This article originally appeared in the Jan. 2012 issue of Cloud Computing.
Cloud has opened up several IT strategy considerations for businesses, with security top of mind for chief information officers as they evaluate the potential benefits of shifting to the cloud for their computing needs. Cloud Computing has taken an in-depth look at the conceivable risks involved by speaking with some of the industry’s leading cloud and security experts on how to overcome these challenges, separating fact from fiction.
But first, a little history to provide some context for today’s security concerns: When the term “cloud” first made its appearance in the tech industry several years ago, skeptics brought up a valid point: Is shifting data to the cloud – off premise, into another location – at all safe? How could it really be? “Cloud security” sounded like an oxymoron, and for some, it still does. Certainly, we know that cloud computing is imposing change to IT strategies, but is security in the cloud a real or perceived threat?
Despite the traction that cloud has gained in the past year, a recent Ovum study concluded that business barriers to using cloud computing and communications services remain. Fifty-eight percent of respondents claimed security was a critical barrier to adoption, and this is strongly reinforced by their next most significant concerns: data governance (54 percent), use of public internet infrastructure (40 percent), and loss of control (39 percent).
It’s safe to say that the C-suite still needs to get comfortable with the idea of placing their most critical information into the cloud – especially taking into account some of the more high-profile security breaches that have been so well-publicized, perpetuating the underlying fears that many senior-level decision makers still have about cloud.
“When we look back on a year riddled with high-profile data breaches, it’s fair to say that the C-suite is still very concerned about the security of their corporate data wherever it is stored and used, including in the cloud,” says Dave Elliott of the Global Cloud Marketing division at security firm Symantec.
In fact, Symantec’s recent “State of Cloud” survey showed that organizations are conflicted about security – rating it both as a top goal and as a top concern with moving to the cloud.
“Eighty-seven percent of respondents are confident that moving to the cloud will not impact or will actually improve their security,” notes Elliott. “However, achieving security for cloud environments is also a top concern for these organizations, which cited potential risks, including malware, hacker-based theft and loss of confidential data.”
Senior-level executives on the whole are concerned about a myriad of potential risks, including malware, hacker-based theft, data leakage and other risks. In fact, when asked to list their biggest concerns, the real finding was not which fears topped the list, but that so many fears made the list, according to Symantec.
Of the concerns discussed in the survey, all were rated as somewhat or completely significant by 52 to 58 percent of respondents. It’s become apparent that organizations are crossing the cloud chasm with both anticipation and trepidation.
“Organizations continue to be concerned with security in the cloud and security for the cloud. This year, customers have told us their top cloud concerns are data breaches and cloud outages,” says Elliott. “There is a growing recognition that moving to the cloud still requires good data governance and at the end of the day, the enterprise is responsible for protecting and securing information regardless of where it resides. We expect for that maturing to continue in the future.”
The top threats, according to Symantec’s cloud report, are as follows:
· Mass malware outbreak at your cloud provider;
· Hacker-based data theft from your cloud provider;
· Sharing sensitive data insecurely via the cloud;
· Rogue use of cloud leading to a data breach; and
· Data spillage in a multi-hosted environment.
“In addition to these concerns, customers tell us they are primarily concerned with visibility and control of information in the cloud,” explains Elliott. “Emerging use cases that concern IT include ‘rogue’ or ‘shadow IT’ in the cloud, and there is need for IT governance for the public and private cloud, as well as unified information and identity security across cloud providers.”
In reality, security is the only substantive concern when it comes to cloud computing, according to Simon Crosby, the former CTO of the Data Center and Cloud Division at Citrix and current CTO and co-founder of Bromium, a cloud security company.
“In the last year there have been a number of unnerving security exploits, not to do with the public cloud, I ought to add, that have merely reemphasized the fragile state of enterprise security overall. So until we address the broader concerns of application and data security, it will be difficult to get enterprise CIOs to trust third-party clouds,” says Crosby.
While real threats show that security risks are at hand, at the core of security apprehension is the mindset senior-level executives have about giving up control of their data.
“I ought to be clear here: I don’t see any profound security challenges from a technology perspective. The vendors are moving down the right path, and the service providers whose business depends upon security and delivering against SLAs are all embracing and actively pursuing relevant certifications,” explains Crosby. “The challenge that we face is a human belief system which one might imagine a CIO stating like this: ‘My own enterprise infrastructure is barely secure, and that’s only because I have a team that knows the needs of my enterprise users and my apps and data. They tell me that they can’t trust the cloud, because they won’t be in control, so clearly I can’t.’”
The cost benefits of cloud computing are so significant that even if a company is not in the implementation phase, it is talking about it. This puts a company’s IT team in a tough situation: they must balance their fears – whether those are perceived or real – while developing a solid understanding of the various cloud technologies available.
“The enterprise IT team are between a rock and a hard place: They need to prove compliance with regulations that mandate practices that are extraordinarily difficult to accomplish in a cloud environment,” says Crosby. “Add to that the rational fears resulting from loss of control, and a lack of understanding of many new technologies, and you see the difficulty of enterprise adoption of anything other than a private cloud.”
Another wrinkle in the security factor is the fact that cloud environments are not necessarily conducive to compliance with many regulatory standards, according to Chris Richter, vice president of security products and services at Savvis, a cloud services provider.
“It’s a growing concern, not because cloud-computing environments are inherently becoming less secure, but because they are being adopted at a much faster pace, and are being used to increasingly process critical data,” says Richter. “Cloud computing’s cost model is extremely appealing, so CIOs are compelled to seriously evaluate it for applications that a year ago would have been considered unsuitable to migrate to that type of virtualized, shared platform. Many of these applications require compliance with various industry and regulatory standards, many of which were not written for cloud environments, which adds to security concerns.”
Cloud Standards – Where Are We?
As the standardization of cloud computing evolves, it’s likely that more enterprises will pave the way for using a cloud model, whether it’s a public, private or hybrid one. Symantec’s Elliott notes several efforts that are underway that will help the cloud landscape mature, and therefore alleviate many of the security concerns held by CIOs today.
“There are many great standards efforts in cloud such as NIST and FedRAMP for public sector cloud initiatives. One of the most mature standards efforts in which Symantec has been involved is the Cloud Security Alliance, which has published 13 domain area recommendations for cloud computing,” says Elliott. “These robust standards are part of the maturing cloud landscape that helps enterprises figure out how to keep their clouds secure and available.”
The Cloud Security Alliance – a group comprised of industry professionals, corporations and associations – seeks to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.
But Bromium’s Crosby says the industry has a long way to go in implementing cloud standards and says that what is needed is a thorough reformulation of the regulatory frameworks in a “technology agnostic” fashion.
“It’s difficult to be compliant with data control regulations unless you can point to the hard disk containing the data. That’s not going to fly in the cloud world. We need to evolve our regulatory frameworks just as we evolve our technology base. From a technology standardization perspective, I think there are some key needs in the areas of instrumentation of clouds, SLA management and security management,” Crosby says.
Since standardization of the cloud is still very much in its infancy, many service providers are taking advantage of this interim period to develop better platforms and capitalize on their respective positions in the market.
“What’s interesting is that there isn’t a cloud standards forum in which this work can be done, and much of the thinking is happening in smaller groups within traditional standards groups who don’t really get the big picture,” Crosby says. “And to be honest, the service providers are not strongly pushing standardization at the moment, since their own best interests are served by developing better platforms for themselves. I give the industry a B here.”
However, in June 2011, the PCI Security Standards Council’s Virtualization Special Interest Group issued an information supplement titled “PCI Virtualization Guidelines,” a step forward for the development of industry standards.
“This information supplement discusses cloud computing and, although it does not augment or alter PCI DSS 2.0, it does provide valuable guidance for enterprises considering building or migrating to a cloud-based platform,” points out Richter. “In addition, NIST issued its guidelines for cloud computing security – Special Publication 800-144. The Cloud Security Alliance has also done a lot to align cloud computing to existing security standards.”
Not All Cloud Providers Are Created Equal
Concerns about cloud security are not simply a case of mind over matter: While some concerns are grounded in reality, others are sheer mindset. But cloud is no longer an “if” for decision makers seeking to reap the many benefits of cloud computing. By 2012, International Data Corporation predicts that IT spending on cloud services will grow almost threefold to $42 billion.
Industry experts contend that to not adopt cloud because of fears is an even bigger risk. Organizations need to closely evaluate potential cloud service models and providers; they must also insist that cloud service providers grant visibility into security processes and controls.
“The biggest risk occurs when humans are running around your data, not when your data is in the cloud. There are top-secret certified public clouds today, so there is no reason not to adopt. So perhaps the biggest risk is not adopting cloud because of your fears. Cloud-based technologies dramatically change IT,” says Bromium’s Crosby. “Service-centric, cost and metrics focused, agile, and dynamically scalable IT infrastructure that is also secure, is available today, for rent. Enterprises should begin to adopt cloud wherever they legally can do so, and where they cannot, they should use private cloud infrastructure.”
The biggest cloud computing security risks for enterprises, concurs Richter, will come when the decision makers fail to ask the right questions or jump in too quickly simply to save costs.
“I believe the biggest cloud computing security risks stem from enterprises not asking the right questions of their service providers regarding security controls. In the rush to lower IT costs, too many try to adapt to a one-size-fits-all approach, assuming that, for example, the level of security that is in place for an informational website is sufficient for highly confidential, or protected, data that is also hosted in the cloud,” advises Richter. “The level of security applied must be in line with the importance of the data. Not all clouds are created equal, and different cloud providers can have vastly different approaches to delivering a secure service. Again, a good place to start is with the list of vendor questions on the CSA’s website.”
The biggest cloud security myth, Richter says, is that data stored and processed in the cloud is inherently more at risk than data located in an enterprise’s own data center.
“Many, if not most, cloud computing environments are more secure than those of companies that operate their own, dedicated infrastructures. The reason for this is that most reputable cloud computing providers are held to a very high standard for security controls, and are scrutinized by a multitude of customers who must also adhere to a variety of compliance standards,” he explains. “Again, not all clouds are created equal, so evaluate your requirements, and ask your prospective provider for as much detail as possible about their approach to securing your data.”
Cloudy with a Chance of Greater Transparency
As noted earlier, there are several industry groups working toward standardization of cloud security. Richter predicts greater transparency from cloud services providers, a discourse preached by members of the growing Cloud Security Alliance.
“I think there has been significant progress made in cloud security over the past year. The Cloud Security Alliance has grown its membership tremendously during that time, and has developed a number of programs designed to raise the awareness of cloud security requirements, and has provided a list of questions that every enterprise should ask of their cloud service provider regarding their approach to securing their offerings,” says Richter.
He also notes that many security technology vendors have modified existing, or developed new products such that they work specifically in cloud environments.
“In the next 12 months, I believe we’re going to see much more transparency from cloud services providers with regard to their security controls. Cloud security is growing as a vital concern, so much so that service providers can no longer get away with simply handing a prospective customer a white paper that does nothing but provide a high-level overview of their approach to security,” says Richter. “Customers want, and deserve, full disclosure describing everything from the way APIs are secured to exactly where their data is located. ‘In the cloud’ will increasingly not be an acceptable answer.”
Edited by Stefania Viscusi