Concerns over security and data privacy in the cloud need to be seen in the context of what organisations are currently doing to protect their confidential information, says Gordon Smith.
Survey after survey rates security concerns as the main obstacle to cloud computing. Whether the risks are perceived or real is to some extent irrelevant; as long as they exist, cloud providers must address them or face reluctant customers, despite a persuasive business case that offers cost savings and flexible technology to meet a company’s needs.
A recent report from the World Economic Forum (WEF), while broadly positive about cloud computing, cited significant barriers blocking its widespread adoption. Among the slew of rhetoric about technology’s latest trend, the WEF document stands out by the heavyweight panel assembled to contribute to it. The report was developed with the forum’s IT industry partnership and consultants Accenture, with input from some of technology’s leading names such as Microsoft, Google and Salesforce.com.
Chief among concerns about the cloud was maintaining the security of data, and related matters over privacy. A company that uses the cloud for its IT no longer has its data stored on its own servers within a computer room in its office building. Instead, it is stored in data centres belonging to third-party providers. The sense of information being out there in the ether straight away lends a feeling of insecurity and loss of control.
Secondly, logging in to many cloud services involves typing usernames and passwords, which experts say is not the most secure method of protecting information from unauthorised access.
Thirdly, the nature of how cloud systems are set up is that one company’s data can be stored side by side with that of a competitor, so businesses are naturally concerned that their precious information can’t be seen by anyone else.
Lastly, the cloud model means that a provider’s data centre may not even be in the same country as the customer. In an Irish context, that puts companies potentially in conflict with regulatory obligations such as the Data Protection Acts.
Addressing the security issues
Cloud providers are starting to acknowledge and address these worries; with a US$7m cloud computing deal with the City of Los Angeles on the line, Google recently agreed to step up security for its email and documents web service by adding an extra layer of protection to its standard username-and-password login. Anyone signing in with their password then receives a verification code by text message on their mobile phone.
Other providers say they will reveal exactly where your data is stored. Meanwhile, indigenous cloud service providers are making a significant play out of their locally-based data centres, which they say will ensure compliance with the data protection regime. Some firms also provide the ability to keep a company’s data on a physically separate storage system, which dramatically reduces the risk of unauthorised access.
Brian Honan, CEO of the Irish Reporting and Information Security Service, believes one benefit of the cloud is that it has made security a board-level issue that senior managers are now asking questions about.
However, contrary to the received wisdom that cloud providers are making their infrastructures absolutely bulletproof, Honan suggests they are merely making them secure enough. “Technically the cloud provider’s servers are probably more secure than your own because if they have a security incident, they’re out of business. As against that, they want to keep their costs down – that’s the balance they’re trying to achieve,” he says.
Honan warns that companies expecting to get extra assurances about security may have their requests rebuffed. “The provider is trying to provide an elastic, flexible service and all of the good things that the cloud is, but to do that, it has to be a standard service. If the US government goes to a cloud provider it has a better negotiating position than a 100-person accountancy firm,” he points out.
That in itself is not a reason to avoid moving to the cloud – boards just have to consider the cloud in the context of risk management. “Companies need to look at their data, the risks associated with it, and see how that risk is going to be managed by moving to the cloud,” says Honan.
He advises boards to do proper due diligence on cloud providers to ensure they are financially sound, and to ask rigorous questions about how an organisation’s information will be treated. “Regarding the data itself, where compliance is concerned you also need to find out where your data is going to be stored. The likes of Microsoft, Amazon and Google offer cloud services which are located in the EU specifically to address European Data Protection regulations,” adds Honan. In Ireland, this legislation applies mainly when organisations store sensitive information about members of the public, and directors can be held liable for any breach of this data. This is clearly an issue that needs oversight, not outsourcing.
The European Network and Information Security Agency (ENISA) is working on a common assurance maturity model (CAMM) which will act as a framework to benchmark a cloud provider’s security capability. Honan is heading the team drafting this document which will give businesses an objective, independent way to evaluate different providers and decide which is the most trustworthy. The framework is due to be completed by the end of the year.
Giles Hogben, a network security policy expert with ENISA, presented at this year’s Cloud Computing Summit in Dublin, where he acknowledged that security is a perception problem. “Especially in government, IT departments are quite nervous. They don’t like the idea that someone else has control of their data,” he said.
Possibly the biggest fallacy around security is that businesses assume their current IT systems protect them from loss of data. While statistics vary by sector, many business laptops and PCs are not secured properly. The annual report of the Data Protection Commissioner found that the number of reported data breaches in Ireland increased 50pc from 2009, so it is far from clear that organisations are doing a good job of protecting their own information.
As a result, a useful first step a board can take is to closely evaluate the company’s current information security posture: how well does it guard its data at the moment? If the business has already decided that it doesn’t need to encrypt the information that it holds, there may be no reason why that stance needs to change just because a company is moving some of its IT systems to the cloud. “Cloud security is not about risks in isolation – it’s about comparing risks that the cloud represents compared to the risks now, and in many cases, the cloud addresses those,” Hogben said.
However, there are drawbacks with some of the IT industry’s approach to security in the cloud, said Hogben. Many service providers don’t allow penetration testing, which is a commonly used security technique for checking the defences of an IT system. Also, providers may not give their customers access to the log files after a security incident, potentially limiting the ability of firms to carry out their own digital forensic investigation. Hogben emphasised that directors could not assume that moving to the cloud places the onus for security solely onto the provider. “You as the customer of the cloud provider remain responsible for your data. The buck stops with you, legally speaking,” he said.
The most sensible view – repeated throughout the Cloud Computing Summit – is that companies should not move everything over to the cloud at once, but it should be a gradual process, keeping the most important information under lock and key until the business is completely confident in the cloud based on its own experience. “Moving sensitive intellectual property is not a very good idea, and healthcare is also a touchy area,” said Hogben.
A survey contained in the WEF report found that there is still a lot of fear about being ‘locked in’ to one service provider. This concern has dogged IT since its earliest days, but Aidan McCarron, managing director of cloud computing provider Dediserve, says this is another aspect of traditional technology that the cloud turns on its head. “For most providers, the only way to win business is to be open – you just download your data back to your own computer. Vendor lock-in is nearly gone as an issue. It’s easier to move from one cloud provider to another than it is with a traditional technology provider,” he says.
If requested, service providers can also ring-fence a customer’s data to minimise the risk of unintentional access. “It’s the same as having two physical machines sitting beside each other, not connected,” McCarron explains.
The WEF report also suggested ways in which cloud providers can help to spur adoption of the technology by addressing customer concerns more clearly. For example, this would include offering greater visibility about where data is located, making clear commitments around service levels and making it easy to switch providers.
All of this suggests a work in progress in what is still a relatively immature market, so it follows that businesses should take a parallel approach – committing as much to the cloud as they are comfortable with and moving more as assurances improve.
Travel tips for a safe trip into the cloud
- Perform due diligence on the cloud provider you intend to use
- Ask rigorous questions about where data will be physically stored
- Evaluate what implications a cloud strategy has on compliance efforts
- Clearly define roles around protecting and securing data
- Don’t assume security is someone else’s responsibility
- Assess actual levels of security with in-house IT compared to the cloud
- Don’t move the most sensitive company or customer information until the technology is well proven within the business
This article is part of Cloud Computing, An Irish Director Report, a practical guide to the cloud for decisionmakers.