Amazon Web Services, Google Apps, Microsoft Azure. All new services labelled as cloud computing - the latest buzz in IT. But what are the security implications of entrusting your data to the cloud, writes Lee Newcombe, principal consultant at Capgemini.
I'm going to take cloud computing to mean any service whereby the hosting and/or processing of an organisation's data is outsourced to a provider that offers service via a flexible shared infrastructure or application.
A traditional security response to cloud computing is to just say "no". However, given the cost savings on offer, it is necessary to take a closer look at the potential security benefits offered by working in the cloud, as well as considering the undoubted risks of moving data outside your familiar security boundary.
So, what might some of the security advantages be?
- Cost-effective datacentre security - always assuming the cloud provider datacentres are secure. In addition, theft of provider equipment is unlikely to include substantial amounts of a single customer's data but rather fragments of data from across the provider's client base
- Improved resilience - data is distributed and backed up in diverse geographic locations
- Improved availability - add in additional resource as required to cope with capacity spikes (or distributed denial of service attacks)
- Efficient security patching - it's all done in the centre
- Improved security expertise, including application-specific expertise, at the centre (less of an advantage for large organisations that are likely to possess similar expertise in-house)
- Configure your hardened build once and then deploy at will
- Data stored in the cloud is potentially less of a risk than data stored on laptops, USB and other removable media, if you trust the cloud.
At the same time, it has to be recognised that there are some downsides:
- Distributed data is fine from a resilience perspective, but how do you meet compliance demands such as a need to keep data onshore? Or simply to know where your data is physically located?
- Your cloud provider may be reliant on other third parties, possibly including other clouds
- Potential intellectual property rights issues - make sure your legal advisors are content
- Shared infrastructure - you and your competitors may be operating on the same physical kit
- Potential data leakage should there be vulnerabilities in the data access APIs or lower level issues - a single vulnerability in a critical service, such as a hypervisor, could render the entire cloud suspect
- Are cloud provider employees appropriately vetted?
- What happens if the provider goes out of business? If you've decommissioned your servers, how do you recover service if your provider disappears?
- How can you trust that the security controls promised by the provider are in place and working as advertised?
Organisations need to examine each specific business case where cloud computing is a consideration on its individual merits and contemplate the possible benefits as well as the downsides. Cloud computing is certainly not suitable for all purposes or all organisations. However, in these troubled financial times the business case for such services is more appealing than ever, and we must be able to recognise and manage the associated risks and benefits.
This was first published in January 2009