What You Can Do About Cloud Computing Security
Cloud computing security risks are sometimes considered greater than cloud's rewards. The industry is working to change that, and so can you.
June 7, 2010
By James A. Martin
Cloud computing offers many compelling benefits to organizations, such as reduced capital and operating costs and as-needed scalability. So why aren't more businesses taking advantage of the on-demand computing resources and services collectively known as 'the cloud'?
"Security concerns are easily the number one inhibitor to deploying the cloud," says Zeus Kerravala, senior vice president of Global Enterprise and Consumer Research, Yankee Group. "It just gives some people cause for concern."
Although no form of computing is entirely risk-free 100 percent of the time, cloud computing isn't necessarily any more or less secure than non-virtualized or non-cloud environments, says Christofer Hoff, director of cloud and virtualization solutions for Cisco's Security Technology Business Unit and author of the Rational Survivability blog.
"It's how organizations deploy and manage cloud computing that makes the difference," Hoff explains.
Fortunately, Cisco, its service provider partners and others in the cloud computing industry are collaborating to provide ever-greater security, visibility and control to consumers of cloud services, Hoff adds. And there are plenty of things enterprises can do to take advantage of cloud computing's benefits without compromising security.
The Origins of Cloud Computing Security Concerns
Along with its many benefits, cloud computing can disrupt an organization's established security protocols and procedures, says Hoff.
Cloud Computing Security: What Cisco and the Industry are Doing About It
Cisco is working with its partners in a variety of ways to help evolve cloud computing security and the cloud market overall. These initiatives include product development, collaboration with technology partners, and the company's collaboration in standards bodies and industry groups.
Current initiatives include:
- The Cloud Security Alliance: a non-profit organization consisting of such corporate members as Cisco, AT&T, Computer Associates, Dell, Intel, Microsoft and RSA. The alliance promotes best practices for cloud computing security and offers education to consumers of cloud computing services. For example, the Cloud Security Alliance's March 2010 report, "Top Threats to Cloud Computing V1.0," offers a deep dive into the most prevalent cloud computing security risks, along with examples and strategies for avoiding or minimizing those threats.
- CloudAudit: formerly known as the Automated Audit, Assertion, Assessment and Assurance (A6) Working Group, CloudAudit is working to provide an open, extensible, secure Application Programming Interface (API). CloudAudit has over 250 members. When the API is ready, cloud providers will be able to offer customers visibility into security and other aspects of the cloud service on demand, without compromising the security of the cloud provider's network or any other customers using it.
Consider a mature enterprise that wants to move applications to a public infrastructure as a service (IaaS) to reduce costs and increase flexibility and scalability. (A public cloud service makes the same software applications or other resources available to multiple customers over the Internet.)
IT security at such an enterprise has likely evolved into 'a well-oiled machine,' Hoff explains. Network monitoring, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls and other security measures are firmly in place. In addition, change control processes, auditing procedures and other security measures are often clearly defined and as transparent as possible.
"It's understood at these organizations how data gets from point A to B and who's responsible for what" in terms of protecting the network and the organization's data, Hoff says.
But most public cloud services can't provide customers with the same level of visibility and control those customers have with their own networks. That's because the public cloud service provider has likely built its security foundation to apply to potentially millions of different users. And so in a public cloud environment, it's unlikely there will be "a like-to-like equivalent to any given organization's firewall or IPS appliance or data leakage prevention application," Hoff says.
And that's where the 'uncertainty and fear' can begin, says Hoff.
This lack of 'like-to-like' equivalence can force an organization to adjust its existing security procedures and practices to continue to protect the entirety of its data resources and IT environment.
"Different cloud service delivery models offer markedly unique security, compliance and visibility to the consumer," Hoff says. "So where do you draw the line between your responsibility and the cloud provider's responsibility, and what does that mean in terms of overall security?"
What You Can Do About Cloud Computing Security
Fortunately, organizations can take steps to get beyond the uncertainty and fear to take advantage of cloud computing's many benefits.
First, develop a "graceful roadmap" that clearly defines the types of information, applications or services you want to move to the cloud along with a timeline for migrating, says Hoff. The roadmap will help you determine if a public cloud, private cloud or virtual private cloud is the best match for your organization's security requirements as well as its cost reduction/efficiency enhancement needs.
Private clouds, which typically involve virtualization, give enterprises some benefits of cloud computing such as on-demand provisioning and scalability, but provide greater control over data and computing resources and security. Virtual private clouds use a public cloud infrastructure in private or semi-private ways and can provide more balance between cost efficiency and security, says Hoff.
Before deploying a cloud service, take a close look at your organization's existing IT security processes, practices and technologies, advises Hoff. Get as much visibility as possible into the cloud service provider's security, with the goal of trying to identify (and secure against) variations between the two.
"Find out how the cloud service provider segregates and isolates multiple tenants," Hoff explains. "When they say 'delete,' what exactly does that mean? Is your data really gone? Who will be administering your data? And exactly where will your data reside? This last question can be really important. German companies, for instance, aren't allowed to store their data relating to German citizens outside the country."
Ask the cloud provider for the results of recent security testing or audits it has performed related to its own infrastructure, such as SAS 70 audits, says John Oltsik. You should clearly understand what the service provider's responsibilities and guarantees are as described in its service level agreement, he adds.
Get as many specifics as possible from the cloud provider about the IDS, IPS, firewall, and other security appliances and technologies it has deployed, advises Kerravala. Make sure the service provider's infrastructure is protected as much as possible from threats such as Denial of Service (DoS) attacks, which can degrade the performance of a cloud service.
If possible, perform an in-person inspection of the cloud service provider's location where your data will reside, says Oltsik. "Look at the physical security at that location, such as how secure access is to the data center. I've even seen some cloud computing facilities surrounded by armed guards and barbed wire."
Moving to cloud computing is a "crawl walk run" migration, Oltsik adds. "Start off with a cloud service that doesn't require you to store critical or highly confidential data offsite. Measure performance and security as you go. When you have both performance and peace of mind, proceed to the next step carefully."
Where Cloud Computing is Heading
As cloud computing security standards, technologies and capabilities evolve, the industry will move toward the 'Inter-Cloud,' Hoff says.
The Inter-Cloud will be a federated marketplace of open, interconnected cloud services from multiple vendors. Customers will be able to choose cloud services that meet their specific security and service level requirements. And they'll be able to fluidly, securely move data, applications and resources between clouds managed by different service providers, giving consumers much more flexibility and choice than is possible today.
Cisco is working with other industry leaders to develop standards and protocols to transform the Inter-Cloud from the long-term vision it is today into reality.
In the meantime, it's essential that organizations appropriately balance the rewards of cloud computing with risks.
"We need to get comfortable with the cloud," says Oltsik, "because that's where computing is heading."
James A. Martin is a freelance writer based in San Francisco.