ISSE 2009: The ups and downs of cloud computing

07 October 2009

Gerry Gebel, vice president at the Burton Group, took the audience at ISSE 2009 in The Hague on 6 October 2009 through the ups and downs of cloud computing, exploring pitfalls and benefits.

First, Gebel went through some of the justifications for moving towards cloud computing from businesses’ perspective:

  • We’re running out of space and power (in data centres)
  • We’re spending lots of money on overhead
  • It’s not our core competency
  • We could not exist without it

With cloud computing, applications, data and infrastructure could be spread everywhere: on premise, and in public, private and hybrid clouds.

The risks of cloud computing

Cloud computing could present significant risks, and so security must be applied to the cloud and hybrid scenarios, Gebel said.

He warned that businesses should be very wary of storing sensitive data in the cloud. However, it makes a lot of sense to use internal or hybrid clouds to save costs.

Furthermore, in the current cloud computing market, it is hard to change the terms of what is being offered by cloud service providers, meaning companies have little actual control over the services they subscribe to.

There is also the risk that the multi-tenant, dynamic characteristics of cloud computing may put sensitive data at risk.

Vendor viability creates strategic risk (there are many starter vendors); denial of service (DoS) attacks could create systemic risk; and a lack of transparency and accountability regarding security practices lowers vendor trust in cloud computing.

Cloud computing also presents users with legal, financial and reputation risks:

  • Jurisdiction of where companies are based vs. where the data is held – even though cloud computing is about storing data anywhere
  • What if law enforcement where your data is held requests it to be handed over, and the service provider does so without notifying your company first?

Also, some cloud service providers do not disclose their security measures.

The benefits of cloud computing

Gebel was keen to point out, however, that he was in no way against cloud computing, as it also has its positives.

When comparing cloud computing against ‘conventional’ computing, Gebel said that on-premise IT “doesn’t have a perfect record either”. It is also important to measure cloud computing against realistic expectations.

If done correctly and securely, cloud computing could improve availability and private clouds (communities) can support collaboration with external partners.

Some use cloud computing for business continuity and disaster recovery purposes, for example in response to the swine flu.

There is also the benefit that workloads can be moved around a lot more easily with cloud computing.

Although you have fewer preventive security controls available with cloud computing, you can transfer risk and monitor it.

What is needed?

Gebel told the ISSE 2009 audience that we need to define rules of engagement for using cloud computing – assess sensitivity of information, risks, etc. Furthermore, customers need the right to audit and the right to privacy in the public cloud.

Secure cloud computing requires third party trusted assessors, and we must rethink security technologies. It also goes without saying that encryption and key management are important.

Recommendations for secure cloud computing:

  • Should not use public clouds for sensitive data
  • If need to use cloud computing, then take out an insurance policy for the IT department
  • If using public clouds, start with low risk or low volume applications
  • Build internal clouds
  • Consider private clouds for vertical industry
  • Demand greater vendor transparency
  • Demand service level agreements and have an exit strategy
  • Better definition of audit assessment criteria.

 
