Information security concerns consistently rank as the chief barrier to the adoption of cloud computing services – whereby computing functions are sourced from third parties over the web on a highly scalable, utility-billing basis.
A recent survey by IBM is one of many to have reflected this: it found that 80% of CIOs listed security as their chief concern in assessing the viability of cloud services.
And many of those companies that have already adopted cloud computing still have security concerns. A study published by security association ISACA in March 2010 showed that 40% of UK organisations had deployed some of their IT infrastructure into the cloud, but also that a quarter of cloud adopters still feared that information security risks – in the broadest sense, ranging from the danger of data theft through availability and uptime to data protection and compliance issues – might outweigh the potential advantages.
Despite the widespread concern, the issue of cloud security is far from cut and dried. Some organisations even see the cloud as a security benefit: an investigation by standards body The Open Group found that some members had adopted cloud services as a way to overcome the lack of security of their own infrastructure.
Much of the discussion surrounding cloud security is based on supposition; there have been few public examples of cloud computing data breaches. One of the few widely reported incidents, and a loss of data rather than a theft, was a ‘technical glitch’ at a subsidiary of Microsoft in October 2009 that resulted in the deletion of thousands of users’ mobile phone contact books hosted in external data centres.
But cloud computing services are still young, and high-profile data breaches and privacy scares have made business and public sector IT leaders a cautious breed. The widespread concern surrounding cloud security, combined with often contradictory views and opinions, represents a stumbling block for what many see as the natural evolution of the IT industry.
“There is a lot of fear, uncertainty and doubt surrounding cloud and the risks of security,” says Ray Stanton, head of global business continuity at BT Global Services. He adds that this must be resolved if businesses are to take full advantage of the available benefits: “We have to demystify this.”
Securing the cloud
Many security experts agree that, while it always pays to be cautious, there is nothing inherently insecure about handing data to a third party via the web. Indeed, some argue that the large cloud computing providers are more likely to have developed dependable security procedures than their customers.
“The risk of data theft is fairly minimal,” says John Colley, EMEA director of security professionals association (ISC)2, who explains that it is in a vendor’s best interests to enforce data security. “In terms of protection, the cloud provider has more riding on its services not being compromised than any one individual customer has.”
A risk assessment recently published by the EU’s European Network and Information Security Agency (ENISA) applied a similar logic, stating that cloud computing benefits from economies of scale in regard to security.
“Put simply, all kinds of security measures are cheaper when implemented on a larger scale. Therefore, the same amount of investment in security buys better protection,” the report read. “This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors.”
However, while cloud computing vendors might be able to handle information security better than the average company, that is no guarantee that a customer’s data is safe with them: the vendor itself has to survive. In February 2009, Coghead, a service that allowed enterprises to develop and host custom database applications in the cloud, emailed its customers to inform them that it was going out of business and that, as a result, they had just over a month to retrieve all of their data.
Coghead’s technology was eventually acquired by enterprise application giant SAP, but the episode brought home the fact that cloud-based service providers can, and do, go under or get acquired by larger organisations with a different corporate agenda, raising the question of what happens to customers’ data in such a scenario.
Assessing the viability of a vendor before signing a contract should form part of any IT procurement process, argues Andy Burton, CEO of hosting provider Fasthosts and chairman of the Cloud Industry Forum.
“There are certain things that you should try to find out about an organisation, so you can gauge a real-world comparison of that business,” he explains, “such as doing a credit check or establishing where exactly their data centres are located, if they own them and if they are co-locating.”
Gary Wood, a research consultant at independent advisory the Information Security Forum, argues that, while Coghead’s story serves as a lesson for organisations considering a cheaper, less renowned cloud service, it should not affect a decision to use larger cloud vendors: “Some of the smaller providers are less likely to be stable, but organisations like Salesforce.com and Amazon aren’t going to disappear overnight.”
A common concern among potential cloud customers relates to the location of the data centres that their data might end up being stored in. Recent reports from IT industry analyst Gartner and multinational auditor KPMG both highlighted this issue as a thorn in the side of cloud adoption.
Businesses are subject to a number of laws governing where they can store data. In the UK, the most universally applicable example is the Data Protection Act, whose eighth principle restricts the transfer of personal data outside the European Economic Area to countries that ensure an adequate level of protection, unless an exemption such as the individual’s consent applies. However, a characteristic of cloud providers, as opposed to traditional hosting suppliers, is that their underlying infrastructure tends to be highly distributed and highly virtualised; it is not always clear where data might end up, even to the provider itself.
On-demand CRM provider Salesforce.com and cloud computing supplier Amazon Web Services offer a choice of locations, but others have been less forthcoming. In March, prestigious US university Yale delayed a planned switchover to Google’s cloud-based email and applications suite after faculty expressed legal concerns regarding the search engine giant’s policy of replicating its hosted data across multiple global sites – a strategy designed to maintain service levels in the event of loss or disruption.
According to Fasthosts’ Burton, legally sensitive data is perhaps better suited to private, on-premises infrastructure. Simon Abrahams, head of EMEA product marketing for Rackspace, believes that the desire to keep legally sensitive data in a controlled environment while still making use of the cloud is the key driver for so-called hybrid cloud environments, in which traditional hosting and cloud services are knitted together into a single continuous environment.
But Burton also reports that in some cases the physical location of IT assets is irrelevant, and customers’ concerns over language and time zone issues can often be trivial.
In cloud, as in any services engagement, the customer’s ability to obtain the assurances it requires from the supplier rests on its power to negotiate an appropriate service level agreement (SLA). Specific considerations for cloud SLAs include acceptable downtime, data protection procedures and the process for retrieving data and transferring it to another cloud provider in the event of a supplier switch, or of the supplier’s failure.
According to (ISC)2’s Colley, the buying power of larger organisations grants them the upper hand in negotiating SLAs with cloud suppliers: “Large businesses have a lot of clients, and a lot of leverage, so they can insist on things being in the contract like audit requirements and special safeguards, whereas small businesses generally cannot.”
But this does not necessarily tie the hands of the smaller cloud customer. The Cloud Industry Forum has already developed its own certification system for determining the quality of vendors based on transparency, capability and accountability.
The idea is that this leads to a list of quality-approved vendors – something that will become of more importance as less renowned providers continue to enter the market – in order to help smaller customers make the decision to sign an SLA with a cloud vendor. “It’s about trying to get as much transparency about what’s being delivered into the market,” says Burton, “so people will be able to make an educated, rational decision.”
Security body the Jericho Forum also predicts that third-party organisations will offer independent audits of cloud vendors within the next few years, which it expects will increase trust between provider and customer.
Adrian Seccombe, Jericho member and former chief information security officer of Eli Lilly, believes that this development will be particularly beneficial to small to medium-sized enterprises, which typically cannot commit time and resources to effectively auditing prospective cloud providers. “If [small enterprises] buy an audit from a third party, it increases the trust and confidence of these smaller businesses who would never be able to modify the standard terms and conditions,” explains Seccombe.
It is early days for cloud computing, and new concerns may well arise as current difficulties are ironed out. It is clear, however, that organisations cannot abdicate responsibility for information security by engaging cloud computing services.
Quite the opposite, in fact: the most secure cloud adopters will be those who demand from their cloud providers the same assurances they would require of their own infrastructure.
“The issues of security are fundamentally the same” for cloud as for on-premises infrastructure, says Garry Sidaway, director of security strategy at IT consultant Integralis. “But as an organisation, you’ve got to start extending these principles [into the cloud].”