The dark side of the cloud's silver lining has become apparent
during the past few months. With the Amazon outage, the breach of
marketing service provider Epsilon, and the attack on Sony's
PlayStation Network, companies have significant fodder for concerns
over the security of the cloud.
Cloud providers need to find answers to allay these concerns. Cloud
services can be as secure as keeping data in the traditional
enterprise network, but they are not quite there yet,
says Chris Whitener, chief security strategist for Hewlett-Packard.
"When we talk to customers, the first impediment to adopting cloud
is worries over security," he says.
Companies need to realize that cloud providers tend to have
infrastructure that mirrors the DNA of the source of their
computing power, Whitener says. For example, Amazon's cloud
services are based on its experiences providing an available retail
experience. A cloud based on a bank's excess capacity, meanwhile,
might have more security built into it.
Information security teams should spend their time formulating
policies that account for the strengths and weaknesses a provider
inherits from its specific DNA, Whitener says. If companies figure
out what business risks they have by putting their data in the
cloud and then create policies on how to handle that risk, they
will be much better prepared, Whitener says.
"Look for vendors that can accommodate those policies and route
your more secure requests to those facilities that have security
and have logging and have reporting and have encryption and all the
DNA that you would have in your enterprise," Whitener says. "There
are clouds like that."
Too often, companies do not consider the consequences of losing
their data to theft or losing access to it because of availability
problems. Not enough due diligence is done, says Josh
Corman, research director of The 451 Group.
"It's like if you had a date tonight, would you let a random
stranger watch your kids?" he says. "No. There is a whole bunch of
questions you would ask."
The top question is, what data should be put in the cloud? To
answer that, a company should be more concerned about the impact of
the data on its business, says Andrew Hillier, chief technology
officer with data center analytics firm CiRBA.
"Modeling whether your data is low-impact, medium-impact, or
high-impact on your business answers the question of whether you
move it to the cloud," Hillier says.
One shortcoming of current cloud offerings is that customers don't
have much negotiation room or ability to modify the security of
high-level services, says Jay Heiser, research vice president for
Gartner. Larger companies tend to have more negotiating power, but
they also are less likely to put the corporate jewels into a cloud
service.
"If an organization doesn't know how secure they are, then it's
likely that they can buy something that's more secure than what
they've got," Heiser says. "Global financial service firms are in a
better position to know how secure their infrastructure is than to
know how secure their SaaS vendor is. A small mom-and-pop shop is
not."
A final consideration: If online attackers are targeting clouds
because they aggregate so many attractive targets, then putting
your data in the same basket might actually put it at higher risk,
Heiser says.
"It is a huge single point of failure," Heiser says. "Any
individual company has to look at it as what's the risk to my
organization, but attacks, such as the Epsilon thing, suggest that
there is a higher systemic risk to putting a huge, huge basket of
golden eggs out on the Internet."