Spotlight on Cloud Computing: The Great Data Center Debate

Kevin Townsend examines security and compliance concerns when moving your information to a cloud-based provider
Kevin Townsend examines security and compliance concerns when moving your information to a cloud-based provider
Simon Daykin, Logicalis
Simon Daykin, Logicalis
Matthew Philpott, Telstra International
Matthew Philpott, Telstra International
Raj Samani, McAfee
Raj Samani, McAfee

In December 2010, the Centre for Economics and Business Research (CEBR) published a report commissioned by EMC: The Cloud Dividend (Part One) – The economic benefits of cloud computing to business and the wider EMEA economy. The numbers involved are astonishing. “We find”, it claims, “that, across the five economies as a whole [France, Germany, Italy, Spain and the UK], widespread adoption of cloud computing has the potential to generate over €763 bn/£650bn/$998bn of cumulative economic benefits over the period 2010 to 2015.”

Savings for individual companies are equally astonishing: 20% reduction in the costs of external IT services; 2% reduction in software maintenance costs; 18% reduction in server and storage costs; and 44% reduction in network hardware costs. Add to this the almost complete elimination of heating, cooling and floor space expenditures for those companies moving their entire data center into the cloud.

"Gaining visibility into service provider environments and governing them according to overall enterprise GRC strategy have emerged as the major concerns for organizations when considering the use of public cloud services"
Eric Baize, EMC

Nevertheless, the complete migration of data centers into the cloud is not happening as fast as these arguments suggest it should, which poses several questions as to why this is the case. To answer some of these questions it’s important to examine the concept and the arguments in favor of, and against, moving data centers into the cloud.

Defining the Data Center in the Cloud

The key features of cloud computing are that it provides and charges for computing services on-demand over a network. These services usually fall into one of three categories:

  • Public cloud: Provides computing services to whoever requires them, including, in theory, anything from a complete data center to Google Docs or Hotmail.
  • Private cloud: Provides hosted computing services, such as a data center, to a select number of entities from one or a limited number of hosting sites.
  • Hybrid cloud: Companies use limited cloud services (such as the storage of non-sensitive data, or email services) while retaining their own computing resources for mission-critical computing.

Technically, a data center could reside in either the public or private cloud, but it does beg the question: What is a data center in the cloud? If you keep to the traditional definition (a server farm with associated storage and telecommunications conforming to Tier 1 to 4 standards, but in a private cloud), then you effectively have a hosted data center, not a cloud data center. If you develop a data center in the public cloud, then to maximize public cloud opportunities you would disperse it – and you would no longer have a data center.

"With a secure and transparent cloud, the capability exists to meet most if not all compliance requirements"
Simon Daykin, Logicalis

William Beer, UK director at PricewaterhouseCoopers, understands the confusion. “If we are talking about a data center in the public cloud”, he says, “it is extremely difficult to define it. If we’re talking about a data center in a private cloud, then it is a little easier in that I’ve got more understanding of what’s happening and where.”

He does, however, say that none of this is really important – that the beauty of the cloud is that you simply don’t need to know the details. “All I need is the service level agreement with my provider – and that should supply me with all I need to know, and all I need to understand.”

The logic of this argument is that you have a data center in the cloud if you have a contract with a cloud provider to supply you with data center services. What, where and how is simply no longer your concern. If the contract says you have a data center, then you have a data center.

The Case in Favor: The Green Argument

One of the biggest arguments for moving into the cloud is the green argument, but this could equally be called the ‘cost argument’. “There is a genuine green argument for cloud computing”, says Philip Lieberman, president and CEO of Lieberman Software. “In conventional data centers, every system is running 24 hours a day and, by necessity, over-provisioning of systems is normal. This means huge amounts of power and air conditioning are needed to support an in-house solution.”

Conversely, notes Lieberman, “cloud providers use more power-efficient solutions, and the air conditioning strategies are also less power hungry. As a matter of cost savings, cloud providers shut down unused systems simply because they save money doing so. The hardware used by the cloud providers is also vastly more energy efficient compared to what data centers normally use. Finally, the cloud providers are proactively operating their infrastructures in a power-efficient manner.”

"As much as any individual company can be compliant in its own local/private data center, it can be compliant in a data center hosted by someone else"
Rami Habal, Proofpoint

Max Feneck, marketing manager at SunGard Availability Services, absolutely agrees. “In some respects, a cloud environment is the ultimate shared service – not only the servers and the discs are shared, but the cabinet, data centers, communications lines and even the skilled staff required to run the environment. It makes the data center available at a fraction of the cost of any one company trying to buy, resource and power its own dedicated facility and allows organizations to move more of their IT costs towards an operational expenditure model. All added together, [it] means a more efficient and therefore greener solution than a ‘dedicated’ solution.”

So whether you call it the green argument or the cost argument, it is certainly a compelling line of reasoning: you should move your data center into the cloud. The contract with a provider will define just how green it is and how much money will be saved.

The Case Against: Security

There are two aspects to the security problem: defending your data (traditional security), and complying with legal requirements (compliance).

When you move your data into the cloud, you are forced to rely on the security of your provider. This is psychologically difficult. Logic, however, suggests that a dedicated service provider will have dedicated security experts – probably more than you could afford yourself.

Consider the recent pro-WikiLeaks DDoS attacks. “While some corporate brands fell under the logical weight imposed by cyber attacks”, comments professor John Walker, CTO of Secure-Bastion, “some cloud-based sites successfully sustained their operations during the adverse conditions”.

The reason, he believes, is relatively simple. “While organizations buy the latest technology, they don’t always buy the latest training for their employees, creating a gap in understanding that manifests in problems.

"Because virtualization products deal with all aspects of the host and network, they are in a unique position to offer a more in-depth line of defense by being able to see the entire environment"
Matthew Philpott, Telstra International

Compare this to the cloud. What the cloud does is provide solutions. If you sign on with a good provider, it will have excellent technology that is up-to-date and current; but beyond that, it will have people who really understand the technology.” In short, a good cloud provider will have a better understanding of the security threat – and a greater ability to combat it – than most companies have outside of the cloud.

Matthew Philpott, of cloud provider Telstra International, believes that the physical characteristics of the cloud itself can also lead to improved security. “Some may argue”, he suggests, “that it is easier to build a compliant cloud, as the cloud used is more likely based on a specific product such as VMware or Hyper-V. Because virtualization products deal with all aspects of the host and network, they are in a unique position to offer a more in-depth line of defense by being able to see the entire environment.” (It is worth noting that, beyond a few proofs of concept, there is as yet no known malware able to attack the hypervisor.)

It is certainly the compliance issue that is the more difficult side of cloud security. Put simply, in most jurisdictions you are legally responsible for any personal data you hold. That effectively means every company, since a company’s own HR data will inevitably contain personal information.

“People are not moving sensitive data into the cloud yet”, says Edy Almer, VP of product management at end point security provider Safend. “There are a lot of legal issues around that. That is probably one of the hardest things to move into the cloud because you can’t tell where your data resides; and you have to be able to assure your regulator that you are not moving it outside of the country.” If you can’t do this, then you cannot have a data center that is truly in the cloud.

Not everyone agrees that cloud and compliance cannot be combined, however. Simon Daykin, CTO at Logicalis, has no doubts whatsoever. Can you be compliant in the cloud? “Absolutely!”, he says. “Compliance is about using a transparent and secure cloud where you can demonstrate separation and operate in clearly defined boundaries. With a secure and transparent cloud, the capability exists to meet most, if not all, compliance requirements.”

Rami Habal, director of product marketing at Proofpoint, takes a pragmatic view. “As much as any individual company can be compliant in its own local/private data center, it can be compliant in a data center hosted by someone else”, he suggests. For example, with “the EU Data Protection”, he says, “it is the data owner for sure (and there is a private right of action under the EU Data Directive), but a data processor can also become liable depending on its relationship with the data subject and the relevant contracts in place”.

The key to security and compliance in the cloud is the service-level agreement contract with the provider. It is unlikely that you can ‘contract out’ of your legal responsibilities as the data owner, but contractual proof of your attempts to safeguard that data will be an arguable defense in case of data loss.

The Contract

As previously noted, the key to developing a data center in the cloud, whether it’s to save costs by going green, or to specify security and compliance, is the SLA contract with the cloud provider. But how do you do this? How can you be confident that your provider is actually providing what it says?

"The user seeks a supplier whose answers satisfy its own risk appetite"
Raj Samani, McAfee

Checking that the provider uses the Cloud Security Alliance’s new Governance, Risk Management and Compliance Stack is advisable. Launched in November 2010, this is a toolkit for enterprises, cloud providers, and security solution providers, to instrument and assess both private and public clouds against best practices. At its launch, Eric Baize, senior director of cloud security strategy at EMC, claimed that “gaining visibility into service provider environments and governing them according to overall enterprise GRC strategy have emerged as the major concerns for organizations when considering the use of public cloud services.” CSA’s new GRC Stack will help enable this process.

But possibly more pertinent is Europe’s new Common Assurance Maturity Model – CAMM. It is designed to provide assurance levels for the third parties that you might seek to use – and it has particular relevance to cloud providers.

Raj Samani, founder of CAMM, explains that “the CAMM framework has a series of controls, and the third party would answer the questions that provide the answers. The third party then makes those details available. The user seeks a supplier whose answers satisfy its own risk appetite. For low-level security, a self-assessment might suffice; for high-level security, an independent audit might be required. Such an independent audit would be made available to all of the customers that the third party interacts with.”

In short, CAMM has the potential to provide the cloud buyer with an independent assessment of the cloud vendor, at no additional cost. CAMM may possibly make moving into the cloud easier, cheaper, and more assured. Samani has now taken on the additional mantle of the Cloud Security Alliance strategic advisor for EMEA. We can expect the CSA and CAMM to move closer: and between them they are likely to make the cloud a more transparent, secure and compliant location.

What’s Hot on Infosecurity Magazine?