Forrester questions the security of cloud computing

12 May 2009

With the economic downturn, cloud computing is seen as a way to improve operational efficiency, reduce headcount and help the bottom line. But according to a report on cloud computing from Massachusetts-based Forrester Research, organisations should not jump on the ‘cloud wagon’ before considering security and privacy concerns.

Forrester Research questions the security of cloud computing in its report ‘How Secure is Your Cloud?’, the first document in the ‘Secure Cloud Computing’ series.

Benefits of using cloud computing include: operational (uptime, availability, expedited launch of new IT projects); financial (pay-as-you-go model, lower cost of ownership); and better support for collaboration and community computing.

Security and privacy concerns are still seen as a strong barrier to entry for cloud computing, however, and Forrester Research warns that IT professionals must develop better ways of evaluating the security and privacy practices of cloud services.

The analyst does not warn against cloud computing in itself, but highlights the security issues surrounding its use. “The ultimate goal [is to] make the cloud service work like your own IT security department and find ways to secure and optimise your investment in the cloud,” the report states.

Steve Whitlook from international IT security thought-leadership association, Jericho Forum, comments: “Like many others, we see huge potential and benefits for moving into ‘the cloud’, but we see risks, security issues, and interoperability issues. The community has much work to do to make the cloud a safe place to collaborate.”

Where’s the data?

Cloud computing raises information security issues such as ‘where is the data stored’ and ‘who else has access to the cloud’ as cloud computing is based on multi-tenancy. “These differences give rise to a unique set of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues and areas such as compliance, auditing, and eDiscovery”, Forrester Research has found.

The report mentions the recent security breach at Google Docs and Facebook's proposed change to its terms and conditions on the ownership of content when a user wishes to withdraw information and content.

Forrester has compiled extensive checklists that organisations should go through before choosing a cloud computing service provider. The checklists include topics such as ‘security and privacy’, ‘compliance’ and ‘other legal and contractual issues’.

Organisations should also evaluate the vendor’s security and privacy practices including data protection, vulnerability management, physical and personnel security, availability, application security, incident response, and privacy.

Compliance – who’s liable?

“Cloud computing has the potential of putting compliance at risk, as it requires you to hand over IT controls to someone else and in the process of doing so introduces uncertainties in these aspects: business continuity…, logs and audit trails…, [and] specific compliance requirements…”, the report states.

Compliance is a big issue, as the responsibility remains with the company itself and not with the cloud computing services provider or vendor: “Companies that are considering contracting cloud services should understand that compliance is ultimately your responsibility”, Forrester Research says.

Using cloud computing means data could be put in places where there is uncertainty around how information is policed. Information security legislation in the country or countries where the organisation using cloud computing is based could be different, or not exist at all, in the locations where the information is being stored.

Safe cloud computing

Forrester sums up the report with some recommendations for organisations venturing into the clouds:

  • Gather legal and regulatory requirements first for a feasibility assessment;
  • Work guidelines and standards into the SLA;
  • Seek ongoing assurance that your service providers are compliant; and
  • Use a third-party, unbiased cloud assessment service.

 
