ANALYSIS: Head in the clouds – how secure is the new IT?

30 Jul 2010

Bring up the subject of cloud computing at any boardroom discussion and you can be sure the topic of security follows quickly behind. The reasons are understandable; to many people, giving a company’s IT infrastructure to a cloud provider puts data physically out of sight and, some believe, out of control, too.

No doubt there’s an element of perception at work here, but the fires of this particular debate seldom need much stoking. To pick the most recent example, the City of Los Angeles has delayed the adoption of Google’s cloud-based email and productivity tools. The US$7.25m project would have involved migrating more than 30,000 city employees to the new infrastructure. Now it’s nine months behind schedule and security concerns are being given as the reason. 

In particular, the LAPD’s stringent data protection requirements have helped to stall the move, as it’s not convinced Google’s security controls are sufficient.

This is not an isolated incident. A recent survey of 500 IT decision makers, conducted for Mimecast, found 74pc saying a trade-off between cost and security exists, while 62pc said storing data on servers located outside the company always carries a risk.

Mimecast CEO Peter Bauer called cloud security issues “myths”. At the same time, there is no shortage of people ready to declare the future lies in the clouds. Another survey, this time by Savvis, polled 600 IT and business executives and it found 96pc of people are confident that cloud computing is ready for business use. What’s more, 68pc said this ‘elastic IT’ would help their businesses recover from the recession.

Security issue at cloud computing conference

A cloud computing conference organised by Calyx earlier this summer saw the subject taken apart in great depth and security issues were never far from the agenda.

Conor Flynn, technical director of the information security firm Rits, acknowledged the perceived loss of control. “You can’t see the servers and someone else can,” he said. “Security, privacy and compliance are preventing widespread adoption. People have all these questions and service providers are still coming up with the answers.”

John Ryan, general manager of Calyx Security, summed up the issue around cloud computing as a move from infrastructure security – that is, protecting the hardware – to data security.

Taking virtualisation as a first step on the road to cloud computing, Check Point’s channel manager Andy Clark said security remains a concern even at that stage. “Security isn’t the reason you virtualise but we do need to consider it,” he said.

Clark acknowledged the “visibility gap” – the fact that servers don’t physically exist can mean it’s hard to keep track of them and server sprawl is a possible outcome. “That’s a potential risk if you don’t patch virtualised servers they could be compromised and could lead to a vulnerability across your virtualised network,” he said.

“Without security, information can pass from one virtualised server to another with no check on them.” One option is to implement controls where packets are inspected before passing from one virtualised machine to another, he suggested.

Service providers, vendors address security concerns

Service providers as well as vendors are upping their game in the face of security concerns. Google has worked to overcome the risk raised by LA by formally releasing a version of its applications specifically for the government sector. It was the result of a year’s work behind the scenes, reviewing some 200 security controls.

Now, according to the company’s blog, Google Apps is “the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification and accreditation from the US government.”

Other providers like seek to reassure customers by regularly publishing performance statistics on their websites. Senior company figures point out that several leading banks have extensively vetted the company’s controls to satisfy themselves that the security comes up to scratch.

Just like low-cost airlines stand or fall by their safety record, cloud providers have to invest heavily in security because their business model relies on eliminating the risk of data breaches. “In one respect, the cloud is more secure because companies investing in cloud infrastructure are putting more into security than any one enterprise could. In essence, a cloud provider’s business is dependent on keeping your information secure,” said Ryan.

However, he cautioned that transparency is not yet industry-wide and the openness differs from one provider to another. Some vendors don’t disclose where their data centres are located and while some will allow internal audits under certain circumstances, others will only reveal what region a customer’s data is stored in. “You might have part of your data in a European data centre and another part in an Asian data centre,” said Ryan.

“In some perverse way, that’s actually more secure in many respects, because if the data centre is hacked, they won’t get all of your data, but from the point of view of compliance and data protection, and knowing where your data is and what regulations it comes under, you’re completely stumped,” he said.

“As the cloud becomes more pervasive, there’s going to have to be a lot of work done by the service providers to assure you as a user that your data is secure, is held in the right locations and is coming under the appropriate data protection laws.”

Regulatory requirements and moving to the cloud

A white paper from Enisa, the European Network and Information Security Agency, has also raised the problem of possibly failing to meet regulatory requirements by moving to the cloud. Being unable to audit the provider would probably breach compliance rules, the agency said.

Ryan urged businesses to familiarise themselves with the risks before moving to the cloud, to create compliance plans and to look closely at service level agreements and contracts with providers. “It means you have to become more of an auditor than a technologist,” said Ryan, who added: “It’s best to get security in early rather than trying to retrofit it later.”

Software vendors are also chipping in with offerings. Current intrusion detection and prevention systems can’t track malicious activity in communications between virtual machines; Trend Micro has a product to address this concern.

The conference didn’t succumb to the kind of hard sell that often accompanies these kinds of events. There was a healthy scepticism among many of the speakers about the extent of security threats and whether some virtualistion and cloud security products are, in the words of one delegate, “a solution for a problem that doesn’t exist”.

Some concerns may be real and others perceived, but many are sure to recede over time. All speakers at the event challenged the IT sector’s conventional wisdom that cloud adoption is close to a tipping point on the way to going mainstream. Jimmy Kehoe, then of VMware, now of reseller Datapac, summed up the sentiments neatly: “You’re not just going to take everything and shift it to the cloud. It’s going to be gradual.” At least that should give security professionals plenty of time to prepare.

Gordon Smith was a contributor to Silicon Republic