Cloud computing is attractive, seductive and perhaps irresistible. The benefits are compelling, particularly the pay-as-you-go model that has been likened to buying electricity (or, if you, prefer, buying your drinks by the glass rather than the bottle).

There’s a powerful business case for buying computational power, disk storage, collaboration, application development resources, CRM, on demand. Rather than buying more servers and disks or expanding or deploying expensive infrastructure and programs, cloud computing is flexible and scalable. It can meet short-term initiatives and requirements and deal with peaks and valleys in business cycles.

But where does security fit into all this? Security analysts and practitioners generally say proceed, but proceed with caution. All the risks to sensitive corporate data associated with outsourcing apply to cloud computing, and then some. Enforcing security policy and meeting compliance requirements are tough enough when you deal with third parties and their known or unknown subcontractors, especially on a global scale. Add the blurry characteristics of the cloud and the entry of non-traditional vendors into the technology market, and some red flags go up.

In an IDC survey of 244 IT executives/CIOs published last fall, 75 percent of the respondents cited security as a significant or very significant challenge with cloud computing. Compare that with 63 percent cited for the next two concerns–performance and availability. So, you’d better get ahead of the risks of cloud computing before your business colleagues get ahead of you.

“I recommend security people get some exposure to it,” says Craig Balding, technical security lead for a Fortune 500 company. “Because the CFO, attracted by the numbers, or the CIO who is told by the CFO, is going to come knocking on the door and ask ‘What’s this cloud thing all about? What can we do in the cloud?’”

Let’s examine some of the risks versus the benefits of cloud computing, and what your company can do to mitigate those risks and reap some of its benefits.

				Cloud Blurs Auditors’ Vision
				Satisfying auditors that data is properly isolated can be a problem.    IF SECURITY CONTROLS are obscured in the cloud, it follows that regulatory compliance can be problematic as well. How do you perform an on-site audit for example, when you have a distributed and dynamic multi-tenant computing environment spread all over the globe? It may be very difficult to satisfy auditors that your data is properly isolated and cannot be viewed by other customers.  Compliance presents cloud providers with a business problem: Meeting particular compliance requirements of each customer takes away some of the economies of scale that allow them to offer inexpensive services and still realize nice profit margins. But it’s one they need to address if they want large, heavily regulated companies as customers. “There are conflicting requirements,” says Forrester analyst Chenxi Wang, “between specific compliance regulations, between specific security requirements of a client and the need to amortize resources and amortize consumption across different clients. Achieving compliance becomes a little more difficult.” Since your data can be anywhere, data location can be particularly tricky, especially when it spans international borders. For example, says Gartner analyst Mark Nicolett, European privacy laws restrict movement and cross–border access of certain types of data. “You have to be aware of any restrictions in this area,” he says, because cloud providers typically don’t provide any type of location gating or guarantees about compliance on your behalf with privacy laws of that sort.” Nevertheless, don’t assume that you can’t outsource regulated data and operations into the cloud. You’ll need to work with auditors and prospective service providers to determine if cloud computing supports your compliance requirements. “It depends on the regulations,” says Craig Balding, technical security lead for a Fortune 500 company. A lot of people waving the regulation flag and saying, I can’t do this in cloud.” Much depends on what type of audits are required to satisfy the data and process control requirements. Does the auditor need to see change control logs; do you need to run security tools against the cloud computing provider’s infrastructure (which is, as a practical matter, everywhere)? Is a paper audit sufficient or does it need to be more hands-on? “Those are questions that will get fleshed out over time,” Balding says but it’s not terribly clear right now.” –NEIL ROITER

Security Isn’t A Vendor Priority

Not surprisingly, cloud computing providers are not talking much about security today. That’s pretty typical whenever “The Next Big Thing” in technology bursts upon the business landscape.

Most of the public discourse is coming from security experts and analysts pushing vendors to take the initiative. Amazon, for example, doesn’t have much of a security presence on their Amazon Web Services (AWS) Web site, and the same is true for Google Apps, says Balding. There’s no obvious procedure or clear commitment, for example, to deal with a researcher who wants to report a vulnerability.

“Google and Amazon have very smart security people,” Balding says. “But, when you talk to the Amazon evangelists who are prominent at every cloud conference about security, there’s not much of a conversation. It would be great if they put people into the community who could talk about security.”

The question is not whether cloud computing vendors are indifferent to security–clearly, they are not. Rather, how important is strong security to their business models and how far they are willing to go and how much are they willing to spend? Does the business model, for example, support a security program that is not only strong but flexible enough to meet unique customer security and compliance requirements, especially large multinational companies?

“Cloud computing is optimized for performance, optimized for resource consumption, and optimized for scalability,” says Forrester analyst Chenxi Wang. “It’s not really optimized for security.”

At this early stage of the market, you have to be concerned with where security is now and whether vendors can bake it into their services from the start or try to bolt it on under pressure from customers. It’s a new market in which companies have to be especially diligent about security before jumping in.

“Right now, it’s not cut and dried,” says Gartner analyst Mark Nicolett. “It’s an early adopter type of situation. You can’t assume any level of security practice any more than you can assume a certain level of security practice with a traditional outsourcer.”

Cloud’s Heightened Risks

What you can assume with cloud computing is that you have to deal with all the risk factors you expect to face in “normal” outsourcing. But cloud computing also brings its own inherent set of security problems, which make it not only difficult for your company to get the assurance it needs to meet its obligations, but in some cases difficult for the service provider to meet all your requirements.

“What’s different about cloud is control,” says Balding. “To have control implies visibility. You can’t control something if you can’t see.”

Consider three cardinal requirements of data security: availability, integrity and confidentiality.

The first is core to your business and your service provider’s business. A data breach is bad enough, but if the service goes down, the business is down. Amazon’s Simple Storage Service (S3) went down twice last year for several hours, for example. If your first requirement is near-100% uptime, then it’s a good bet that almost every vendor will make that its number one priority.

Data integrity and confidentiality are another matter. Integrity requires that only authorized users make authorized changes. Confidentiality means that only authorized users can read the data. One would expect to apply strong controls to enforce policies over authorized user access, authentication, segregation of data etc. With traditional partners and service providers who handle your sensitive data, you can extend those controls. But with cloud computing, you don’t know and, as a practical matter, can’t know where your data is. You don’t know what server is computing for you, where it’s transiting over which network, even where it’s stored as the providers’ systems respond dynamically to your rising and falling requirements and those of thousands of other customers. The flexibility and scalability that makes cloud computing attractive makes it unpredictable.

“Going to Amazon, or IBM or Dell or Microsoft in cloud isn’t much different than outsourcing to AT&T,” says Jeff Kalwerisky, chief security evangelist at Alpha Software. “The difference now is you literally don’t know where data is.”

Furthermore, it’s difficult to assure data segregation, because those networks and servers are sharing data from thousands of customers. So you have to be concerned that your service provider’s personnel and someone from another organization may be reading it because of improper authorization or authentication.

A related issue, says Forrester’s Wang, is transitive trust because cloud computing vendors have to rely on third-party suppliers to provide computational and infrastructure resources. So, how can I extend that trust even if I have a trusted relationship with my provider?

“These third-party infrastructure resources touch my confidential data,” says Wang. “Do I allow this trust I’ve established with, for example, Amazon, to be carried over to a third party, and how do I even evaluate that? The transitive trust question does not have clear answer.”

So, your vendor doesn’t know where your data is going to be at any given time, and that makes it difficult to determine if your data is being handled in a way that assures confidentiality and privacy.

				Private Clouds
				Building your own cloud guarantees security levels.    ONE WAY to maintain control of your data in the cloud is to own it, says Craig Balding, technical security lead for a Fortune 500 company.  Large companies are heavily invested in data centers already, he says, so business agility and new business initiatives may be more compelling drivers for cloud computing than saving on hardware costs, at least at this stage. Hence the notion of private clouds, which can be completely internal for really large companies (call that an “enterprise cloud”), but would more likely involve third-parties, such as one of the hosting providers that are trying to move into cloud-based services. The difference is the private cloud wouldn’t be open to the public. The enterprise customer reaps most of the on-demand benefits of cloud computing, but can exert the same security and compliance controls they do with more conventional outsourcing. Since hosting providers typically segregate data by sector–defense, financial services, for example, and are accustomed to maintaining strong access controls over each customer’s information, they would be well-positioned to support this type of cloud. “With a private cloud, there’s less of an attack surface,” Balding says, because not everyone in the world can sign up with a credit card.”[END MARK] –NEIL ROITER

Ascend to the Cloud with Caution

None of this means that your company should dismiss the idea of doing business in the cloud; nor should you compromise security.

“The only thing you can do now is good contractual thinking before you go in,” says Alpha Software’s Kalwerisky. Large customers can leverage major cloud providers to assure better security and transparency, he says. After all, there are choices.

“If one provider won’t play ball, I can go to others,” he says. “The market will drive it.”

Gartner recommends that you adhere to strong security requirements for engaging outsourcers, even though the cloud computing environment is more problematic. The risks to your data are still there.

In its report, “Assessing the Risks of Cloud Computing,” Gartner strongly recommends engaging a third-party security firm to perform a risk assessment. It cautions that even large and sophisticated organizations, such as major financial institutions, which are used to conducting their own assessments, are better off hiring a third party to evaluate cloud computing partnerships.

The distributed nature of cloud computing makes this kind of assessment more difficult. And, unlike traditional outsourcing partners who have come to view good security as a competitive value, cloud computing providers may be more reticent about outsiders auditing their operation, or at least limit their access. They may be less likely to allow auditors and assessment teams to lay hands on their data centers, but performing log reviews and reviewing audit trails should be negotiable.

“Obviously, auditing cannot be as detailed,” says Forrester’s Wang. For example, a vulnerability assessment scan of Google [is not reasonable]. They won’t let you do that. You have to see if it is possible to do some level of external auditing. Today, that is very difficult.”

Large enterprises certainly shouldn’t settle for the providers’ standard service level agreements, but smaller companies are another story. They typically lack the expertise to adequately assess the security of the services, so they are more apt to rely on providers who have that expertise.

“Most small companies I talk to, unless they are highly regulated, tend to put performance, reduction of resource overhead ahead of security,” says Wang. “But that doesn’t mean that cloud computing vendors shouldn’t do more to satisfy their needs and be more transparent.”

The most important consideration, regardless of company size, is the sensitivity of the data that’s exposed to the service provider. If the service does not put sensitive data at risk or jeopardize your operation, security requirements for the vendor can be less stringent. On the other hand, companies shouldn’t compromise security if confidential customer information, intellectual property or other sensitive data is at risk.

“What companies need to do is evaluate risks against business benefits, identify workloads where business benefits are high relative to risks,” says Gartner’s Nicolett. “Those workloads are the ones that are most appropriate for cloud computing at this time.”

Companies can also insist on encrypting data, both in transit and at rest. Encrypting data in motion is pretty much a given; all service providers are using SSL or some other strong encryption. Data at rest is more complex, and you may have to rely on your own resources to encrypt it. The key question is…who holds the keys?

Encryption is less reassuring if the provider controls the keys. It gets back to a question of trust and verification that the provider is following strict policies regarding who has access to the keys and under what circumstances. The mechanics are more intricate if your company holds the keys, but the security is obviously in your hands, since only your personnel can decrypt the data.

Gartner’s Nicolett cites vulnerability management service provider Qualys as a good model. Customers’ data is commingled, but it is encrypted, and the customer controls the decryption keys.

“It is the capability that makes companies feel comfortable to have their sensitive security data hosted externally,” he says.

Stick to Policy

Easy accessibility is one of cloud computing’s strengths–and also one of it’s risks. It’s trivial for a department, workgroup or even an individual to jump onto the cloud on their own. Just whip out that corporate credit card.

It’s the downside of democratization from security point of view,” says Balding. “Unless you have fantastic DLP in place, you may not even know cloud is being used.”

Consider a group of developers who can circumvent their company’s policies and processes–maybe things move a little too slowly for their liking. They’re not the bad guys; they’re just trying to get their jobs done and do what they love doing: creating first-rate software for their company.

Or a business unit can make the decision to contract for application development or perhaps CRM, such as salesforce.com. They get the job done, but bypass all the policy controls they should adhere to.

“It’s probably a valid business decision, but the worry is it’s an unconscious decision,” says Gartner’s Nicolett. “Then there is no evaluation of security, compliance and risk level, because the people that understand those risks aren’t involved in that decision.”

There are operational risks as well, he says. Workflows can be damaged or disrupted because the links between the applications moved into the cloud and internal processes aren’t clear, and process integration may be degraded.

You can still migrate the application to the cloud, he says, but you need to make a conscious, well-planned decision that addresses these kinds of potential problems up front.

The solution is straightforward. If your company has good governance in place, employees follow policy and procedure for risk assessment, planning and review before signing on for services. The message from the top should be that yes, outsourcing policies apply to cloud computing. So, put the credit card back in your wallet, at least until you’ve thought this through.

Standardization — the Next Step?

One of the major impediments to evaluating cloud computing providers is the lack of standards by which you can compare them. There are no standards for how data is stored, access controls, performance metrics, etc.

This raises business and security issues. For example, if I outsource my sales system to one provider, but want to contract another for accounts receivable, how do I share data between them? Is it even possible?

Vendors, analysts and security leaders are discussing the need for standardization, for example, for SLAs.

“My clients have trouble understanding one SLA against others because the language is different; the properties they promise are different,” says Forrester’s Wang. “You really have to spend a lot of time making sure you are comparing apples to apples.”

The next step might be agreement by an industry consortium, and eventually by some recognized standards organization. Getting competitors to agree on standards is historically a tough sell, and this probably will be no exception.

“None of the vendors will want to change to some other vendor’s standard,” says Alpha Software’s Kalwerisky. “But once we have standards about how data is stored and security issues and many other things, then cloud computing becomes an unstoppable option, because you’ll have everything you have in your data center with a lot less hassle and less capital investment.”

Neil Roiter is senior technology editor of Information Security. Send feedback on this article to feedback@infosecuritymag.com.

Information Security Magazine is a part of the TechTarget portfolio of enterprise IT-focused media.
Copyright 2000 – 2009, TechTarget. All Rights Reserved.  

M. Tim Jones, Consultant Engineer, Emulex Corp.

Cloud computing and storage convert physical resources (like processors and storage) into scalable and shareable resources over the Internet (computing and storage “as a service”). Although not a new concept, virtualization makes this much more scalable and efficient through the sharing of physical systems through server virtualization. Cloud computing gives users access to massive computing and storage resources without their having to know where those resources are or how they’re configured. As you might expect, Linux® plays a huge role. Discover cloud computing, and learn why there’s a penguin behind that silver lining. …

Click here for complete article.

Cloud computing implements the idea of utility computing, which was first suggested by John McCarthy in 1961, where computing is viewed as a public utility. Cloud computing can also be compared to cluster computing, which views a group of linked computers as a single virtual computer for high-performance computing (HPC), or grid computing,where the linked computers tend to be geographically distributed to solve a common problem. Time-sharing systems were offered in the 1960s IBM, General Electric, and other companies. Complete article here.

Besides reducing the management cost associated with cloud computing resources, there are other advantages. For example, when you separate yourself from your resources by the Internet, it doesn’t really matter where those resources reside. They could be, for example, in a climate that offers ambient (natural) cooling and therefore minimizes energy usage.

“Cloud Computing is the realisation of Internet (‘Cloud’) based development and use of computer technology (‘Computing’) delivered by an ecosystem of providers.”

It’s amazing that such a simple concept has caused so much confusion, but having spent the last few days reviewing the recent discussions it seems many are falling into the trap of trying to align Cloud Computing with (or contrast it against) existing terminology like SaaS and Utility Computing. It is in fact far more suitable as an umbrella term encompassing all of these related components.

– Sam Johnston

Definition

Let’s break down my definition (which I came to by collating the assertions that were in line with my view and then boiling the result down to the basic common elements):

“Cloud Computing…

• …is the realisation of…
  While many of the requisite components have been available in various forms for some time (eg Software as a Service, Utility Computing, Web Services, Web 2.0, etc.) it is only now they are reaching critical mass that the Cloud Computing concept is working its way into the mainstream. As more of a collection of trends (a ‘metatrend‘) we still have some way to go yet, but Cloud Computing solutions are a reality today and will rapidly mature and expand into virtually every corner of our lives and enterprises.
• …Internet (‘Cloud’) based…
  Although some have [ab]used the ‘Cloud Computing’ term in reference to infrastructure (particularly grid computing, like Amazon’s pioneering Elastic Compute Cloud), much of its value is derived from the universal connectivity of the Internet; between businesses (B2B e.g. Web Services like Amazon Web Services), businesses and consumers (B2C e.g. Web 2.0 like Google Apps) and between consumers themselves (C2C e.g. peer to peer like BitTorrent). Many of us are now connected to ‘The Cloud’ where we work (office), rest (home) and play (mobile) and there are solutions (eg Gears) for when we are not.
• …development and use of computer technology’…
  an accepted, all-encompassing definition of computing – there are very few areas which will not be affected in some way by Cloud Computing so I’ve gone for the broadest possible definition.
• …delivered by an ecosystem of providers.“
  While it is possible to enjoy some of the advantages using a single provider (eg Google), it is hard to imagine a functionally complete solution which does not draw on multiple providers (in much the same way as we install task-specific applications onto our legacy computers). Your electricity is almost certainly generated by wholesale providers who pump it into the grid and similarly Cloud Computing will typically be delivered by layered (eg Smugmug on Amazon S3) and/or interconnected (eg Facebook<->Twitter) systems.

Full article here.

Below is a rundown of the share of internet users who have done a select set of online activities that involve storing data online or accessing applications in cyberspace.

56% of internet users use webmail services such as Hotmail, Gmail, or Yahoo! Mail.
34% store personal photos online.
29% use online applications such as Google Documents or Adobe Photoshop Express.
7% store personal videos online.
5% pay to store computer files online.
5% back up hard drive to an online site.

Overall, 69% of online users have done at least one of these six activities, with 40% of internet users having done at least two of them.

Convenience and flexibility are the watchwords for those who engage in at least one of the cloud computing activities listed above:

51% of internet users who have done a cloud computing activity say a major reason they do this is that it is easy and convenient.
41% of cloud users say a major reason they use these applications is that they like being able to access their data from whatever computer they are using.
39% cite the ease of sharing information as a major reason they use applications in cyberspace or store data there. At the same time, users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware.

90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party.
80% say they would be very concerned if companies used their photos or other data in marketing campaigns.
68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.

More info here.

Complete report.pip_cloudmemo

Check out the answer given by Jimmy Pike from Dell: (Complete article here.)

Most discussion these days involves grid, utility, and cloud computing to which we will add software as a service (SaaS).

• Grid computing is a fairly all encompassing concept and as you probably know, can be generally defined as: “a system that uses open, general purpose protocols to federate distributed resources and to deliver nontrivial qualities of service.” Or in other words, it uses standard “stuff” to make many distinct systems work together in a way that makes them useful.
• Utility computing or on-demand computing is the idea of taking a set of resources (that may be in a grid) and providing them in a way in which they can be metered. This idea is much the same as we buy electricity or a common utility today. It usually involves a computing or storage virtualization strategy.
• Cloud computing is a subset of grid computing (can include utility computing) and as I mentioned in my opening post, is the idea that computing (or storage) is done elsewhere or in the clouds. In this model many machines (Grid) are orchestrated to work together on a common problem. Resources are applied and managed by the cloud as needed. (In fact this is a key characteristic of cloud computing. If manual intervention is required for management or operations, then it probably doesn’t qualify as a cloud.) Cloud computing provides access to applications written using Web Services and run on these Cloud Services.

Gspace

Salesforce.com

Mindjet Connect

Smartsheet