Over the last two decades, the now-famous 1993 New Yorker cartoon showing two canines in front of a PC with one saying to the other, “On the internet, nobody knows you are a dog” has become a staple of presentations on internet identity and privacy.
Part of the reason for the cartoon's longevity is that it crystallizes in a single strip the security and trust issues associated with interacting across the web.
The irony is that the current growth and interest in cloud computing has made this cartoon as relevant today as it was in 1993. As organizations assess deploying new cloud services, security is generally acknowledged as the most significant inhibitor to broader cloud adoption. But while there is widespread consensus among cloud providers and organizations that security is a key requirement for the cloud, the question of who is ultimately responsible for security remains unanswered.
The central debate on cloud security is whether the cloud providers or the end-user organization is responsible for security. Based on survey data from the Ponemon Institute, the two sides have surprisingly divergent views on security.
Data shows that, 69 percent of cloud providers believe security is primarily the responsibility of the cloud user; whereas only 35 percent of cloud users believe security is their responsibility. The survey results were not completely binary, as some participants did agree that security should be a shared responsibility between end-users and cloud providers, but these were clearly in the minority.
So who is ultimately responsible for cloud security – the end users or the cloud provider?
The short answer is that it really needs to be both. Part of the reason for this is that while people refer to the cloud as a nebulous monolithic thing, the cloud is comprised of many components (network transfers, firewalls, databases, web browsers, data centers, etc.) and that each of these individual components possesses security vulnerabilities that must be properly secured.
And since some components may reside at the cloud provider's data center or in the end-user's premises, each one has a responsibility to secure them. Expecting the security requirements for all cloud components to be handled by one entity is not a sound strategy.
When it comes to the vendors, one can look back at the emergence of internet commerce in the mid-1990s with companies like eBay and Amazon for guidance.
Some may recall that in its initial iteration, Amazon actually staffed and hosted a call center for end-users to call and place their orders over the phone because of concerns over security. Over time, as Amazon built its reputation and trust, the phone centers went away, but in the initial phases, the call centers were an important tool to help consumers overcome their fears of buying online.
Likewise, eBay introduced its very simple but effective reputation based scoring for buyers and sellers – a great example of security and trust being shared by the provider and the end-user.
Assuming an organization has agreed to deploy some cloud services, what are the issues they need to be thinking about when looking at security in the cloud? Based on the above discussion, finding a cloud provider who agrees that security is a shared responsibility is an obvious important criterion, but what else?
Two words come to mind: vigilance and commitment.
Many cloud providers will throw about the various certifications (ISO, SAS-70, FIPS) as proof of their strong security. And while certifications are an important component, they only tell part of the story, which brings us back to vigilance and commitment.
The online world is an increasingly dangerous place with highly sophisticated hackers, and unfortunately, the attackers can often find ways around your certifications. And while no one is immune from a cyberattack, organizations that demonstrate a real commitment and vigilance against cyberattacks are going to be best prepared to repel them.
End-user organizations should really evaluate a cloud provider's vigilance and commitment. This is tricky because it is a qualitative measurement, but should involve, at a minimum, questions about their underlying security architecture.
What kind of physical security do they have in the data center? What is their policy on deploying new security patches to the operating system and applications? Do they encrypt data, and if so, how are the keys managed and stored? What about disaster recovery?
This is obviously not a complete list, but provides some guidelines. By posing these questions to a cloud provider, one can hopefully sense their commitment and vigilance to security and thus determine whether they are a viable partner or not.
Another consideration is that end-users should not idly stand by and expect cloud providers to automatically adopt strong security.
End-users need to start requiring strong security from providers by explicitly stating it in requests for proposal (RFPs). By doing this, providers will respond to these requirements and start enhancing security. Economics and market forces can be a powerful motivator, and consistent security requirements can definitely influence the market.
Since the market will not react instantaneously to these security requirements, organizations will still need to maintain internal vigilance over their cloud environments in the interim. This means implementing appropriate security controls and auditing as well, as seeking comprehensive aggressive service-level agreements (SLAs) from their cloud provider. These SLAs need to cover not just the usual characteristics such as availability, disaster recovery and performance, but also security aspects such as answers to many of the questions listed in the previous section.
The net result is that the end-user will still be seen as responsible for any data leakage in the court of public opinion, so the end-users must do everything they can to protect data. These security issues should not hold back organizations from deploying cloud services, but it is a strong reminder to work with providers who understand the security issues and demonstrate a commitment to data protection.