Is your data secure in the cloud?

Corporate concerns over data security are holding back cloud computing.

Security experts, software suppliers and cloud service providers alike see the cloud as a once-in-a-lifetime opportunity to make information security better than ever. The US government's cybersecurity adviser Howard Schmidt says cloud computing will enable businesses to catch up on security issues and ensure they have the right mechanisms in place going forward.

His enthusiasm offers a sharp contrast to typical cloud computing security debates, which tend to focus on enterprise concerns about cybercriminals exploiting a single point of weakness to steal sensitive information.

Mark Lewis, partner and head of outsourcing at law firm Berwin Leighton Paisner, says that usually the biggest concern with cloud computing is that it puts all a company's data and applications in one place.

"If you look at the massive data breaches at what are supposed to be some of the most secure organisations in the world, you would be concerned if everything were in one place," he says.

He points out that in the traditional outsourcing model the all-in-one-place scenario rarely happens because financial services firms package their contracts with different outsource suppliers.

It is unclear how businesses will follow this strategy in cloud, but Schmidt believes that, if handled properly, the shift to cloud-based computing could lead to better security.

"This is an opportunity to build in security best practices missing in many pre-Web 2.0 applications in use by the enterprise," he says.

A reliable security infrastructure, says Schmidt, is essential if business is to get the full value out of cloud-based computing.

"Because cloud platforms are still developing, we now have the opportunity to build in best practice around things like authentication, data protection and data disposal from the start," he says.

Does cloud computing need standards?

Users require service level agreements from cloud providers. They also need a standard for handling different kinds of data, especially sensitive personal data such as healthcare records, says Rick Gordon, managing director of US national security consultancy Civitas Group.

Gordon says that global IT security organisations and governments have a role to play in taking the lead on standards and should intervene rather than leaving it up to the emerging service providers.

Anthony Golledge, head of technology consulting at Detica, questions whether any specific cloud standards will be developed in the time frame they will be needed given the increasing number of cloud-based services becoming available.

"I am not convinced we need anything new," he says. "I would rather use the things we are familiar with and move cautiously into the cloud way of working."

Golledge points out that not all security necessarily needs to be within the cloud infrastructure, and could reside instead on the devices used to access cloud services.

"Users of cloud-based services can exercise some control through security policies on all end-point devices, fixed or mobile, that connect to the cloud," he says.

End-users could adopt this as an interim approach to security until the infrastructure matures into this vision of something that is inherently secure by design, says Golledge. It may also be a longer-term way of enabling secure access for a single end-user device to services running on different cloud infrastructures.

But even if that vision of an inherently secure infrastructure is achieved, end-user organisations will not be able to avoid having to decide what information is allowed to be shared, which a secure infrastructure alone will not solve, he says.

The role of virtualisation

Virtualisation has also matured and will be a key enabler for security in the cloud, according to Eric Baize, senior director of the product security office at RSA.

"Virtualisation will be the engine that drives cloud computing, and I am pleased to see security conversations are happening at the same time as the cloud is evolving," he says.

Eugene Kaspersky, chief executive of security firm Kaspersky Lab, says virtualisation will help to a degree but will not deter master cybercriminals.

He predicts that just as viruses moved from floppy disks to the internet, so any new technologies or methods that come with cloud computing will be scrutinised by cybercriminals in search of ways to exploit them.

"Virtualisation will enable better security, but there is still the human factor," says Kaspersky. "People make mistakes and cybercriminals will find a way to exploit this."

RSA is working with virtualisation supplier VMware to embed security technologies into the virtual operating system.

Initiatives such as this will make security controls in the cloud automatic, and more efficient and transparent to end-users than can be achieved in any physical infrastructure, says Baize. "Cloud computing is a great opportunity to do security right," he adds.

Private clouds

Most IT security professionals agree that, in the short term at least, businesses should be extremely wary of putting sensitive company data in public clouds.

Businesses should also stick to low-risk, low-volume applications and build internal and private clouds to enable collaboration within the organisation and externally with partners.

Users of cloud-based services should always make sure they know who has their data, where that data is held, what they are doing with it and how they are protecting it.

"Demand greater transparency from the providers, mitigate risk with clear SLAs and ensure you have an exit strategy," says Burton Group analyst Gerry Gebel.

According to Gartner analysts, investments in private cloud will make it easier for organisations to increase their use of public cloud services gradually as they mature and security improves.

Jumping directly into a public environment safely is probably too difficult an operation for most companies, says Golledge.

Gartner analyst Tom Bittman says that many of the investments in private clouds will prepare the enterprise for public cloud computing.

"These investments are not just technology changes," he points out. "They are also process, cultural and business interface changes."

The changes will include the virtualisation of services and operating shared services, but still with robust gateways that connect with other clouds, says Golledge.

"This will deliver some of the benefits of cloud computing, but you also have enforcement points where you can apply traditional security policies," he explains.

Making these changes sooner rather than later will help enterprises to take better cloud sourcing decisions and potentially make an easier shift to public cloud computing, says Bittman.

The benefits of cloud are undisputed, but security remains a key concern and will be one of the most important factors in determining the speed and success of the world's transition to this business model.

It will, however, be some time before enterprises know whether cloud is the best thing to happen in security or merely offers a host of new opportunities for cybercriminals.

BOX: UK businesses responsible for the data they collect

The European Network and Information Security Agency (ENISA) acknowledges that large service providers typically have the resource and expertise to deliver higher levels of security than many companies, particularly smaller enterprises.

But in its November 2009 report on cloud computing, the agency warns that companies remain responsible under UK law for safeguarding their customers' information even if that data is stored by a service provider.

As data controllers, as defined by the Data Protection Act, UK companies are responsible for the security of their data, says Bridget Treacy, partner at law firm Hunton Williams.

Businesses need to be educated that technologies exist, and are under development, to address concerns about access controls and data leakage prevention.

BOX: No single point of failure

Instead of the cloud being a single point of failure, Art Coviello, RSA president, says it can become a centralised way of controlling data and enforcing best security practices.

He sees it as an opportunity to embed security technologies such as data loss prevention into the core systems that will run the cloud, which he regards as one of the most exciting developments in a decade.

Cloud computing could provide more granular security control than previously possible and one that is invisible to the end-user, says Philippe Courtot, chairman at security firm Qualys.

According to Courtot, cloud computing has the potential to achieve this higher level of security by simplifying everything.

Synchronising mobile devices will no longer be necessary, and by removing infrastructure and software concerns, the enterprise will be able to focus on the data and sharing it securely, he says.

Once data is in the cloud, says Courtot, enterprises will have much greater control over data access, distribution and modification than would otherwise be possible.
