IT pros considering IBM SoftLayer and Amazon Web Services will find solid security in both clouds, though true cloud security should ultimately be something the user controls, experts say.
IBM SoftLayer and Amazon Web Services (AWS) both cater to enterprises with extensive cloud security features, as well as marketplaces full of third-party products to secure the customer's side of the cloud.
Much of AWS cloud security revolves around encryption. It encrypts data at rest in the Simple Storage Service (S3) and Elastic Block Store (EBS). With the AWS Key Management Service, Amazon offers customers a choice of using master keys managed by AWS for encryption or controlling their own keys. The AWS option costs $1 per key version per month. API requests to the AWS Key Management Service cost 3 cents per 10,000 requests, after a free tier of 20,000 requests per month is exhausted.
IBM offers encryption products in its marketplace, including utilities such as IBM Cloud Data Encryption Services: Secure, which costs $20 per server core, and Advanced Multi-Site, which costs $50 per unit server core. Both come with a 30-day free trial.
However, these tools only cover one facet of security in the cloud, and there are many more that are better addressed by third-party products, according to analysts.
"The circumferential security services market for cloud computing speaks for itself," said Carl Brooks, analyst at 451 Research based in Boston. "If any provider truly had a lock on [security], that third-party market wouldn't be necessary."
Users should know their company's security policies going into any cloud deployment, said Edward Haletky, analyst at Virtualization Practice LLC, who manages a secure environment for a client on IBM SoftLayer.
"If you can't meet your policy with native tools, you need to come up with compensating controls," Haletky said. "And they're not the ones you would normally use in the data center."
Third-party tools may be the best bet for cloud security
Users may find a better encryption deal with software from HyTrust Inc., based in Mountain View, Calif., which enforces access controls at the management layer of the virtual environment and offers encryption of cloud workloads with key management that gets handled at the customer site, thanks to its acquisition of HighCloud in 2013.
CloudLink and HyTrust's DataControl are encryption products that can run on both IBM SoftLayer and AWS, and encrypt both boot and data volumes -- something native EBS encryption doesn't do, Haletky said.
IBM SoftLayer and AWS offer secure private networks on the back end, and both have the option to connect to a private network in the cloud using a virtual private network (VPN) connection. AWS calls this the Virtual Private Cloud and offers it as the default deployment option for its Elastic Compute Cloud service.
All IBM SoftLayer servers, bare metal and virtual, come standard with a connection to the SoftLayer private network, which allows customers to run sensitive services, such as Remote Desktop and private storage systems, without exposure to the Internet. Access is controlled via configurable private virtual LANs; customers can order private-network-only servers with no public connectivity.
However, the secure private networks offered by both providers only account for perimeter security. The "M&M" model, named for the candy because it is crunchy on the outside and soft on the inside, won't fly in the cloud regardless of service provider, Haletky said. "In the cloud you have to be crunchy everywhere."
Here, once again, third-party products can and should fill in the gaps, Haletky said.
CloudPassage Inc., based in San Francisco, for example, offers a layered security approach with its Halo security software. The Halo agent collects status in near real time and enforces security policies at the workload level, and a security analytics engine analyzes information about individual virtual machines (VMs) and the state of the overall infrastructure. Illumio, based in Sunnyvale, Calif., also offers an analytics-based approach at the VM level.
Identity and access management (IAM) is another area where customers may choose to go their own way with third-party products, though both IBM SoftLayer and AWS offer native services.
"Most bigger tenants don't rely on IAM from the cloud provider except, perhaps, for use with the cloud management portal," Haletky said. "They tie into their own Active Directory environment or use other products."
One such third-party product comes from Adallom Inc., based in Palo Alto, Calif., which offers multidimensional security monitoring and enforcement tools that include granular controls around access, devices and locations.
Where IBM and AWS edge each other out
One IBM SoftLayer customer points to IBM's focus on bare metal as a potential cloud security edge for the platform.
"There's some benefit for bare metal when it comes to security, because you can guarantee your customers' applications are on a dedicated machine, and can even point to exactly where that physical machine lives," said Eric Swayne, director of product and strategy at MutualMind, a Dallas-based software-as-a-service social analytics platform provider.
AWS cloud security has an edge when it comes to cloud governance and security forensics, with its CloudTrail service for auditing API calls, as well as AWS Config, which monitors AWS resources for security and compliance purposes. AWS also boasts many more regulatory compliance assurance programs than IBM SoftLayer, including ITAR, Department of Defense, and FedRAMP certifications for highly sensitive government workloads.
One IBM cloud security feature that AWS doesn't have is Intel's Trusted Execution Technology (TXT), which provides security at the chip level. Intel TXT verifies that hardware and prelaunch software have been vetted and are in a known good state before allowing servers to launch workloads.
Tom Luczak, CTO at Flow Search Corp., a Brooklyn, N.Y.-based maker of a data analytics platform and a customer and business partner of IBM SoftLayer, hasn't yet implemented Intel TXT. But he says it will become more important as time goes on and more mobile devices connect to the cloud.
It's important to know, especially on a device IT might not control, that the right code is being booted, that it's secure, that the device or cloud server has been initialized with all the proper variables in place, and that there are no backdoors that someone could have exploited on the device, Luczak said.
"Whether it's cloud servers or devices in the physical world or the fog layer that exists between them, that kind of security is really important," Luczak said.
Amazon, which does not advertise Intel TXT integration, declined to comment on why it doesn't offer the technology.