Safe in the cloud?

5 Oct 2010

The issue of security is a contentious one within the whole concept of cloud computing.

While security is often seen as an obstacle to cloud computing, the question most asked about it misses the point. That’s according to Giles Hogben, network security policy expert with the EU’s cyber security agency ENISA. He said many organisations aren’t making a true comparison because their own in-house IT systems may well be less secure than a third-party provider’s infrastructure.

Some industry estimates suggest more than half of all business data resides unprotected on PCs and laptops, raising the question of whether organisations are doing a better job of keeping their information safe now.


Speaking at last month’s Cloud Computing Summit in Croke Park, Hogben said: “The question is not ‘what are the risks and benefits of going into the cloud?’. It’s ‘what are the risks and benefits of going into the cloud compared to what you have already?’. That’s an important distinction.”

According to Hogben, the scale of many cloud providers’ operations is such that they typically spend more on security than any one business could by itself. That’s not to say all providers take the correct precautions that a particular organisation might need. He pointed out that some providers don’t allow penetration testing, which is an IT security technique that checks for any weaknesses in the system that could let an unauthorised user log on. If an incident were to occur, firms might not be able to access the logs afterwards, while the opportunities to use forensic analysis may be limited.

While the City of Los Angeles recently signed a major deal to move some of its applications to the cloud, it only did so after its preferred provider Google gave serious assurances about the security of its systems.

Hogben also highlighted some of the legal and contractual risks involved around data protection. Storing information at a third-party data centre doesn’t shift the obligations away from the company that gathered the information first. “You as the customer of the cloud provider remain responsible for your customers’ data. The buck stops with you, legally speaking,” he said.

Businesses also need to be aware of their obligations under data protection legislation. These rules may specify that information relating to members of the public needs to be stored in the same country. However, the nature of cloud computing means that providers with multiple data centres may have some data dispersed between those locations to manage the load. “It’s quite possible you don’t know which jurisdiction your data is in,” Hogben cautioned.

To help organisations choose between providers, ENISA is working on a common assurance maturity model [CAMM], which is intended to provide an objective benchmark of a cloud provider’s security capability. This framework is due later this year.

There is a huge variance in the details cloud providers will tell customers about their security programmes. Some, such as Salesforce.com, publish online statistics about their performance, but transparency among providers isn’t standardised yet.

David Cullen, a partner with legal firm William Fry, said the most important thing is to ask about possible security scenarios and how the provider would react. The economy’s nosedive over the past two years has taught us that no organisation is too big to fail. He advised businesses to check what might happen if their provider goes bust or is taken over. “You can mitigate your risk by having your data somewhere else – maybe with another cloud provider,” he suggested, adding that contracts should ideally include a provision that allows a company to get its data out in a format of its own choosing in an “exit situation”.

Brian Honan, an independent security consultant and head of the Irish Reporting and Information Security Service, warned that smaller organisations may not have the same negotiating strength as large companies when it comes to agreeing the finer points of a contract with a cloud provider.

Hogben said that provided organisations do appropriate risk assessment and due diligence, security concerns shouldn’t stand in the way of using the cloud. “Cloud security is not about risks in isolation, it’s about comparing risks that the cloud represents compared to the risks now – and in many cases the cloud addresses those.”

Gordon Smith was a contributor to Silicon Republic
