Cloud Security

Cloud of suspicion

When it comes to efficiently managing resources, outsourced computing still is not well understood, reports Karen Epper Hoffman.

More and more enterprises are embracing cloud computing, both through service agreements and private development, to gain greater efficiencies and better scalability in tough economic times. Many industry estimates show that IT costs can be reduced by as much as 85 percent when businesses move software, infrastructure or platforms to the cloud. A recent report from Visiongain, a London-based business information provider, forecasted the worldwide market for cloud servers will generate $40 billion by the end of this year. But, if analyst firm Forrester Research is correct, this market will grow more than six-fold by 2020 – to more than $241 billion in revenues, with software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) leading the way. 

But the path to this future is not without its hurdles, and security is perhaps the biggest concern standing between many enterprises and their implementation of the centralized computing paradigm. Indeed, Forrester also found that more than three-quarters (76 percent) of IT managers have issues with cloud security and compliance.

“Our role is breaking down those barriers and allowing enterprises to use private or public cloud,” says Kevin Bocek, vice president of marketing for CipherCloud, a San Jose, Calif.-based provider of cloud encryption gateway technology.

On the road to that acceptance, cloud computing evangelists not only need to deal with the practical issues of security standards and practices, they also must overcome misconceptions about the technology's security. Case in point: A study released in May from Microsoft's Trustworthy Computing Group found that out of the small and midsize businesses which have not yet used cloud computing, about two-thirds (67 percent) said they are concerned with the lack of accepted security standards. 

However, among those surveyed businesses that had already embraced the cloud, more than half said they were able to add products and services to their business faster because they were not as burdened by security management. Also, more than two out of five respondents (41 percent) said they were able to employ larger teams in areas that have a direct impact on business growth, while 39 percent invested more resources into product development, and 37 percent said a cloud increased their competitiveness.

The irony is that, if Microsoft's findings are to be believed, 35 percent of companies in the United States have experienced “higher levels of security” since moving to the cloud. And 32 percent say they spend less time worrying about cyber attacks – in addition to being five times more likely to have reduced their security management expenditure as a percentage of their overall IT budget. 

Critical questions

Knowing whether a cloud solution is a good fit for an enterprise is primarily about knowing which questions to ask. Namely, are the risks worth the rewards? 

At a February security issues session at the RSA Conference in San Francisco, a panel of industry CISOs, moderated by Jim Reavis, executive director of the Cloud Security Alliance (CSA), discussed that very topic. Dave Cullinane, CISO at eBay, defended the cost-effectiveness of cloud, but laid out his concerns for what he believes is its biggest security challenge: how to manage the risk if one is not certain where data is going. 

Indeed, C-level security officers can see the benefits of cloud. But for many, the questions of control and risk management make the decisions around if and how to implement cloud less clear. In many cases, it's not just where the data resides, but who might have access. 

“It's a smart question to ask of cloud providers: ‘What data do you have of mine?’,” says David Lingenfelter, information security officer for Fiberlink, a Blue Bell, Pa.-based enterprise mobility management firm. Many IT managers may feel a lack of control of their data if it is not resident on their own in-house systems, Lingenfelter says, so it's important to define early on where the data will reside and who may have access.

Being able to manage data anytime and anywhere is a key requirement in cloud architecture, as is managing its risk, according to the CSA's Reavis. While public clouds may not avoid certain countries, Reavis says geographic identification and a greater use of authentication will help secure data that's in the cloud and verify its location more readily. “Cloud is accelerating this borderless approach to security,” he says. “That's why you will see two-factor authentication [becoming] more pervasive.”

Reavis adds that the growth of cloud computing will also give rise to the use of “more sophisticated types of authentication,” such as biometrics and secure tokens, often integrated with a mobile device or a card, which would be more difficult to spoof than a password.

Irfan Saif, a principal with professional services firm Deloitte & Touche's security and cloud practice, based in Silicon Valley, raises another major concern that affects companies employing cloud computing. In these multi-tenancy frameworks, with potentially many companies sharing server space, what happens to one company's data if one of its "neighbors" is hacked? 

“That leaves companies asking, ‘Is my data at higher risk?’” he says.

Beyond the day-to-day concerns of where the data is residing, who might have access and whether there are any ancillary risks, companies that place computing assets in the cloud also must wrangle with events beyond their control – and even, occasionally, beyond the control of the cloud provider. Exceptional circumstances – like powerful storms, earthquakes or even large-scale attacks – could impact even the most well-secured and protected data centers, says David Albertazzi, senior analyst with the Aite Group, a Boston-based research firm that provides advice on IT, business and regulatory issues for the financial services industry. 

As an example, springtime storms in the Mid-Atlantic and Southeast regions of the United States knocked out cloud centers temporarily. While events like these can wreak havoc on any data center, users must still ask whether providers have the correct controls in place to protect their data, keep their servers running and provide redundancy if necessary. Typically, service level agreements will guarantee users nearly 100 percent access to their data, says Albertazzi, but nothing is perfect.

“All the same issues that [companies] are used to dealing with when it comes to vendor management still remain concerns with cloud computing,” he says. 

As the pendulum has swung from a more decentralized architecture and structure to the more centralized style of cloud computing, another great concern is “the risk of creating a single point of failure, with all my data and processing in one place,” says John “Rick” Walsh, chief of technology and business processes in the cybersecurity directorate of the U.S. Army's Office of the CIO. In more distributed architectures, he adds, IT managers have become familiar with tactics for redundancy, data movement and load balancing. But the cloud calls for a different approach. The U.S. Army is in the process of developing its own private cloud, Walsh says, largely for the cost-savings that this new computing architecture can offer. 

Closed-lip on cloud

These are still early days for entering cloud computing. So it's not surprising that many of the companies that embrace it, as well as those considering it, are not completely forthcoming in their own methods for ensuring security. 

For example, to facilitate a better understanding of defense measures, the 36,000-member CSA announced in July 2011 that it would compile its own listing of security approaches from cloud providers. Dubbed the Security Trust and Assurance Registry (STAR), the initiative is meant to offer an easily accessible guide to what providers are doing, along with best practices suggestions. 

“Cloud computing is the next big generation of computing,” says Reavis.

In the year since the registry was established, Reavis says there have been only 10 companies to add entries. “We all thought [cloud] providers would be in favor of this,” he says. “But it has been a little slow going.” The likely reason for the glacial pace in putting the registry together is that the legal departments at many major cloud providers are not sure about the liability of publishing this information, Reavis says. “Legal counsels would not want their companies to publish 10-K statements either if they weren't required to by the SEC.”

Still, Reavis is hopeful that cloud providers will come around, seeing STAR as an opportunity to be transparent, on a voluntary basis, about their security practices. “This is the type of information that [users] of cloud will typically ask of their IT partners,” says Reavis, adding that the information STAR lists is similar to what an auditor would look for, such as what the provider does in terms of web scans of its infrastructure, whether it allows its customers to perform scanning, and in which countries it might be housing its servers. “It will ultimately save a lot of time for organizations to know all this,” Reavis says.

Companies that are using cloud systems are more routinely concerned about where their data is stored, whether it's moved and if and when it is deleted, as risk management issues become more paramount to them, Reavis says. At the same time, there are a lot of the “same issues and the same threats” cloud-using companies have always had to deal with, internally and in outsourced relationships. 

“It's really about mapping your existing needs to a new and different architecture,” he says. “The paradigm shift is that it's now more of a shared responsibility…and I don't believe that's fully understood.” For example, among the many emerging iterations of cloud, the customers might be, in one scenario, responsible for the encryption, while the cloud provider is responsible for the data backup. Relationships can be more complicated and require more “intelligent” collaboration and information-sharing. 

Sensitive sectors

Not all enterprises are created equal, and when it comes to managing the risks of cloud computing, some enterprises need to tread more carefully than others because of the sensitive nature of the information they deal in and the regulatory compliance to which they must adhere. Financial services, health care and government services typically fall into this category. 

“Regulatory concerns are a big issue,” says Fiberlink's Lingenfelter. “The deeper you go into cloud services, the more difficult it is to determine the [ramifications] of this different infrastructure.” One of the major issues from a regulatory standpoint is where the data stored in the cloud will reside, he says. Since some cloud providers may house their clients' systems outside of the United States, that can prove problematic, especially for government and financial industry clients, which may be bound by compliance to house their data in the States or at least avoid storing it in certain overseas countries. “This has made more [of these businesses] more hesitant to go to the cloud,” Lingenfelter says. 

Deloitte & Touche's Saif agrees that data residency is one of the biggest emerging concerns. “In general, I don't see companies in regulated industries [embracing] cloud as much,” he says. “This is why many of those have significant investments in place building and leveraging private clouds.”

Similarly, Albertazzi of Aite believes that there is sensitive data that may not be a good fit for cloud if that means it may be stored outside the country or co-located with data stores from other industries. However, he says large cloud providers will resolve this by developing industry-specific clouds structured to meet the needs of some of the more highly regulated companies. 

Mobile sparks growth

The use of cloud to manage mobile devices and infrastructures is likely to ramp up security concerns even further. Reavis says the CSA has already increased its focus on mobile, starting with a “very ambitious mobile computing project.” He says managing smartphones and tablets will provide an entry into cloud systems for companies that are on the fence, as cloud architecture presents the best way to support these devices. 

Meanwhile, Agcaoili says that among other issues, the same bring-your-own-device (BYOD) revolution that has complicated mobile device management for companies and created a plethora of security concerns may further complicate things for cloud. Devices that might have to be managed by corporate clouds can put more stress on these systems, he says. But more impactful, he adds, is that many executives are taking their personal cloud storage use to the office with them. 

As part of mobilizing the U.S. Army's workforce, Walsh says cloud will play a crucial role. It's the connection more than the device that needs to be authenticated because devices will be switched up more frequently, he says. Additionally, it will be important to control access to the information. Here again, corporate users might be bringing in their own mobile devices, but Walsh is hopeful that with controls in place, cloud architecture will create more consistency in security as well as interfaces and access. Although, he adds, the process may take time. 

“The industry is moving out faster than I am,” Walsh says. 

By next spring, Walsh expects access to calendars and email to move to a private cloud, where users can access these applications via PCs or mobile devices. Ultimately, he says, the Army is looking at a three-year plan to move into cloud systems, which will most likely take the format of private architectures. Along with this move will come stronger identity management through new forms of authentication, on which Walsh couldn't elaborate. But he says he's confident the transition to cloud won't result in a breach.

“Just because I put it in the cloud, doesn't mean it's not secure,” Walsh says.
