Cloud could improve data security

Security is widely seen as an inhibitor to enterprise adoption of cloud computing.

Security is widely seen as an inhibitor to enterprise adoption of cloud computing, but could it be a chance to achieve better security?

Cloud computing as an opportunity to right the security wrongs of the past emerged as a strong theme at RSA Conference 2009 in London.

This is not only the view of security and cloud suppliers, but also security experts such as Howard Schmidt, president of the Information Security Forum (ISF).

Cloud computing offers an opportunity for businesses to catch up and ensure they have the right security mechanisms in place going forward, he says.

Schmidt is among those identifying the expected shift to cloud-based computing as an opportunity to build in security best practices missing in many pre-Web 2.0 applications in use by the enterprise.

A reliable security infrastructure, says Schmidt, is essential if business is to get the full value out of cloud-based computing.

"We now have the opportunity to build in best practice around things like authentication, data protection and data disposal from the start," he says.

Art Coviello, RSA president, says instead of the cloud being a single point of failure, it can become a centralised way of controlling data and enforcing best security practices.

This is an opportunity to embed security technologies into the core systems that will run the cloud, such as data loss prevention, which is one of the most exciting developments in 10 years, he says.

Cloud computing could provide more granular security control than previously possible and that is invisible to the end-user, says Philippe Courtot, chairman at security firm Qualys.

According to Courtot, cloud computing has the potential to achieve this higher level of security by simplifying everything.

Synchronising mobile devices will no longer be necessary, and by removing infrastructure and software concerns, the enterprise will be able to focus on the data and sharing it securely, he says.

Once data is in the cloud, says Courtot, this will enable enterprises to have much greater control over data access, distribution and modification than would otherwise be possible.

Cloud computing will shift power from suppliers to end-users, who will no longer be restricted by supplier lock-in, as no capital investments in hardware and software are required.

IT security professionals will also benefit as they will be able to play a much more strategic role in supporting the business by helping to build secure cloud services, says Courtot.

The security industry needs to unite and collaborate, he says, to develop the technologies for more secure browsers, stronger authentication, secure communication and better malware detection.

Courtot also acknowledges that there is still work to be done on refining the cloud computing model, including ways of implementing and managing service level agreements.

But RSA's Coviello sees enterprise ignorance as a major obstacle. There is a lot of misinformation and uncertainty, he says.

Businesses need to be educated that technologies exist and are in development to address concerns about access controls and data leakage prevention. They need to be told that the kinds of controls that companies are using in their internal environment can be applied more effectively in a cloud environment, he says.

Virtualisation will be a key enabler for this, according to Eric Baize, senior director of the product security office at RSA.

"Virtualisation will be the engine that drives cloud computing, and I am pleased to see security conversations are happening at the same time as the cloud is evolving," he says.

RSA is working with virtualisation supplier VMware to embed security technologies into the virtual operating system. Initiatives such as this will make security controls in the cloud automatic and more efficient and transparent to end-users than can be achieved in any physical infrastructure, says Baize.

Cloud computing is a great opportunity to do security right, he adds.

Governments see this opportunity too, says Schmidt, with both US and UK authorities consulting industry experts on how best to secure data in private cloud infrastructures.

Where government leads, enterprise is sure to follow, and the much anticipated shift to cloud computing may not be as far off as sceptics have predicted.

Read more on IT risk management