CIO

Cloud growth prompts shift in enterprise security strategies

By Patricia Brown, CIO | Security

What a different global economy this would be if it were only a little bit more like the cloud. As the financial markets go through their bipolar mood swings with every wrenching headline, the market for cloud services has marched steadily upward and onward, seemingly unfazed by the concerns of the non-virtual world.

According to the research firm Global Industry Analysts, worldwide demand for cloud computing services will reach $222.5 billion by the year 2015. Indeed, the very perils of the current economic climate seem to propel cloud prospects forward.

"The bad economy is feeding [demand], as cash- and revenue-starved companies prowl for IT solutions that are cost-effective, require minimum to zero investments, and low management of computing resources," note the analysts in a statement.

IDC predicts public cloud computing services alone will grow to $72.9 billion in 2015, up from $21.5 billion in 2010. Indeed, in 2015, public cloud services will account for 46% of net new growth in overall IT spending in five key product categories--applications, application development and deployment, systems infrastructure software, basic storage and servers.

With numbers like these, what could possibly go wrong?

In fact, there is significant trepidation over security, governance and risk management issues associated with every flavor of the cloud--public, private and hybrid. "Security and other risk concerns are the largest inhibitor of cloud computing," says Gartner Vice President Jay Heiser.

Trend Micro found that 43% of the 1,200 worldwide respondents to a survey it conducted have had security issues with their cloud providers. The report showed that even though more enterprises were moving to the cloud, 50% were concerned over the security of their data as well as the cloud infrastructure itself. About 48% were concerned about performance and availability of cloud service.

The finding is supported by analysts from the Burton Group (which is now owned by Gartner), in a report from July 2009, titled Cloud Computing Security in the Enterprise.

"Cloud computing," note the Burton Group researchers, "creates significant risks and requires a rethink--but not a reinvention--of security programs and architectures. To the extent that they leverage public or private (community) clouds, organizations must accommodate themselves to security postures emphasizing risk transfer, deterrence, monitoring, feedback, and audit more than preventive control."

Moving Away From the Center

Traditional approaches to security, in short, are not going to port easily to the cloud environment.

The central reason revolves around the lack of a center. Not long ago, security doctrine revolved around putting sensitive information inside a secure firewalled environment, and then hardening the perimeter. Anything inside the firewall was good. Anything outside, not so much.

Over the years, the proliferation of mobile devices, remote access and inter-organizational collaboration has punched a growing number of holes in this philosophy of secure computing. Moreover, we are now coming to understand that the "cloud" is less a place "out there" than it is a style of managing computing and communications resources.

The cloud approach is more about "federation" than about "centralization." In other words, as organizations seek to put the most appropriate and cost-effective technology resources on key business challenges or processes, they are turning to third-party providers like Salesforce.com for things like customer relationship management. The reason: these third-party providers do a much better job at managing these discrete functions at a much lower per-seat cost. They have economies of scale, and a lot more practice.

We are also learning that the most reputable cloud service providers have a huge stake in meeting the highest security standards and compliance requirements. Their business models depend on enterprise clients having a high level of confidence in their environment.

"Traditional security involves an outside-in approach where you have layered primary defenses," says Dave Asprey, vice president of cloud security at Trend Micro. "In the cloud a lot of the perimeters that you used to defend are not your responsibility anymore. They are your cloud providers' responsibility. As a result, [enterprises] don't have all of the visibility they used to have in order to provide full defense."

The issue of federation does not go away in the private cloud model. As CIOs adopt internal clouds to consolidate infrastructure and optimize service delivery, the concept of federation remains in place.

Optimizing Utilization

For instance, virtualizing the infrastructure means applications can dynamically move among servers as needed. The main cost benefit of this approach is that it helps to optimize utilization of the infrastructure. Instead of dedicating specific applications to specific servers that only operate at 10 to 30% utilization rates in order to account for spikes in demand, virtualization allows CIOs to create "pools of processing capacity" regardless of operating system. This abstraction allows organizations to double--and even triple--utilization rates. This saves lots of money.

But it raises some interesting questions: How do you know where critical data is at any given moment in time? Can data flows be tracked? And regardless of where it is in this virtualized environment, is data being protected in a consistent and compliant fashion?

"One of the biggest challenges is how to bring existing services along with standards for audit, compliance and security into this new cloud infrastructure," says Dave Elliot, development manager for Symantec.

To add some clarity to the whole process, there is a growing chorus of people who believe that the industry should develop some kind of cloud-focused security certification program.

One group that is hoping to establish itself in this arena is the Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing.

In early August, the group launched a new initiative to encourage transparency of security practices within cloud providers. Scheduled to be available in the fourth quarter of this year, the CSA Security, Trust & Assurance Registry (STAR) will be a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering.

The STAR announcement builds on efforts to liaise with international standards setting bodies to define best practices around security and privacy issues so that enterprises can move forward confidently with their cloud strategies.

Benefits Abound

Experts agree the benefits of security standards are numerous, including:

* Consistency. Users have a list of things that are especially relevant to cloud computing and have specific questions to ask of their vendors. "Only a small number of vendors have truly taken it to heart, but I honestly believe the buyers will force them into being more transparent," Heiser said.

* Availability. For an enterprise interested in the highest possible uptime and riding its workload on multiple clouds, this is a secure way for them to take a workload and make sure they have backup. If one cloud provider does have an outage, which does happen, the other cloud is able to pick up the load. "One benefit of security is availability," said Asprey. "People are realizing without security, the cloud will probably go down and their uptime will be affected. Security is now seen as operational."

* Cost savings. With standards, buyers are able to hold cloud providers accountable. They will be able to deploy around standards, which means lower operational costs.

Sustained confidence in the secure and risk-adjusted business processes at work behind cloud technology will play a key role in the ongoing growth of this market. And who knows, if cloud can stay on its current trajectory, maybe its positive outlook can spread to the rest of our anemic economy.

Patricia Brown is a Washington, D.C.-based writer and editor who has been covering technology and business for more than 20 years. Reach her at pbrown@biztechreports.com.