
Cloud Computing - a security risk?

19 May 2010

Cloud Computing is all the rage, but while most enterprise IT departments are eager to explore the possibilities offered by decentralized infrastructure and applications, they are also deeply worried about possible security risks.

And they're right. Before heading for the cloud, IT departments and business leaders need to solve a number of issues, the first of which may sound almost too simple. They need to answer one very basic question, namely: What do we mean by cloud computing?
As with most hyped IT topics, everybody seems to have his or her own definition of what it's all about. The vendors and their marketing departments tend to complicate matters further by trumpeting their own special brand of cloudiness, tailored to fit their existing product portfolio or, worse, products that are still on the drawing board.
Cloud Computing is all about service
In a nutshell, cloud computing is the first step toward truly service-oriented IT; one that is able to adapt itself better, faster and more flexibly to the everyday needs of lines of business by orchestrating a wide range of IT services to fit their special requirements and situations. These services can be provided either by internal or external providers. As long as they offer top quality, it really doesn't matter that much whether they are supplied in-house or from outside. In fact, the trend seems to favor outsourcing, but that really isn't essential to the cloud vision.
This explains why users are so confused. Confronted with a jumble of catchphrases such as "private" clouds versus "public" clouds, they don't know what to believe. Some vendors muddle things up further by suggesting a mix of both – often referred to as "hybrid" clouds.
Pity the poor layman!
Most companies have been using external services for years. External backup, managed email services, virus library updates, web hosting and web conferencing are everyday stuff, as are specialty services from outsiders such as those offered by DATEV, a large German tax assessment service provider. IT outsourcing, by any name, is actually a form of cloud computing, more or less. So nothing new under the sun, it seems. Cloud computing is just a nice new label for something that has been going on for years.
Securing the cloud
All this is not to say that the security issues facing cloud computing are also old news. Yes, outsourcing has always carried its risks, and many of these have been successfully solved in the past. But the nature of next-generation cloud computing is also changing the nature of the threats. New technology, as a rule, brings new hazards.
Possibly the most important aspect of cloud computing is that it forces IT departments to abandon their hitherto often rather opportunistic handling of outsourcing in favour of a straightforward, strategic approach. Customers following a well-planned cloud strategy will also insist on being free to switch vendors if it turns out that their provider simply can't cut the ice.
The capability to move from one vendor to another inevitably brings new risks – and new chances. The latter arise from the fact that strategies tend to favor standard solutions and formal criteria on which decisions are based. In this case, odds are that security will receive greater attention than it would if decisions were made ad hoc. The risks lie in the fact that working with many different providers simultaneously makes the job of overseeing each of them more difficult.
Getting started in the cloud
IT risk management is always a good first step towards entering the cloud. If you are aware of what can go wrong, you can make smart choices about individual services and outsourcing opportunities. This means evaluating the offerings of vendors from a risk perspective and determining which can be used for each cloud application based on the nature and sensitivity of the data involved.
Risk management also calls for a consistent and comprehensive evaluation of the service on offer. This also involves looking at the environment in which the service is to be hosted and run. Which security measures are in place? Where are the data being stored and processed (especially personal information)? "In the cloud" isn't the answer you want to hear. Push your service provider to give specifics. The same goes for encryption. Ideally, data should be encrypted over its entire lifecycle ("at rest", "in motion", "in use"). Can your provider guarantee this?
But contracts are one thing; making sure the vendor lives up to them is another. Monitoring SLA compliance can be tricky, especially since many cloud providers believe their customers don't want to be bothered by pesky details. After all, isn't that why they're going cloud, just to rid themselves of everyday hassle and bother? Think again! Keeping tabs on your provider is essential to any successful cloud strategy. And if he tries to wriggle out of giving you all the information you need to assess his performance – fire him and find someone else!
Cloud computing also calls for end-to-end administration, authentication, authorization and auditing. No cloud solution can do without full identity and access management (IAM) capabilities if you want to make sure that security policies are truly enforced within the cloud. Unfortunately, most cloud vendors aren't up to much on IAM. They often lack standards-based interfaces for external identity management and monitoring. There is no excuse for this.
Standards such as SAML, SPML or XACML have been around now for years and belong in any decent cloud service tender.
Finally, risks tend to multiply in mysterious ways once you start to work with more than one provider, especially if internal and external services are mixed together. However, these usually concern only availability issues, not overall security, at least if good "Cloud IAM" is in place.
Cloud Computing – a calculated risk
Nevertheless, cloud computing remains a calculated risk for most IT departments. This goes, however, for any kind of externalized service. The past has shown that companies are pretty good at dealing with residual risk. The strategic decision to enter the cloud calls for extensive rethinking within the IT organization itself. Clearly defined, end-to-end service management at every level is the final goal. That way, IT professionals can keep their eye on the risks while enjoying the undeniable cost and efficiency benefits that cloud computing can bring. If, on the other hand, cloud is seen as "just another service", the risks may in fact be incalculable.
Martin Kuppinger, Founder and Principal Analyst of Kuppinger Cole
www.kuppingercole.com
