Cloud Computing has, whether IT security managers like it or not, become the number one topic on many boardroom agendas. Why? Because cost savings can accrue from the use of the technology.
Consider also the equally tangible productivity benefits – driven by the ability for employees and third parties to gain near-anywhere/anytime access to company data – and it will become clear why finance directors are buttonholing their IT management colleagues on the subject.
Placing a company's IT files and selected systems into the cloud however, poses a clear and present danger to the integrity of the data, as well as to the reputation of the owner of information.
So how does the risk-reward ratio stack up when balancing the cost and productivity benefits of cloud computing against the security and reputational risks of using the technology?
According to a late spring 2009 report from IDC, larger enterprises are going down the cloud route in drives, in search of greater cost efficiencies and faster times to market for application development and testing services.
In the report entitled ‘Cloud-based application development and test services: customers' leading requirements and provider preferences', drawing on 400 IT and line of business executives in the US and Europe, IDC concluded that large enterprises are looking towards cloud-based outsourcing models as the next virtual frontier.
The early stages
Although many companies are still in the early stages of evaluating when and how to best leverage these services, researchers found that most organisations already have high expectations for efficient, secure, and reliable cloud-based environments.
IDC's study found that whilst customers are beginning to experience some of the positive operational and financial advantages tied to the use of new platforms – such as Platform-as-a-Service (PaaS) and Testing-as-a-Service (TaaS) – they are also concerned about the limitations and challenges of the new technology.
Rina Shuchat, director of application outsourcing services with IDC, says that success as a provider of cloud-based application services will be dependent on players proving themselves in the areas of reliability, security, availability, performance, and the management of service level agreements.
Large enterprises across all industry sectors, she explained, are concerned about not getting the support, security, and stability they need to rely on as they look to scale applications in a private, public, or hybrid cloud like environment.
Delving into IDC's report reveals that almost 30% of respondents were looking for 24/7 support from their cloud environments.
|"Working together, we believe that the CSA and Jericho Forum can bring clear leadership in this important area and dispel some of the hype and confusion stirred up in the cloud."
A similar percentage of respondents were also looking for data security and reliable performance under heavy workloads.
In addition, says the report, almost half of the firms surveyed selected full service outsourcers/system integrators as the leading provider they would choose to support cloud-based application development and testing environments.
Arguably the most interesting conclusion from the report is that with the proliferation of these cloud-based service platforms, there are clearly a number of new opportunities for traditional outsourcers and cloud providers to offer customers a range of new services.
These new services include robust data governance programmes, consolidated security test services, and next-generation bundled application lifecycle services.
|"Solving the new set of risk issues it introduces is a shared responsbility of cloud provider and customer alike."
Throwing money at the cloud
In a survey of around 470 organisations carried out earlier this year in preparation for the Infosecurity Europe show in April, around 75% of companies and public sector agencies said they intend to reallocate – or increase – their budgets to finance secure cloud computing and software as a service (SaaS) within the next year.
Infosecurity Europe's organisers interviewed a panel of 20 chief information security officers (CISOs) of large enterprises at the show in April. Results revealed concern about availability and security aspects of software services in the cloud.
The CISOs noted particular concern about the lack of standards for working in the cloud, SaaS and secure internet access. As a result, the majority stated that they would welcome the development of guidelines in this area.
According to Raj Samani, vice-president of communications with the Information Systems Security Association (ISSA), this is the clearest indication that SaaS is well and truly here to stay.
"With any new technology however, a risk assessment must be undertaken before allowing your data to be stored off-site (with a vendor). After all, you can transfer the burden of managing systems, but not the liability if something goes wrong", he says.
Aside from the need to carefully plan the road to cloud computing and conduct in-depth risk assessments at all stages in the planning process, what other areas should managers focus on when implementing IT in the cloud?
Sarb Sembhi, president of ISACA's London chapter, notes that, whilst simple web-based email services offered by Google and others are difficult to secure when using standard web interfaces, he believes that with the right technology and risk approach, these problems can be solved.
Storage Expo: Free cloud information, consulting and seminars
The Storage Expo event takes place in London on 14th-15th October, 2009. IDC analysts Carla Arena and Eric Sheppard will be speaking on cloud computing issues at the event.
Carla Arena, of IDC’s European infrastructure software operation, will be speaking on the subject of ‘Future directions: what is on the horizon that will shape storage strategies tomorrow?’.
Eric Sheppard, IDC’s programme manager for European disk storage systems will be presenting on the subject of `What to look for when buying virtualisation solutions: a top 5 questions checklist to ask your vendors.’
A session on `The truth about cloud: how fragile is it really?’ is also scheduled for Storage Expo.
According to Sembhi, apart from the basics, two-factor authentication systems − when married with encrypted VPN connections − help secure an internet connection into a cloud based service, making interception of files and transmissions harder.
“It is vital that you manage the associated risks (specific to cloud computing) to your business environment and goals and deal with them effectively”, Sembhi says.
In May 2008, ISACA polled its senior members about the security technology issues that worry managers the most. The findings of this survey revealed that IT security management, along with regulatory compliance and the challenges of managing IT risks, were their greatest concerns.
"Clearly, cloud computing adds to these issues”, says Sembhi, “but, with the right technology in place, the security issues associated with this brave new networked world can be surmounted, even if the risk management process takes a little time”.
View from the Jericho Forum
It's not just ISACA that is developing and recommending best practices on the cloud security front. The Jericho Forum has recently announced that it is teaming up with the Cloud Security Alliance (CSA) − a not-for-profit group of information security and cloud computing security leaders – to promote best practice for secure collaboration in the cloud.
Both groups have one goal: to help businesses understand the opportunity posed by cloud computing and encourage common and secure cloud practices.
Adrian Seccombe, CISO and senior enterprise information architect at Eli Lilly and a Jericho Forum board member, says that within the framework of the new partnership, both groups will continue to provide practical guidance on how to operate securely in the cloud while actively aiming to align the outcomes of their work.
"This is good news for the industry", he says, adding that the cloud represents a compelling opportunity to achieve more with less but at the same time presents considerable security challenges.
Seccombe argues that in order for business to get the most out of cloud computing, its development must be addressed responsibly and with IT managers’ eyes fully open.
|"It is vital that you manage the associated risks (specific to cloud computing) to your business environment and goals and deal with them effectively."
"Working together we believe that the CSA and Jericho Forum can bring clear leadership in this important area and dispel some of the hype and confusion stirred up in the cloud."
Over at the CSA, Jim Reavis, the alliance's co-founder, says that cloud computing represents a fundamental shift in computing with limitless potential.
“Solving the new set of risk issues it introduces is a shared responsibility of cloud provider and customer alike", Reavis says.
Both groups have recently published initial guidelines for cloud computing. The Jericho Forum has published a Cloud Cube Model designed to be an essential first tool to help business evaluate the risk and opportunity associated with moving in to the cloud.
A video presentation of this is available on YouTube and an accompanying Cloud Cube Model positioning paper is downloadable from the Jericho Forum website.