www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
08 February 2010  
Security in the cloud

Cloud Computing is seen as the next big thing in IT. Nevertheless, as companies adopt cloud computing there are some security aspects that need to be kept in mind, writes Manjari Juneja

Cloud computing is one of the most promising technologies for any enterprise today. Especially in this economy, cloud services can provide speed, efficiencies, and cost savings. These benefits are enabling the technology to pick up in India. However, given data privacy and other concerns, it can also open up a potential Pandora’s box of security threats. Hence, one of the biggest business requirements enterprises evaluate while looking at cloud-based solutions is security.

When it comes to security in the cloud, concerns center on data being transmitted to and stored by a cloud services provider: keeping it safe and preventing it from being lost or stolen. Users often wonder about an unproven cloud vendor’s security practices and the virtual separation between infrastructure rented out to different clients.

Enterprises need to ensure that their privacy and security as well as regulatory compliance needs are met, including secure access when connecting to cloud services. This would include authentication/authorization, endpoint security validation, and security in the data center.

Businesses must clearly understand the resources, information, and technology that they plan to use, share, or extend so that they can make an educated decision about the risks that they might be taking on. Companies are under increased pressure to cut costs and are turning to a variety of Web-based services, from online collaboration tools to social networking platforms, without considering the increased risks that these pose and in some cases failing to inform IT security.

Vikas Desai, Lead Technology Consultant, India & SAARC, RSA Security, said, “Two studies recently released by RSA address the increased risks posed by cloud-based services and social networking. The 2009 survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that many organizations lack a security strategy to address the risks associated with cloud-based services. It is the third study in recent months to address the risks associated with the growing use of Web-based services. Making matters worse, some security professionals are not being informed when new cloud-based technologies are being used within an organization, according to the survey. More than 8 out of 10 respondents are concerned that the pressure to cut costs and generate revenue has increased their exposure to security risks.”

"The cloud monoculture has both advantages and disadvantages. The environment can be more efficient because it is better understood, security patches can be applied systematically to all instances, and administration can be centralized. However, these selfsame features open the door to exploitation"

- Amit Nath
Country Manager, Trend Micro India and SAARC

"Predictions are that this model will continue to grow and can become the most common form factor for application delivery in the not-too-distant future. Cloud computing and SaaS can deliver efficiencies and business beyond what is achievable with traditional approaches"

- Manish Bansal
Marketing Manager, Websense Software Services India Private Limited

According to Verizon Business, security is the biggest concern. In cloud computing, server, network, and storage resources are provided to the enterprise as a service and data is moved into the cloud. Whether it is private customer information, business data, intellectual property, trade secrets, or legal documents, IT leaders are understandably sensitive about letting this kind of information go outside the company firewall. ‘Where will this data be stored? Does the service provider maintain its own secure physical infrastructure, or will processing and storage functions be farmed out to third parties? How will data be secured as it travels within the cloud itself?’ These are critical concerns that must be adequately addressed before IT leaders can consider expanding their use of cloud computing solutions.

Industry standards and regulations such as HIPAA, the Payment Card Industry Data Security Standard (PCI-DSS), the Gramm-Leach-Bliley Act (GLBA), and the Statement on Auditing Standards 70 (SAS-70) have clearly defined and measurable security requirements. Organizations must be prepared to identify how data will be handled and stored, an undertaking that could prove difficult when data exists in the cloud. ‘If data isn’t handled properly and regulations are violated, who is responsible?’ For cloud computing to be viable for the enterprise, providers must adhere to the same standards and controls that an organization would impose in house.

Diptarup Chakraborty, Principal Research Analyst, Gartner, said, “20% of infrastructure related services are going to be in the cloud by 2011. Vendors are pushing cloud computing aggressively as they have invested heavily and now want to monetize. Security will be an overriding concern when it comes to cloud services. It is crucial for customers to know the credentials of the vendors and the extent to which their security offerings are safe. Customers should insist on regulatory compliance and certification and should read the SLAs carefully.”

Andy Karandikar, Marketing Head, Red Hat India, added, “The cloud offers compelling and exciting benefits. However, there are significant barriers to its adoption and security is one of them. Within this area data, application isolation, shared networks and compliance are major issues, which need to be addressed.”

Checkpoints to consider

Companies need to evaluate how fault tolerant the systems they intend to use really are. It is important for a company to assess its needs and the robustness of the infrastructure and systems that it intends to use. IT staff should consider that with Infrastructure-as-a-Service (IaaS), they are typically using a more homogeneous computing environment than is typical inside a company.

Amit Nath, Country Manager, Trend Micro India and SAARC, said, “This monoculture has both advantages and disadvantages. The environment can be more efficient because it is better understood, security patches can be applied systematically to all instances, and administration can be centralized. However, the security downside is that these selfsame features open the door to exploitation. Intruders potentially have the opportunity to hire the same computing environment and test it for weaknesses. Some potential breaches are due to the virtualization techniques used and can be quite unexpected. Moreover, the company deploying its IT into the public cloud needs to consider how administrative access will be granted to cloud computing resources.”

Yet another situation which comes under the heading of catastrophic failure is data theft and data loss. Given that access to cloud computing resources will be remote, a company needs to consider measures such as encrypting data in the cloud. Ideally the deploying company should hold the encryption keys rather than the IaaS provider.

A CIO’s primary concerns

Data Security: ‘My data is out there but I don't know who has access to it? Who is viewing it?’ To make matters more challenging, many cloud vendors are not entirely transparent as to their infrastructure details, their server and storage configuration details, etc. So it is hard for a CIO as a customer to really understand what goes on beneath.

Data Availability: Data availability is also a great challenge. ‘What happens if the cloud goes down? How do I get access to my data? What if I do not have an Internet connection at the airport, but want to access my data somehow?’

Data Recovery: ‘If my data is unavailable or is completely wiped out due to a disaster, can they replicate that data for me? How soon? How much of it?’

Where the market is headed

By 2012, customer spending on IT cloud services will grow almost threefold, to $42 billion and account for 9% of revenues in five key market segments (business applications, application development or deployment, system infrastructure software, storage and servers), according to IDC. The analyst firm also predicted that spending on IT cloud services is growing at over five times the rate of traditional, on-premise IT.

Manish Bansal, Marketing Manager, Websense Software Services India Private Limited, said, “Predictions are that this model will continue to grow and can become the most common form factor for application delivery in the not-too-distant future. Cloud computing and SaaS can deliver efficiencies beyond what is achievable with traditional approaches.”

Identity as a threat

When online users equipped with current versions of Internet Explorer, Firefox, Safari, Google Chrome, Opera and other browsers visit sites such as banking or online shopping sites, they face the risk of having their identity stolen and misused by a hacker.

To protect users from such threats, two-factor authentication (2FA), a stronger form of verification, is fast gaining in popularity. Today over 45 companies offer this stronger form of authentication to customers; this growing community includes eBay, PayPal and AOL, among others. 2FA reduces the risk of fraud because it combines what the end user knows, namely a user name and password, with what he has, such as a one-time password (OTP) generated by a physical device or a mobile phone. A user can't successfully sign on without both.

Rajiv Chadha, Vice President-India, VeriSign, said, “VeriSign Identity Protection (VIP) Authentication Service provides strong, visible security for online commerce applications and embraces open standards which allow any OATH-compliant device to be used for authentication. VIP Authentication Service includes a number of options for supplemental factors, including standalone hardware devices such as one-time password (OTP) tokens and multipurpose payment cards. The service leverages a shared validation infrastructure operated by VeriSign that enables enterprises to deploy strong authentication without bearing the entire burden of managing and operating a self-standing authentication infrastructure.”

Challenges

"20% of infrastructure related services are going to be in the cloud by 2011. Vendors are pushing cloud computing aggressively as they have invested heavily and now want to monetize. Security will be an overriding concern when it comes to cloud services"

- Diptarup Chakraborty
Principal Research Analyst, Gartner

"Many organizations lack a security strategy to address the risks associated with cloud-based services. Making matters worse, some security professionals are not being informed when new cloud-based technologies are being used within an organization"

- Vikas Desai
Lead Technology Consultant, India & SAARC, RSA Security

With any new technology there are challenges and apprehensions, and the same applies to cloud computing. Data security, cross-country data migration and data recovery are going to be some of the big challenges in the way of this technology being deployed. Outsourcing would also create some roadblocks.

The biggest challenge, of course, is that of data security and privacy. It’s a huge challenge to ensure that the right person gets access to the right content at the right time. This necessitates a solution which is both generic and dynamic. The combination of Adaptive Authentication, which is a risk-analysis-based solution, and Data Leakage Protection solutions would be ideal for such a dynamic environment.

Satish Joshi, EVP, Patni, added, “The first challenge is to understand the implications of the commercial models offered by cloud providers. The key reason for moving to a cloud computing environment is cost savings as what one pays per month to use the cloud should be significantly less than the expenses incurred (including cost of capital) of running the same applications in house. Quantifying this is even more difficult partly because there are no accepted standard charging mechanisms as there are no standard definitions of what is meant by computing capacity (except perhaps in case of Storage and network bandwidth), and there are no standard definitions of service levels. This makes it difficult to compare the real benefits of moving to a cloud model versus computing in house and to choose between the competing offers of different cloud providers.”

“The other challenge arises because typically all of an organization’s computing tasks will not move into the cloud, certainly not all at one time and most probably some will always remain in house for one reason or the other. It is also likely that those tasks that move into the cloud and those that remain behind will interact closely, exchange data or transactions frequently, share common databases as well as depend on each other’s successful execution because they represent discrete steps in a single continuous business process etc. Therefore integrating both, tasks that have moved into the cloud and tasks that remain behind, is a non-trivial technical issue that must be solved diligently and this requires significant efforts plus significant alterations or reengineering of applications and their interfaces. It may even require redesign of the underlying business process,” he concluded.



manjari.juneja@expressindia.com

 




© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.