Feeds

Security in the clouds - or clouds in security?

Supplementary benefits

The essential guide to IT transformation

‘Cloud Computing’ is the marketing term of the moment, despite lacking a formal definition (this is what we came up with),

Undoubtedly, many organisations are looking to source certain IT services from across the internet. While such capabilities may be initiated as standalone, they frequently move on to be used in combination with existing IT services.

Whether or not cloud computing will replace everything that has gone before (no, we don’t believe so either), the use of internet-based services leads to several security considerations. Not only do security professionals need to understand the security challenges inherent in accessing systems and data by way of the Internet. But also, it is worthwhile considering if there are, in fact, opportunities to source security services themselves from the Cloud, i.e. ‘as a service’?

Taking the first point, some obvious areas must be checked with each service provider for every Cloud / SaaS service being considered. As with all IT services, an organisation must decide what levels of security and data protection are applicable to the service under consideration. All systems need to be secure, but the precise nature of security to be implemented varies depending on the nature and value of the service being considered and the data generated.

Where data is required to be kept confidential, for example, this may require some data elements to be encrypted and it will be necessary to ensure that the supplier’s internal processes, staff and systems meet the desired security criteria. This may apply just as much to the physical elements of the service (data centre access, rack access, staff vetting etc.) as to the IT service elements.

There is then the old chestnut of how the data and service is backed up and how the data recovery process functions. Despite the popular conception that cloud providers are in some way ‘better’ than internal operations, there is no reason or proof why this should be the case (indeed, recent data loss cases such as ma.gnolia.com suggest that organisations would do well to proceed with appropriate caution).

It's the process, stupid

Taking things more broadly than the data, it is essential to investigate how all operational and administrative processes function. For example, how are new users added and who can authorise service changes and amendments? Process, process and process are just as important in cloud security as for internal operations.

Then there are a few thorny legislative matters. Where are the servers hosting the cloud based? Whose legal jurisdiction covers any data held on the servers and under what circumstances will the provider disclose said data to third parties? Do these legal obligations contradict any local laws where the customer is based? There is clearly plenty of scope for lawyers to get a much needed and well deserved crust or two.

Finally there is the question of the financial stability of the service provider. And more importantly what happens if they go out of business suddenly or simply choose not to carry on providing the Cloud / SaaS service? Essentially this comes down to questions of how can any data and other valuable information be retrieved at a forced end of service or when the customer simply decides to terminate the arrangement? Can data be retrieved simply and easily? How will the service provider ensure that it removes such data, and any backup / replica copies from systems and ensures that these are either destroyed or placed securely in storage where they cannot be accessed?

These are difficult questions, and our advice at this stage is based on ‘due diligence’ – that is, treat cloud service providers in the same way as any other service provider, assessing their capabilities and inherent security risks accordingly.

As mentioned earlier, Cloud Computing may come with risks attached, but it can also provide a basis for the delivery of security services themselves. There are a number of good reasons for this – not least that many of the threats already exist in the cloud, and therefore the cloud is a good place to deal with them.

An additional factor concerns the nature of security itself. IT security is a specialist concern, requiring a complex array of skills which many organisations would be hard pressed to come by. It therefore makes sense to see IT security from the perspective of service provision, and the cloud is one of a number of appropriate delivery mechanisms.

Supplementary benefit

Everything from anti-virus / anti-spam updates, to vulnerability assessments and services that record the safety of millions upon millions of ever changing web pages can be taken as some variation of a cloud offering. In fact it is today possible to utilise almost all of the standard security services employed to protect end point devices as well as many of the services intimately linked to security that have traditionally only been deployed in the customer's own data centre.

Cloud based security services have a lot to offer in many scenarios and there is every likelihood that such solutions will increasingly be deployed to supplement traditional security systems. Note we use the term ‘supplement’ – it is highly unlikely that organisations will replace internal systems wholesale with cloud-based services any time soon. And while there are internal systems, there remains a need for internal security.

To conclude, Cloud computing is a work in progress and should be treated as such. Of course there but many security issues are still to be worked through. In the meantime, you can expect to see IT security vendors stepping up to the plate. Cloud has its benefits even in security but don’t start throwing out existing tools and practices until you are confident of a better, more cost effective alternative to suit your own needs.

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.