Secure Cloud Computing
Story by Paul Slater, 21-01-2009
I can imagine a lot of marketing people spend a significant amount of time on this site, but it can be pretty interesting for the rest of us. Recently I did a search for the term “cloud computing” and it showed that cloud computing is a very hot topic right now. So, this month I’m going to spend some time looking at security considerations with regard to cloud computing.
Cloud Questions
Probably the first question I get asked any time I talk about cloud computing is “what exactly is it?”. We are notoriously bad at defining things in the computer industry, in part because journalists, analysts and companies continuously redefine terms and introduce new ones that mean almost the same thing. So one could argue that cloud computing is just the new, snazzy term for Software as a Service (SaaS), and SaaS was just the new, snazzy term for ASP. One could argue that, but it’s missing the point. Cloud computing can encompass SaaS (and more traditional ASP), but it’s really an umbrella term that covers those and more.
The key differentiator of cloud computing is its flexibility – you can easily scale up and scale down your use of cloud computing offerings according to your requirements. In fact, for many IT leaders I’ve heard from, the most attractive promise of cloud computing is a move towards utility computing – where computing resources are provided in much the same way as gas or electricity and metered according to their use.
Regardless of whether we still use the term cloud computing in a few years’ time, it is clear that there is a medium-term trend towards increased outsourcing, and what is being outsourced is changing. Previously companies would have retained ownership of their services, but outsourced some or most of the staff needed to support that service. Now they are going a step further and outsourcing the entire service, and may use different outsourcing providers for each service (rather than a single staffing provider). The bottom line is that the entire model of how IT services are being provided to customers is changing, and increasingly the IT department is acting as a broker between a number of external companies and their own internal customers.
There is nothing about cloud computing that makes it inherently less secure. In fact, some analysts argue that a cloud computing model has the potential to be more secure than more traditional IT models, but there is no doubt it represents a fundamental shift in the way IT is provided, and with it, a different set of risks for IT security professionals to deal with.
Inside the Cloud
Probably the greatest concern for security professionals is the cloud itself. In other words, what is inside the cloud? When a service is outsourced to the cloud, you lose direct control of it, and with it, the ability to directly ensure that the service is secure. Your information is frequently residing in a shared data centre, and may even be alongside that of your direct competitors. Taking on trust that the cloud computing environment is secure is not a risk that many security teams are prepared to take, particularly with smaller cloud computing providers.
You need to focus on understanding the security that is provided, and determining if it is sufficient to meet the needs of your organisation. As a starting point, increasingly I’m seeing companies ask providers to complete a security questionnaire, so that they can at least get an understanding of the security practices used by the other company. Questionnaires should deal with key questions such as how they authenticate your users, and prevent unauthorised users from gaining access, how they separate your data from that of other organisations that share the infrastructure, how they meet government regulatory requirements, how they ensure business continuity in the event of a disaster, and how they support any legal need you may have to investigate your own data (for example, to defend a lawsuit).
This type of questionnaire allows you to get the appropriate initial information to see what issues need to be followed up, and some of the information contained within it may form the basis of the contract you sign with the service provider.
Increasingly, cloud computing providers are asking third-party security firms to provide an independent analysis of their security practices. I think this is a very good move, as they can safely provide those firms with more detail than they can your company (just think how much detail you want them to provide your competitors), and a dedicated security firm is likely to have much more specialised expertise in assessing their security practices than you do.
Good Connections
Assuming you are happy with the security practices of the cloud computing provider itself, there is still the question of the network connectivity to the provider. Of course, typically the connection is over the Internet and uses SSL to secure the data. In most cases this is sufficient, but it is not always the only option. For more highly secure data, you may be able to set up a dedicated VPN-type connection between your data centre and the provider. There may also be an option where the cloud computing provider, typically through an arrangement with a third-party provider, is able to provide you with a local point of presence to which you can connect more directly. This may be to improve performance, security, or both.
Another important thing to consider, particularly in larger companies, is the possibility of IT security procedures in your organisation being skipped entirely. Unfortunately, there is a perception in some companies that if a service is entirely outsourced, then IT does not need to be involved at all in its implementation. I’ve seen a number of instances recently where an individual business group in an organisation has signed a contract with a SaaS provider or an ASP directly, and only later has IT become aware of it. In these scenarios, IT’s best-laid plans come to naught.
Security is only part of the reason that IT must be involved in the decision to outsource an IT service. Performance is another. For example, will your network meet the requirements (in terms of speed and latency) for the application in question, and will the new service you are outsourcing mean that the network has to be upgraded to meet all its other requirements? A third reason is cost. If you already provide a similar service, or could expand the service to meet the requirements of the business, outsourcing the service may not make financial sense.
When you think about it, it’s not that surprising that the IT department frequently gets skipped. From a business unit perspective, if you have made the decision to go with an external provider, the only thing that IT will do is introduce unnecessary time delays and costs. So a key part of ensuring good security with cloud computing is educating the rest of the company on why IT needs to be involved even in services that are outsourced, and providing sufficient governance controls, backed by senior management, to ensure compliance.
Be Prepared
In the immediate future, cloud computing environments are likely to become more rather than less complex. For example, providers themselves are likely to partner up or outsource. An e-mail service provider may outsource the network to one company, and the data centre to another. So understanding what is going on inside the cloud may become ever trickier. I think the ultimate solution will be some sort of standardised security certification for cloud computing providers. If this is sufficiently rigorous, then much of the worry for security professionals will go away.
In the meantime, it’s important to remember that while there may be problems today in fully assuring yourself of the security of a cloud computing provider, there is nothing intrinsic about cloud computing that makes it a less secure option. If you focus on understanding and managing the security measures that are implemented by each provider, you can take advantage of some of the benefits that cloud computing can bring, and prepare yourself for the seemingly inevitable flood of cloud computing solutions that will be offered in the near future.