
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realising that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost.

But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is.
- Every breached security system was once thought infallible
- Understand the risks of cloud computing
- How cloud hosting companies have approached security
- Local law and jurisdiction where data is held
- Best practice for companies in the cloud
Every breached security system was once thought infallible
SaaS (software as a service) and PaaS (platform as a service)
providers all trumpet the robustness of their systems, often
claiming that security in the cloud is tighter than in most
enterprises. But the simple fact is that every security system that
has ever been breached was once thought infallible.
Google was forced to make an embarrassing apology in February
when its Gmail service collapsed in Europe, while Salesforce.com is
still smarting from a phishing attack in 2007 which duped a staff
member into revealing passwords.
While cloud service providers face similar security issues as
other sorts of organisations, analysts warn that
the cloud is becoming particularly attractive to cyber
crooks.
"The richer the pot of data, the more cloud service providers
need to do to protect it," says IDC research analyst
David Bradshaw.
Understand the risks of cloud computing

Cloud service users need to be vigilant in understanding the risks of data breaches in this new environment.
"At the heart of cloud infrastructure is this idea of
multi-tenancy and decoupling between specific hardware resources
and applications," explains Datamonitor senior analyst
Vuk Trifković.
"In the jungle of multi-tenant data, you need to trust the cloud
provider that your information will not be exposed."
For their part, companies need to be vigilant, for instance
about how passwords are assigned, protected and changed. Cloud
service providers typically work with numbers of third parties, and
customers are advised to gain information about those companies
which could potentially access their data.
IDC's Bradshaw says an important measure of security often overlooked by companies is how much downtime a cloud service provider experiences. He recommends that companies ask to see service providers' reliability reports to determine whether these meet the requirements of the business. Exception monitoring systems are another important area which companies should ask their service providers about, he adds.
London-based financial transaction specialists SmartStream Technologies made its foray into the cloud services space last month with a new SaaS product aimed at providing smaller banks and other financial institutions with a cheap means of reconciling transactions. Product manager Darryl Twiggs says that the service has attracted a good deal of interest amongst small to mid-tier banks, but that some top tier players are also being attracted by the potential cost savings.
An important consideration for cloud service customers,
especially those responsible for highly sensitive data, Twiggs
says, is to find out about the hosting company used by the provider
and if possible seek an independent audit of their security
status.
"Customers we engage with haven't been as stringent as we thought they would have been with this."
How cloud hosting companies have approached security
As with most SaaS offerings, the applications forming
SmartClear's offering are constantly being tweaked and revised, a
fact which raises more security issues for customers. Companies
need to know, for instance, whether a software change might
actually alter its security settings.
"For every update we review the security requirements for every
user in the system," Twiggs says.
One of the world's largest technology companies, Google, has
invested a lot of money into the cloud space, where it recognises
that having a reputation for security is a key determinant of
success. "Security is built into the DNA of our products," says a
company spokesperson. "Google practices a defense-in-depth security
strategy, by architecting security into our people, process and
technologies".
However, according to Datamonitor's Trifković, the cloud is
still very much a new frontier with very little in the way of
specific standards for security or data privacy. In many ways he
says that cloud computing is in a similar position to where the
recording industry found itself when it was trying to combat
peer-to-peer file sharing with copyright laws created in the age of
analogue.
"In terms of legislation, at the moment there's nothing that
grabs my attention that is specifically built for cloud computing,"
he says. "As is frequently the case with disruptive technologies,
the law lags behind the technology development for cloud
computing."
What's more, many are concerned that cloud computing remains at
such an embryonic stage that the imposition of strict standards
could do more harm than good.
IBM, Cisco, SAP, EMC and several other leading technology companies announced in late March that they had created an 'Open Cloud Manifesto' calling for more consistent security and monitoring of cloud services.
But the fact that neither Amazon.com, Google nor Salesforce.com
agreed to take part suggests that broad industry consensus may be
some way off. Microsoft also abstained, charging that IBM was
forcing its agenda.
"Standards by definition are restrictive. Consequently, people are questioning whether cloud computing can benefit from standardisation at this stage of market development," says Trifković. "There is a slight reluctance on the part of cloud providers to create standards before the market landscape is fully formed."
Until it is, there are nevertheless a handful of existing web standards which companies in the cloud should know about. Chief among these is ISO27001, which is designed to provide the foundations for third-party audit, and implements OECD principles governing security of information and network systems. The SAS70 auditing standard is also used by cloud service providers.
Local law and jurisdiction where data is held
Possibly even more pressing an issue than standards in this new
frontier is the emerging question of jurisdiction. Data that might
be secure in one country may not be secure in another. In many
cases though, users of cloud services don't know where their
information is held. Currently in the process of trying to
harmonise the data laws of its member states, the EU favours very
strict protection of privacy, while in America laws such as the US
Patriot Act invest government and other agencies with virtually
limitless powers to access information including that belonging to
companies.
UK-based electronics distributor ACAL is using NetSuite OneWorld
for its CRM. Simon Rush, IT manager at ACAL, has needed to ensure
that ACAL had immediate access to all of its data should its
contract with NetSuite be terminated for any reason, so that the
information could be quickly relocated. Part of this included
knowing in which jurisdiction the data is held. "We had to make
sure that, as a company, our data was correctly and legally
held."
European concerns about US privacy laws led to the creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws. James Blake from e-mail management SaaS provider Mimecast suspects that these powers are being abused. "Counter terrorism legislation is increasingly being used to gain access to data for other reasons," he warns.
Mimecast provides a comprehensive e-mail management service in
the cloud for over 25,000 customers, including 40% of the top legal
firms in the UK.
Customers benefit from advanced encryption that only they are
able to decode, ensuring that Mimecast acts only as the custodian,
rather than the controller of the data, offering companies
concerned about privacy another layer of protection. Mimecast also
gives customers the option of having their data stored in different
jurisdictions.
For John Tyreman, IT manager for outsourced business services provider Liberata, flexibility over jurisdiction was a key factor in his choosing Mimecast to help the company meet its obligations to store and manage e-mails from 2500 or so staff spread across 20 countries. The company is one of the UK's leading outsourcing providers for the Public Sector, Life Pensions and Investments, and Corporate Pensions. "Storing our data in the US would have been a major concern," Tyreman says.
Best practice for companies in the cloud
- Inquire about exception monitoring systems.
- Be vigilant around updates and make sure that staff don't suddenly gain access privileges they're not supposed to.
- Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions.
- Seek an independent security audit of the host.
- Find out which third parties the company deals with and whether they are able to access your data.
- Be careful to develop good policies around passwords: how they are created, protected and changed.
- Look into availability guarantees and penalties.
- Find out whether the cloud provider will accommodate your own security policies.
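Two of the practices above (watching for unexpected privilege gains after a provider update, and knowing which third-party accounts can reach your data) can be turned into a routine check rather than a one-off question. The script below is an added example, not code from the article or from any vendor it names: it compares two snapshots of "who holds which access level on which resource" taken before and after an update, and lists every grant that is new or wider. The snapshot layout, the access-level ranking, the domain used to spot third-party principals and the sample data are all constructed for illustration; in practice the snapshots would come from the provider's user-administration export or audit log.

```python
"""Privilege-drift check for a multi-tenant SaaS account.

Added example (not from the article). Compares an access snapshot taken
before a provider update with one taken afterwards and reports every
grant that appeared or widened, singling out third-party principals.
"""

# Assumed ordering of access levels, from least to most privileged.
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed sample: principal -> {resource: access level} before the update.
BEFORE = {
    "alice@example.com": {"ledger": "write", "reports": "read"},
    "bob@example.com": {"ledger": "read"},
    "svc-backup@partner.example": {"ledger": "read"},  # third-party service account
}

# Constructed sample: the same tenant after the provider rolled out an update.
AFTER = {
    "alice@example.com": {"ledger": "write", "reports": "read"},
    "bob@example.com": {"ledger": "admin"},                               # widened
    "svc-backup@partner.example": {"ledger": "read", "reports": "read"},  # new grant
    "carol@example.com": {"reports": "read"},                             # new principal
}


def diff_grants(before, after):
    """Return sorted (principal, resource, old_level, new_level) tuples for
    every grant in `after` that is new or wider than in `before`.
    Unknown principals or resources in `before` count as level "none"."""
    findings = []
    for principal, grants in after.items():
        old_grants = before.get(principal, {})
        for resource, level in grants.items():
            old = old_grants.get(resource, "none")
            if RANK[level] > RANK[old]:
                findings.append((principal, resource, old, level))
    return sorted(findings)


def third_party_findings(findings, own_domain):
    """Subset of findings whose principal does not belong to `own_domain`."""
    suffix = "@" + own_domain
    return [f for f in findings if not f[0].endswith(suffix)]


def format_report(findings, own_domain):
    """Render findings as one line each, tagging third-party principals."""
    external = set(third_party_findings(findings, own_domain))
    lines = []
    for principal, resource, old, new in findings:
        tag = " [THIRD PARTY]" if (principal, resource, old, new) in external else ""
        lines.append(f"{principal}: {resource} {old} -> {new}{tag}")
    return lines


if __name__ == "__main__":
    drift = diff_grants(BEFORE, AFTER)
    if not drift:
        print("No new or widened grants since the last snapshot.")
    for line in format_report(drift, "example.com"):
        print(line)
```

Run against the two constructed snapshots it reports three changes: bob's ledger access widened from read to admin, a new principal carol with read on reports, and the partner service account gaining read on reports, which is tagged as a third-party grant. Revocations are deliberately not reported; the practice being checked is privilege gain, and narrowing changes belong in a separate availability review.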
Photo credit: Dan Talson/Rex Features