Can cloud providers be trusted with your most sensitive data? Deb Radcliff finds out.
A spate of recent high-profile outages and intrusions into cloud networks demonstrates the real risk of using these services for critical operations.
In April, a problem in Amazon's data center caused outages for its Web Services customers. Also that month, Epsilon, the world's largest “permission-based” email marketing provider, announced that the address lists belonging to its customers had been exposed through a successful hack of its systems. And the highly advanced breach into security company RSA announced in March led to the compromise of information about its SecurID products, which include hardware token authenticators, software authenticators, authentication agents and appliances supported over the web.
Before these events, technology research firm IDC predicted that public and private clouds will drive 15 percent of IT spending in 2011, while Gartner forecast that cloud computing will grow to become nearly a $150 billion market in 2014. However, these recent cases have experts questioning more than ever the ability of cloud providers to protect their data. “If you put your critical data in public clouds and anything happens in the cloud—whether an attack from outside or system failure or any type of disaster—you no longer have control of that data,” says Joe Wulffenstein, department chair at Northwood University in Midland, Mich. “That's what I think is the biggest threat to cloud computing.”
Standardizing in the cloud
Despite the latest setbacks for some highly public cloud providers, Jim Cavalieri, chief trust officer of salesforce.com, contends that cloud providers are maturing into what he believes will be bellwethers of security and compliance.
For example, he points to the security and compliance guidelines for public clouds put out by the National Institute of Standards and Technology (NIST). These guidelines tout several security benefits that public clouds can provide, including specialized staff that agencies usually can't afford on their own, stronger and better-maintained platforms, better availability of resources, more robust backup and recovery, and more.
The Force.com platform from salesforce.com encourages organizations to build auditable processes, which enable faster spin-up of more reliable, trustworthy clouds for organizations putting together their applications. Cavalieri explains how using standardized applications properly managed by the cloud services provider can give better overall security for all customers of that cloud provider.
“When running a single copy of the application for multiple tenants, any single security update is immediately in place for all customers in the multi-tenancy,” he says. “Security is democratized – all security features and fixes are available to all customers and users when they are implemented.”
Instead of enterprises trying to get this right on their own by building their own clouds and porting them to a provider, Cavalieri predicts that new applications will be easier to create in this well-run cloud, where all these services are offered.
Others concur. “This is where the cloud model presents its strengths,” says Chris Stark, founding CEO of Cetrom IT, a cloud services provider in Vienna, Va. “Partner with a provider and let them worry about the configuration, compliance and security problems. Access and security requirements should be plug and play.”
Cetrom IT has standardized about 150 customer relationship management (CRM), accounting, office, database and other applications commonly used in today's enterprises.
New security layers required
Cloud.com is another example of a web-based software and IT company that offers cloud builds with security policies and control options that buyers can choose as part of their configurations.
“As customers build their applications, we build in security policies around user access, application controls and data isolation,” says Peder Ulander, chief product officer at the Cupertino, Calif.-based company. “What we can't do is help with multicloud access. So far, however, not many of our customers are using multiple clouds at this time.”
When moving to public clouds, most organizations will need to layer on additional cross-platform access control management capability that preferably integrates with existing access control dashboards and user directories, such as Active Directory or LDAP (lightweight directory access protocol). The setup will also need to support federated identity models. Like other leading cloud vendors, salesforce.com provides these access management options for its applications.
To support multicloud and internal authentication management that goes beyond its boundaries, Cloud.com refers customers to management platforms RightScale or enStratus, the latter of which supports 17 separate public and private clouds through management and scaling.
Fortunately, there is no shortage of federated-type unified access vendors that also can integrate with consumers' existing identity infrastructures and manage them together with access to cloud applications. Along with the vendors mentioned above, companies like Symplified, Ping Identity, ActivIdentity, SecureAuth and Accenture showed up en masse at the RSA Conference in San Francisco last February.
The other cloud issue, the one of visibility, is a little harder to manage, many say. Mature providers offer customers dashboards to see into their own systems. These dashboards also can be made to hook into existing management dashboards if desired. What they can't do is show the organization that the cloud vendor itself is compliant, reliable and secure enough to prevent breaches and outages, such as what occurred at Amazon, Epsilon and RSA. “The number one issue IT security professionals have with the public cloud is they can't see into it,” says Peter Schlampp, VP of product management for South Jordan, Utah-based Solera Networks, a vendor of network forensic tools and services. “You literally have no idea what's going on between the hosts running within the cloud or with the provider at large, so threats are beginning to take advantage of that.”
Vet your provider
So, experts say, use diligence vetting the provider. Look for vendors with evidence of strong information security practices – such as ISO 27001 and SysTrust certification, regular SAS 70 Type II reports, and others – which leading providers, including Verizon (see sidebar), offer annually to customers.
An example of controls to audit would be those presented by salesforce.com's Cavalieri during a cloud summit at the RSA Conference. He discussed the main risk management pillars embedded in the company's internal culture, including physical, network, application, access and mobile security policies.
During this time of market transition, consuming organizations should move forward with their plans carefully, say experts.
Another consideration is that security responsibilities vary across different cloud computing models, says Carson Sweet, CEO of CloudPassage, a software-as-a-service (SaaS) provider.
“Customers move to the cloud for flexibility and control,” he says. “Just remember that with more flexibility comes more responsibility for security.”
To cloud: Or not to cloud
When developing cloud strategies, decide first what data will be interacting in the cloud and whether it should even be out there, experts say. Also, consider the connection. For example, rather than risk going over the web to their applications and infrastructures, Verizon's most risk-averse users are asking for access into their cloud applications over dedicated connections, says Michael Clark, Verizon's cloud computing security strategist.
Verizon provides several types of services, its most popular being Verizon Computing as a Service (CaaS) Enterprise, an infrastructure-as-a-service offering launched in June 2009.
The bottom line, say experts, is not to stampede to the cloud just because it is the new trend in technology. “I tell people at this stage of cloud computing, ‘If it ain't broke, don't cloud it,’” says Michael Cote, founding senior analyst with RedMonk, a cloud analyst firm based in Austin, Texas. “Cloud your new applications or some part of IT that's problematic. Then build those from the ground up, securely.” – DR