IT professionals acknowledge the potential security risks of cloud computing at the ISSE 2009 security conference in The Hague, but most are optimistic.
Cloud computing is attractive to businesses because it promises to deliver IT on-demand through a scalable service at relatively low cost.
But concentrating enterprise data in the cloud makes an attractive target for advanced attacks by cybercriminals. A single point of failure such as the common, underlying software that controls how resources in a cloud are shared could leave businesses exposed.
Most service providers of cloud-based services fail to address the security concerns of enterprises, says Burton Group analyst Gerry Gebel.
"They tend to be vague or evasive when questioned about security," he says.
Enterprises need to be sure their data will be protected properly, that it will not be lost or damaged, that it will always be accessible, and that it will not be transferred to the wrong jurisdiction, he says.
Stuart McRae, executive collaboration evangelist at IBM UK, says that like all other outsourcing, ensuring security in cloud computing is more of a contract issue than a technical one.
"The contract is the only real control you have," he says.
Cloud computing is about managing the risk, says Erik van Zuuren, senior manager, Deloitte enterprise risk services Belgium.
"However, relatively few companies are equipped to do that properly with a dedicated risk manager," he says.
Businesses need to understand the value of all the different types of data they want to store on the cloud, but many do not, says Rick Gordon, managing director Civitas Group, a US national security consultancy.
Public clouds offer the greatest economies of scale but the least amount of control over data, while private clouds offer more control, but without the same cost benefit.
"Understanding the value of each type of data can help businesses decide what type of cloud is the best fit," says Gordon.
McRae says most organisations will probably not go for one type over the other, but instead use a combination of two to form a public-private hybrid.
Still the problem remains of having no standards for cloud computing for handling different kinds of data, especially sensitive personal data such as healthcare records, says Gordon.
Global IT security organisations and governments have a role to play in taking the lead on standards and should intervene rather than leaving it up to the emerging service providers, he says.
"The potential benefits of cloud computing are great, but we will blow it if authorities adopt the same hands-off approach as they did in the early days of the internet," says Gordon.
He believes that by setting guidelines now that will not stifle growth, authorities could tip the balance in favour of making cloud computing highly secure.
Ronny Bjones, security strategist for Microsoft, says cloud-based services can potentially offer businesses a greater depth of defences than they could achieve on their own.
"A simpler, standard environment can be protected more easily and cloud providers can use rights management and encryption technologies to provide an extremely high level of protection," he says.
Gordon agrees. "All the excess capacity could be extremely valuable in helping organisations deal with distributed denial of service attacks, which will be handled like any other surge in demand," he says.
"Patching can be automated and will be done in near real time, improving overall security and dramatically reducing exposure to attacks," he says.
Most IT security professionals agree that in the short term, businesses should be extremely wary of putting sensitive company data in public clouds.
Businesses should also stick to low risk, low volume applications and build internal and private clouds to enable collaboration within the organisation and externally with partners.
"Demand greater transparency from the providers, mitigate risk with clear SLAs and ensure you have an exit strategy," says Burton's Gerry Gebel.
- Although governments and industry groups like the Cloud Security Alliance are working on standards, many businesses are already looking to cloud-bases services to meet their needs. Until cloud-specific standards are produced on interoperability, accountability and audit assessment criteria, businesses should look to existing standards such as ISO 27001 for guidance, says Gordon.