Concerns over data security may prevent companies from storing sensitive information in the cloud, but there are safety measures which can be put in place, as Adrian Bridgwater reports.
Cloud computing offers some serious benefits over traditional computing. So why are firms occasionally reluctant to embrace the cloud?
The answer lies in privacy, security and also data location governance.
If we don’t physically hold our own data, then which other parties could possibly get access to it? If we push our application usage to the cloud model where software is supplied as a purchasable metered service, then will our data be stored alongside that of our competitors?
It comes down to a question of what type of cloud we are talking about. Cloud-hosting companies sell a defined portion of space in what can be called a “multi-tenant” instance of public cloud or they will offer private cloud servers to reside physically “on premise” enriched with the management software and maintenance that a public cloud service would offer.
But it is the third way, the so-called “hybrid cloud” combination of both public and private servers that appears to be the smart choice. In the hybrid-cloud world, customers can keep their sensitive mission-critical data safe on private clouds and push highly replicable workloads to the engine room of the public cloud.
Our basic truth here is that pure-play public cloud computing is no more or indeed less secure than proprietary hosting or any other form of technology. Security controls still need to be put in place whether we are talking about home users or a multinational enterprise. The cloud model exists to provide flexible and managed computing power, not to form some new layer of protection or indeed to create new vulnerabilities per se.
“Cloud security, like any outsourced solution, is only as good as how well the customer and outsourcer work together. The best security measure you can take on cloud is to actually talk to the cloud provider. No one should think that just pressing a few buttons, after entering your credit card, is all that is needed – it is about how it all works as a partnership,” says Nigel Beighton, vice president for technology at cloud-hosting company Rackspace.
“Public cloud will still be well suited to what we could call standardised and easily configured software applications that are subject to fluctuating demand. From this point we can then use the power of a hybrid-cloud format to keep our most precious digital assets on premise, while using public-cloud resources to strategically compute at the lowest cost where a defined risk assessment allows.
“To put it simply, risks may arise if you don’t use cloud for what it is best at in the right place, that is controllable capacity computing with support services on data that can be hosted publicly without concern.”
But best-practice advice aside, cloud computing has opened another door to hacking, data breaches and the dissemination of malware. However, we need to be careful before we lay the blame at the feet of the cloud providers themselves. If anything, moving to the cloud should be an education for companies so they realise which portions of data are the most sensitive and vulnerable. Despite these truths, firms are confused about cloud security.
Mike Foreman is general manager for SMB at anti-virus security company AVG. He explains that the most common cloud security concerns he encounters are: “Where will my data be stored and how easy will it be to get it back? Or what if my internet goes down; will I still be able to operate my business without my e-mail, anti-virus or back-up if it’s all in the cloud?
“In the real world, small to medium-sized businesses (SMEs) and many larger firms too should recognise their data is likely to be much more secure in the hands of professionals than if left up to in-house administrators with little or no IT background,” says Mr Foreman. “Cloud service providers are run by IT professionals whose security policies and procedures have to be a lot more watertight than most businesses could afford or construct on their own.
“If you are about to migrate a reasonable chunk of data to a cloud-hosting provider, then kick the tyres first. Ask for references, go and visit the data centre and ask a series of rudimentary questions about the type of infrastructure or technology platform they use. Ask how data security is managed and then ask how back-ups are performed. If you want to be really thorough you might also want to find out which regulatory compliance standards a service provider adheres to, how often they are audited and how compliance is enforced.”
So essentially, cloud security is all about not making assumptions. Don’t assume that a cloud-hosting provider has supplied a layer of security in the way that a traditional IT hosting provider might do in a wider outsourcing package. Don’t assume that your public-cloud data won’t be sat next to that of a competitor, because it might be. Cloud is cloud; cloud is not cloud plus security – think bread and butter, but without the butter.
“By far the biggest danger to cloud security, by a very significant margin, is user behaviour. The issue here lies in password security. Users are still shockingly casual when it comes to password security, often using common names or very simple or short passwords that are easy to crack,” says Gary Barnett, principal analyst at Ovum.
“In terms of whether a provider would ‘snoop’ on your data, sure this is something you should consider, although most reputable providers have policies in place that are designed to limit the ability of rogue employees to gain access to your data. And anyway, leading providers have a huge vested interest in not snooping because of the reputational damage that would be caused if they were caught.”
There is some hope for us yet. An overwhelming majority of users in the Spiceworks 2013 SME cloud application adoption report rank security, compliance and accessibility over ease of use and price, when it comes to cloud-based file-sharing tools. That said, there still seems to be a considerable perception problem in wider terms.
“Cloud security architecture needs to be turned inside out. Start securing from the centre (your data), not from the edge (the perimeter is a shared resource after all). We hear a lot of talk of ‘de-perimeterisation’ in the cloud, but it’s not a helpful term at all. It’s more about ‘re-perimeterisation’,” says Rik Ferguson, vice president of security research at Trend Micro.
“Discover where your boundaries of control lie and begin to apply security there, inside out. In order to increase the acceptability of cloud to the enterprise executive, we need to design tools that ensure control over the security of key underlying technologies. It is only when a CIO [chief information officer] has control that they can reasonably be expected to accept accountability.”
So cloud computing isn’t confusing or bewildering after all. It is simply a means of purchasing data storage and application processing power down a pipe. It doesn’t come with additional layers of security, nor does it represent a new security risk. Cloud-hosting providers have a higher view of higher-level IT architectures and can help companies tread firmly on the cloud if they so wish. So are computing clouds solid enough to walk on? Yes, but don’t start bouncing around until you know the moisture content of the data beneath.
Where in the world is cyberspace?
John Colley is managing director, Europe, the Middle East and Africa, for (ISC)2, a professional body for cyber-security. He says that control is a major concern with cloud because it is so easy to access and use. As a result, complete oversight of IT operations by the IT department can be difficult to achieve and an organisation might end up not knowing where all their IT assets are.
“Many organisations are concerned about data protection legislation,” says Mr Colley. “In particular, if you are holding personal information in the cloud, you might not be sure where, geographically speaking, it is hosted. Different countries have different access rights that could, in principle, see it being handed over to authorities without your permission or even knowledge and make you in breach of local legislation.”
An (ISC)2 workforce study found that 56 per cent of UK cyber security employers see their security team as understaffed, a figure which rises closer to 65 per cent when you are talking to chief information security officers (CISOs). A further 70 per cent believe that a new skill-set is required for cloud computing. The top security concerns for cloud computing are confidential or sensitive data loss or leakage (86 per cent) and exposure of confidential or sensitive data to unauthorised systems or personnel (81 per cent).