Security concerns for cloud computing

The trouble with the term cloud computing is that it encompasses such a huge range of technology offerings: software-as-a-service (SaaS), storage on-demand,...

The trouble with the term cloud computing is that it encompasses such a huge range of technology offerings: software-as-a-service (SaaS), storage on-demand, remote server capacity, to name a few. One thing all cloud services have in common, however, is the way in which they deploy or relocate potentially sensitive corporate data beyond the firewall and that causes a serious consternation to information security professionals.

In a recent blog, Amrit Williams, former Gartner analyst and now CTO of security management company BigFix, outlined the inherent dangers: "When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control," he writes. "The 'experts' will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail."

Business and IT executives in UK organisations seem to concur with Williams, according to the results of a recent survey conducted by IT consultancy firm Avanade. It found that, by a 5-to-1 ratio, respondents trust existing internal systems over cloud-based systems, due to fears about security threats and loss of control over data. It's an issue that pan-industry security thinktank the Jericho Forum has placed high on its agenda for 2009. Paul Simmonds, Jericho Forum board member sees this as a natural evolution from the group's work on deperimeterisation and collaborative open architectures, which also focuses on computing that takes place outside the protected boundaries of the corporate infrastructure.

The goal, he says, is to come up with a framework that enables companies to determine how cloud technologies can be used securely. "We don't argue for a minute that there are good business drivers for using cloud services, especially in a downturn, where reduced cost and faster time-to-market are so important," he says. "What we are challenging is the notion that the provider will handle security to your satisfaction as a matter of course. You simply haven't got that guarantee."

These efforts, his Jericho Forum colleague Andrew Yeomans hopes, should lead some executives to consider questions that they hadn't previously considered in the headlong rush to adopt cloud computing: When you repatriate data from a cloud provider, taking it back into your own internal systems, how can you be sure that no trace of that data resides on their own systems? What leaks might exist between the cloud service back into our own infrastructure? Does the provider adhere to the same physical, logical and personnel controls that are applied to our own internal systems? What will happen if the provider goes bust?

The results of their work, due to be unveiled in a paper this month, will tackle the high-level security aspects of cloud computing. It takes the form of a three-dimensional cube that attempts to map out in graphic form the key decisions that companies will have to make when deciding which tasks and data can be handled in the cloud, which should be confined to internal systems, and how to tie data residing in both the cloud and internal systems together in a way that is safe and secure. The model takes into account the huge variety in forms that cloud computing services can take: whether they are open or proprietary; perimeterised or deperimeterised; internal or external.

"People need to be aware that the cloud isn't just one thing," explains Simmonds. "You can have internal, proprietary, perimeterised clouds, for example, or external, open and deperimeterised clouds. The trick will be in deciding which model fits the risk profile of your organisation, depending on the task at hand." In the long term, he says, it may be necessary to tag data with metadata describing where it can and can't reside within the wider cloud model.

By the time Infosecurity Europe 2009 rolls around in late April, the Jericho Forum hopes to have drafted a self-assessment methodology to enable companies to ascertain if they are fit and ready for cloud computing, based on its previously published "11 Commandments" for deperimeterisation projects. "We hope this will give organisations a handle on the kinds of nasty questions they need to be asking of providers if they are to proceed with cloud computing in a secure fashion," says Simmonds.

Read more:

Security trends for 2009 >>

Cloud's Illusions: Jericho Forum Future Direction (A paper on cloud computing given by Jericho Forum board member Stephen Whitlock, December 2008) >>

The Jericho Forum 11 Commandments >>

Read more on IT outsourcing