The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had -- and still have -- their own security issues.
Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we're seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.
Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model -- private, public or hybrid.
1. How does a cloud deployment change my risk profile?
A cloud computing deployment -- whether private or public -- means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk -- sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems. This can help lower your risk. Other cloud applications may be unable to modify their security profiles, they may not fit with your existing security measures, and may increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used or if a cloud model makes sense at all.
2. What do I need to do to ensure my existing security policy accommodates the cloud model?
A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend you existing security policies to accommodate this additional platform. To modify your policies for cloud, you need to consider similar factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.
3. Will a cloud deployment compromise my ability to meet regulatory mandates?
Cloud deployments shift your risk profile and could affect your ability to meet various regulations. This requires evaluation of compliance requirements as they relate to the cloud deployment you are considering. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements, while others are more generic and cannot or will not meet detailed compliance requirements. For example, if you are bound by a regulation that says your data cannot be stored outside the country, some cloud providers may not be able to accommodate this regulation based on data center locations.
4. Are the cloud providers using any security standards or best practices (SAML, WS-Trust, ISO or otherwise)?
Standards play a very important role in cloud computing as interoperability among services will be critical to ensure the cloud does not go down the path of proprietary security silos. A number of organizations have been created and extended to support cloud initiatives. The Cloud-standards.org wiki lists most of the standards organizations involved in the cloud, including those associated with security.
5. What happens if a breach occurs? How are incidents handled?
As you plan for security in the cloud you need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider and must be handled on an individual basis. The cloud provider (as a service provider), and you as a company, most likely have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.
6. Who is liable or will be viewed as the responsible entity for securing my data?
The reality is security responsibility will be shared. However, in the court of public perception, -- at least today -- it's the company collecting the data, not the cloud provider, who is viewed as ultimately responsible for information security. In well-negotiated contracts you may be able to limit your responsibility and your liability for data loss so that it is shared with the cloud provider, but from your customers' perspectives, you still may be viewed as responsible.
7. How do I ensure only appropriate data is moved into the cloud?
Understanding what data is sensitive and building an appropriate security model based on data and applications is critical to understanding what data could be moved to the cloud. This process should begin long before ever considering a cloud deployment as it is a critical part of good security practices. Many companies use data leakage protection technology to classify and tag data.
8. How do I ensure only authorized employees, partners and customers can access data and applications?
Identity and access management is an existing security challenge that is amplified by cloud deployments. Technical capabilities such as federation, securing virtualized systems, and provisioning all play a role in cloud security, as they play a role in today's IT platforms. Extending and supplementing your existing environments to support the cloud can help solve this challenge.
9. How are my data and applications hosted, and what security technologies are in place?
Cloud providers should provide this information as it can directly affect an organization's ability to comply with certain regulations. Transparency is critical and necessary for you to make informed decisions.
10. What are the factors that tell me I can trust this provider?
A number of factors come in to play when evaluating the level of trust to assign to a provider. They include many of the same dynamics you consider for any outsourced project, such as: the maturity of service and the provider; the type of contracts, SLA's, vulnerability procedures, and security policies; their track record; and their forward-looking strategy, to name a few.
Moving to a new computing platform is not something to jump into without careful consideration. The answers to these questions are complex and often lead to more questions. We've merely scratched the surface at a high level on some of the security questions to think about when considering a cloud platform.
However, enterprises should also understand they have the power to drive the security technologies used in the cloud -- whether it's a private, public or hybrid cloud. Understanding that cloud consumers can, should, and are expected to take responsibility for security measures can lead to the cloud being a secure platform that delivers cost savings and improved productivity.
Tim Brown is a distinguished engineer and chief security architect for the Security and Compliance business unit at CA, Inc. He has worked with many companies and government agencies to implement sound and practical security policies and solutions. Recently he provided expert testimony at the Cyber Security R&D hearing before the (U.S.) House Committee on Science and Technology, Subcommittee on Research and Science Education. Prior to joining CA, Tim spent 12 years at Symantec. He is an avid inventor with 14 patents on file in the security field.