palace was built in the feudal era of Japan, complete with a moat, castle walls and reinforced large gates.

Today, there are guards at every gate, in addition to lights all around the perimeter and other surveillance mechanisms. There is even a no-fly zone, which extends to drones, protecting all the airspace above and around the Imperial Palace.

The only way into—or out of—the Imperial Palace is via one of the gates. Even when passing through one of the gates, visitors are required to sign in and out. At all times, security knows who is on the palace grounds.

While the idea of building a castle wall and moat seems anachronistic in the modern world, the simple truth is it works for the Emperor of Japan. No one gets into that palace, as the ancient perimeter is reinforced with modern technology to make a security cordon that works in 2015.

The same basic approach works with OpenStack and, to be sure, any application or IT workflow. The idea of having a moat and castle, in modern IT terms, is the same as segmentation, creating barriers around different elements. At the OpenStack Summit, I saw multiple presentations and spoke with multiple vendors about creating walls around applications using software-defined networking (SDN) methodologies.

In the cloud, micro-segmentation can be enabled by virtual LANs (VLANs) or, better yet, by some form of SDN construct. In that way, each application gets its own "moat," creating a logical separation between it and everything else.

Next up is the wall. For an application or IT deployment, that wall is the next-generation firewall or an intrusion prevention system (IPS).

The IT equivalent of the human guard at the gate checking people in and out is role-based access control. Security information and event management (SIEM) is the same basic idea as the list the guards keep: if something goes wrong, the log can be analyzed to reconstruct who passed through which gate, and when.
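To make the gate analogy concrete, here is an added example (not code from the article or from OpenStack) that models the guard at the gate as a role-based access check and the guards' sign-in ledger as a log an analyst can query for who is still on the grounds and who was refused entry. The roles, gate names and ledger entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Role-based policy: which gates (network segments) each role may pass through.
# Deny by default: a role or gate that is not listed is refused.
ALLOWED_GATES: Dict[str, Set[str]] = {
    "visitor": {"public-gate"},
    "staff":   {"public-gate", "service-gate"},
    "guard":   {"public-gate", "service-gate", "inner-gate"},
}

@dataclass(frozen=True)
class GateEvent:
    ts: int        # seconds since start of day (constructed)
    subject: str
    role: str
    gate: str
    action: str    # "in" or "out"

def authorize(role: str, gate: str) -> bool:
    """RBAC check at the gate: allow only gates listed for the role."""
    return gate in ALLOWED_GATES.get(role, set())

def audit(events: List[GateEvent]) -> Dict[str, object]:
    """SIEM-style pass over the ledger: who is still inside, who was refused."""
    inside: Dict[str, str] = {}   # subject -> gate used to enter
    denied: List[GateEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not authorize(ev.role, ev.gate):
            denied.append(ev)     # the guard turned this subject away
            continue
        if ev.action == "in":
            inside[ev.subject] = ev.gate
        elif ev.action == "out":
            inside.pop(ev.subject, None)
    return {"on_grounds": sorted(inside), "denied": denied}

# Constructed ledger: the guards' sign-in/sign-out list for one morning.
LEDGER = [
    GateEvent(32400, "alice", "visitor", "public-gate",  "in"),
    GateEvent(32460, "bob",   "staff",   "service-gate", "in"),
    GateEvent(33000, "alice", "visitor", "inner-gate",   "in"),   # outside her role
    GateEvent(36000, "alice", "visitor", "public-gate",  "out"),
    GateEvent(36600, "carol", "visitor", "public-gate",  "in"),
]

if __name__ == "__main__":
    report = audit(LEDGER)
    print("still on grounds:", report["on_grounds"])
    for ev in report["denied"]:
        print(f"denied: {ev.subject} ({ev.role}) at {ev.gate}")
```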

The idea that IT security in the cloud is a new problem that needs to be solved is not entirely accurate. The lessons of the past about how to protect, isolate, audit and control a perimeter hold true in 2015, just as they have for thousands of years of human history. Although the tools differ, the basic idea is the same: You can't protect what you can't defend, and defense often starts with a good wall.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.