Cloud security: Is it raining in the cloud?
By Chuck Miller
Ask 10 people what cloud computing is, and you will get 10 different answers. But ask those same people about security in the cloud, and they will all agree on one thing: it is critical.
What is cloud computing? To some, cloud computing once involved people sitting at terminals hooked to a mainframe in the basement. Even today, some observers claim that cloud computing is just a buzzword for some form of utility computing. But in its broadest definition, cloud computing generally means software and systems that distribute programmatic elements to multiple computers – typically off premises. Users are charged for computer power and storage as needed.
“Essentially the cloud is the promise that the internet has been holding for many years, where you can draw services dynamically out of another environment,” says Peter Evans, director, security strategy and technology integration at IBM. “From an enterprise point of view, it changes the way you think about the business.”
In another definition, Gartner defines cloud computing as “a style of computing where massively scalable IT-related capabilities are provided as a service across the internet to multiple external customers.”
Cloud computing, at least as a concept, is being driven largely by economics. It is generally less costly to run applications, add capacity and increase storage in the cloud than to invest in new hardware and software, bring on additional staff and beef up networking.
“Cloud computing will happen because it has too much of an economic incentive and developer support – applications can be quickly added and developers can have a single place to maintain source code,” says Vatsal Sonecha, VP, business development & product management at TriCipher.
Overall, incentives include application-deployment speed, lower costs and fast prototyping. These are strong drivers. So much so that Gartner predicts that by 2012, 80 percent of Fortune 1000 companies will pay for some cloud computing service, and 30 percent of them will pay for a cloud computing infrastructure.
That is not to say that entire data centers will be moving to the cloud, at least in the largest companies. But for certain solutions, the cost benefits are hard to ignore.
“The driver is economics – companies can spend less capital,” says John Maddison, VP of core technology solutions at Trend Micro. “Cloud-based applications are becoming more appealing, even though there is reluctance in some quarters because the enterprise feels it loses control.”
That loss of control, and consequent security risk, is one of the major arguments that many IT professionals use to avoid making a move to cloud computing in a big way.
The security issues with cloud computing do not vary tremendously from those facing users in any other computing environment. The classic problem can be epitomized by the acronym CIA, representing: confidentiality of data, integrity of data, and availability of data.
Once data is out on the cloud, only people who are authenticated and authorized should be able to see the company data, ensuring confidentiality.
“Information must have confidentiality,” says J.G. Chirapurath, director of marketing, identity & security at Microsoft. “For every piece of information that I deem confidential or sensitive in some way, I need to know where it's stored, who's been looking at it, under what conditions they have been manipulating it, and be provided with an audit trail, so that if something happens, I can track its cause.”
Integrity means that data is changed only in response to authorized transactions. For example, in any given period of time, if no authorized transactions have occurred, the data should not have changed. In the cloud, the data may be controlled by someone else, so the tracking may be trickier. The problem can be obviated through encryption, but that opens a whole other can of worms – including management of keys without involving the cloud vendor.
Availability is just that: The system is there when you need it. An outage can wreck your whole day. The best solution here is strong contractual arrangements guaranteeing that the data is there when you require it.
“Ideally, availability should be better than that provided by yourself,” according to Jeff Kalwerisky, chief security evangelist at Alpha Software.
Cloud computing vendors work hard at providing security. “There is a reasonable amount of security in the cloud these days,” says Trend Micro's Maddison. “The biggest challenge an enterprise would face is if the application requires sensitive data to be stored, how secure is the provider?”
As with many trends, people start doing cloud computing before they think it through. And some solutions can be complex. If you use the cloud across a wide number of providers, the complexity can grow considerably – there are no standards yet for security in the cloud.
In terms of confidentiality, Microsoft's Chirapurath says, “In software and services [one component of the cloud], the challenges have to be solved at the nexus of identity and security. Security keeps the bad guys out, and identity lets the good guys in.”
In other words, hackers look for credentials. When an enterprise suffers a loss of identity, what it has is a security threat.
“All security revolves around identity,” adds Chirapurath. “Enterprises need a bridge around the identity they have built into the infrastructure and the cloud. There must be an on-premises story that is complementary to a cloud story.”
Issues of compliance
Another issue is compliance. Absolute certainty is required for compliance, but you can't find absolute certainty in a cloud, almost by definition.
“The cloud, by its nature, is opaque,” says IBM's Evans. “The services could be coming from any source. The compliance regulations may have to be revised to recognize the new world. In most, you can outsource your data, but you cannot outsource your responsibility.”
The cloud is an enabler. In many cases, it can be seamless with existing environments. In the end, the nirvana for end-users would be that if they log on to an email interface, and the email backend happens to be in the cloud, there will be no other logon necessary for the cloud.
The cloud transition is under way, albeit slowly, but it may be a major part of new business arenas. Its security questions are not necessarily unique, but obviously must be addressed as vigorously as security problems anywhere. The question then becomes whether any major, unanticipated security issues will bring down hope for a breakthrough in the cloud.