IT professionals acknowledge the potential security risks of
cloud computing at the ISSE 2009 security conference in The Hague,
but most are optimistic.
Cloud computing is attractive to businesses because it promises
to deliver IT on-demand through a scalable service at relatively
low cost.
But concentrating enterprise data in the cloud makes an
attractive target for advanced attacks by cybercriminals. A single
point of failure such as the common, underlying software that
controls how resources in a cloud are shared could leave businesses
exposed.
Most providers of cloud-based services fail to address
the security concerns of enterprises, says Burton Group analyst
Gerry Gebel.
"They tend to be vague or evasive when questioned about
security," he says.
Enterprises need to be sure their data will be protected
properly, that it will not be lost or damaged, that it will always
be accessible, and that it will not be transferred to the wrong
jurisdiction, he says.
Stuart McRae, executive collaboration evangelist at IBM UK, says
that like all other outsourcing, ensuring security in cloud
computing is more of a contract issue than a technical one.
"The contract is the only real control you have," he says.
Managing risk
Cloud computing is about managing the risk, says Erik van
Zuuren, senior manager, Deloitte enterprise risk services
Belgium.
"However, relatively few companies are equipped to do that
properly with a dedicated risk manager," he says.
Businesses need to understand the value of all the different
types of data they want to store in the cloud, but many do not,
says Rick Gordon, managing director of Civitas Group, a US national
security consultancy.
Public clouds offer the greatest economies of scale but the
least amount of control over data, while private clouds offer more
control, but without the same cost benefit.
"Understanding the value of each type of data can help
businesses decide what type of cloud is the best fit," says
Gordon.
McRae says most organisations will probably not go for one type
over the other, but instead use a combination of the two to form a
public-private hybrid.
Still, the problem remains that there are no standards for cloud
computing that govern the handling of different kinds of data, especially
sensitive personal data such as healthcare records, says
Gordon.
Global IT security organisations and governments have a role to
play in taking the lead on standards and should intervene rather
than leaving it up to the emerging service providers, he says.
"The potential benefits of cloud computing are great, but we
will blow it if authorities adopt the same hands-off approach as
they did in the early days of the internet," says Gordon.
He believes that by setting guidelines now that will not stifle
growth, authorities could tip the balance in favour of making cloud
computing highly secure.
Ronny Bjones, security strategist for Microsoft, says
cloud-based services can potentially offer businesses a greater
depth of defences than they could achieve on their own.
"A simpler, standard environment can be protected more easily
and cloud providers can use rights management and encryption
technologies to provide an extremely high level of protection," he
says.
Gordon agrees. "All the excess capacity could be extremely
valuable in helping organisations deal with distributed denial of
service attacks, which will be handled like any other surge in
demand," he says.
"Patching can be automated and will be done in near real time,
improving overall security and dramatically reducing exposure to
attacks," he says.
Most IT security professionals agree that in the short term,
businesses should be extremely wary of putting sensitive company
data in public clouds.
Businesses should also stick to low-risk, low-volume
applications and build internal and private clouds to enable
collaboration within the organisation and externally with
partners.
"Demand greater transparency from the providers, mitigate risk
with clear SLAs and ensure you have an exit strategy," says
Burton's Gerry Gebel.
- Although governments and industry groups like the Cloud
Security Alliance are working on standards, many businesses are
already looking to cloud-based services to meet their needs. Until
cloud-specific standards are produced on interoperability,
accountability and audit assessment criteria, businesses should
look to existing standards such as ISO 27001 for guidance, says
Gordon.