Making Clouds Secure - Page 2
Defining security problems on Cloud servers
Practically every expert in the industry approaches Cloud Computing with their own interpretation of the concept. As a result, after examining numerous published works on the subject, one might get the impression that there is really no standardization at all. Questions regarding the security of Skype — a typical consumer Cloud service — get jumbled up with the business aspects of installing SaaS, while Microsoft Live Mesh is already becoming a headache for companies that never even planned on using it in the first place.
That's why it would make complete sense to deconstruct the problem of Cloud Computing security into several high-level categories. In the end, all aspects of Cloud service security can be put into one of four main categories:
- Security issues with consumer Cloud and Web 2.0 services. As a rule, these problems don't have as much to do with security as they do with privacy and the protection of personal data. Similar problems are common among most major Internet service providers — just think about all of the accusations against Google or Microsoft that come up from time to time with regard to tracking user activity.
- Corporate-level security issues resulting from the popularity of consumer Cloud services. This becomes a problem when employees get together on sites like Facebook and gossip about corporate secrets.
- Cloud computing security issues related to corporate usage, and the use of SaaS in particular.
- Issues concerning the use of the Cloud Computing concept in information security solutions.
Deconstructing corporate Cloud services
IDC analysts who spoke at the IDC Cloud Computing Forum in February 2009 stated that information security is the top concern among companies interested in using Cloud Computing. According to IDC, 75% of IT managers are concerned about Cloud service security.
In order to understand why, we need to continue our deconstruction of the security issue. For corporations using Cloud services, all security issues can be further divided into three main categories:
- the security of a platform that is located on the premises of the service provider;
- the security of workstations (endpoints) that are located directly on the client's premises;
- and finally, the security of data that are transferred from endpoints to the platform.
The last point concerning the security of transferred data is de facto already resolved using data encryption technologies, secure connections, and VPN. Practically all modern Cloud services support these mechanisms, and transferring data from endpoints to a platform can now be seen as a fully secure process.
The platform: trust and functionality problems
Clearly, security issues related to service platform functionality are the biggest headache for IT managers today. For many, figuring out how to ensure the security of something that cannot be directly controlled is not a very straightforward process. The platform of a typical Cloud service is not simply located on the premises of a third-party organization, but often at an unknown data center in an unknown country.
In other words, Cloud Computing's basic security problem comes down to issues of client trust (and verifying trust) in service providers and is a continuation of the same issues that arise with any type of outsourcing: company specialists and management are simply not accustomed to outsourcing something as crucial as the security of business data. However, one can be certain that this problem will be resolved since other forms of outsourcing for the same IT processes and resources no longer give rise to any fundamental concerns.
What is this certainty based on? First of all, it is considerably easier for Cloud service providers to ensure the security of the data centers where available resources are located. This is due to the scale effect: since the service provider is offering services to a relatively large number of clients, it will provide security for each of them at the same time and, as a result, can use more complex and effective types of protection. Of course, companies like Google or Microsoft have more resources to ensure platform security than a small contracting firm or even a large corporation with its own data center.
Second, using Cloud services between client and provider organizations is always based on their respective Cloud services quality agreements (SLA), which clearly set out the provider's responsibility for various information security issues. Third, the provider's business directly depends on its reputation, which is why it will strive to ensure information security at the highest possible level.
In addition to verification and trust issues, Cloud platform clients also worry about the full functionality of information security. While most in-house systems already support this feature (thanks to many years of evolution), the situation is much more complicated when it comes to Cloud services.
Gartner's brochure “Assessing the Security Risks of Cloud Computing” examines seven of the most relevant Cloud service security problems, most of which are directly related to the idiosyncrasies of the way Cloud systems function. In particular, Gartner recommends looking at Cloud system functions from the viewpoint of access rights distribution, data recovery capabilities, investigative support and auditing.
Are there any conceptual restrictions that might make it impossible to put these things into practice? The answer is definitely no: everything that can be done within an organization can technically be executed within a “Cloud.” Information security problems essentially depend on the design of specific Cloud products and services.
When it comes to Cloud Computing platform security, we should address yet another important problem with regard to laws and regulations. Difficulties arise because a separation of data takes place between the client and the service provider within the Cloud Computing environment, and that separation often complicates the process of ensuring compliance with various statutory acts and standards. While this is a serious problem, it will no doubt be resolved sooner or later. On the one hand, as Cloud Computing becomes more widespread, the technologies used to ensure compliance with legal requirements will be improved. On the other hand, legislators will have to consider the technical peculiarities of the Cloud Computing environment in new versions of regulatory documents.
In summary, the concerns about information security as it pertains to the platform component of the Cloud Computing environment lead us to the conclusion that while all of the problems that potential clients have identified do in fact exist today, they will be successfully resolved. There simply are no conceptual restrictions in Cloud Computing.