Security and the cloud: building trust
In any conversation about the cloud, the topic of security is never far away. In fact, recent commentary from David Linthicum at Cloud Technology Partners bemoaned the fact that the security industry’s enthusiasm for highlighting the vulnerability of the cloud has made people think that the cloud is less secure than other forms of IT.
If something is said often enough then there is a danger that people will believe it to be true, but all forms of IT can be insecure. The key is what processes and technologies you choose and how well you plan your security. “The truth is that most of the best practices for on-premises security are applicable in the cloud as well,” Linthicum points out.
who can we trust?
Has security PR actually drowned out the message that clouds can be as secure as any form of IT, as Linthicum fears? At the recent RSA Conference in San Francisco, two of the world’s largest IT companies put their considerable mass behind the cloud. Google and Microsoft both said that they would be willing to trust their own data to servers operated in the cloud by their competitors.
Also on the panel was long-time security expert Bruce Schneier, who said that cloud computing all came down to a question of trust. “Fundamentally, ‘cloud’ means to me your data on somebody else's hard drive. Do I trust that other legal entity with my data on their hard drive?” he asked. The responsibility needs to lie with the cloud provider to put the best practices, technology, processes and legal protection in place for their customers.
growing cloud momentum
So are companies starting to trust their cloud providers? Certainly an increasing number of companies already use public cloud services, according to just about any market report. For example, a new study from IDC says that spending on public cloud services worldwide will reach $108 billion by 2017, up from $47 billion at the end of 2013. This is a growth rate of 24% - nearly five times the rate of the IT industry as a whole.
IDC says that enterprises are increasingly choosing public cloud services over private cloud services, which certainly seems to indicate a growing confidence in the model. Frank Gens, Senior Vice President and Chief Analyst at IDC, says that the emergence of virtual private cloud (VPC) offerings has been key to this. This is because VPCs are able to bridge the gap between the security and privacy provided by private cloud and the flexibility of the public cloud.
what should enterprises do?
Modern security is all about managing risk, so enterprises need to understand the impact a security breach has on any particular data or process, whether managed in the cloud or not. So what are the biggest risk factors for cloud computing? Here are five identified by HP.
1. managing cloud data
If there is a breach at the cloud provider, then the customer is still responsible for the fall-out from the incident. This is true both in terms of brand reputation (although the provider will likely take a hit here as well) and for regulatory compliance. Schneier pointed out at the RSA Conference that credit card use really took off when users no longer were responsible for any losses... perhaps there is a lesson there?
2. lack of cloud security standards
There is little consistency in security standards between different cloud providers. This makes it difficult for enterprises to find a service that meets their requirements. Whether this can be achieved by a questionnaire-based exercise is not entirely clear. But it should not be left entirely to the customer to assess a provider’s level of security from the bottom up. Whatever the standardization approach, enterprises need to ensure that data security is comprehensively covered in the supplier’s contract – like any other IT service.
3. data location
There are two aspects to data location:
The first is simple disaster recovery: if your service provider has an outage do you still have access to your data and applications? Do they have a business continuity plan in place to mitigate that risk?
The second has more to do with the regulatory requirement for data to be stored in certain countries only. This push has been strengthened recently by the NSA spying revelations, which are being used by European firms to stress the importance of using a European provider.
4. business continuity
Companies should also be prepared if their cloud provider has a more serious problem, such as going out of business or having a more significant, longer-term outage. Do you have business continuity planning to cope with this and a contractual arrangement in place to get your data up and running elsewhere quickly if required?
5. look at cloud from a risk perspective
Finally, as mentioned above, it is vital to look at security from a risk management perspective. This involves matching the level of security to the value of the data, what applications can be put in the cloud, and the user impact of cloud on security – such as how to use the cloud safely.
So do you trust your cloud provider to handle your data and processes properly, and have you got a risk management process in place to minimize the impact of any breach on your business?