Cloud security – a pleonasm?

I'm sorry, sir, no more Cloud in here...

Whenever you mention the word “Cloud” to an experienced IT infrastructure professional, he or she will likely talk up the dreaded “S” issue as a major obstacle that will derail Cloud ever really being widely adopted across enterprise processes.

Quite simply, Cloud computing represents one of the biggest opportunities and threats to IT professionals today. However, spend some time with the CTOs at the likes of eBay, Amazon, Salesforce.com etc., and their eyes will light up talking about their intense development programs, where they are training young IT talent to learn how to Cloud-enable applications that can underpin many different types of business processes.

Cutting to the chase, where industries such as IT services are rapidly commoditizing, don’t they need a new wave of innovation to drive new development, new thinking and new energy to create new levels of productivity and top-line growth into enterprises? Having business processes enabled to be provisioned on-demand in the Cloud is a massive disruptive opportunity for both providers and buyers of global business/IT services. Our forthcoming research wave on Business Process as a Service (BPaaS) is fleshing out the potential versus the reality of this happening (stay tuned).

Anyhow, we did want to get the “S” issue firmly on the table for discussion, so asked our new expert contributor, Andy Milroy, to weigh in with some of his perspective here… 

Cloud Security – A Pleonasm? 

The IT industry successfully generates billions of dollars each year by selling us security products and services. Security always plays a major role in any corporate IT purchasing decision. But, we are still a very long way from securing our IT environments.

Most security breaches are caused internally by employees or other authorized users of corporate systems such as contractors. It is these groups that are most likely to compromise the integrity of our systems, not external hackers. In spite of this, much more focus tends to be placed on external threats.  Each time I work on a client’s site, I am struck by how easy it would be for me to compromise their systems. All I would need to do is insert a thumb drive with malicious code into a USB port and, hey presto, I’ve undermined hugely expensive security investments. 

It is reckless to allow employees and contractors to carry highly sensitive data around with little consideration of the consequences of losing the laptops and smart phones that house the data. Amazingly little focus is placed on addressing this particular security threat.

Indeed, enterprises do not sufficiently focus on changing the behaviour of their users by making them aware of security policies and the reasons for those policies. Few ensure adequate control of basic access to their physical premises and to end points that form part of their network. As mentioned earlier, it also seems as though few enterprises track the location of sensitive data that physically moves around with employees and contractors.

Ensuring that everybody who accesses enterprise networks is trained to follow appropriate security policies is an extremely challenging task. For this reason, it is necessary to consider other ways of mitigating the risk of an employee or contractor compromising security.

One way of doing this is to source as much of the enterprise’s computing resources from the cloud as possible. Managing the security of heterogeneous on-premise IT environments is a highly complex and almost impossible task. Minimising the amount of on-premise resources that a corporation manages mitigates risk associated with security breaches enormously. Ensuring that data is stored in a secure environment (in the cloud) rather than on portable devices such as laptops and smart phones also enables corporations to mitigate risk.

Cloud computing, and I mean public cloud computing, allows us to mitigate risk and in many cases offer greater security than can be provided by spending millions of dollars in an attempt to secure on-premise resources.

Multitenancy and virtualization do indeed add a lot of complexity to providing levels of security that many enterprises require. However, public cloud services providers such as Google, Amazon, Microsoft and Salesforce.com focus heavily on ensuring that their datacenters follow best practice security policies and are using the most up to date security tools. Security can also be tied into service levels.

So, using public cloud services can offer more security than keeping data and other computing resources on-premise. These services can also reduce the amount spent on security massively. Perhaps this is the reason why many in the IT industry are keen to dissuade us from using cloud computing.

Andy Milroy, Horses for Sources


Security is always a challenge. But, there is little evidence to suggest that using the public cloud is less secure than the traditional on-premise form of computing. In fact, there is more evidence to suggest that using public cloud services can, in many cases, mitigate security risks that exist with on-premise computing alternatives.

The cloud model of computing is much better positioned to address today’s security challenges and concerns than alternative models. So, will the term cloud security soon be considered to be a pleonasm? 

Andy Milroy, pictured here, is Expert Contributor for Horses for Sources Research. You can access his bio here. He likes to be tweeted at @andy1994

 


10 Comments

  1. Posted May 14, 2010 at 2:32 pm | Permalink

    I’m too lazy to look up “pleonasm”, but briefly I’ll at least share my thoughts and experiences on “cloud” computing. I use double quotes around the word because there’s varying definitions of what cloud computing is which only adds more confusion to organizations investigating this type of architecture.

    I’ll just say that cloud computing is not for every organization and leave it at that, but for small organizations that are virtual (no physical location but desire to collaborate and store data securely) or have no permanent or on-call IT staff, it offers some real tangible benefits.

    No cloud provider can give you a 100% guarantee that you will never ever lose data or have intellectual property compromised by someone accessing your data. I’ve managed large data centers in the past and I too could never offer a 100% guarantee on zero data loss or compromised data access, but I designed and implemented backup and access control plans that kept the risks of these two issues at an absolute minimum.

    I do feel a reputable cloud provider who has been in business for awhile and has high-profile clients can in most cases provide a better level of service than I and my team could ever deliver in the past. They simply have more resources and talent than many small IT shops in many cases. I’m not dissing small IT shops as I have been one, by the way :-)

    If I was evaluating the security of a cloud service provider, I’d want:

    - to know if a cloud provider has had a third-party security audit done
    - to question the provider about detailed information on their security plan
    - to know if they have tested their security plan
    - to know where my data will be physically stored and the security details of the building
    - to know if there are any Service Level Agreements and the details of them
    - to know the policies they use for hiring and oversight of privileged administrators
    - to know the details of their disaster recovery plan
    - to know if my data is encrypted or somehow segregated from other people’s data
    - to know if this company looks like it will be around for a nice long time and what happens if they go out of business. Will I get my data back?

    Cloud computing is still in its infancy and it’s really easy to build a bunch of Fear, Uncertainty, and Doubt (FUD) in the minds of potential customers. The biggest issue right now is if I ask 5 people what cloud computing is and how it can benefit an organization, I’ll get maybe 3 different answers. Though security is a very important concern when looking to move to this architecture, there is so much more to discuss, but that’s a whole different post :-)

    Daniel Lautenschleger

  2. Michael Klubok
    Posted May 14, 2010 at 5:05 pm | Permalink

    Andy,

    Google’s Chrome OS Operating System will be designed to work exclusively with web applications. This will almost definitely result in an increase in cloud computing. As it evolves there will be changes and enhancements to security procedures just like other advances in information technology.

    Michael

  3. Posted May 14, 2010 at 6:36 pm | Permalink

    I think using Cloud computing is an excellent way of increasing or adding capacity without doing the same to the current infrastructure. I know most people are worried about the security aspect but that fear is probably more associated with the fear of letting that control go. Not having physical control of your servers is hard to do for most companies but it may very well be the direction your company needs to take. The key is to be able to heavily rely on the SLAs that you have paid into and understand the risks involved if something was to happen that may negatively impact your business.

    Cloud computing is a service and as all services, it needs to be researched and analyzed to ensure that going in that direction will be a beneficial effect. Key questions other than the obvious security ones must include disaster recovery along with storage and backup. This is especially important as E-Discovery continues to become such an important issue. Does your company have the necessary tools in place to perform a successful E-Discovery analysis in a timely manner? Does your company have an effective Disaster Recovery and Storage plan? If not, then maybe cloud computing is the answer.

    Alexander Irigoyen

  4. Posted May 14, 2010 at 6:38 pm | Permalink

    Really easy – get in the “Way Back” machine with Rocky & Bullwinkle and pick any first thing – the 1200 baud modem, FTP, that little fax machine that spun around 6 or 8 minutes to transfer one page… The “S” word will be handled just fine – those against will push forward – history repeats itself…

  5. Mark LeCroy
    Posted May 15, 2010 at 12:51 am | Permalink

    They just say that because they probably fear change and are scared they may not be needed if a server is not in the big cold room on the right. Truth is the “S” word is not a major obstacle if you are using a mature provider or a real professional engineer. Actually, it is probably more secure in the cloud than in the local corporate server room.

    Commercial warning – Amazon VPC or Public. Either can be secure if configured correctly. You can also achieve load balancing, scalability, compliance, lower overall costs, etc…

  6. Karen Lund
    Posted May 16, 2010 at 11:42 am | Permalink

    Wow! I have a BA in English, but I had to look up “pleonasm.” Great word to know.

    Anyway, now that you know I have an English degree, you can safely guess I’m not a computer security expert. But I have learned to use (and even enjoy) technology over the years, so I can speak a little from my own experience.

    I see two distinctly different (although occasionally overlapping) types of computer security: first, there is security from losing my data; second, there is keeping my data safe from the wrong people. Cloud computing seems good for the first, bad for the second.

    Examples: A few years ago I suffered a hard drive failure, complete with Blue Screen of Death. As I only back up my personal computer occasionally (not near as often as a corporate IT department would), I lost some files and some e-mail messages that were locally stored. Nothing of any great value, but frustrating. When I got the new drive installed, I decided to leave nearly all e-mails on the Gmail servers where they would be safe against crashes. Recently I’ve been taking some continuing education classes and have composed some term papers (there’s an anachronism!) using Google Docs, or if not I e-mail the electronic files to myself so that they’re stored on servers somewhere. I might lose the most recent updates (though I haven’t) but I won’t lose the whole thing. Great! Love the cloud for that.

    But then there’s the matter of my personal, private, confidential information. All it would take is for someone to hack into my account (e-mail or otherwise) and get their greedy eyes on, say, my financial information…. or my future best-selling novel or plans for world domination. (I wish!) That’s the kind of information I want to keep under close watch, and I’m not offering anything to the cloud that isn’t already there. For that kind of security I don’t yet trust the cloud and I don’t know that I ever will.

    Karen Lund

  7. Brian Curtis
    Posted May 18, 2010 at 5:11 am | Permalink

    Security of “cloud” software is a consumer education issue. The companies you mention all focus heavily on security because their business depends on it. While there will always be offerings with security flaws, the successful SaaS solutions will be more secure than equivalent self-hosted products. This is not necessarily a reflection on the software in either case as security breaches are largely a product of human imperfection (which extends well beyond product quality). It is the core focus of the solution provider that wins out in the end. Regardless, nothing is more secure than the person with the password. All the technology in the world can’t address that.

    Brian

  8. Cosmoz
    Posted May 18, 2010 at 7:54 am | Permalink

    How would Cloud Computing prevent hacking better than the existing systems? We have all heard about recent incidents of cyber attacks and eavesdropping originating from China. If they have managed to break into some of the most secure government systems, getting into a ‘Cloud’ would be quite easy (there are several ways, both direct and indirect, to gain access to a user’s account).

    If the data is securely encrypted in a laptop, and the laptop is not connected to the world, at least it will be safe.

  9. Posted May 18, 2010 at 6:58 pm | Permalink

    In case anyone else is interested: Pleonasm is the use of more words or word-parts than is necessary for clear expression. I was curious.

    Phil – I agree that public Cloud brings more security to businesses. Private-cloud is just the new way to say on-premise so personally I dismiss the term but for clarity the distinction has become necessary due to great marketing from legacy vendors. Economies of scale bring more than just cost benefits – security and service level transparency also improve exponentially through economies of scale.

    The Cloud debate often reminds me of the eCommerce and online banking debates. Both of which have seemed to slip into history as nonevents.

    Does anyone sit down at their local bank and ask about how the bank handles security – online or otherwise? Nope, we trust they run their operations professionally. Yet, most IT managers still think their data is safer under the mattress.

    Very few individual firms could provide the same level of security to their data that Google can and no single firm could do it more efficiently.

    Presently, the largest security risk to most companies is the status quo.

  10. Eric Seymour
    Posted May 19, 2010 at 2:04 pm | Permalink

    Andy,

    What about the applications themselves? EC2 has a great datacenter / network-layer security white paper, Salesforce.com has a fantastic policy for data management and I would assume MS tackles the same issue. BUT, everyone is missing the webappsec situation here.

    There’s a great blog post from my colleagues @ art of defence that sums up this issue pretty well – all about scalability and the issue of forcing apps into a cloud model w/o addressing the shift in attack vectors this creates:

    http://artofdefence.wordpress.com/2009/09/01/jeremiahs-right-about-scalability/

    Eric
