Reducing Security Risks in Cloud Computing
Two recent events have exposed the dark sides of cloud computing for both businesses and consumers.
These incidents—the partial outage of Amazon’s EC2 cloud service and the security breach of Sony’s PlayStation Network and Qriocity music service—underscore a key issue of the cloud computing model: customers’ lack of control over their data.
But they’ve also shed light on realities that need to be confronted if cloud computing is to live up to the hype as the next big thing in computing.
Although industry experts say there are no indications that businesses are delaying cloud computing projects, these events have highlighted the need for cloud customers to perform better due diligence. They’ve also made clear the need for a standard set of best practices, which experts say will help instill confidence that data stored in the cloud will be handled securely, reliably, and in compliance with various regulations.
“Businesses are still going forward with new projects,” says Jim Reavis, executive director of the Cloud Security Alliance. “But they’ve tended to look at the specifics of their deployment and ask, What lessons can we learn from the Amazon issue, and do we need to change anything in our deployment?”
Reliability and security are customers’ main concerns about cloud computing. Jay Heiser, research vice president at Gartner, notes that cloud providers have a long way to go when it comes to proving their ability to recover from a significant outage. Although Google successfully restored e-mail messages that were lost during a Gmail outage earlier this year, Heiser says the amount of time it took to recover is hardly comforting.
“It took four days to recover 0.02 percent of the users of a single service,” he says. “That raises the question of how long it would take to restore a bigger event. If one percent of Gmail users were impacted, would it take 200 days to restore service? I don’t know how a provider can give their customers some level of assurance that they can quickly restore after an unforeseen accident happens.”
And Terry Woloszyn, founder of PerspecSys, an Orangeville, Ontario-based developer of cloud data governance solutions, says that as cloud computing becomes more popular, the providers become bigger targets for hackers.
“As we’ve seen with Sony, one hack buys me millions of identities,” he says. “The cloud vendors are painting targets on their backs, and the enterprise knows it, and now the consumer is starting to realize it as well. Cloud overall has to start addressing that, from the individual all the way to the largest of enterprises, if it’s going to succeed.”
By paying a third-party vendor to handle tasks such as storage and database management offsite, businesses can save on technology and personnel costs. But Reavis notes that by ceding that control to a cloud provider, corporate customers often ignore their core business practices and risk management policies.
“What we’ve found is some of them have gotten a bit sloppy,” he says. “Because cloud is so easy to provision, enterprises sometimes bypass their central procurement department. The general IT processes that do all the vetting for risk management and security don’t get followed sometimes.”
The Cloud Security Alliance works with standards development organizations to promote best practices for both cloud computing providers and their customers.
“Providers have a responsibility to be a lot more transparent in exactly what they’re doing—how they’re securing systems, how they’re managing data, how they delete data, how they provision systems,” Reavis says.
“And customers have to understand that they can’t just throw all of the security and compliance concerns to the provider; they have a responsibility, as well, to ask for the right things, to understand their risk management responsibilities, because you can’t outsource that.”
Heiser says initiatives from the Cloud Security Alliance and other organizations are a good start, but that the industry is still a long way off from a consensus.