Further, in public clouds, the inherent characteristics of multi-tenancy (i.e., multiple separate customers sharing the same infrastructure) introduce risks that are not always present in private networks (although many companies are forced to deal with multi-tenancy even on their private networks). Cloud vendors must build functionality that separates each customer's data even though that data lives on shared resources.
Cloud traffic control
As cloud computing matures, vendors are being forced to create processes to track an individual customer's data, using homegrown methods of data tagging. Some customers need to know where their data is physically located. Some customers can't send their data outside their home country, and others can't do so without ensuring additional mitigations are in place. Again, this problem can be harder than it sounds, because often the cloud provider doesn't really know where the data is in the cloud, especially as virtualization automatically shunts workloads back and forth between different data centers.
If encryption is also required, data tagging becomes more difficult to accomplish without creating new side-channel attacks. Data tagging requires the creation of (unencrypted) data indexes that are useful enough to find the encrypted data but not so transparent that they reveal too much information (which has always been one of the main challenges in enterprise encryption). And as I've often stated before in this column, virtualization adds security risks that are not present in physical systems, including guest-to-guest and guest-to-host vulnerabilities.
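To make the tagging problem concrete, here is an added example (not code from the column or from any cloud vendor) of the approach the preceding paragraphs describe: each record carries cleartext routing tags (tenant, data center, region) that the provider needs for placement and residency tracking, a per-tenant keyed "blind index" of search keywords that is useful for lookup but does not disclose the keywords themselves, and an encrypted payload. Placement is checked against a residency policy before a record is tagged. The policy table, data-center map, key derivation scheme and the HMAC-based stand-in cipher are all constructed for the example; the cipher in particular is a placeholder for a real AEAD, not something to deploy.

```python
import hashlib
import hmac
import os

# Constructed residency policy: regions in which each tenant's data may be placed.
RESIDENCY_POLICY = {
    "tenant-a": {"EU"},         # must never leave the EU
    "tenant-b": {"US", "EU"},   # may be placed in either region
}

# Constructed map from data-center name to the region it sits in.
DATACENTER_REGION = {
    "fra-1": "EU",
    "dub-2": "EU",
    "iad-1": "US",
}


def derive_tenant_key(master_key: bytes, tenant_id: str, purpose: bytes) -> bytes:
    """Per-tenant, per-purpose key derived with HMAC, so one tenant's index key
    can never be used to query another tenant's index (assumed scheme)."""
    return hmac.new(master_key, tenant_id.encode() + b"|" + purpose, hashlib.sha256).digest()


def blind_index(index_key: bytes, keyword: str) -> str:
    """Keyed hash of a keyword. The index stays searchable by a key holder, but an
    observer of the stored tokens cannot recover or guess-and-check keywords
    without the tenant's key."""
    return hmac.new(index_key, keyword.lower().encode(), hashlib.sha256).hexdigest()[:32]


def toy_encrypt(payload_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real authenticated cipher: HMAC-SHA256 run in counter mode
    as a keystream and XORed with the data. Symmetric, so it also decrypts.
    Constructed for illustration only."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(payload_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], keystream))
    return bytes(out)


def placement_allowed(tenant_id: str, datacenter: str) -> bool:
    """Residency check: may this tenant's data live in this data center?"""
    return DATACENTER_REGION[datacenter] in RESIDENCY_POLICY[tenant_id]


def tag_record(master_key: bytes, tenant_id: str, datacenter: str, keywords, payload: bytes) -> dict:
    """Build a stored record: cleartext placement tags, blinded keyword index,
    encrypted payload. Refuses placements that violate the residency policy."""
    if not placement_allowed(tenant_id, datacenter):
        raise ValueError(f"{tenant_id} data may not be placed in {datacenter}")
    index_key = derive_tenant_key(master_key, tenant_id, b"index")
    payload_key = derive_tenant_key(master_key, tenant_id, b"payload")
    nonce = os.urandom(12)
    return {
        "tenant": tenant_id,                        # cleartext: needed to route and isolate
        "datacenter": datacenter,                   # cleartext: answers "where is my data?"
        "region": DATACENTER_REGION[datacenter],
        "nonce": nonce.hex(),
        "index": sorted(blind_index(index_key, kw) for kw in keywords),
        "ciphertext": toy_encrypt(payload_key, nonce, payload).hex(),
    }


def search(master_key: bytes, tenant_id: str, records, keyword: str) -> list:
    """Look up records by keyword without ever handling the plaintext keyword on
    the storage side: compute the tenant's token and match it against the index."""
    token = blind_index(derive_tenant_key(master_key, tenant_id, b"index"), keyword)
    return [r for r in records if r["tenant"] == tenant_id and token in r["index"]]


def decrypt_record(master_key: bytes, record: dict) -> bytes:
    payload_key = derive_tenant_key(master_key, record["tenant"], b"payload")
    return toy_encrypt(payload_key, bytes.fromhex(record["nonce"]), bytes.fromhex(record["ciphertext"]))


if __name__ == "__main__":
    master = b"constructed-master-key-for-demo"
    rec = tag_record(master, "tenant-a", "fra-1", ["invoice", "q3"], b"constructed payload")
    print({k: v for k, v in rec.items() if k != "ciphertext"})
    print("tenant-a hits:", len(search(master, "tenant-a", [rec], "Invoice")))
    print("tenant-b hits:", len(search(master, "tenant-b", [rec], "invoice")))
```

Two properties are worth checking when reviewing a scheme like this: the stored record must contain no keyword in the clear (only tags the provider genuinely needs for routing and residency), and a second tenant querying the same keyword must get a different token, so shared infrastructure does not become a shared index. Note that even a blinded index still leaks which records share a keyword and how many hits a query returns; that is the residual side channel the column refers to, and it is why the tags kept in cleartext should be limited to what placement actually requires.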
A lack of good SLAs (service-level agreements) and security policies runs pretty rampant throughout the cloud industry right now. You've got a few major players offering performance and availability commitments, but they often don't share their internal security policies (e.g., how often they patch the underlying host systems, whether customers will be informed of known security vulnerabilities, what internal security policies they have in place, etc.). If the vendor allows old and unpatched software on its own internal network, that can impact the security of the cloud service (one example being the Chinese Google hack). Have the cloud vendors done thorough security reviews and vulnerability testing on their clouds? Are they sure one tenant can't see another tenant's resources? Several recent studies show that it might not be all that difficult for one tenant to encroach on another's resources, using newer angles of attack that we haven't previously faced.