Securing the cloud is much like securing the enterprise, says industry analyst

Security is widely cited as the single biggest reason for not embracing cloud computing, but security is really made up of several aspects says Quocirca.

Security is widely cited as the single biggest reason for not embracing cloud computing, but security is really made up of several aspects, says Bob Tarzey, analyst and director at Quocirca.

"There is securing the cloud, using the cloud securely, and using the cloud to deliver security," he said.

Tarzey is to lead a panel discussion on securing the cloud at Infosecurity Europe 2011, which takes place at Earls Court, London, from 19-21 April, with Neira Jones of Barclaycard and Jason Witty of the Bank of America.

Securing cloud services

To secure public cloud services, providers need firewalls, intrusion protection, content security and so on, just as those configuring private IT infrastructure do, says Tarzey, but there are some differences, mainly around scalability.

The fast-growing number of users of public cloud services means providers need highly scalable and reliable products to be able to keep growing and maintain service levels. There are also some specific issues with regard to virtualised infrastructure and multi-tenancy platforms that they need to address.

"On the whole one should expect, given the stakes and the effort put in, that public cloud services will in many cases be more secure than privately owned and run IT infrastructure," said Tarzey.

He says this is mainly due to the fact that service providers are using enterprise-class datacentres deployed and run by people whose business it is to manage, secure and ensure the availability of IT infrastructure.

"It is not in their interests to run something that is insecure," said Tarzey.

Apart from scalability, the other main difference in cloud computing from private IT infrastructure is that businesses are sharing it with other organisations, but even that, he says, is not that different from what goes on internally.

Each department within an organisation is not able to see the files of other departments because they are secured and protected. The cloud is not inherently insecure and there is no reason why it should be less secure than internally managed infrastructure, says Tarzey.

Using the cloud securely

The second issue is secure use of the cloud, Tarzey says, where there is more risk because it involves making sure the communication between an organisation's users and the cloud services they are expected to use is secure.

"But this is really no different to making sure remote workers can safely access privately owned IT applications and infrastructure. Cloud service providers know what they are doing here too. For them, everyone is an outsider, so the default is to authenticate access and communicate securely," said Tarzey.

Secure use of the cloud also involves making sure the services employees invoke themselves are secure. These include social networks, web mail and collaboration tools.

"Much of this is about content filtering - preventing bad stuff coming in and good stuff getting into the wrong hands - and the secure transmission of data. The endpoint is exactly the same for cloud as it is for data or applications coming from internal systems," he said.

Tarzey believes that by getting the right messages about holistic IT security across to organisations and presenting the cloud in the right way, security issues and concerns can be addressed.

Using the cloud to deliver security services

The final issue is using the cloud to deliver security, which is an established and growing practice, says Tarzey.

One of the first use cases was to deliver anti-virus updates over the internet rather than distributing them on diskettes, he says, with the best example being the Microsoft update, which delivers patches to hundreds of millions of PCs on a regular basis.

E-mail filtering, web content filtering, security management and a range of other requirements are also being delivered as on-demand services by security suppliers and the managed security service providers (MSSP) they partner with, says Tarzey.

"They also rely on the cloud to gather most of the information they have on known threats through their protection networks," he said.

According to Tarzey, businesses can get more out of discussions about the cloud if they establish exactly what angle suppliers are taking.

"Don't cloud over, be cloud aware," he says.

Read more on Antivirus, firewall and IDS products