The Cloud Security Silver Lining


The past few weeks have been tough on cloud security. Cloud services provider Amazon lost control over its Amazon's Web Services for a number of days in an outage and many businesses using Amazon lost access to their systems. Also, cloud storage service provider Dropbox came under fire for changing its terms of service to permit the handing over of customer data if ordered by a legal request during law enforcement investigations.

The Amazon Web Services and Dropbox incidents should make it clear to those who haven't planned properly that security, privacy, and availability are critical considerations in the cloud, and that help may be needed in achieving a solution.

"Solution providers can play an important role in helping their clients to understand how their applications and systems change when they start considering a move to the cloud," says Mike Rothman, president and analyst at the security research firm Securosis. "It's not about selling products now as much as it is educating and building the right solutions," he says.

To be able to embrace the cloud, enterprises need to know that they can manage clouds in a secure way. And, especially for those operating in regulated industries, they need to have control over the security configurations of their data and cloud-based systems.

Unfortunately, when it comes to cloud security, there seems to be a chasm between cloud services providers and their customers. According to a survey released recently by software maker CA, and conducted by the Ponemon Institute, Security of Cloud Computing Providers, less than 20 percent of cloud providers across the U.S. and Europe view security as a competitive advantage, fewer than 30 percent consider security an important responsibility -- and a shocking 27 percent of cloud providers said their cloud services substantially protect and secure customer information.

And, according to the survey, 69 percent of cloud providers think security is the primarily the responsibility of the cloud user, while only 35 percent of cloud users believe security is their responsibility.

Cloud services providers and cloud users also disagree widely on the degree to which they saw intellectual property (IP) being too sensitive for the cloud. Sixty-eight percent of cloud users felt their IP was too risky for cloud use, compared to just 42 percent of cloud providers.

That chasm in expectations should slow any organization thinking about rushing to a cloud-based service without looking at where they're leaping. Cloud computing promised simplicity, yet the risks and impacts on security and regulatory compliance when it comes to moving to public, private or SaaS cloud services aren't clear.

"Enterprises need help to determine the best path for their business -- and then how to maintain a strong level of visibility into the security and control over their data," says Jon Ramsey, executive director of the Counter Threat Unit research group at Dell SecureWorks. "That means there's great need for consulting to help organizations understand what security their cloud provider is -- and isn't -- providing," he says.

Next: The Rogue Cloud Service Risk