Secure cloud computing: a contradiction in terms?

Cloud computing implementation is on the rise despite any worries that security professionals may raise about the technology.

Organisations around the world are rushing to adopt all flavours of cloud computing, including Software as a Service, Infrastructure as a Service and Platform as a Service, despite the security concerns these arrangements raise. According to new research commissioned by enterprise consulting company Avanade Inc., the economic attractions of cloud-based computing are outweighing the worries that security professionals might raise.

The figures suggest that the rate of adoption is turning from a trickle to a stampede. Since the last similar survey in January, the new research (carried out in August and September) shows that three times as many organisations have adopted the technology. In January, 61% of organisations were not using any cloud-based services, but by autumn, that figure had dropped to 36%.

More than 70% of global companies said the economic downturn had either helped (13%) or had no effect (58%) on cloud computing implementation, but in the U.K., 62.5% of organisations said the recession had slowed down their efforts.

More than half of respondents said they had adopted a hybrid deployment of cloud-based systems (with some applications working as virtual machines, but on in-house servers) as they become more acquainted with the new technology.

Although security remains the main concern, 40% of global companies using cloud computing reported that their IT staff had gone through a steep learning curve to adapt to the new ways of working.

And while cloud computing is often presented as a bulletproof option, more than 35% of respondents said they had experienced an outage in their service, and more than 30% of Software as a Service (SaaS) customers had experienced an outage of 10 or more hours. The survey was based on interviews with 502 senior managers in 16 countries around the world.

The responses from U.K. companies show an even stronger change in attitudes to cloud services. In January, just 6% of U.K. organisations were planning to test cloud computing, but eight months later, that had risen to 25%. And while 50% said they had no cloud plans in January, that group has now dropped to 25%. Half of those adopting cloud technology said the main driver was to cut costs, as cloud computing often reduces the need to buy and manage in-house IT systems, and can be charged on a pay-as-you-go basis rather than a big up-front investment.

Meanwhile, the debate goes on about the reality of secure cloud computing. For instance, a recent report by the Information Security Forum suggested that many of the current cloud service offerings are immature, and that their security efforts are focused on securing their own infrastructure, rather than helping customers manage their data.

The forum advises caution and says companies should avoid putting their most important systems into the cloud until they are sure of their supplier's reliability. The report's author Gary Wood said: "Some business-critical systems may be eminently suitable to put out into the cloud, but you have to think about it. You [security professionals] need to work with the business to make those decisions. If you don't do that, it will happen anyway without you. You'll just be the 'no' people doing fire fighting rather than acting as a business advisor."

Wood added that many of the lessons that companies have already learned through outsourcing are equally applicable when it comes to cloud computing. For instance, companies need to plan for any service disruptions, and they also need to ensure that when a contract comes to an end, they can retrieve all their data and make a smooth transition to their new supplier.

On the other side of the debate, some people argue that security can actually be improved by putting services into the cloud. A report due to be published on Nov. 20 by the European Network and Information Security Agency (ENISA) will highlight the economies of scale that accrue in the cloud for activities such as traffic filtering, anomaly detection, patch management and federated identity management.

Giles Hogben, who has led the eight-month study by ENISA, added that cloud-based services would also be better able to withstand denial-of-service attacks. "The ability to scale these resources on demand, scaling up only those which are most scarce in the face of an attack or natural disaster, has obvious advantages for resilience," he said.

But one of the biggest challenges facing organisations is how to monitor how their suppliers operate, and how well they protect their systems and data. Smaller companies may have little clout in negotiations and may have to accept whatever assurances the provider gives. But larger corporations are unlikely to be satisfied with that, especially if their own security certifications demand they audit their suppliers thoroughly.

The ENISA study found that many cloud suppliers are already struggling to meet the auditing demands of multiple clients, and so the upcoming report will recommend a new standard auditing document that could cover frequently asked questions, and thereby streamline the auditing process. Hogben said that some professional bodies had already shown interest in developing this into a common standard.

Any decision to switch to the cloud should be made based on risk and the organisation's appetite for risk, according to Nick Bleech, head of information management at St. Andrew's Healthcare in Northampton. "Figure out your risk appetite, including legal obligations you will face, and which any solution provider will have to indemnify you against, read the fine print for the solution provider's offering and define your options rationally. Nothing new, really," he said.

For further guidance, Bleech recommended the Jericho Forum's Cloud Cube Model, which aims to help companies identify which applications are suitable for cloud operations, as well as architecture papers from the Cloud Security Alliance.

He also made three predictions based on discussions with other security professionals:

  • Your financial director will demand you compare your proposal for your next in-house IT project with the cloud alternative.
  • Hybrid clouds will look to ease some of the security concerns.
  • SMEs will go for cloud in a big way -- anyone with less than 1,000 computers ought to prefer cloud over in-house IT.
