Cloud computing security forecast: Clear skies
To critics, cloud computing can't be trusted because you aren't in control of the data outside your network.
But if that's the case, then how secure are the data and collocation centers that corporations contract with to host their data?
"It does come down to vetting the practices of the provider and making sure they meet the standards you want for your business," Phil Hochmuth, a senior analyst at Yankee Group, said Monday, the eve of Cloud Computing Innovation Day in Santa Clara, Calif.
Companies like Salesforce.com, Amazon.com, and Google have built businesses around serving up on-demand services to enterprises that would rather pay a service provider than buy hardware and hire staff to manage their databases. However, handing over the data is still a cause for concern among many corporations.
"What are they doing to the data? Is it persistently encrypted? Are there access controls in place? Do you get to monitor who they hire and who cleans the data centers at night?" said Phil Dunkelberger, chief executive of PGP Corp., in relaying the concerns on people's minds about cloud computing.
How secure is the data? "It's one of the first questions we get, especially from enterprises," said Adam Selipsky, vice president of product management and developer relations for Amazon Web Services.
Securing the data is key to a cloud service provider's business, Selipsky said. "We can afford to devote resources to it that, quite frankly, most of our customers can't," he added.
"Cloud computing can be as secure, if not more secure, than the traditional environment," said Eran Feigenbaum, director of security for Google Apps. "Most organizations really struggle, whether they want to admit it or not, securing their networks."
Feigenbaum points to data breaches that hit the headlines, such as the one that exposed credit card information held by payment processor Heartland recently.
Then there are the statistics that show that one-third of breaches result from stolen or lost laptops and other devices and from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft.
"Cloud computing can fix some of these issues," Feigenbaum said.
Not only can Google apply patches more quickly than most enterprises to plug holes in software, but the Google Apps Premier edition offers the ability to protect data in transit by encrypting it in the pipe between Google and the user's desktop, as well as control over who can access the data, he said.
Cloud service providers are held to high standards, must offer evidence of security certifications, and are subject to inspections by auditors, placing them under much higher scrutiny than typical in-house security teams, according to Peter Coffee, director of platform research at Salesforce.com.
Most data theft results from someone authorized to access the data doing so improperly or handling the data carelessly, he said. With cloud-based services, when a user logs out, the browser cache can be set to flush automatically, leaving nothing on the desktop to be lost or stolen, and logs can show who did what to which data, he added.
"This is inherently safer than the typical client-server model of downloading data that remains on the end-user device, and is far more secure than distributing data as e-mail attachments whose subsequent use and transmittal are largely uncontrolled," Coffee wrote in an e-mail reply to questions.
The security concern with cloud computing is a cultural issue, said Rebecca Wettemann, a vice president at Nucleus Research.
"The question is would I rather be at a huge data center where a vendor is contractually required to keep my data secure or would I rather rely on my staff to do it properly?" Wettemann said. "You need to trust that your vendor will manage your data."
So far, there haven't been any significant security breaches with an on-demand services vendor, she said. And people are getting used to the idea of being able to access their data anytime and from anywhere because it is out on the Internet, she added.
There have also been precursors to cloud computing that people are familiar with, such as the evolution of answering machines to voice mail services, said Peter Evans, director of security strategy and technology integration at IBM Security Systems.
"It is as much an emotional thing as anything," Evans said. "When my data is on my server in my building, there is a good gut feeling about that. When it's out in the ether, how do I know it's protected?"
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.




I think we should start having redundant PGP encrypted files. Nobody but GOD and those who I approve to my data and not some shrink wrapped legalese agreement that some snoop will be allowed to read my data without my consent. All this cloud computing is just good for internet gaming. Do not put your company intellectual property on a cloud lest you will see a break in or even worse data taken and no trace on who took it without anyone knowing. I am sure there will be some kind of agreement of sharing of data of customers who use cloud computing and although your data itself isn't being shared but how you use cloud computing and what services are being used could be sold to competitors so they will always have the edge over you. No data direct or passive should be relayed about paying customers at all.
Better word: TRUST.
I don't trust any of these places. I wouldn't trust them with one bit of information, let alone gigabytes.
2. Anyone who implies they are secure because of encryption doesn't know what they are talking about. It is a small piece of the security puzzle.
Do you realize that encryption can be rendered moot very easily? By someone with no technical skill?
A company that trusts its business to someone who stores their data offsite is just asking for trouble. Encrypted or not.
A big piece missing from this discussion is strong 2-factor authentication. Most cloud computing data breaches come from phishing or trojans that steal a user's password. Once a criminal has your username and password, they can typically log in from anywhere and access your stored data. Imagine how bad this can get if people start hosting full business applications or virtualized desktops in the cloud! One phishing attack and you can compromise the entire security posture of an organization.
Companies have spent billions on strong authentication to keep unauthorized people out of their corporate networks. This level of authentication needs to be offered by business services and cloud computing services.
When not under your control, everything dealing with remote data security should be itemized either on a weekly or monthly basis. Even though cloud computing offers security/redundant security. The services offered should also be fully compatible with clients' own security products such as PGP. Perhaps there will be a cloud version of PGP.
But when data is not under your control, many times you are not notified, nor are the hosting companies compelled to inform their clients that data may or might be accessed by a third party for whatever reason.
I would love to read the legal mumbo jumbo on this sent to clients.
Cloud concepts have so much potential in health care, education, and Commuting (how about saving 350 Million commuting hours a week, 700 Million gallons of gas, untold pollution, just for a start). How about the efficiency resulting from that reduced commuting time? How about the increases in Productivity? Worker satisfaction?
Apply that thinking to Education, and other areas, as well.
The new Cloud, its Applications, Services and ability to revolutionize how we develop and manage our society is demanding. By the way, we could recycle up to 50% of existing office buildings into Condos and apartments, with just the reduced demand allowed by Cloud Commuting. And the technology is already here!
Go Cloud!
1) One of Elinor's points is that the real danger to the network is an inside job - cloud providers don't care about the data on their servers, just that their ability to continue as a going concern hinges on protecting their clients' data.
2) True, big companies may not put their trade secrets outside their internal network, but there's plenty of work that's not strategic that could be done by a cloud provider. In the end it's about putting the right data/resources in the most appropriate/efficient place (think "The World is Flat")
3) Any attempt to slow down or derail Cloud computing will be vulnerable (like EVERYTHING else) to the economics - an executive will have to make a business decision about whether the risk of data loss is greater than the millions of dollars they could save as a result of moving to the cloud. Security risk will simply be one input to that decision - not the only.
I came across a very interesting online summit which is also relevant to this discussion
Cloud Security online summit - http://bit.ly/10zkvC
Thought leaders from eBay, Capgemini & HP will discuss cloud threat landscape, Cloud identity & access mgmt & innovations
What?
Industry Thought Leaders will dive into the different security options available across multiple cloud architectures, and case studies and association presentations will further illustrate the security issues facing the cloud today.
Who?
Miranda Mowbray, Hewlett-Packard, Senior Technical Contributor
Jim Reavis, Cloud Security Alliance
Liam Lynch, Chief Security Strategist, eBay
Jinesh Varia, Technology Evangelist, Amazon Web Services
Lee Newcombe, Capgemini, Principal Consultant
Enables vibrant exchange of ideas between Thought Leaders and viewers
Provides Thought Leadership, Best Practices and Case Studies