This article can also be found in the Premium Editorial Download "Information Security magazine: Best practices for securing virtual machines."
Download it now to read this article plus other related content.
If you needed any more confirmation of how big cloud computing has become (not that you really did), you didn't have to look any farther than last month's RSA Conference 2011. This year's conference featured an entire track devoted to cloud security issues. Plus, the Cloud Security Alliance had a half-day summit at the conference, which attracted four times as many people as last year.
There's no doubt that cloud computing is far from a passing fancy. Jim Reavis, CSA co-founder and executive director, says he's hearing about a lot of successful pilot cloud computing projects and roadmaps that include cloud adoption within the next year. M&A activity is helping drive cloud adoption, he says. IT leaders at large enterprises tell him they're looking to the cloud to satisfy the new IT needs that come with an acquisition or if a division is spun out into a separate company.
Security professionals, however, remain deeply concerned -- and rightly so -- about the compliance and security challenges cloud computing brings. According to the TechTarget Security Media Group Cloud Security Survey, 61 percent of 1,091 respondents cited regulatory compliance/audit as a top security concern with cloud computing. Sixty-eight percent said they're concerned about data protection/encryption in the cloud and 45 percent are worried about identity management/access control.
Transparency continues to be a big problem with cloud service providers. One survey participant --
Groups like CSA are working to address the security issues with cloud computing, but Reavis acknowledges CSA's research isn't as technically detailed as it will need to be. CSA is making progress, he says, but rapid cloud adoption driven by the global economy makes it a challenge to keep up.
Vendors, of course, also are weighing in. They're seizing the opportunity to exploit the cloud trend and falling over each other to pitch their products as "cloud" solutions. The hype is tremendous, muddying the real issues. However, some interesting new technologies are making their way through all the noise.
CloudPassage, for instance, touts its server vulnerability management and firewall services as the first purpose-built for elastic cloud environments. CEO Carson Sweet says the technology tackles the problem of managing server security in a cloud environment, where servers are rapidly created through cloning and bursting. CloudPassage's platform, which consists of the Halo Daemon, a small software component on each cloud server and the Halo grid, an elastic compute grid that analyzes data collected by the Daemon, works to automatically secure cloud servers when they're burst or cloned.
Another new company, CipherCloud, offers a Web proxy that provides encryption and tokenization for enterprise data as it's sent to a cloud service provider. Encryption keys remain with the customer, data formats and functions are preserved, and latency is less than two percent, executives say. The technology supports Salesforce.com, Force.com -- Salesforce.com's Platform as a Service, and Google Apps, and is offered as a hosted service or virtual on-premise appliance.
CSA's Reavis says cloud computing is reinventing every part of IT, and he expects it will do will do the same with the information security industry. CSA is researching how cloud computing can be used to secure everything -- not just cloud but other forms of IT.
Interesting times, indeed. We'll be tracking developments in the cloud security space on our new sister site, SearchCloudSecurity.com. Check it out.
Marcia Savage is editor of Information Security. Send comments on this column to email@example.com
This was first published in March 2011