A Clear Future for a Cloudy Concept

Cloud computing is a technology that all large IT organizations will, at the very least, be considering.

The financial crisis of the last two years, and the resulting squeeze on capital for new IT projects, makes the “pay-per-use” model of cloud computing very attractive.

At the same time, advances in computing technology – such as virtualization – have lowered the cost of providing cloud services. Improvements in communications – especially internet bandwidth – have also brought cloud services within reach of more organizations. But when it comes to data privacy and information security in the cloud, significant concerns remain.

The idea of cloud computing is not, in and of itself, a new one. Companies and public sector organizations have used remote or shared computing services in one form or another since the 1960s, suggests Hamish Macarthur, co-founder of industry analysts Macarthur Stroud. The difference lies mainly in the proliferation of cloud service providers, and the technology’s reliance on the public internet.

“Cloud is an extension to the service bureau model and the outsourcing model”, Macarthur says. “With developments in virtualization, in particular, there are new ways of delivering services that are network based”, he adds. “For cloud, those services can be private or public. It is about how you look at the technology to provide a service, or whether you look at other parties to provide it.”

Consuming IT Services

Despite the hype, even cloud computing vendors concede that the technology is more evolutionary than revolutionary. As Marc Wilkinson, director of the cloud global practice in HP’s Software & Solutions division points out, cloud computing shares many facets with other forms of outsourced IT.

“The security policies and procedures are, in many ways, identical to other ways of consuming IT services”, he says.

“The threats may be different, especially because cloud computing tends to be delivered over the public internet, often through a VPN. If you use a poor VPN, you are opening yourself [up to] more.”

Conventional outsourcing contracts, he suggests, are usually longer-term, less dynamic arrangements that merit installing fixed infrastructure, such as leased lines. These, Wilkinson notes, can be easier to secure.

“With cloud, the feeling is that there is an increased security risk from the public environment, but in part that is ignorance”, he adds. “[The industry] needs to spend time on education.”

Nonetheless, there are a number of specific security issues that could affect businesses using cloud-based IT services. As Wilkinson cautions, the speed and ease of development of applications and services in the cloud can mean security is overlooked.

A Transparent Cloud

The primary risk to data security comes from the public nature of cloud services and the fact that, unless a business uses a private cloud, processing and storage is shared with other users.

Although techniques such as virtualization have improved – allowing IT departments to better segment processing loads between users on the same physical system – other issues remain. Chief among these are the need to transmit information over the public internet to the cloud service provider, and the differing levels of control offered with the various cloud computing environments.

Organizations that are able to rent an entire virtual machine in the cloud – so-called infrastructure as a service – will at least retain control over issues such as firewalls and operating system patches.

Platform-as-a-service systems – where customers write applications specifically for the cloud system – offer less control and therefore require a greater degree of trust between the service provider and customer.

According to Steve Lipner, director of security engineering strategy at Microsoft, platforms as a service (PaaS) and infrastructure as a service (IaaS) do complicate the picture.

“If you are running a custom application on the cloud, it is up to the customer to build and configure that application securely”, he says. “But PaaS environments such as [Microsoft] Azure do provide the opportunity to provide a safe language and a run-time environment to reduce the cloud customer’s exposure and reduce the type of program areas that cause problems.”

Security officers, though, will need to look beyond the application development platform and technical security features, such as sandboxes and run-time environments, and also examine the detail of the contracts.

“Moving to cloud computing services shifts direct control over the technology and resources that provide the services, making it a shared responsibility for the infrastructure and also the data within the cloud computing environment”, says Gary Wood, co-author of an Information Security Forum report, ‘Security Implications of Cloud Computing’.

With any cloud computing project, the issue of which party is responsible for certain aspects of security, and the way those responsibilities are written into the contract, go to the core of a successful deployment.

Bespoke or Not Bespoke?

Public cloud services are, by their nature, generic. A provider is unlikely to be willing to write specific security measures or service levels into the contract, whereas an organization setting up a ‘private’ cloud, either in their own data centre or through a service provider, will have a much greater degree of control. But, inevitably, bespoke systems will cost more.

For public clouds, “it is about getting clarity into the contract”, says Tony Osborn, technology manager for the public sector at Symantec. “It is about understanding who is responsible for what”, he continues. “You need clear service level agreements and clear reporting. It is a partnership with significant responsibilities on both sides.”

The principles involved in writing a contract for secure cloud computing are similar to those for other forms of outsourcing, Osborn adds, but the difference is that the cloud requires a “significant increase in trust and assurance”.

It is not just the flexibility of the cloud – such as the ability to move and store data in different locations almost at will – that raises concerns. As the market is still relatively immature, with both large vendors and start-ups competing for business, cloud users need to take care over issues such as vendor stability and financial viability.

CIOs and CISOs need to be sure that legal title to data remains with their company, not the cloud vendor. For cloud services that offer mostly computing or processing capacity, data recovery might not be too great an issue.

But for any system that deals in archiving or holds data for the long term, cloud users need to make sure there are arrangements in place for recovering or repatriating the data at the end of the contract, or in the event of vendor failure.

Given the size of data sets being used in business today, this is a serious consideration: network technologies might not be adequate to transfer data back to in-house systems or a new provider in a reasonable time frame. In some cases, a data owner might only be able to retrieve information by disk or tape, which will mean obtaining physical access to the provider’s data centers.

“How secure is my data is a key question”, says Stephen Haux, EMEA product manager at Iron Mountain, which provides cloud-based data archiving as well as archiving for physical documents.

“There is also the legal question: can the customer give me the data? We have data centers in the UK and Belgium so clients don’t need to go outside their country, or the EU. But there is still a lack of understanding of the EU legislation”, Haux warns. “Then there is the risk of a provider going bankrupt.”

He points out that Iron Mountain has offered online archiving for 10 years and physical document storage for 60 years, but Haux concedes that the public perception of cloud computing is being colored by the rapid growth of low-cost, consumer services, some of which have failed or closed down.

Over-engineered Systems

IT departments, however, would be wrong to dismiss all public – or even all consumer – cloud services out of hand. Some offer a combination of sufficient security and resilience, at a low cost (or even no cost).

Much depends on the nature of the project, and the sensitivity of the data. Large newspaper groups, including The Guardian and The Telegraph, for example, are using Google Docs, and companies in industries as sensitive as pharmaceuticals have used Amazon’s EC2 cloud infrastructure for analysis work.

“If you have no security issues, working with Amazon or Google may be OK”, says Neil Fisher, vice president for global security solutions at Unisys, the IT security vendor.

Although there are high-security solutions on the market, such as Unisys’ Stealth cloud, businesses should also try to avoid over-engineering their systems. If organizations had ‘grown up’ with cloud computing, rather than building in-house systems, many of the security issues would not seem as severe. Organizations could also take advantage of some of the inherent security advantages of the cloud, such as information dispersal.

In fact, taking different approaches to cloud security and other IT infrastructure might well prove counterproductive.

“We are trying to make cloud computing security as simple as possible”, suggests Lee Newcombe, principal consultant for security at Cap Gemini. “It is a question of identifying and managing the risks. It is just a different [IT] delivery model.”