One of the biggest risks of cloud computing is that of the unknown, since many of the providers are relatively young startups or new to offering cloud services.
“Each cloud company is different as to how much they invest in security, based on size and stage of growth, and also on sophistication of the management team,” says Cakebread, the board member and former Salesforce executive. Mark Nicolett, research VP at Gartner, says vendors’ focus is foremost on their core competencies, such as data backup or delivering a human resources application: “Security is usually the last component added to any new technology, and cloud computing is no exception.”
It’s notable that the Los Angeles City Council made encrypted email a requirement with Google. One can’t assume that encryption is available in all cloud services. Applications like email that are used by both consumers and businesses often won’t have encryption. Encryption creates a lot of overhead, and suppliers don’t want to degrade application performance or absorb the cost if customers don’t put a premium on it.
CIO Patel took a conservative approach in deciding how to secure Aon Consulting’s data links and how much data would reside in its service provider’s cloud environment when it contracted with Echopass, a contact center supplier that had been helping Aon field customer inquiries for two years. Aon Consulting opted for a private T1 line from Verizon Communications Inc. from its data center to Echopass’s service.
“We didn’t feel comfortable sending our information over the Internet,” Patel notes. In addition, Aon had Verizon layer encryption on both ends of the connection, so that data is protected as it moves off its site to the Echopass data center. “We feel that our information is secure once it leaves the corporate network and enters the cloud,” says Patel.
Businesses should ensure that potential cloud service providers offer, at minimum, the standard security protections they have on their own premises: intrusion detection and prevention software, firewalls, strong user authentication, and content monitoring.
One of the checks Sleek made before moving to 3Tera’s service was the strength of the perimeter network around the vendor’s data center. “In deploying our application, we wanted to make sure that no one would be able to get direct access to our data,” says Sleek’s Threet. When users connect to 3Tera’s data center, a proxy server processes the requests and forwards them to the back-end servers, thereby restricting visibility into those systems.
From a security perspective, companies need to think of their networks now extending beyond their own physical environments and into the supplier’s data center. As companies stitch more cloud services together, that challenge multiplies. A related complication comes from the fact that cloud services have been designed in vacuums, with each vendor securing its own connections but not the others.
While security tops the list of worries, it’s also a big selling point for cloud computing, especially for small and midsized businesses that can’t afford to have their own top-flight IT security pros on staff. “We don’t want to get into the security business and instead want to hand that over to someone else,” says Paul Wyatt, chief operating officer at Recurrent Energy, a 45-person solar energy systems startup with $275 million in venture capital, which has placed all of its IT infrastructure in the cloud.
The thinking goes that since cloud providers are in the IT business, they can afford to devote a lot more resources to security. They should be able to monitor for security patches and apply them more efficiently than most enterprises. “The level of security available in the cloud can be better than that available in the traditional data center,” says Nils Puhlmann, VP of risk management at Qualys Inc., an online provider of security software.
The flip side to that argument is that the more data that goes into the cloud – and the more valuable that data – the more appealing it becomes as an attack target. “Cloud computing attracts hackers because so much corporate data is concentrated in one place,” says Gartner VP Nicolett.
That’s why companies, once they’ve worked their way through the network security issues of transferring data to and from a cloud provider, need to probe the vendor’s data center operations. SAS-70, a set of security controls and business continuity processes from the American Institute of Certified Public Accountants, is fast becoming the closest thing to a benchmark for cloud computing operators.
An InformationWeek Analytics report this year looked at 12 infrastructure-as-a-service providers and found that nine of them had SAS-70 certification. That requires testing and an audit of the company’s controls. Cloud provider Rackspace Managed Hosting, for example, provides SAS-70 reports for each customer to show how their data is secured and backed up, says Adrian Otto, cloud developer at Rackspace.
Companies should also ask if cloud vendors undergo security assessments by third parties or internal security teams. Most do, though our research found that only five of 12 made those assessments available to potential customers.