With woefully cash-strapped Los Angeles embroiled in possibly its worst budget crisis in history, CTO Randi Levin understands that while her department may empower the digital communications of some 30,000 employees, including police and fire, it is not immune to drastic cutbacks.
Nor is it any less obligated to consider something different, unique even for a city its size, to help a business on the brink of economic disaster.
Over the past three years, the IT department in America's second-largest city has seen its operating budget shrink from $120 million to $80 million – a 33 percent decrease – and its staff size plunge by 38 percent, from 800 employees to about 500.
The cuts happened to coincide with employees' mounting frustration with the city's on-premise email system. Partially due to the way it was implemented, the software provided less-than-ideal storage limits and slow searches, Levin says. In addition, many workers complained that it lacked the bells and whistles of popular webmail programs, and was not compatible with the iPhone.
Then, there was the issue of the city's aging data center, a 30-year-old facility that sits 20 stories below a car wash. Not only would the 600-server data center require a $30 million upgrade to bring it up to modern-day functionality, it also is prone to flooding. In risk terms, that is a major disaster recovery no-no.
“That's like creating a data center and putting it right on a fault,” Levin, 48, says during an interview last month. “It flooded last night.”
So taking its existing budget and infrastructure into account, the IT department decided to embark on a groundbreaking project 18 months ago: Migrate its 90 email servers to the cloud, specifically to the control of Google and its worldwide reach of servers, in the process becoming the first major U.S. city to undertake such an effort.
The decision instantly generated widespread publicity – Levin has done dozens of interviews – mostly because Los Angeles helped to validate the cloud as a viable option for larger organizations.
But when the city signed the five-year, $7.25 million contract to install Google Apps for email, a number of security experts (not to mention some City Council members and police officials concerned over data security) wondered out loud whether Los Angeles had considered all of the ramifications that could come with relinquishing control of sensitive information.
“I think LA is just asking for trouble,” says Ira Winkler, president of the Internet Security Advisors Group. “I think LA is moving to the cloud because it is the only thing they can afford. They don't realize how much control they are giving up. [Until] they have the first incident go public, you're not going to have them acknowledge anything to the contrary.”
Indeed, Levin is not shy about pointing to the cloud's compelling cost model – the city stands to save about $6 million over the next five years.
But, more surprising to some observers may be another one of Levin's justifications for the project. She believes Los Angeles actually might become more secure by offloading its confidential data to the care of someone else.
“There are a lot of myths about people's own security,” Levin says. “When you look at companies like Google and Microsoft, they have 500 or 600 security specialists that all they do is live and eat and breathe this. I'd be hard pressed to find any kind of company or government that has that amount of people to do this.”
Cloud adoption increasing
Los Angeles is far from alone in its quest for cost savings and increased agility and efficiency that the cloud offers. Global cloud services revenue is expected to top $68 billion by the end of this year, up nearly 17 percent from last year, according to Gartner. And according to a June survey released by analyst firm The 451 Group, 37 percent of respondents reported they plan to increase their 2011 IT budget for cloud computing by at least 20 percent.
While software-as-a-service (SaaS), such as what is offered by Google and Salesforce.com, is the most well-known form of cloud computing, two other models – platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) – are growing in terms of adoption.
Under the IaaS model – for example, Amazon Web Services – customers are provided with the underlying hardware and operating systems in the form of virtualized servers. Usually, IaaS adopters want to buy a new data center in a hosted environment. In the PaaS model, subscribers can build applications – for example, Force.com or Google's Apps Engine. Mostly, these are developers who want to write applications, but don't want to invest in their on-premise data center.
Despite the increasing allure, much of the cloud revolution still is being driven by small- and midsize organizations, which are looking past the security concerns that their larger peers are not, says Brian Chess, chief scientist and founder of Fortify Software, a San Mateo, Calif.-based provider of software assurance solutions.
“Let's say you are a smaller business and are going to move your apps to Salesforce.com,” Chess says. “Salesforce has a bunch of good IT people and good security people. They are not going to fail to apply a patch or blatantly misconfigure a system. For smaller organizations, that can get lost on them.”
Gary Wood, a research consultant at the Information Security Forum (ISF), a U.K.-based nonprofit, says that before organizations move toward cloud computing, they should develop a strategy to determine how it works and how it will impact their business. In many cases, Wood says, companies already are leveraging some type of cloud model, but may not even realize it.
“It is probably going to be a good thing for security,” Wood says of cloud computing. “It is going to make organizations think about the risk and how it affects them before they adopt the services.”
Organizations also must ensure they develop robust service-level agreements that detail strong assurances of protection from their providers, experts say.
“You become dependent on what security countermeasures they'll provide or allow,” Winkler says. “They should provide you with the same security operating environment you would supply yourself. You have to be able to tell the cloud provider what security measures you want to implement, and they better be able to say, ‘Yes, we can do that.' If they don't, you should move elsewhere or not move your applications to the cloud.”
Customers typically are beholden to the security offered by SaaS providers, but the responsibility becomes more shared in the IaaS and PaaS models. For example, Amazon provides customers with strong network security and isolation, but customers are on the hook to build in additional host-based offerings – such as file-integrity monitoring, intrusion prevention, encryption, access management and data leakage prevention – to secure their virtual server images.
“The stuff you can't touch directly, you must contract directly in instead of building in,” says Joshua Corman, research director for enterprise security at The 451 Group. “And what your provider will agree to will vary by vendor.”
Some companies, such as Terremark, offer advanced security features compared to their competitors – at a higher price, of course. Eventually, experts predict, most cloud providers will offer more intricate controls.
“The thing about vendors, it is not in their interest to offer an insecure service,” says ISF's Wood.
To help along both sides of the equation, the Cloud Security Alliance in December published its second version of best practices to provide actionable guidance for providers and end-users. The 76-page white paper is based on real-world deployments during the last six months of 2009.
Still, larger organizations remain reluctant to move their most mission-critical applications to the cloud, where the concept of a shared architecture prompts concerns that access to one company's data may open the door to others. According to a May study from CA and the Ponemon Institute, 68 percent of respondents believe that the cloud is too risky a place to store financial data and intellectual property. Many organizations blame trust and loss of control on their reticence to migrate over. A recent U.S. Government Accountability Office report found that 22 of 24 major federal agencies were “either concerned or very concerned” about the possibility of information security risks associated with cloud computing.
However, back in Los Angeles, Levin says she was satisfied by the city's contract with Google. The search giant demonstrated SAS-70 certification, a set of auditing standards that shows a service provider has undergone an in-depth audit of its controls, including information technology and related processes. In addition, Google has received Federal Information Security Management Act (FISMA) accreditation for its Apps portfolio.
Also in the contract with Google: The city of Los Angeles and the California Department of Justice, whose security requirements the Police Department must meet, can audit Google at any time. Meanwhile, Google must encrypt the data and notify the city of a breach “the minute it occurs,” Levin says.
The less publicized concerns
Of all the potential drawbacks of the software-as-a-service model, Christopher Soghoian, a researcher at Indiana University, worries most about the possibility of government surveillance. He points to a major reason why: In nearly all cases, the vendor, not the customer, is the custodian of the encryption keys.
This can lead to two issues, Soghoian says. For one, the customer has permitted the vendor access to the sensitive data. “The hacker just has to get the keys,” he says.
Second, without the keys, a customer likely would be unable to resist a government subpoena or court order to view the data under control of the vendor, Soghoian says. “We have so little in the form of legal protection with data stored with third parties,” he says. “That is a big concern.”
Compliance in the cloud also is a significant hurdle not often addressed, say experts.
“It is not scalable from the perspective of responding to auditors,” admits Jim Reavis, founder of Cloud Security Alliance.
For some of the largest retailers subject to Payment Card Industry Data Security Standard (PCI DSS) audits, an annual on-site assessment is required for compliance. However, a number of cloud providers, such as Amazon, won't let auditors into their data centers, says Corman of The 451 Group.
And for those merchants wanting to store or process cardholder data in a public cloud, the PCI Security Standards Council, which manages the guidelines, is not expected to provide guidance specific to the cloud anytime soon.
“Once you're past fear, there are very legitimate reasons to not get into the public cloud,” Corman says. “If you could demonstrate auditability in a consistent manner, people would put more workloads into the cloud.”
He predicts that as the cloud generates more interest from larger organizations, providers will enhance their architectures to allow for compliance.
Kris Lovejoy, vice president of security strategy at IBM, a leading cloud computing provider, says the technology and controls exist to prove compliance in the cloud – but the burden rests on both the provider and the customer to make it happen.
“There is no such thing as a compliant cloud,” Lovejoy says. “Are there such things as a HIPAA-ready cloud? Yes, but is there a HIPAA-compliant cloud? This is up to you, the subscriber, to work with the provider to mutually understand your responsibilities and obligations and agree to that.”
One industry initiative may help. Launched in January, CloudAudit, also known as A6, is an application programming interface (API) that seeks to help cloud providers automate the audit, assertion, assessment and assurance of their environments. The working group behind the effort hopes to get CloudAudit adopted and used as a common standard.
With all of the concerns about the public cloud, it should be no surprise that many people are turning to the private cloud, an infrastructure that is operated exclusively for a particular organization and sits behind the firewall. The cost runs much higher, but organizations can garner the benefits of cloud computing without losing control of their data. A recent survey from The 451 Group showed 60 percent of respondents planned to use some form of the private cloud in 2011. That number grows to 85 percent when considering only those companies with annual revenue above $10 billion.
Still, experts say organizations shouldn't give up on the public cloud.
“You have to burn your hand on the stove to learn,” Corman says. “But burn your hand on very tolerable failures.”
Corman presents one example of a bank that placed its image servers in the cloud. “The cloud provider had an outage and the boss called screaming, saying that there were no images on the website,” Corman says. “But isn't that infinitely better than the boss screaming at you because customers can't do transactions for six hours?”
And in the city of Los Angeles, where budgetary pressures trump most anything else these days, Levin says she can foresee moving other enterprise applications to the care of a third party if the email project is successful. (The Police Department won't fully migrate until the fall).
She continues to have no regrets.
“I think you have to look at what vendors do well,” Levin says. “At the end of the day, you know what, what controls do people really have? Is it an illusion of control? [With on-premise servers], you're still relying on products from other companies to keep you secure. There's a lot of risk in that.”
Abuse and nefarious use by cybercriminals, such as spammers
Insecure interfaces and APIs, used to manage and interact with cloud services.
Malicious insiders, through poor hiring practices or lack of policy
Shared technology issues due to lack of isolation in multitenant environments.
Data loss or leakage, a larger risk in the cloud due to its unique characteristics.
Account or service hijacking, if credentials are shared or compromised.
Unknown risk profile because IT only considers benefits, not risks, of cloud.
Source: Cloud Security Alliance
A number of initiatives are underway in the cloud computing space. Here is a sampling.
Trusted Cloud Initiative: A vendor-neutral effort between the Cloud Security Alliance and Novell, the effort seeks to help providers develop secure and acceptable access and compliance management configuration and practices.
Cloud Cube Model: A framework from the Jericho Forum that helps organizations decide which type of cloud model is best suited for them.
The Certificate of Cloud Security Knowledge: Launched by the Cloud Security Alliance, the credential attests that those with cloud computing responsibilities are aware of the security threats and best practices for securing the cloud.
Cloutage: The all-volunteer Open Security Foundation has launched a project to track incidents involving the cloud. The metrics generated could help organizations consider areas of risk they may have overlooked.
A number of organizations, large and small, have embarked on cloud computing projects. Here is a sampling, courtesy of technology-industry analyst company The 451 Group.
Company: Amylin Pharmaceuticals
Headquarters: San Diego
Deployment model: Known for its drug candidates for the treatment of diabetes and obesity, the company is leveraging Amazon Web Services to run enterprise applications; Google Apps and Force.com for development; and software-as-a-service for email.
Company: Eli Lilly and Co.
Deployment model: The global pharmaceutical giant is running clinical optimization and 10 other
internal applications, such as bioinformatics and trial design, in Amazon's Elastic Compute Cloud (EC2).
Company: General Motors
Cloud deployment: The auto goliath still is in the planning stages of a cloud implementation, but is considering all of its options, especially because it requires resource/license pooling, remote access to resources, and multisite redundancy, which lend themselves to virtualization.
Company: SAS Institute
Headquarters: Cary, N.C.
Deployment model: The software manufacturer has opted for a private cloud from Platform Computing to offer infrastructure-sharing across its research-and-development units, while allowing for an interface that can be used by customers and field sales reps.