The Macrosite for News, Analysis and Opinion about the Future of the Internet
DISCUSS   PRINT   Digg   Del.icio.us   Reddit   Email This   TWEET THIS

Cloud Security

Introduction
11/7/2009 3 comments

Before the Los Angeles City Council gave Google (Nasdaq: GOOG) a $7.25 million contract to provide email as an online service for the city’s 30,000 employees, it put Google through the wringer over information security.

The Los Angeles Police Department and the city attorney’s office were concerned that any confidential information in email messages might be exposed if it were stored in the cloud, meaning on Google’s servers instead of the city’s own data center. The City Council echoed a concern heard in business boardrooms around the country as they consider cloud computing: “Security was one of the leading issues,” says Eduardo Hewitt, legislative deputy for City Councilman Tony Cardenas.

To win over the council, Google had to meet a laundry list of special security provisions, including:

  • Fingerprinting all employees working on the project for Google and Computer Sciences Corp., which will set up and manage the service for Los Angeles
  • Encrypting data in transit
  • “Sharding” the data at rest, with pieces stored on separate drives, so someone needs an application and encryption key to put the pieces into a readable format
  • Storing all of Los Angeles’s data within the United States
  • Limiting access to the data to Google and CSC employees who meet the city’s clearance requirements

Google also is offering minimum damage payments for various mishaps, including a confidentiality breach, faults in the network resulting from the actions of Google or CSC, or the personal injury of a city employee or contractor caused by Google or CSC. The amount of the damages payable in such instances is still being worked out, says Kevin Crawford, LA’s assistant general manager of IT.

Why did the city need such measures, some of which exceed enterprise cloud computing deployments? “It was because of the newness of the product for the public sector,” says Crawford. Various city agencies and constituents simply weren’t convinced of the safety of cloud computing, so they demanded the additional stipulations. But Crawford says the city didn’t pay extra for them, and in fact negotiated discounts off Google’s list prices. “We’re still getting 40 percent off retail,” he says.

Jitters over the security of cloud computing, including concerns about its “newness,” are by no means limited to the government sector. When InformationWeek Analytics asked 547 business technology pros what worries them about cloud computing, security concerns grabbed the top three spots, far outpacing issues of performance, disaster recovery, or vendor lock-in:

Cloud computing is getting considered because companies and government agencies are keenly interested in the lower licensing and staff support costs that cloud services promise. Faster deployment also works in cloud computing’s favor. Yet security plays the foil to cost savings, and for many companies, security concerns end up sinking any move to the cloud.

Gartner Inc. predicts companies will spend about $10 billion this year on two types of cloud computing: infrastructure as a service, where companies buy raw computing power as needed, and software as a service, where they pay a subscription for online access to software, ranging from email to CRM to business intelligence.

While companies can subscribe to an ever-widening array of cloud services, IT departments don’t have the same long history that they do with on-premises software, so they aren’t as confident of where pain points such as security flaws may be. What new intrusion points are introduced? How can a company be sure that its data sitting in the vendor’s data center is safe? When should information be encrypted? In our survey, 57 percent cited “security defects in the technology itself” as a top concern with cloud computing, more than any other concern.

Standards and best practices for cloud security are just emerging. “Security is and always should be a top consideration when companies are examining cloud services,” says Steve Cakebread, former president and chief strategy officer at Salesforce.com, who’s now on the board of eHealth, an online health insurance reseller, and Solarwinds, a network management vendor.

To understand potential security risks, companies must complete a thorough examination of a cloud service – beginning with the networking layer, checking out the provider’s operations, and working up to the cloud application.

While there isn’t the same kind of well established, best-practices security checklist for cloud computing that there is for on-premises IT systems, here’s one concept to bank on: It’s still the user organization, meaning the IT teams that contract for cloud computing, that will be held responsible for the security of the data and apps they put in the cloud. “In the end, regulators will come after our IT department, not the cloud service provider, if security problems arise with our data,” says Ash Patel, global CIO at Aon Consulting, one of three business units within Aon Corp., a $7.4 billion-a-year insurance consulting and service provider.

Table of contents:

— Paul Korzeniowski is a freelance writer who has been dissecting technology and business issues for two decades.

— Mary Jander, ThinkerNet Editor, Internet Evolution

Next Page: Lower Costs, Simpler Operations

Channel:
Tags:
DISCUSS   PRINT   Digg   Del.icio.us   Reddit   Email This
Page 1 of 8 Next >
Current display:       newest comments first       display in chronological order
Paul Korzeniowski
Thinkernetter
Monday November 30, 2009 12:28:15 PM
no ratings

There is no doubt that cloud computing will become more popular in the coming years, but it does raise some new security concerns. Unlike traditional outsourcing, cloud moves parts of company's IT infrastructure off site via a network connection. Because of that, new vulnerabilties are introduced into a company's computing infrastructure, so corporations first need to understand what those vulnerabilities and then put security checks in place to make sure that their data is protected. A company can take those steps but some work is needed to identify where the new potential vulnverabilities may lie.

aum007
Rank: Cyborg
Monday November 30, 2009 10:18:54 AM
no ratings

Paul,

 

I must commend you on the effort you put into writing this report.Unbelievable insight here.I have already forwarded it onto half my contacts in the IT Space.

As far as Large enterprises go,it makes more sense for them to deal with these issues slowly and steadily and as they get more comfortable with these issues move  more Data to the cloud provider.

As for SMBs,I dunno how long they will take to make the move.After all many of these still operate in a total Siloed environment.And the prefer the patches to moving everything to the cloud.

After all you have to think of all this investment that has already been made.

Ashish.

rjacksix
IQ Crew
Tuesday November 10, 2009 6:11:39 PM
no ratings

I fail to see how the issues around cloud security are any less (or more for that matter) than the concerns of outsourcing any aspect of IT.  Perhaps it's the name.  "Cloud" really doesn't sound stable does it?  And yet Amazon, Google and even Microsoft have far more experience in keeping their infrastructures running, and secure, than most other organizations, especially SMB's.

What is the hang up?  Granted, I think any organization should walk before they run into this arena, but we've been outsourcing computing resources and storing data on computers of such companies for years.  Certainly you have to make sure that the outsourcing company is reputable and that they have resonable hiring and security practices.   But who is more capable of doing this right, an organziation with the size and experience of Google or Amazon, or even a 200 person SMB (or 14,000 user state government for that matter)?

I'd put my money on the Google (who, if it isn't obvious by now, I do not think of as evil) Amazon or any other large well funded well managed IT innovation company.

I would be cautious about putting my data on Cloud-R-Us (can you say Internet bubble?) but I don't have any reservations about moving to the cloud, or the security of it.

The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
a moderated blogosphere of internet experts
Tom Nolle
Tom Nolle   2/9/2010   2 comments
If you’re a slightly gray, mid-level manager who travels a lot, you may be on the way up and worthy of professional respect, but one thing you most definitely are not is “cool.” Still, while today’s youth may think you just crawled out of a paleolithic cave, there may be hope. The iPad from Apple Inc. (Nasdaq: AAPL) (supreme arbiter of coolness) just might make you older guys (or actually old guys like me) cool.
Rob Leathern
Rob Leathern   2/9/2010   5 comments
As we well know, the online echo chamber and its increasingly viral and social components can magnify the propagation speed and distribution of stories and rumors, whether true or false.
Rob Salkowitz
Rob Salkowitz   2/9/2010   5 comments
A remarkable event in world affairs is taking place this week in London, as the first One Young World conference is set to convene.
Ira Winkler
Ira Winkler   2/8/2010   15 comments
In his recent Congressional testimony, Dennis Blair, the U.S. director of national intelligence, stated that the U.S. is "severely threatened" by cyber attacks and that the recent Google (Nasdaq: GOOG) attacks should serve as a wake-up call.
Jart Armin
Jart Armin   2/8/2010   14 comments
Fatal System Error, the book just released by West-coast-based journalist Joseph Menn, is really a public policy statement written as a thriller for a wider reading public. UPDATED 2:45 PM
IETV: the thinkerNet on film
5
of
2pm EST
Tue
Feb 23rd
2pm EST
Thu
Mar 4th
3pm EST
Tue
Mar 9th
an IBM information resource
sponsored content
big blue blog
Todd Watson
IBM is announcing today the first of its Power7 processor-based systems and the Power7 processor itself at an event in NYC.
white papers & case studies
an IBM information resource
sponsored content
Smarter Collaboration: How to Thrive in a Challenging Business Environment
Market conditions are changing faster than ever, and organizations need to improve their agility and adaptability in order to provide better service and improve processes. The ability to work with customers, business partners, and employees as effectively as possible - while at the same time holding down costs - is a key to success.

READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE!

REGISTER HERE
Wanted! Site Moderators
Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?

Please email: moderators@internetevolution.com
CMP Media LLC
Internet Evolution – not for thickies
Congress Hits the Snooze Button With China
Ira Winkler
In his
recent Congressional testimony, Dennis Blair, the U.S. director of national intelligence, stated that the U.S. is "severely threatened" by cyber attacks and that the recent Google (Nasdaq: GOOG) attacks should serve as a wake-up call.

CLICK FOR MORE
Lee H. Berke
The Decline & Fall of Broadcast Television

2|9|10   |   1:00   |   No comments


Want to know the future of broadcast television? Take a look at broadcast radio’s past.
Tom Nolle
Everything New Is Old Again

2|9|10   |   2:13   |   6 comments


Research shows that the youth of today like Facebook – but not blogging or Twitter. Does that mean Facebook has won, or just that it's not yet out of favor? Will all the services we see today fade into Ovaltine-or-Wheaties status in just a few years?
what.the.ferraro
Email Marketing Gets Desperate

2|8|10   |   2:31   |   4 comments


Promotional emails will use just about anything timely to get people to buy things. Seriously, anything.
Steve Saunders' Outernet
America, Truck Yeah!

2|8|10   |   1:42   |   5 comments


Steve likes his new Dodge Ram 1500, but hates Chrysler's Web non-sales strategy. Rant on, li'l buddy.
what.the.ferraro
Twits Go Wild for Resignation Tweet

2|5|10   |   1:48   |   4 comments


Jonathan Schwartz is the first Fortune 200 CEO to resign via Tweet. Can he walk on water, too?
Full Nelson
Go With the FLO, Part 2

Part 2 of 2   |  
See complete series
2|5|10   |   2:17   |   3 comments


Fritz and his sweater continue their review of Qualcomm's FLO TV.
Singer at C-Level
Goldilocks & the Data Center

2|4|10   |   3:39   |   2 comments


What kinds of companies are doing the most innovation in the data center? Turns out it's midtier enterprises that are taking the "Just Right" approach.
Full Nelson
Go With the FLO, Part 1

Part of 2   |  
See complete series
2|4|10   |   2:39   |   1 comment


Qualcomm's FLO TV gizmo streams live TV shows. Tragically, they include the O'Reilly Factor
Eurotrash
High & Dry in Barcelona

2|3|10   |   1:08   |   No comments


Ray’s heading to Barcelona for the Mobile World Congress, and he’s not happy about it, the miserable git.
Sweeney Blog
No Sex, Please... It's the Super Bowl

2|3|10   |   2:24   |   2 comments


The Super Bowl ads that CBS rejected are turning up online, generating lots of attention but zero revenue for the broadcaster.