Feeds

Security in the clouds - or clouds in security?

Supplementary benefits

Security for virtualized datacentres

‘Cloud Computing’ is the marketing term of the moment, despite lacking a formal definition (this is what we came up with),

Undoubtedly, many organisations are looking to source certain IT services from across the internet. While such capabilities may be initiated as standalone, they frequently move on to be used in combination with existing IT services.

Whether or not cloud computing will replace everything that has gone before (no, we don’t believe so either), the use of internet-based services leads to several security considerations. Not only do security professionals need to understand the security challenges inherent in accessing systems and data by way of the Internet. But also, it is worthwhile considering if there are, in fact, opportunities to source security services themselves from the Cloud, i.e. ‘as a service’?

Taking the first point, some obvious areas must be checked with each service provider for every Cloud / SaaS service being considered. As with all IT services, an organisation must decide what levels of security and data protection are applicable to the service under consideration. All systems need to be secure, but the precise nature of security to be implemented varies depending on the nature and value of the service being considered and the data generated.

Where data is required to be kept confidential, for example, this may require some data elements to be encrypted and it will be necessary to ensure that the supplier’s internal processes, staff and systems meet the desired security criteria. This may apply just as much to the physical elements of the service (data centre access, rack access, staff vetting etc.) as to the IT service elements.

There is then the old chestnut of how the data and service is backed up and how the data recovery process functions. Despite the popular conception that cloud providers are in some way ‘better’ than internal operations, there is no reason or proof why this should be the case (indeed, recent data loss cases such as ma.gnolia.com suggest that organisations would do well to proceed with appropriate caution).

It's the process, stupid

Taking things more broadly than the data, it is essential to investigate how all operational and administrative processes function. For example, how are new users added and who can authorise service changes and amendments? Process, process and process are just as important in cloud security as for internal operations.

Then there are a few thorny legislative matters. Where are the servers hosting the cloud based? Whose legal jurisdiction covers any data held on the servers and under what circumstances will the provider disclose said data to third parties? Do these legal obligations contradict any local laws where the customer is based? There is clearly plenty of scope for lawyers to get a much needed and well deserved crust or two.

Finally there is the question of the financial stability of the service provider. And more importantly what happens if they go out of business suddenly or simply choose not to carry on providing the Cloud / SaaS service? Essentially this comes down to questions of how can any data and other valuable information be retrieved at a forced end of service or when the customer simply decides to terminate the arrangement? Can data be retrieved simply and easily? How will the service provider ensure that it removes such data, and any backup / replica copies from systems and ensures that these are either destroyed or placed securely in storage where they cannot be accessed?

These are difficult questions, and our advice at this stage is based on ‘due diligence’ – that is, treat cloud service providers in the same way as any other service provider, assessing their capabilities and inherent security risks accordingly.

As mentioned earlier, Cloud Computing may come with risks attached, but it can also provide a basis for the delivery of security services themselves. There are a number of good reasons for this – not least that many of the threats already exist in the cloud, and therefore the cloud is a good place to deal with them.

An additional factor concerns the nature of security itself. IT security is a specialist concern, requiring a complex array of skills which many organisations would be hard pressed to come by. It therefore makes sense to see IT security from the perspective of service provision, and the cloud is one of a number of appropriate delivery mechanisms.

Supplementary benefit

Everything from anti-virus / anti-spam updates, to vulnerability assessments and services that record the safety of millions upon millions of ever changing web pages can be taken as some variation of a cloud offering. In fact it is today possible to utilise almost all of the standard security services employed to protect end point devices as well as many of the services intimately linked to security that have traditionally only been deployed in the customer's own data centre.

Cloud based security services have a lot to offer in many scenarios and there is every likelihood that such solutions will increasingly be deployed to supplement traditional security systems. Note we use the term ‘supplement’ – it is highly unlikely that organisations will replace internal systems wholesale with cloud-based services any time soon. And while there are internal systems, there remains a need for internal security.

To conclude, Cloud computing is a work in progress and should be treated as such. Of course there but many security issues are still to be worked through. In the meantime, you can expect to see IT security vendors stepping up to the plate. Cloud has its benefits even in security but don’t start throwing out existing tools and practices until you are confident of a better, more cost effective alternative to suit your own needs.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.