Security in the clouds - or clouds in security?

Supplementary benefits

‘Cloud Computing’ is the marketing term of the moment, despite lacking a formal definition (this is what we came up with).

Undoubtedly, many organisations are looking to source certain IT services from across the internet. While such capabilities may be initiated as standalone, they frequently move on to be used in combination with existing IT services.

Whether or not cloud computing will replace everything that has gone before (no, we don’t believe so either), the use of internet-based services leads to several security considerations. Not only do security professionals need to understand the security challenges inherent in accessing systems and data by way of the Internet, but it is also worth considering whether there are, in fact, opportunities to source security services themselves from the Cloud, i.e. ‘as a service’.

Taking the first point, some obvious areas must be checked with each service provider for every Cloud / SaaS service being considered. As with all IT services, an organisation must decide what levels of security and data protection are applicable to the service under consideration. All systems need to be secure, but the precise nature of security to be implemented varies depending on the nature and value of the service being considered and the data generated.

Where data is required to be kept confidential, for example, this may require some data elements to be encrypted and it will be necessary to ensure that the supplier’s internal processes, staff and systems meet the desired security criteria. This may apply just as much to the physical elements of the service (data centre access, rack access, staff vetting etc.) as to the IT service elements.

There is then the old chestnut of how the data and service are backed up and how the data recovery process functions. Despite the popular conception that cloud providers are in some way ‘better’ than internal operations, there is no reason or proof why this should be the case (indeed, recent data loss cases such as ma.gnolia.com suggest that organisations would do well to proceed with appropriate caution).

It's the process, stupid

Taking things more broadly than the data, it is essential to investigate how all operational and administrative processes function. For example, how are new users added and who can authorise service changes and amendments? Process, process and process are just as important in cloud security as for internal operations.

Then there are a few thorny legislative matters. Where are the servers hosting the cloud based? Whose legal jurisdiction covers any data held on the servers and under what circumstances will the provider disclose said data to third parties? Do these legal obligations contradict any local laws where the customer is based? There is clearly plenty of scope for lawyers to get a much needed and well deserved crust or two.

Finally, there is the question of the financial stability of the service provider and, more importantly, what happens if they go out of business suddenly or simply choose not to carry on providing the Cloud / SaaS service. Essentially, this comes down to how any data and other valuable information can be retrieved at a forced end of service, or when the customer simply decides to terminate the arrangement. Can data be retrieved simply and easily? How will the service provider ensure that it removes such data, and any backup / replica copies, from its systems, and that these are either destroyed or placed securely in storage where they cannot be accessed?

These are difficult questions, and our advice at this stage is based on ‘due diligence’ – that is, treat cloud service providers in the same way as any other service provider, assessing their capabilities and inherent security risks accordingly.

As mentioned earlier, Cloud Computing may come with risks attached, but it can also provide a basis for the delivery of security services themselves. There are a number of good reasons for this – not least that many of the threats already exist in the cloud, and therefore the cloud is a good place to deal with them.

An additional factor concerns the nature of security itself. IT security is a specialist concern, requiring a complex array of skills which many organisations would be hard pressed to come by. It therefore makes sense to see IT security from the perspective of service provision, and the cloud is one of a number of appropriate delivery mechanisms.

Supplementary benefit

Everything from anti-virus / anti-spam updates, to vulnerability assessments and services that record the safety of millions upon millions of ever changing web pages can be taken as some variation of a cloud offering. In fact it is today possible to utilise almost all of the standard security services employed to protect end point devices as well as many of the services intimately linked to security that have traditionally only been deployed in the customer's own data centre.

Cloud based security services have a lot to offer in many scenarios and there is every likelihood that such solutions will increasingly be deployed to supplement traditional security systems. Note we use the term ‘supplement’ – it is highly unlikely that organisations will replace internal systems wholesale with cloud-based services any time soon. And while there are internal systems, there remains a need for internal security.

To conclude, Cloud computing is a work in progress and should be treated as such. Of course there but many security issues are still to be worked through. In the meantime, you can expect to see IT security vendors stepping up to the plate. Cloud has its benefits even in security but don’t start throwing out existing tools and practices until you are confident of a better, more cost effective alternative to suit your own needs.
