Forrester Research questions the security of cloud computing in its report ‘How Secure is Your Cloud?’, the first document in the ‘Secure Cloud Computing’ series.
Benefits of using cloud computing include: operational (uptime, availability, expedite launch of new IT projects); financial (pay-as-you-go model, lower cost of ownership); and better support for collaboration and community computing.
Security and privacy concerns are still seen as a strong barrier-to-entry for cloud computing, however, and Forrester Research warns that IT professionals must develop better ways of evaluating security and privacy practices in the cloud services.
The analyst does not warn against cloud computing in itself, but highlights the security issues surrounding its use. “The ultimate goal [is to] make the cloud service work like your own IT security department and find ways to secure and optimise your investment in the cloud,” the report states.
Steve Whitlook from international IT security thought-leadership association, Jericho Forum, comments: “Like many others, we see huge potential and benefits for moving into ‘the cloud’, but we see risks, security issues, and interoperability issues. The community has much work to do to make the cloud a safe place to collaborate.”
Where’s the data?
Cloud computing raises information security issues such as ‘where is the data stored’ and ‘who else has access to the cloud’ as cloud computing is based on multi-tenancy. “These differences give rise to a unique set of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues and areas such as compliance, auditing, and eDiscovery”, Forrester Research has found.
The report mentions the recent security breach at Google Docs and the proposed change of the terms and conditions on Facebook on ownership of content when a user wishes to withdraw information and content.
Forrester has compiled extensive checklists that organisations should go through before choosing a cloud computing service provider. The checklists include topics such as ‘security and privacy’, ‘compliance’ and ‘other legal and contractual issues’.
Organisations should also evaluate the vendor’s security and privacy practices including data protection, vulnerability management, physical and personnel security, availability, application security, incident response, and privacy.
Compliance – who’s liable?
“Cloud computing has the potential of putting compliance at risk, as it requires you to hand over IT controls to someone else and in the process of doing so introduces uncertainties in these aspects: business continuity…, logs and audit trails…, [and] specific compliance requirements…”, the report states.
Compliance is a big issue, as the responsibility remains with the company itself and not with the cloud computing services provider or vendor: “Companies that are considering contracting cloud services should understand that compliance is ultimately your responsibility”, Forrester Research says.
Using cloud computing means data could be put in places where there is uncertainty around how information is policed, and information security legislation in the country or countries where the organisation using cloud computing is based, could be different or not exist at all in locations where the information is being stored.
Safe cloud computing
Forrester sums up the report with some recommendations for organisations venturing into the clouds:
- Gather legal and regulatory requirements first for a feasibility assessment;
- Work guidelines and standards into the SLA;
- Seek ongoing assurance that your service providers are compliant; and
- Use a third-party, unbiased cloud assessment service.