Cloud computing can seem like “Cloud Nine” when IT departments use the technique to cut costs, boost profits, increase efficiency, bolster computing capacity, shrink carbon footprints and free up time to concentrate on core pursuits. But these benefits don’t come without risk, security experts warn.
Dangers of cloud computing include criminal hacking, inappropriate access by rogue administrators, and the uncertainty of where data resides in a world where notions of privacy differ and regulations vary across national borders, cautions Nico Popp, vice president of product development, trust services, for Mountain View, Calif.-based VeriSign Inc. Others cite the possibility of online terrorism or even an all-out cyber war.
“With cloud services the network perimeter is gone,” says Popp, whose company provides Internet infrastructure, authentication services and secure sockets layer certificates. “All customers are concerned about security.” On his blog Popp has referred to cloud computing security as “dicey.”
Identifying users is also a concern. “As enterprises shift their IT infrastructure and information to the cloud … CIOs need to federate corporate identities with cloud service providers,” Popp explains. “For cloud resources, the corporate directory becomes the identity providers and the cloud services are the relying parties.”
As more information is placed in the cloud, such as health care information, there is a need for federated identity and strong authentication in the cloud to protect against fraud, Popp says. “These transactions are complex and risky,” he adds. “They are complex because they involve multiple independent, sometime competing organizations. Federation is needed. These transactions are also too risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed.”
To keep data safe in these early days of cloud computing, security experts advise IT departments to study definitions, commit their companies gradually and insist vendors explain how they are operating in the cloud. Those steps require IT executives to do their homework.
Cloud computing refers to the storage and manipulation of data on servers operated outside the four walls of a company or handling data internally in a way that emulates an external cloud. The cloud works like a utility that users can turn on when they need it and turn off when they do not. Users pay when the “spigot” is open but not after closing it, so it can be an efficient way to maximize computing resources across the organization.
“You can reach up into this fluffy thing and grasp a service up there and say this is tangible and I can rely on it to be there–that’s what the cloud is about,” says Sam Curry, chief technologist at Bedford, Mass-based RSA, the Security Division of Hopkinton, Mass.-based EMC Corp.
Besides increasing computing power without adding in-house capacity, companies find the cloud can help them run greener operations. “You’re running less hardware, burning fewer electrons and not having to cool that whole data center,” says Curry. “That’s a big concern for companies in this day and age, and it’s compelling in terms of savings.”
The origin of the cloud dates to virtualization in the late 1990’s, says Jeff Spivey, president of Security Risk Management Inc., a Charlotte, N.C.-based consulting firm. Between 2003 and 2006, cloud computing gained technological maturity and won wider acceptance, Spivey says, noting that the movement has now reached the early adoption phase.
Closer examination reveals a multiplicity of clouds, typically broken down into public, private and hybrid, Curry says. Large companies or those with a high degree of risk often choose to create a private cloud to keep their data secure, he says. Small companies with lower risk might feel safe enough using the public cloud, he notes.
Other businesses choose a hybrid version that stores data in the public cloud but relies on a proprietary platform. Another way of viewing clouds comes from Popp and Spivey, who list the differing approaches as software as a service (SASS), platform as a service (PAAS) and infrastructure as a service (IAAS).
As cloud computing becomes a fact of day-to-day life, some users may begin to recognize that the technique’s seemingly new qualities actually parallel more familiar situations. Companies were exposing data to the outside world even before the cloud by hiring an increasing number of contractors, Spivey says. The due diligence required of IT departments as they join the cloud movement does not differ so much from the caution required in any outsourcing deal, he notes.
“We are telling them that they need to place security requirements on their cloud providers,” agrees Popp, citing the need for access control and data encryption. Trust also comes into play, he continues, which vendors and their customers can establish through audit trails, monitoring and reporting. “But it is a steep slope because there is no industry framework or best practices,” Popp continues. “So they are pretty much on their own to define all this and capture the fine points in a contract.”
To help IT departments evaluate vendors, Popp advocates establishing a certification process that could resemble the Payment Card Industry Data Security Standards. “Customers should be able to require that their cloud providers meet the Cloud Compliance Trust Level 1 or whatever it gets called,” he says of a PCI-like set of standards. “Knowing that a cloud provider is already up to that level and that the same cloud provider is regularly audited to meet these requirements would accelerate the process and increase peace of mind.”
Companies can begin their cloud experience by picking a piece to try out instead of “betting the farm” by immersing their companies in the cloud, Spivey says. “Stick a toe into the water, see what surprises come out of it, get confirmation of how things operate, see what kind of vendors you’re dealing with and start building relationships with cloud providers,” he advises.
Popp agrees. “I advise a ‘crawl, walk, run’ cloud strategy,” he says. That could entail starting with large SAAS vendors to become familiar with what it means to shift IT to the cloud. “That is the crawling part,” he notes. “If you are a fortune 50, you are large enough to walk into experimenting with private clouds. Otherwise, take a look at a hybrid cloud. I would only advise public clouds to those who already know how to cloud walk.”
IT departments should think of the cloud in terms of journeys and processes, Curry advises. “Be leery of anyone who says we’re done and it’s wrapped up and here’s a bow,” he says. “You still have to think about the risks associated–just as you would with any business decision.”
And these risks certainly include the ability to securely identify users before granting access to data and resources in the cloud. Strong authentication will be mandatory as the shift of valuable corporate data and sensitive private customer information is housed further and further beyond the physical walls of the organization.