By NEIL ROITER
Cloud computing is attractive, seductive and perhaps irresistible. The benefits are compelling, particularly the pay-as-you-go model that has been likened to buying electricity (or, if you, prefer, buying your drinks by the glass rather than the bottle).
There's a powerful business case for buying computational power, disk storage, collaboration, application development resources, CRM, on demand. Rather than buying more servers and disks or expanding or deploying expensive infrastructure and programs, cloud computing is flexible and scalable. It can meet short-term initiatives and requirements and deal with peaks and valleys in business cycles.
But where does security fit into all this? Security analysts and practitioners generally say proceed, but proceed with caution. All the risks to sensitive corporate data associated with outsourcing apply to cloud computing, and then some. Enforcing security policy and meeting compliance requirements are tough enough when you deal with third parties and their known or unknown subcontractors, especially on a global scale. Add the blurry characteristics of the cloud and the entry of non-traditional vendors into the technology market, and some red flags go up.
In an IDC survey of 244 IT executives/CIOs published last fall, 75 percent of the respondents cited security as a significant or very significant challenge with cloud computing. Compare that with 63 percent cited for the next two concerns--performance and availability. So, you'd better get ahead of the risks of cloud computing before your business colleagues get ahead of you.
"I recommend security people get some exposure to it," says Craig Balding, technical security lead for a Fortune 500 company. "Because the CFO, attracted by the numbers, or the CIO who is told by the CFO, is going to come knocking on the door and ask 'What's this cloud thing all about? What can we do in the cloud?'"
Let's examine some of the risks versus the benefits of cloud computing, and what your company can do to mitigate those risks and reap some of its benefits.
|Cloud Blurs Auditors' Vision|
Satisfying auditors that data is properly
isolated can be a problem.
Compliance presents cloud providers with a business problem: Meeting particular compliance requirements of each customer takes away some of the economies of scale that allow them to offer inexpensive services and still realize nice profit margins. But it's one they need to address if they want large, heavily regulated companies as customers.
"There are conflicting requirements," says Forrester analyst Chenxi Wang, "between specific compliance regulations, between specific security requirements of a client and the need to amortize resources and amortize consumption across different clients. Achieving compliance becomes a little more difficult."
Since your data can be anywhere, data location can be particularly tricky, especially when it spans international borders. For example, says Gartner analyst Mark Nicolett, European privacy laws restrict movement and cross--border access of certain types of data.
"You have to be aware of any restrictions in this area," he says, because cloud providers typically don't provide any type of location gating or guarantees about compliance on your behalf with privacy laws of that sort."
Nevertheless, don't assume that you can't outsource regulated data and operations into the cloud. You'll need to work with auditors and prospective service providers to determine if cloud computing supports your compliance requirements.
"It depends on the regulations," says Craig Balding, technical security lead for a Fortune 500 company. A lot of people waving the regulation flag and saying, I can't do this in cloud."
Much depends on what type of audits are required to satisfy the data and process control requirements. Does the auditor need to see change control logs; do you need to run security tools against the cloud computing provider's infrastructure (which is, as a practical matter, everywhere)? Is a paper audit sufficient or does it need to be more hands-on?
"Those are questions that will get fleshed out over time," Balding says but it's not terribly clear right now."
Security Isn't A Vendor Priority
Not surprisingly, cloud computing providers are not talking much about security today. That's pretty typical whenever "The Next Big Thing" in technology bursts upon the business landscape.
Most of the public discourse is coming from security experts and analysts pushing vendors to take the initiative. Amazon, for example, doesn't have much of a security presence on their Amazon Web Services (AWS) Web site, and the same is true for Google Apps, says Balding. There's no obvious procedure or clear commitment, for example, to deal with a researcher who wants to report a vulnerability.
"Google and Amazon have very smart security people," Balding says. "But, when you talk to the Amazon evangelists who are prominent at every cloud conference about security, there's not much of a conversation. It would be great if they put people into the community who could talk about security."
The question is not whether cloud computing vendors are indifferent to security--clearly, they are not. Rather, how important is strong security to their business models and how far they are willing to go and how much are they willing to spend? Does the business model, for example, support a security program that is not only strong but flexible enough to meet unique customer security and compliance requirements, especially large multinational companies?
"Cloud computing is optimized for performance, optimized for resource consumption, and optimized for scalability," says Forrester analyst Chenxi Wang. "It's not really optimized for security."
At this early stage of the market, you have to be concerned with where security is now and whether vendors can bake it into their services from the start or try to bolt it on under pressure from customers. It's a new market in which companies have to be especially diligent about security before jumping in.
"Right now, it's not cut and dried," says Gartner analyst Mark Nicolett. "It's an early adopter type of situation. You can't assume any level of security practice any more than you can assume a certain level of security practice with a traditional outsourcer."
Cloud's Heightened Risks
What you can assume with cloud computing is that you have to deal with all the risk factors you expect to face in "normal" outsourcing. But cloud computing also brings its own inherent set of security problems, which make it not only difficult for your company to get the assurance it needs to meet its obligations, but in some cases difficult for the service provider to meet all your requirements.
"What's different about cloud is control," says Balding. "To have control implies visibility. You can't control something if you can't see."
Consider three cardinal requirements of data security: availability, integrity and confidentiality.
The first is core to your business and your service provider's business. A data breach is bad enough, but if the service goes down, the business is down. Amazon's Simple Storage Service (S3) went down twice last year for several hours, for example. If your first requirement is near-100% uptime, then it's a good bet that almost every vendor will make that its number one priority.
Data integrity and confidentiality are another matter. Integrity requires that only authorized users make authorized changes. Confidentiality means that only authorized users can read the data. One would expect to apply strong controls to enforce policies over authorized user access, authentication, segregation of data etc. With traditional partners and service providers who handle your sensitive data, you can extend those controls. But with cloud computing, you don't know and, as a practical matter, can't know where your data is. You don't know what server is computing for you, where it's transiting over which network, even where it's stored as the providers' systems respond dynamically to your rising and falling requirements and those of thousands of other customers. The flexibility and scalability that makes cloud computing attractive makes it unpredictable.
"Going to Amazon, or IBM or Dell or Microsoft in cloud isn't much different than outsourcing to AT&T," says Jeff Kalwerisky, chief security evangelist at Alpha Software. "The difference now is you literally don't know where data is."
Furthermore, it's difficult to assure data segregation, because those networks and servers are sharing data from thousands of customers. So you have to be concerned that your service provider's personnel and someone from another organization may be reading it because of improper authorization or authentication.
A related issue, says Forrester's Wang, is transitive trust because cloud computing vendors have to rely on third-party suppliers to provide computational and infrastructure resources. So, how can I extend that trust even if I have a trusted relationship with my provider?
"These third-party infrastructure resources touch my confidential data," says Wang. "Do I allow this trust I've established with, for example, Amazon, to be carried over to a third party, and how do I even evaluate that? The transitive trust question does not have clear answer."
So, your vendor doesn't know where your data is going to be at any given time, and that makes it difficult to determine if your data is being handled in a way that assures confidentiality and privacy.
Building your own cloud guarantees
Large companies are heavily invested in data centers already, he says, so business agility and new business initiatives may be more compelling drivers for cloud computing than saving on hardware costs, at least at this stage. Hence the notion of private clouds, which can be completely internal for really large companies (call that an "enterprise cloud"), but would more likely involve third-parties, such as one of the hosting providers that are trying to move into cloud-based services.
The difference is the private cloud wouldn't be open to the public. The enterprise customer reaps most of the on-demand benefits of cloud computing, but can exert the same security and compliance controls they do with more conventional outsourcing. Since hosting providers typically segregate data by sector--defense, financial services, for example, and are accustomed to maintaining strong access controls over each customer's information, they would be well-positioned to support this type of cloud.
"With a private cloud, there's less of an attack surface," Balding says, because not everyone in the world can sign up with a credit card."[END MARK]
Ascend to the Cloud with Caution
None of this means that your company should dismiss the idea of doing business in the cloud; nor should you compromise security.
"The only thing you can do now is good contractual thinking before you go in," says Alpha Software's Kalwerisky. Large customers can leverage major cloud providers to assure better security and transparency, he says. After all, there are choices.
"If one provider won't play ball, I can go to others," he says. "The market will drive it."
Gartner recommends that you adhere to strong security requirements for engaging outsourcers, even though the cloud computing environment is more problematic. The risks to your data are still there.
In its report, "Assessing the Risks of Cloud Computing," Gartner strongly recommends engaging a third-party security firm to perform a risk assessment. It cautions that even large and sophisticated organizations, such as major financial institutions, which are used to conducting their own assessments, are better off hiring a third party to evaluate cloud computing partnerships.
The distributed nature of cloud computing makes this kind of assessment more difficult. And, unlike traditional outsourcing partners who have come to view good security as a competitive value, cloud computing providers may be more reticent about outsiders auditing their operation, or at least limit their access. They may be less likely to allow auditors and assessment teams to lay hands on their data centers, but performing log reviews and reviewing audit trails should be negotiable.
"Obviously, auditing cannot be as detailed," says Forrester's Wang. For example, a vulnerability assessment scan of Google [is not reasonable]. They won't let you do that. You have to see if it is possible to do some level of external auditing. Today, that is very difficult."
Large enterprises certainly shouldn't settle for the providers' standard service level agreements, but smaller companies are another story. They typically lack the expertise to adequately assess the security of the services, so they are more apt to rely on providers who have that expertise.
"Most small companies I talk to, unless they are highly regulated, tend to put performance, reduction of resource overhead ahead of security," says Wang. "But that doesn't mean that cloud computing vendors shouldn't do more to satisfy their needs and be more transparent."
The most important consideration, regardless of company size, is the sensitivity of the data that's exposed to the service provider. If the service does not put sensitive data at risk or jeopardize your operation, security requirements for the vendor can be less stringent. On the other hand, companies shouldn't compromise security if confidential customer information, intellectual property or other sensitive data is at risk.
"What companies need to do is evaluate risks against business benefits, identify workloads where business benefits are high relative to risks," says Gartner's Nicolett. "Those workloads are the ones that are most appropriate for cloud computing at this time."
Companies can also insist on encrypting data, both in transit and at rest. Encrypting data in motion is pretty much a given; all service providers are using SSL or some other strong encryption. Data at rest is more complex, and you may have to rely on your own resources to encrypt it. The key question is…who holds the keys?
Encryption is less reassuring if the provider controls the keys. It gets back to a question of trust and verification that the provider is following strict policies regarding who has access to the keys and under what circumstances. The mechanics are more intricate if your company holds the keys, but the security is obviously in your hands, since only your personnel can decrypt the data.
Gartner's Nicolett cites vulnerability management service provider Qualys as a good model. Customers' data is commingled, but it is encrypted, and the customer controls the decryption keys.
"It is the capability that makes companies feel comfortable to have their sensitive security data hosted externally," he says.
Stick to Policy
Easy accessibility is one of cloud computing's strengths--and also one of it's risks. It's trivial for a department, workgroup or even an individual to jump onto the cloud on their own. Just whip out that corporate credit card.
It's the downside of democratization from security point of view," says Balding. "Unless you have fantastic DLP in place, you may not even know cloud is being used."
Consider a group of developers who can circumvent their company's policies and processes--maybe things move a little too slowly for their liking. They're not the bad guys; they're just trying to get their jobs done and do what they love doing: creating first-rate software for their company.
Or a business unit can make the decision to contract for application development or perhaps CRM, such as salesforce.com. They get the job done, but bypass all the policy controls they should adhere to.
"It's probably a valid business decision, but the worry is it's an unconscious decision," says Gartner's Nicolett. "Then there is no evaluation of security, compliance and risk level, because the people that understand those risks aren't involved in that decision."
There are operational risks as well, he says. Workflows can be damaged or disrupted because the links between the applications moved into the cloud and internal processes aren't clear, and process integration may be degraded.
You can still migrate the application to the cloud, he says, but you need to make a conscious, well-planned decision that addresses these kinds of potential problems up front.
The solution is straightforward. If your company has good governance in place, employees follow policy and procedure for risk assessment, planning and review before signing on for services. The message from the top should be that yes, outsourcing policies apply to cloud computing. So, put the credit card back in your wallet, at least until you've thought this through.
Standardization -- the Next Step?
One of the major impediments to evaluating cloud computing providers is the lack of standards by which you can compare them. There are no standards for how data is stored, access controls, performance metrics, etc.
This raises business and security issues. For example, if I outsource my sales system to one provider, but want to contract another for accounts receivable, how do I share data between them? Is it even possible?
Vendors, analysts and security leaders are discussing the need for standardization, for example, for SLAs.
"My clients have trouble understanding one SLA against others because the language is different; the properties they promise are different," says Forrester's Wang. "You really have to spend a lot of time making sure you are comparing apples to apples."
The next step might be agreement by an industry consortium, and eventually by some recognized standards organization. Getting competitors to agree on standards is historically a tough sell, and this probably will be no exception.
"None of the vendors will want to change to some other vendor's standard," says Alpha Software's Kalwerisky. "But once we have standards about how data is stored and security issues and many other things, then cloud computing becomes an unstoppable option, because you'll have everything you have in your data center with a lot less hassle and less capital investment."
Neil Roiter is senior technology editor of Information Security. Send feedback on this article email@example.com.
This was first published in March 2009