The Cloud Security Silver Lining

The past few weeks have been tough on cloud security. Cloud services provider Amazon lost control over its Amazon's Web Services for a number of days in an outage and many businesses using Amazon lost access to their systems. Also, cloud storage service provider Dropbox came under fire for changing its terms of service to permit the handing over of customer data if ordered by a legal request during law enforcement investigations.

The Amazon Web Services and Dropbox incidents should make it clear to those who haven't planned properly that security, privacy, and availability are critical considerations in the cloud, and that help may be needed in achieving a solution.

"Solution providers can play an important role in helping their clients to understand how their applications and systems change when they start considering a move to the cloud," says Mike Rothman, president and analyst at the security research firm Securosis. "It's not about selling products now as much as it is educating and building the right solutions," he says.

To be able to embrace the cloud, enterprises need to know that they can manage clouds in a secure way. And, especially for those operating in regulated industries, they need to have control over the security configurations of their data and cloud-based systems.

Unfortunately, when it comes to cloud security, there seems to be a chasm between cloud services providers and their customers. According to a survey released recently by software maker CA, and conducted by the Ponemon Institute, Security of Cloud Computing Providers, less than 20 percent of cloud providers across the U.S. and Europe view security as a competitive advantage, fewer than 30 percent consider security an important responsibility -- and a shocking 27 percent of cloud providers said their cloud services substantially protect and secure customer information.

And, according to the survey, 69 percent of cloud providers think security is the primarily the responsibility of the cloud user, while only 35 percent of cloud users believe security is their responsibility.

Cloud services providers and cloud users also disagree widely on the degree to which they saw intellectual property (IP) being too sensitive for the cloud. Sixty-eight percent of cloud users felt their IP was too risky for cloud use, compared to just 42 percent of cloud providers.

That chasm in expectations should slow any organization thinking about rushing to a cloud-based service without looking at where they're leaping. Cloud computing promised simplicity, yet the risks and impacts on security and regulatory compliance when it comes to moving to public, private or SaaS cloud services aren't clear.

"Enterprises need help to determine the best path for their business -- and then how to maintain a strong level of visibility into the security and control over their data," says Jon Ramsey, executive director of the Counter Threat Unit research group at Dell SecureWorks. "That means there's great need for consulting to help organizations understand what security their cloud provider is -- and isn't -- providing," he says.

Next: The Rogue Cloud Service Risk

One of the first risks enterprises face when moving to the cloud are "rogue" cloud services set up by internal departments that were not sanctioned by IT.

"There is just a sense that departments can go around IT to adopt cloud services, particularly software-as-a-service, going around the IT organization and buying just about any service you wish," Ramsey says.

Consider, as a simple example, when a product development group may seek a collaboration program that would provide it the ability to exchange files, maintain version control, conduct group white boarding, and other collaborative functions among the team. The group requests the functionality from IT, and learns that it could take six months, or longer, to deploy. The team then starts to look immediately at cloud providers, and finds a SaaS solution that can be running immediately, and billed at a low operational expense.

While easy to make, such moves can place the enterprise at considerable risk. First, the platform may not be as secure as the IT team would require. Second, regulated or confidential information may start being collected off site and in a way that wouldn't pass a regulatory audit.

Experts say this is why it's crucial to help companies understand what risks exist in the cloud not only from a technical perspective, but from an operational perspective as well. "Any way solution providers can help organizations improve governance when it comes to cloud systems will be welcomed," says Ramsey. "

"They have to design their processes to make certain that security is included in the beginning, instead of at the end of any decision-making process. That can be as simple as requiring legal department, during their services sign-off process, to require a security evaluation of any service be contemplated," says Ramsey. "That way, security can get involved in the process early."

Those processes need to be in place whether a company is moving to a public cloud, or a private cloud that they will run themselves in-house or outsource to a services provider.

"If there's a regulatory control over the data that says that the organization can't manage certain types of data in a multitenant environment then a public cloud is out of the question," says George Reese, founder and CTO of cloud infrastructure management firm enStratus Networks. "It then becomes a question about whether they'll move that data to a private cloud model, or if it will stay in the existing data center," says Reese. "What aspects of the IT enterprise can move to cloud is one of the first decisions that needs be made," he says.

Then, when it comes to security, does the enterprise have the ability to keep the data secure, or at least ensure that the cloud service provider has the ability to -- and is -- doing so.

"What's interesting when discussing cloud security is that we are not talking about any new security concepts. We're talking about what we've always done with essential security practices," says Ken Biery, principal consultant, governance, risk, and compliance services at New York-based Verizon Business. "They still have to have good access control, maintain least privilege access, harden systems, effective change management, protection against malware, in addition to all of our other security controls, " says Biery.

The challenge becomes: how do customers replicate those controls that are in place in their traditional data center.

Next: Cloud Security Vendors, Standards On Tap

Vetting cloud providers for the degree of security they can provide isn't yet straightforward. That's starting to change, however, as both cloud providers mature, and industry groups pull together ways to quantify cloud security. Late last year the Cloud Security Alliance (CSA) released its Cloud Controls Matrix (CCM) as a way to help cloud services providers, customers, and solution providers to assess the overall security risk of a cloud provider. The CCM is a controls framework that helps all parties align security to things like cloud architecture, legal and e-Discovery, compliance and audit, application security, and others.

CSA is also working on the development of cloud security and privacy standards with the International Organization for Standardization /International Electrotechnical Commission (ISO/IEC) to build guidelines on information security controls for the use of cloud computing services based on Information Security Management System controls.

While such standards and best practices are starting to mature for the cloud, security applications specifically designed for cloud computing, are starting to surface. Earlier this year, cloud encryption provider CipherCloud launched data encryption and tokenization services for a number of cloud platforms, such as Salesforce.com and Google Apps. Through a virtual appliance, data is encrypted before it is sent to the cloud application. The encryption keys reside within the enterprise and are not extended out onto any cloud services.

Also earlier this year, security firm CloudPassage announced it would help reign firewall and system configurations within the cloud. The company says its Halo SVM (Server Vulnerability Management) and Halo Firewall are the first server security and compliance services built specifically for clouds. "It's good to see vendors that are trying to tackle some of these issues with cloud-based solutions," says Securosis' Rothman.

Solution providers, for their part, say they are prepared to tackle the thorny issues that cloud security entails.

"There's nothing new about the security used in the cloud," adds Ramsey. "For us and other service companies bringing services to the cloud is another delivery model for something already being delivered in other ways. And the disruption cloud brings to the market makes it a great time to be in services," he says.