ISSE 2009: The ups and downs of cloud computing

First, Gebel went through some of the justifications for moving towards cloud computing from businesses’ perspective:

  • We’re running out of space and power (in data centres)
  • We’re spending lots of money on overhead
  • It’s not our core competency
  • We could not exist without it

With cloud computing, applications, data and infrastructure could be spread everywhere: on premise, and in public, private and hybrid clouds.

The risks of cloud computing

Cloud computing could present significant risks, and so security must be applied to the cloud and hybrid scenarios, Gebel said.

He warned that businesses should be very wary of storing sensitive data in the cloud. However, it makes a lot of sense to use internal or hybrid clouds to save costs.

Furthermore, in the current cloud computing market, it is hard to change the terms of what is being offered by cloud service providers, meaning companies have little actual control over the services they subscribe to.

There is also the risk that the multi-tenant, dynamic characteristics of cloud computing may expose sensitive data.

Vendor viability creates strategic risk (there are many starter vendors); denial of service (DoS) attacks could create systemic risk; and a lack of transparency and accountability regarding security practices lowers vendor trust in cloud computing.

Cloud computing also presents users with legal, financial and reputation risks:

  • Jurisdiction of where companies are based vs. where the data is held – even though cloud computing is about storing data anywhere
  • What if law enforcement where your data is held requests it to be handed over, and the service provider does so without notifying your company first?

Also some cloud service providers do not disclose their security measures.

The benefits of cloud computing

Gebel was keen to point out, however, that he was in no way against cloud computing, as it also has its positives.

When comparing cloud computing against ‘conventional’ computing, Gebel said that on-premise IT “doesn’t have a perfect record either”. It is also important to measure cloud computing against realistic expectations.

If done correctly and securely, cloud computing could improve availability, and private clouds (communities) can support collaboration with external partners.

Some use cloud computing for business continuity and disaster recovery purposes – for scenarios such as the swine flu.

There is also the benefit that workloads can be moved around a lot more easily with cloud computing.

Although you have fewer preventive security controls available with cloud computing, you can transfer risk and monitor it.

What is needed?

Gebel told the ISSE 2009 audience that we need to define rules of engagement for using cloud computing – assess sensitivity of information, risks, etc. Furthermore, customers need the right to audit and the right to privacy in the public cloud.

Secure cloud computing requires third party trusted assessors, and we must rethink security technologies. It also goes without saying that encryption and key management are important.

Recommendations for secure cloud computing:

  • Do not use public clouds for sensitive data
  • If you need to use cloud computing, then take out an insurance policy for the IT department
  • If using public clouds, start with low risk or low volume applications
  • Build internal clouds
  • Consider private clouds for vertical industry
  • Demand greater vendor transparency
  • Demand service level agreements and have an exit strategy
  • Better definition of audit assessment criteria
