Amazon says VPNs, ACLs and subnets provide almost-private-cloud security within a public one.
Amazon announced this morning an aging but well proven remote-access technology that might help fudge the difference in security between the two major classes of service external cloud providers like Amazon can offer: public and private.
The Amazon Virtual Private Cloud goes a long way to make a cloud-computing architecture look like a network of LANs, using traditional VPNs for secure access and common security approaches to add more granular control over who has access to what information in the cloud, when and how.
Both private and public clouds run a customer's workloads on virtual servers, on top of hypervisors (usually VMware's) and management, load balancing and security services or software -- mostly proprietary in Amazon's case.
The difference is that public clouds run all a customer's VMs on physical machines that also run VMs from other customers, relying on encryption, firewalls and other security built in by the customer to keep the VM secure.
Hosted private clouds (running on a service provider's site, not inside a customer's data center) run the customer's VMs on physical machines devoted only to them, and often include blocks of storage and links to the Internet the customer doesn't have to share, either.
The new service, Amazon Virtual Private Cloud, is a VPN that encrypts all the communication between VMs running on Amazon's EC2 and the customer's home network and creates a series of controls over the VMs running on Amazon's services.
That, theoretically, convinces both ends they're actually part of the same physical network, rather than being linked through the Internet. It also isolates each customer's network traffic from that of other customers, reducing the potential for leaks in transmission as well as between VMs on a shared physical server.
The configuration tool lets customers put all its VMs in a single subnet, create multiple private subnets, or make some subnets private and leave others open to the public, so they can back-end web sites or other online services.
Amazon presents the IPSec connection between EC2 and data centers as a secondary feature compared with the ability to subnet the VMs, but it should be more important to many potential customers than the ability to subnet a bunch of VMs running in someone else's data center, to which they can talk only through relatively insecure connections.
Customers can set up their own routing tables, Internet gateways and access control lists to get more control over who can access what VMs within the Amazon infrastructure.
They can also assign their own IP addresses, link through network address translators (NAT) that usually anonymize IP addresses behind them, run their own security or network management apps on the virtual nets, and use a variety of VPNs to make their own connections.
It doesn't deliver every configuration option or function of an in-house or private network, and does nothing to make the VMS sitting on shared physical servers more secure (those are covered by other features), but it does go a long way to secure the "data in motion" part of the equation.
Outsourcing, virtualization and cloud computing security all depends on three points of security, according to Gartner analyst Chris Wolf: securing data in place (in storage), data in motion (moving across a network) and data in use (in an application).
This set of options will not automatically secure the data in motion portion of that equation. It does go a long way toward giving customers the tools to do it themselves.
It also goes a long way to turn the kind-of alien-looking "cloud" IT architecture into a normal network. That makes it far easier for applications, network management software and IT staffers to understand, monitor and control information assets that live outside all the normal security built up to protect them.