Cloud Security

(This is an extract from the original article appearing in Information Week)

The benefits of cloud computing make it hard to resist for both big and small businesses. However, security in the cloud is still a stumbling block for most organisations considering the adoption of cloud computing.

Some of the benefits of cloud computing for business users are:

  • Cloud computing is being considered because companies and government agencies are keenly interested in the lower licensing and staff support costs that cloud services promise.
  • Faster deployment also works in favor of cloud computing. Gartner Inc. predicts companies will spend about $10 billion this year on two types of cloud computing: infrastructure as a service, where companies buy raw computing power as needed, and software as a service, where they pay a subscription for online access to software, ranging from email to CRM to business intelligence.
  • One reason companies turn to the cloud is to simplify their operations, letting staff focus more on core activities, similar to the rationale that drives many outsourcing decisions.
  • Cost savings are driving cloud adoption more than anything these days, and the recession has accelerated the choices. Cloud computing trades the capital spending model (up-front investments in hardware, networking, and software licenses) for operating costs that are based on monthly fees.
  • Cloud computing appeals to startups, even well funded ones such as Recurrent, for a list of reasons: They don’t have legacy, on-premises applications; they would rather not invest capital in equipment; and they don’t have the economies of scale that larger companies can get from running their own data centers.

Yet security plays the foil to cost savings, and for many companies, security concerns end up sinking any move to the cloud. However, cloud security is still an emerging topic, and there are still no standards or guidelines that can be used as a benchmark to carry out security audits of cloud service vendors.

This article discusses some of the key issues in the area of cloud security and the way forward in this area.

Security Issues in the Cloud

Los Angeles City Council gave Google a $7.25 million contract to provide email as an online service for the city’s 30,000 employees. As part of the contract, Google was required to comply with the following security requirements:

• Fingerprinting all employees working on the project for Google and Computer Sciences Corp., which will set up and manage the service for Los Angeles

• Encrypting data in transit

• “Sharding” the data at rest, with pieces stored on separate drives, so someone needs an application and encryption key to put the pieces into a readable format

• Storing all of Los Angeles’s data within the United States

• Limiting access to the data to Google and CSC employees who meet the city’s clearance requirements

Google is also offering minimum damage payments for various mishaps, including a confidentiality breach and faults in the network resulting from the actions of Google.

To understand potential security risks, companies must complete a thorough examination of a cloud service — beginning with the networking layer, checking out the provider’s operations, and working up to the cloud application. While there isn’t the same kind of well-established, best-practices security checklist for cloud computing that there is for on-premises IT systems, here’s one concept to bank on: It’s still the user organization, meaning the IT teams that contract for cloud computing, that will be held responsible for the security of the data and apps they put in the cloud.

One of the biggest risks of cloud computing is that of the unknown, since many of the providers are relatively young startups or new to offering cloud services. Mark Nicolett, research VP at Gartner, says vendors’ focus is foremost on their core competencies, such as data backup or delivering a human resources application: “Security is usually the last component added to any new technology, and cloud computing is no exception.”
Applications like email that are used by both consumers and businesses often won’t have encryption. Encryption creates a lot of overhead, and suppliers don’t want to degrade application performance or absorb the cost if customers don’t put a premium on it.

Businesses should ensure that potential cloud service providers offer, at minimum, the standard security protections they have on their own premises: intrusion detection and prevention software, firewalls, strong user authentication, and content monitoring. From a security perspective, companies need to think of their networks now extending beyond their own physical environments and into the supplier’s data center. As companies stitch more cloud services together, that challenge multiplies. A related complication comes from the fact that cloud services have been designed in vacuums, with each vendor securing its own connections but not the others.

While security tops the list of worries, it’s also a big selling point for cloud computing, especially for small and midsized businesses that can’t afford to have their own top-flight IT security pros on staff. The thinking goes that since cloud providers are in the IT business, they can afford to devote a lot more resources to security. They should be able to monitor for security patches and apply them more efficiently than most enterprises.
The flip side to that argument is that the more data that goes into the cloud, and the more valuable that data, the more appealing it becomes as an attack target. That’s why companies, once they’ve worked their way through the network security issues of transferring data to and from a cloud provider, need to probe the vendor’s data center operations. SAS-70, a set of security controls and business continuity processes from the American Institute of Certified Public Accountants, is fast becoming the closest thing to a benchmark for cloud computing operators.

Development of Security Standards

Cloud vendors, meanwhile, are developing best practices and standards for security and interoperability. Security fears are the biggest drag on cloud computing today, but the benefits look big enough to outweigh the concerns.

There’s general agreement that standards are needed for cloud computing; so much agreement, in fact, that at least eight different groups have stepped up and are trying to fill the void.

AREAS OF EMPHASIS
Jericho Forum and Cloud Security Alliance cite 14 areas that need standards:
• Application security
• Business continuity and disaster recovery
• Compliance and audit
• Data center operations management
• E-discovery
• Encryption and key management
• Governance and enterprise risk management
• Identity and access management
• Incident response, notification, and remediation
• Information life-cycle management
• Physical security
• Portability and interoperability
• Storage
• Virtualization

In May, the Jericho Forum said it would work with the vendor-led Cloud Security Alliance to promote best security practices for the cloud. Jericho Forum members include AstraZeneca, Boeing, BP, Eli Lilly, and KLM, as well as IT vendors such as IBM, Qualys, Hewlett-Packard Co. (NYSE: HPQ), Motorola Inc. (NYSE: MOT), and Symantec Corp. (Nasdaq: SYMC).

The two groups are driving development of standards in a wide range of areas including audit, applications, cryptography, governance, network security, risk management, storage, and virtualization.
There are at least six other groups working on cloud computing standards: the Open Cloud Manifesto, the Cloud Computing Interoperability Forum, CloudCamp, the Cloud Computing Use Cases Group, the Distributed Management Task Force, and the Object Management Group. At the Jericho Forum and Cloud Security Alliance, step one is identifying the differences between on-premises security and cloud security, and examining what existing standards mesh with cloud operations.