Cloud Security

Before the Los Angeles City Council gave Google (Nasdaq: GOOG) a $7.25 million contract to provide email as an online service for the city’s 30,000 employees, it put Google through the wringer over information security.

The Los Angeles Police Department and the city attorney’s office were concerned that any confidential information in email messages might be exposed if it were stored in the cloud, meaning on Google’s servers instead of the city’s own data center. The City Council echoed a concern heard in business boardrooms around the country as they consider cloud computing: “Security was one of the leading issues,” says Eduardo Hewitt, legislative deputy for City Councilman Tony Cardenas.

To win over the council, Google had to meet a laundry list of special security provisions, including:

• Fingerprinting all employees working on the project for Google and Computer Sciences Corp., which will set up and manage the service for Los Angeles
• Encrypting data in transit
• “Sharding” the data at rest, with pieces stored on separate drives, so someone needs an application and encryption key to put the pieces into a readable format
• Storing all of Los Angeles’s data within the United States
• Limiting access to the data to Google and CSC employees who meet the city’s clearance requirements

Google also is offering minimum damage payments for various mishaps, including a confidentiality breach, faults in the network resulting from the actions of Google or CSC, or the personal injury of a city employee or contractor caused by Google or CSC. The amount of the damages payable in such instances is still being worked out, says Kevin Crawford, LA’s assistant general manager of IT.

Why did the city need such measures, some of which exceed enterprise cloud computing deployments? “It was because of the newness of the product for the public sector,” says Crawford. Various city agencies and constituents simply weren’t convinced of the safety of cloud computing, so they demanded the additional stipulations. But Crawford says the city didn’t pay extra for them, and in fact negotiated discounts off Google’s list prices. “We’re still getting 40 percent off retail,” he says.

Jitters over the security of cloud computing, including concerns about its “newness,” are by no means limited to the government sector. When InformationWeek Analytics asked 547 business technology pros what worries them about cloud computing, security concerns grabbed the top three spots, far outpacing issues of performance, disaster recovery, or vendor lock-in:

Cloud computing is getting considered because companies and government agencies are keenly interested in the lower licensing and staff support costs that cloud services promise. Faster deployment also works in cloud computing’s favor. Yet security plays the foil to cost savings, and for many companies, security concerns end up sinking any move to the cloud.

Gartner Inc. predicts companies will spend about $10 billion this year on two types of cloud computing: infrastructure as a service, where companies buy raw computing power as needed, and software as a service, where they pay a subscription for online access to software, ranging from email to CRM to business intelligence.

While companies can subscribe to an ever-widening array of cloud services, IT departments don’t have the same long history that they do with on-premises software, so they aren’t as confident of where pain points such as security flaws may be. What new intrusion points are introduced? How can a company be sure that its data sitting in the vendor’s data center is safe? When should information be encrypted? In our survey, 57 percent cited “security defects in the technology itself” as a top concern with cloud computing, more than any other concern.

Standards and best practices for cloud security are just emerging. “Security is and always should be a top consideration when companies are examining cloud services,” says Steve Cakebread, former president and chief strategy officer at Salesforce.com, who’s now on the board of eHealth, an online health insurance reseller, and Solarwinds, a network management vendor.

To understand potential security risks, companies must complete a thorough examination of a cloud service – beginning with the networking layer, checking out the provider’s operations, and working up to the cloud application.

While there isn’t the same kind of well established, best-practices security checklist for cloud computing that there is for on-premises IT systems, here’s one concept to bank on: It’s still the user organization, meaning the IT teams that contract for cloud computing, that will be held responsible for the security of the data and apps they put in the cloud. “In the end, regulators will come after our IT department, not the cloud service provider, if security problems arise with our data,” says Ash Patel, global CIO at Aon Consulting, one of three business units within Aon Corp., a $7.4 billion-a-year insurance consulting and service provider.

Table of contents:

• Page 2: Lower Costs, Simpler Operations

• Page 3: Identifying the Problems

• Page 4: What About the Application?

• Page 5: Enterprise Customers Still Wary

• Page 6: Cloud Standards Are a Work in Progress

• Page 7: All the Flavors of Cloud Computing

• Page 8: The Appeal of Cloud-Based Email

— Paul Korzeniowski is a freelance writer who has been dissecting technology and business issues for two decades.

— Mary Jander, ThinkerNet Editor, Internet Evolution

Next Page: Lower Costs, Simpler Operations