This article can also be found in the Premium Editorial Download "IT in Europe: Cloud computing: Data security outlook."
Download it now to read this article plus other related content.
Cloud computing appears to be taking off fast in the UK, and while data suggests the vast majority of enterprise customers are becoming increasingly comfortable with cloud-based services, many are uncomfortable with the security ramifications of data in the cloud.
Not only are businesses saving capital expenditure on in-house IT equipment thanks to cloud computing, but they are also benefitting from the extra agility and flexibility that cloud services can deliver. It means they can pay for services when they need them, and save money when they don’t.
The evidence of this comes from an attitude survey conducted in January and February by market research firm Vanson Bourne on behalf of the Cloud Industry Forum, a trade body for the emerging industry. The researchers asked 450 senior managers who have responsibility for making IT purchasing decisions what they thought about cloud services.
The survey sample included a broad spectrum of organisations from both the public and private sectors, and ranged from small companies to large enterprises. It found that 48% of organisations already use some cloud-based services, with the greatest use coming from private companies with more than 200 employees, where the figure was 53%. Of those not currently using cloud, 31% said they were planning to do so within the coming year.
of liability, indemnity, insurance and ownership of content stored in the cloud.
Vanson Bourne survey
The initial driver for most cloud customers had been the flexibility offered, often to cover a short-term lack of resources or meet a tight deadline. But, once companies got a taste for the cloud, the survey results suggest they liked it and started to crave the longer-term economic benefits. The survey found 94% of cloud users were satisfied with the experience, and 85% said they expected to increase their use of cloud services in the coming year. Growth focused on three core applications: email, disaster recovery and data storage.
But, when it comes to extensive implementation of cloud computing, UK adoption is still patchy, limited mainly to a few specific applications. And it seems many companies are still hesitant about entrusting any valuable information or mission-critical systems to a cloud service provider (CSP).
When asked about their main concerns, 64% cited data security, followed by data privacy (62%), dependence on Internet access (50%), doubts over supplier reliability (38%) and contract lock-in (35%).
The physical location of data held in the cloud also proved to be an important factor. Some insisted it should be kept in the UK, while others were happy as long as it remained in Europe. This seemed to be of most concern to smaller companies with fewer than 20 employees, and also the public sector. Larger enterprises, which often have greater resources to help them manage the risk, seemed to be more relaxed about the issue.
Despite these stated concerns, the survey responses revealed a general willingness among customers to sign up for services without question and to accept whatever the provider had to offer. Barely half (52%) of the companies using cloud services said they had negotiated the legal terms of their contract, rather than simply signing the contracts the providers handed them.
The report comments: “Some of the most striking results from the research show users are often in the dark over questions of liability, indemnity, insurance and ownership of content stored in the cloud; and that while users have certain expectations in these areas, they often do not know if they are being met in their contracts with CSPs.”
It also reveals only 45% said their provider offered them a chance to agree to changes to their contract (38% answered ‘Don’t know’), and 46% of customers allowed their supply contract to be renewed automatically.
Thus, while the market is clearly expanding fast, and some customers are still holding back because of doubts over security, others are committing themselves to standard contracts with little thought given to how any future problems might be resolved.
This mixed picture is to be expected in an immature marketplace, but, as SearchSecurity.co.UK reported recently, even large companies can overlook basic security provisions when committing to a cloud service provider. In that instance, a major company had signed up for a service with no real up-time guarantee, no controls over which of the provider's users could access the service, and little idea of where its data was being held. Furthermore, the provider had insisted on transferring the company’s own Active Directory servers to its own data centre, thereby exposing its non-cloud applications to the risk of snooping.
Can today’s enterprise customers, in order to avoid that kind of situation and prepare for problems and disputes that will inevitably arise in any contract relationship, learn what kinds of cloud computing security questions to ask in the first place, and negotiate contract terms that can be properly enforced?
Fortunately, a lot of helpful information is being produced at a rapid rate by a variety of security-focused organisations, in order to raise the level of professionalism and confidence in this nascent industry.
The Jericho Forum, a think-tank devoted to information security matters, has produced a simple model to help companies decide which systems are best suited to the different flavours of the cloud: public, private, community or hybrid.
Jericho has also joined forces with the Cloud Security Alliance (CSA), which has produced the freely downloadable Consensus Assessments Initiative Questionnaire (CAIQ), a list of key questions any customer should consider when adopting a cloud service.
In addition, the professional body ISACA has just published a book on the subject for its members, called IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, which provides readers with extensive checklists and advice about managing a cloud service contract. (The first two chapters are freely downloadable.)
For its part, the Cloud Industry Forum (CIF) has created a code of practice for its members and has produced a series of white papers offering help and support for customers, including how to write a good contract. According to CIF Chairman Andy Burton, the aim is to get providers to be open about how they work, and to provide clear and relevant information about their services, such as whether they aggregate services from other companies, whether they can guarantee round-the-clock operation, and also where they store data.
As part of the code of practice, providers are encouraged to complete the CSA’s CAIQ document, thus providing the prospective customer with all the answers they are likely to need. If the supplier does not complete the questionnaire, customers can draw their own conclusions. “It’s essential to provide transparency so customers can compare vendors and make a rational decision,” Burton said. “That is why we are seeing a lot of private cloud adoption rather than public, because customers are still taking a cautious approach.”
In many ways, the current cloud market is reminiscent of the early days of IT outsourcing, when many organisations rushed in thinking they could find a quick fix to a problem. Many of those early contracts later turned sour, and customers found it hard to back out of arrangements and switch to alternative providers. If the CIF survey is to be believed, some customers may have already laid themselves open to similar experiences later on with their CSPs.
Nevertheless, if the cloud trend is as unstoppable as the march of the PC in the mid-80s, well-defined contracts and service-level agreements may help to mitigate some of the risks.
But to exploit the full economies of scale the cloud has to offer, companies still need to do more, says Paul Simmonds, a founding member of the Jericho Forum. “A lot of companies are going into the private cloud because they cannot guarantee the security of the public cloud,“ he said. Simmonds sees two barriers blocking more extensive cloud use: the lack of viable encryption for data residing in the cloud, and the problems of identity management.
The other barrier, identity management, is one of convenience, he explained. “At Astra Zeneca [where Simmonds was CISO until recently] I had 66,000 users. The last thing I wanted to do was give users another username and password. It’s hard enough in any corporation to keep users synchronised, and to keep up with joiners, leavers and movers, even when you own both ends of the problem,” he said.
“The cloud service should not be holding usernames and passwords" Simmonds said. "They should be leveraging the appropriate SAML assertions from your existing identity system to apply a set of rules that say: If this is an Astra Zeneca password with an Astra Zeneca certificate backing it, and it is an assertion I can validate, then let them into the account.”
He said a handful of providers understand the requirement, but “99% of cloud service providers, such as Salesforce.com, require a unique username and password for their service. They don’t want something different for every customer, which is why we need new some standards for how you do this stuff.”
In the meantime, it is down to the vendors and standards bodies to educate the market and help companies understand what they are buying. For example, many customers still have unrealistic expectations, according to Paul Lightfoot, managed services director for The Bunker, a hosting company running two data centres in former nuclear bunkers in Kent and Berkshire. “They come to us and say, ‘We see you’re PCI DSS compliant, so if we store all our credit cards with you and there’s a problem, it’s your responsibility’,” he said. “We have to explain that it’s a shared responsibility, and depends as much on their applications and practices as on what we do.”
Even so, he said today’s customers are better informed and many insist on talking to other customers before committing to a service. The best solutions come when customers are well informed and carefully consider the relative risks associated with different types of systems and deploy them according their level of sensitivity in an organised way, Simmonds said.
Lightfoot recommends putting non-sensitive data on low-cost shared systems, more crucial data on a dedicated blade in a shared system, and mission-critical systems on a dedicated server. Customers of the Bunker, like those of many large cloud providers, can also choose to pay more for a completely redundant service, to ensure a failure at one data centre will not affect them.
Regardless, say the experts, the customer must come to the process from a position of knowledge rather than blindly hoping to save money. That means doing some research and using the free advice offered by groups, such as the CSA and CIF, and learning to ask the right questions before signing any contract.
Ron Condon is UK bureau chief for SearchSecurity.co.UK. Send comments on this column to editor@SearchSecurity.co.UK.
This was first published in September 2011