There may have been slow movement in getting there, but cloud computing is a reality that is already starting to hit home for IT professionals. One explanation for this is that company executives are thrilled about its positive effect on the bottom line. Others are shunning the evolution to the cloud because of what they perceive to be risky security breaches just waiting to happen. Of the two dissenting views, which is right?
When it comes to protecting an organization’s data and assets from holes in the cloud, the answer likely falls somewhere in the middle under current circumstances. Except the onus is on IT professionals to better understand how to manage and protect those assets in anticipation of a move to the cloud.
Security in the Cloud
For the executives, it’s hard to argue with the potential for a huge reduction in costs, the possibility of managing all network security from a single point, real-time protection without any impact on the systems, as well as the option to outsource the service.
"As companies move to the cloud they must verify everything to ensure that their cloud-based vendors meet the same or higher standards. In many cases, the cloud-based application may be far more secure, but this still has to be verified first" |
Dennis Hurst, CSA |
Even with all that in mind, those who must worry about such things are already moving to assess what must be done. In order to do that, however, they need to be clear on the distinction between ‘cloud computing’ and ‘cloud security’, says Luis Corrons, technical director at PandaLabs, the virus research arm of Panda Security, which develops cloud-based security solutions for enterprises.
“Cloud computing is related to the databases, customer relations management (CRM) software and more, based in the cloud”, Corrons says. “[This] means that the major sensible information of the company – that related to their customers – is based in the cloud. To do this, they must upload everything in the system they are using, as in the case of a CRM or enterprise resource planning (ERP), for example.”
Corrons goes on to say that IT managers used to be worried about the security of the company’s main data and the threat of being intercepted when using communication protocols. However, he says that implementing a cloud security solution that encompasses these concerns and more can be done regardless of the type of application, platform or infrastructure the organization is using.
"There are no worries about using cloud security because companies don’t need to move any data to the cloud" |
Luis Corrons, PandaLabs |
“In the case of cloud security, that means all the core security processes are in the cloud, keeping systems free of resources for any other activities”, he says. “Every single file that needs to be checked against the cloud remains in the machine, and we are only analyzing some traces of it. So, there are no worries about using cloud security because companies don’t need to move any data to the cloud.”
While security services and protocols will no doubt evolve to meet the needs and assuage the fears of clients, there is much to think about when it comes to developing a strategy around deployment, says Mark Darvill, director at AEP Networks. He breaks down the issue of access management, as in who can access what and from where, into three core fundamentals.
The first is that once every device is deemed fully compliant with security standards, there should be an authorization fingerprint that defines its security posture and grants access thereafter. The second is that organizations must protect their most critical data with tamper-proof encryption while being held in the cloud, and if highly sensitive, sourcing the network traffic should be done as well. The final element is ensuring endpoint and application access controls, while protecting cloud-based data in a seamless end-to-end policy-based solution can prevent unauthorized data leaks from the cloud. This includes ensuring compromised data is not placed in the cloud from an endpoint, he says.
"Some are looking into polymorphic encryption, which shows promise at being able to process encrypted data, but that technology isn’t available yet" |
George Thomson, KPMG |
“IT departments must look beyond their own corporate borders and double check what security measures third parties have in place to protect their sensitive data”, Darvill adds. “Data protection is no longer just about protecting data when it is on your premise, so IT departments need to keep in mind exactly who is looking after their data in both its physical and virtual forms, and how it is being secured.”
Money Matters
Darvill adds that cloud computing reinforces some existing challenges for IT departments, but it doesn’t actually present any unique ones unless companies decide to outsource it. “Traditionally, service providers have struggled to acquire the latest security defenses due to a lack of flexible pay-as-you-go pricing models. Although this is slowly changing, it still presents a challenge for businesses looking to migrate to the cloud”, he says.
Part of that challenge also includes the separation and segregation of data issues, because resources are shared rather than dedicated in the cloud, says George Thompson, director at KPMG performance and technology based in London. Data assurance and processing will be a cause for concern, despite the cost-benefits associated with moving to the cloud.
"IT departments must look beyond their own corporate borders and double check what security measures third parties have in place to protect their sensitive data" |
Mark Darvill, AEP Networks |
Thompson feels that organizations planning to go with a private cloud for their apps may not re-engineer them for security in the public space, thereby running the risk of not being able to take advantage of those potential cost benefits.
“The more challenging aspect is how customers can be assured that the mechanisms and processes behind the scenes are effectively securing their data”, Thompson says. “Once you get into the cloud, you don’t really know where it is, and you are really relying on the access control preferences being 100% effective, so those access control preferences need to be highly matured.”
He adds that processing sensitive data should be done in the private cloud, except that IT departments have to re-engineer their applications, so they can weave them into the public cloud once any issues are cleared up. “Some are looking into polymorphic encryption, which shows promise at being able to process encrypted data, but that technology isn’t available yet”, he says.
Thompson is quick to point out that IT professionals understand the technology, but pushing data in the public space is not something they are particularly experienced in. This is why they should make sure that the right data governance and processing is put in place, including provisions that ensure this is done properly.
Cloud Security Essentials
Dennis Hurst is an applications and security specialist at HP, as well as leader of the educational working group at the Cloud Security Alliance (CSA), a non-profit umbrella organization promoting security assurance and education on the uses of cloud computing. He believes cloud-based security concerns are fundamentally the same as they are for non-cloud systems, except the environment, architecture and level of control change significantly.
“As an example, security audits are a normal part of a traditional security process, but as companies move to the cloud properly, a vendor audit is essential to security”, Hurst insists. “Also, service level agreements with vendors regarding uptime, disaster recovery and responses to security events are critical in a cloud-based environment, while they are typically not part of a non-cloud based environment since these are internal issues.”
He adds that because most of the relationships between a customer and vendor are governed by these agreements, it’s arguably one of the most critical parts of any cloud initiative. This is vital to understanding the inherent risk associated with managing and storing data in a cloud-based application. A similar one running in a data center holds certain security measures put in place by virtue of being inside the corporate firewall and physically located in a building.
“As companies move to the cloud they must verify everything to ensure that their cloud-based vendors meet the same or higher standards”, Hurst says. “In many cases, the cloud-based application may be far more secure, but this still has to be verified first.”
On the other hand, regulations don’t usually prohibit or promote the use of cloud technologies, only what must be done regardless of where a system is located. What matters most is that liability for regulatory compliance still lies with the organization deploying a cloud-based service, including assurance that it is also compliant. This will almost certainly require an explicit evaluation of the security controls in place in a company’s data center.
“Many companies are offering services and products specifically targeted at cloud-based systems and others are offering their products in a cloud-based model”, Hurst continues. “However, there are no ‘silver bullets’ – addressing security in the cloud requires a holistic approach that not one product can fully address.”