Security in the Cloud: Trustworthy Enough for Your Business?
Everywhere you look today you see The Cloud. Microsoft, IBM, Amazon, Google, Adobe - everyone is rushing to come up with a comprehensive "Cloud Computing" service that will lure businesses. They make a good case for economics and convenience. But before you ditch your in-house IT department and put all your applications and data "out there somewhere," you might want to carefully consider the security implications.
Are security concerns the primary obstacle to adoption of cloud computing?
At the April 2009 RSA conference in San Francisco, cloud security - or the lack thereof - was one of the most popular topics of discussion. Cisco CEO John Chambers called it a "security nightmare." You can read more about that here. Even so, companies such as Microsoft, IBM, Google and Amazon are pushing their cloud solutions hard and the perceived savings - especially the indisputably lower startup costs - are looking very attractive to businesses struggling to lower IT expenditures in a tight economy.
However, reader responses to a recent set of articles I wrote on cloud computing for WXPnews and VistaNews indicate that security is a huge concern, and may very well be the biggest obstacle faced by those who advocate widespread adoption of the technology. Even as they consider the benefits of outsourcing all or part of their IT infrastructures to cloud service providers, many technical decision makers are worried about the loss of control that comes with having their mission-critical applications and sensitive data residing "out there" rather than on their own servers.
Companies that fall under regulatory mandates need to be particularly careful when trusting their data to the cloud. In an April 8, 2009 article for cloudsecurity.org, Craig Balding lists numerous concerns regarding Amazon's recent marketing of their Amazon Web Services (AWS) as a HIPAA compliant solution.
One reason given by TDMs who are wary of the cloud is the argument that it is just an old idea with a new name. They remember all the hype surrounding Application Service Providers (ASPs) in the late 1990s and early 2000s. When the idea did not sell, it went away and came back a few years ago as SaaS, which also did not seem to stir up much enthusiasm - until it morphed into part of a bigger idea with a catchier name: cloud computing. This time, not only the name but the timing was right; the worldwide economic downturn had companies desperately seeking ways to cut their budgets. What better way to do that than to slash personnel costs by getting rid of all or most of the IT department and slash capital expenditures by doing away with most of the high dollar hardware and expensive server software to which those folks devote their time? As with the income and payroll taxes that are withheld from your paycheck, you do not really notice the cost of something that you never see.
Nonetheless, there are a number of reasons that many companies do not yet trust cloud computing. One problem is that "The Cloud" covers such a broad range of technologies - web-based storage, online applications, virtualization and so forth. Cloud services are often divided into three categories: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Regardless of category, all cloud services have a common element: dependency on the Internet or, in the case of internal/private clouds, at least on the LAN or corporate WAN. Without a network, the cloud is not possible. That brings up reliability issues in addition to the security concerns.
Cloud computing security concerns
The transparency of the cloud is one of its biggest attractions to companies, but is also the source of their mistrust. The whole point is that the company can focus on its business and leave the IT to someone else. The goal is a seamless experience whereby you do not need to know how it all works under the hood. But if you do not know how it works, how do you know whether it's secure?
The biggest security concerns of companies regarding the cloud seem to boil down to one key factor: lack of control. You may not even know where your data is physically stored, and you do not know what security mechanisms are in place there to protect it. Is the data encrypted as it resides on the disk? And if so, what encryption method is used? Does it travel between your LAN and its destination in the cloud over an encrypted connection? How are encryption keys managed? Exactly who, besides you, has access to your information?
The traditional enterprise security model depends heavily on guarding the perimeter - with firewalls and gateways. The cloud doesn't really have a perimeter and some cloud providers' terms of service agreements (such as the one for Amazon's EC2 services) prohibit you from scanning for vulnerabilities. For more discussion of vulnerabilities specific to the Amazon cloud, see George Reese's Key Security Issues for the Amazon Cloud.
According to the Gartner Group, some of the cloud security issues that companies are worried about include not only the location of the data and what encryption is used at various levels, but also what the provider's protocol (response/recovery measures) would be if a security breach occurred, what type of investigative support could be expected, and whether the cloud provider's security is sufficient to comply with industry and government regulations.
It is difficult enough to ensure that your information is secure on your own systems and network. Cloud advocates argue that putting the security of your data into the hands of experts - big names like IBM, Microsoft, Google and Amazon - provides better protection than hiring or training in-house security experts. However, big names are also big (and popular) targets. And anyone who has ever tried to get through to a real, live human being in any large bureaucracy - much less one who cares about your problem and has the expertise to do something about it - knows that size does not always translate into the best service.
Another problem is that a big cloud makes for a big, attractive target for hackers and attackers. Most security experts acknowledge that an important reason Microsoft Windows is exploited more often than Linux or the Mac OS is its large market share: the hacker who goes after Windows will find far more systems to take down or break into. Likewise, a hacker who penetrates a major cloud provider's systems will find a huge wealth of data to steal or organizations' operations to disrupt.
Lack of standards poses a challenge
One of the biggest problems is that although each cloud provider implements measures to protect the data stored on its servers, there are currently no globally recognized standards for cloud security. Groups such as the Jericho Forum, a security think-tank, are working on developing a framework to help create such standards and to help companies determine which tasks can be safely entrusted to the cloud. Their recommendations hinge on a standardized, easy to use data classification model with associated standards for management trust levels and standardized metadata to signal what level of security should be applied to each data item. You can read more about it in the paper titled Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration, also downloadable in PDF format.
The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) are also working on cloud data protection standards. However, the existence of multiple standards can in itself complicate things - although it is far better to know that your cloud provider complies with some set of standards than to be left wondering.
What's the Solution?
Cloud computing is still in its infancy, but the good news is that - unlike, for instance, with the development of computer operating systems and applications - security implications are being considered and security mechanisms are being incorporated from the beginning. In March, companies including eBay, Intuit, DuPont and ING formed a group called the Cloud Security Alliance, with the purpose of promoting best security practices in the cloud environment. You can find out more about the organization here. Their white paper, Security Guidance for Critical Areas of Focus in Cloud Computing, provides a good overview of cloud computing models and their characteristics, and looks at cloud services from the perspective of governance and risk management, legal issues, electronic discovery, compliance and audit, business continuity and disaster recovery, application security, encryption and key management, identity and access management, storage, and virtualization, among others.
At the same time, a group of tech companies that includes IBM, AT&T, Cisco, Sun, EMC and AMD has signed a document called the Open Cloud Manifesto that supports keeping cloud computing services as "open" as possible. This would mean greater interoperability between providers. The document addresses security in a single paragraph that acknowledges the discomfort of many organizations with storing their data and applications on systems they do not control and states in part that "Consistency around authentication, identity management, compliance and access technologies will become increasingly important." You can read the entire document here.
As security standards are developed, adopted and come to be expected by customers, many of the security concerns surrounding cloud computing will be ameliorated. In the meantime, companies should not necessarily hold off on using cloud services, but they should carefully analyze their cloud adoption strategies and take nothing for granted. Ask hard questions of service providers, and be judicious in choosing which tasks to relegate to the cloud and which to keep onsite and under your own control. Perhaps the most important takeaway from the discussion - and one that has been overlooked in many discussions of this topic - is that the cloud is not an "all or nothing" decision. It makes perfect sense to use cloud services for some tasks but not others. Smart cloud providers will recognize this and offer their services in a "cafeteria menu" that allows you to use the cloud for less security sensitive applications and data and migrate other tasks and data to the cloud later, if at all.