Is data as secure with cloud computing as it is in a traditional outsourced environment? Lee Newcombe, a principal consultant at technology consultancy Capgemini, reports.
So you've seen the hype, attended the conferences, spoken to satisfied customers and have decided that this cloud computing stuff is for you. But, at the back of your mind you still have a little voice muttering about security risks. What do you do next?
Let's assume that you've done the groundwork: you have a good idea of the types of services and data that you believe would benefit from a shift to a cloud service and you've read both the Jericho Forum paper describing their Cloud Cube model and the guidance paper from the Cloud Security Alliance.
Cloud computing presents information risk - but probably not significantly more than in a traditional outsourced environment.
Start with the legal and commercial aspects - will your data remain within the geographical constraints of your legal and compliance obligations? Will it even remain your data? How can you securely get data into and out of your chosen cloud? How straightforward, costly and efficient is it to get data back from the cloud? Can you have multiple connections between yourself and your provider?
Now, consider the mechanisms you will use to control access to both your data and the services that process your data. Consider whether you will use single sign-on between your on-premises and cloud-based applications. Examine the security services provided by your cloud provider by default. Never forget that you can encrypt data in transit and in storage, but at some point in memory your data will be in the clear on shared physical kit if you're processing in the cloud.
Examine the evidence that stated cloud provider security practices have been implemented; look for ISO27001 certification and examine the statement of applicability to see the scope of the certification.
Then there is the other oft-touted problem with cloud computing: availability. Ensure that the service availability offered by the cloud provider is sufficient for your requirements and that the cloud provider's availability figures are both recent and regularly updated.
Consider the risk of provider lock-in. Lock-in can arise from proprietary software stacks, proprietary data formats or both. It would be problematic to move from a Force.com application coded using Apex onto a service hosted on an Amazon Web Services image should your requirements change. Lock-in is more of a risk the higher up the stack you go, as the scope for proprietary mechanisms increases. Aside from traditional lock-in implications, what would happen if your provider goes out of business or stops offering the service? Look at the fate of Coghead customers when Coghead was closed following its purchase by SAP.
Cloud computing now has the momentum that its forebears - utility and grid computing - were never able to achieve.
We are all likely to be using cloud-based services in the future, even if we are not always going to be aware of the fact. It is now the role of risk professionals to make sure that we manage this move to a new way of working in a manner that preserves the security, operations and best interests of those we work for and of those whose data and service we are entrusted to protect.
This was first published in August 2009