Amazon Web Services, Google Apps, Microsoft Azure. All new services
labelled as cloud computing - the latest buzz in
IT. But what are the security implications of entrusting your data
to the cloud, writes Lee Newcombe, principal consultant at
Capgemini.
I'm going to take cloud computing to mean any service whereby
the hosting and/or processing of an organisation's data is
outsourced to a provider that offers service via a flexible shared
infrastructure or application.
A traditional security response to cloud computing is to just
say "no". However, given the cost savings on offer, it is necessary
to take a closer look at the potential
security benefits offered by working in the cloud as well as
considering the undoubted risks of moving data outside your
familiar security boundary.
So, what might some of the security advantages be?
- Cost-effective datacentre security - always assuming the cloud
provider datacentres are secure. In addition, theft of provider
equipment is unlikely to include substantial amounts of single
customer data but rather fragments of data from across their client
base
- Improved resilience - data is distributed and backed up in
diverse geographic locations
- Improved availability - add in additional resource as required
to cope with capacity spikes (or distributed denial of service
attacks)
- Efficient security patching - it's all done in the centre
- Improved security expertise, including application-specific
expertise, at the centre (less of an advantage for large
organisations that are likely to possess similar expertise
in-house)
- Configure your hardened build once and then deploy at will
- Data stored in the cloud is potentially less of a risk than
data stored on laptops, USB and other removable media if you trust
the cloud.
At the same time, it has to be recognised that there are some
downsides:
- Distributed data is fine from a resilience perspective, but how
do you meet compliance demands such as a need to keep data onshore?
Or simply to know where your data is physically located?
- Your cloud provider may be reliant on other third parties,
possibly including other clouds
- Potential intellectual property rights issues - make sure your
legal advisors are content
- Shared infrastructure - you and your competitors may be
operating on the same physical kit
- Potential data leakage should there be vulnerabilities in the
data access APIs or lower level issues - a single vulnerability in
a critical service, such as a hypervisor, could render the entire
cloud suspect
- Are cloud provider employees appropriately vetted?
- What happens if the provider goes out of business? If you've
decommissioned your servers how do you recover service if your
provider disappears?
- How can you trust that the security controls promised by the
provider are in place and working as advertised?
Organisations need to examine each specific business case where
cloud computing is a consideration on its individual merits and
contemplate the possible benefits as well as the downsides. Cloud
computing is certainly not suitable for all purposes or all
organisations. However, in these troubled financial times the
business case for such services is more appealing than ever and we
must be able to recognise and manage the associated risks and
benefits.