April 21, 2011

The Challenge: Securing the Cloud

The acceptance of cloud computing by the corporate world is one of the fastest growing Information Technology (IT) trends today. By 2011 around 20% of all infrastructure-related services will be cloud orientated with fees levied on a pay-as-you-go basis, say industry watchers.

On-demand cloud services, including online collaboration tools and social networking platforms, are able to deliver speed, efficiency and marketing advantages to businesses over and above the obvious cost benefits which are said to be as high as 20 to 30% of total IT expenditure.

By moving the focus of IT applications beyond the confines of traditional corporate infrastructures, business processes are also simplified and streamlined.

Regrettably, cloud computing also has a dark side. It has been accused of exposing organisations to unnecessary security risks. It’s a charge that cannot be taken lightly, or go unchallenged.

According to information technology research and advisory firm Gartner (www.gartner.com), ‘smart customers’ should ask tough questions (about security) before committing to a cloud vendor. It counsels potential cloud computing converts to avoid vendors who refuse to provide detailed information on security issues.

What exactly are these security issues?

Privacy heads the list. Organisations need to ensure their privacy needs are met by a service provider. These include secure access when connecting to cloud services, and they encompass authentication/authorisation and endpoint security validation.

Outsourced or hosted cloud services often bypass the physical, logical and personnel security controls of traditional in-house systems and services. So it’s best to take Gartner’s advice and adopt a ‘belts-and-braces’ approach to security by gaining as much information as possible about the service provider and its staff who come into contact with sensitive information before contracts are inked.

The next logical step must be to have a clear understanding of the location of corporate data. One of the strategies being driven by cloud computing is to lower the cost of inactive data (which is often stored in costly high-end storage repositories) by archiving it to lower cost storage.

There is a strong possibility it may reside in a repository outside the country where the host is able to take advantage of economies of scale and other cost benefits.

While this is not necessarily an adverse situation, as suggested by cloud computing skeptics (as cost breaks are most likely passed on to the user), decisions should not be taken by the service provider alone, but in concert with the customer.

Data segregation is another security challenge. Because the cloud is a shared environment, there is concern that one company’s data might not be effectively segregated from others’. In the U.S. there is a call for the reformation of the Electronic Communications Privacy Act and the modernizing of the Computer Fraud and Abuse Act.

These actions will surely have repercussions in my home country South Africa’s legal system in due course. In the meantime it is best to deploy only exhaustively tested and proven encryption schemes within the cloud. Gartner states the obvious when it warns that encryption accidents can make data totally unusable.

Should a disaster occur and data be lost for whatever reason, cloud computing detractors maintain that hosts are not in a position to replicate the lost data – or even the application infrastructure – because their security offerings are no better than traditional backup solutions.

While this may have been true a few months ago, today there are many traditional backup system vendors who have stepped into the breach, designing comprehensive backup and recovery solutions for use in the cloud by cloud hosts and cloud computing users.

One of their primary target markets includes companies planning disaster recovery scenarios. They point out that compared to a physical off-site disaster recovery center – characterised by costly servers, storage and networking infrastructures – a cloud computing solution is an obvious low-cost alternative.

Despite the uncertainties surrounding many aspects of security in the cloud, in reality overall security provided by cloud computing hosts and their associates is often as good as – if not better than – the security barriers common to most traditional computer systems.

This is because security is actually enhanced when data is distributed over a wider base, multiple sites and a large number of devices.

What’s more, cloud computing hosts and service providers generally devote more resources in terms of man-hours, effort and money to identify security challenges and resolve issues than most customers for whom security is not a core business activity.

What has been your experience with securing cloud deployments?

About The Contributor:
Martin May, Regional Director, Africa

Martin came to South Africa in 1992, relocated by Cabletron Systems to begin operations in Africa. May has driven Extreme Networks forward in Africa and is a leading advisor in the areas of infrastructure security utilizing technologies such as NAC, IDS/IPS and network-based security.
