Securing the cloud

How secure?: Cloud security is becoming increasingly important

As cloud computing continues to dominate the IT landscape, more questions are being raised about security issues surrounding the concept.

Who is responsible for security in the cloud and where does the buck stop? Who puts the company data most at risk – senior management or staff? Can the blame for security breaches be shifted to channel players and third-party service providers?

Recent research by analyst Dynamic Markets – commissioned by security vendor Sourcefire – looked more closely at security in the cloud. The survey questioned more than 500 staff and 110 IT security managers at UK firms with 250 or more employees.

According to the results, 37 per cent of those questioned felt that cloud computing vendors such as Apple, HP, IBM and Oracle will increasingly become targets of malware and hackers, but 88 per cent of respondents felt they could cope with the attacks.

In terms of the success of cloud computing, 33 per cent felt it was the way forward, with a similar number believing it to be successful in 2010 and just 14 per cent believing it is a passing fad. However, 37 per cent felt it would only succeed if the big vendors were to get involved.

On the up

Recent figures from IDC show the cloud is set to grow, with server hardware sales in the public cloud increasing from $582m (£364m) now to $718m in 2014, and the private cloud server revenue rising from $2.6bn to $5.7bn in the same timeframe.

Katherine Broderick, research analyst at IDC, said: “Many IT decision makers are seriously considering cloud computing as a way to dramatically simplify their sprawling virtual and physical infrastructure. However, there is lingering apprehension over issues such as integration, availability, security and costs. These concerns will continue to guide the adoption of cloud computing over the next few years.”

Dr Cherry Taylor, managing director of Dynamic Markets, said firms are already pouring resources into cloud security issues. “On average a company will spend 7.5 days a month on researching cyber threats, with 91 per cent of companies admitting to spending time on this,” she said.

Taylor said in terms of compromising company security by using mobile devices, senior managers and directors are the worst culprits.

But despite the hype surrounding the cloud, security concerns around the concept are very real.

Peter Wood, ISACA conference committee member, said: “The cloud is fundamentally outsourcing. I spend a lot of time conducting security re­views and find that the average organisation does not have enough security controls when using a third party, whatever the relationship is.”

He added that organisations need to ascertain what risk the security threat to its information actually poses to the business.

“There are a lot of areas that need to be considered when moving data to the cloud, such as where the data will reside. There is a lack of understanding of how to approach these issues,” he said. “The primary goal of the IT department is to deliver what the business wants to keep the business running and it’s all about availability and resilience. While security issues are important, they are not an automatic consideration.”

Cost over security

Stuart Noad, marketing director at security specialist VAR HP-Vistorm, said more often than not it is cost savings that drive cloud adoption, rather than the need for security.

“Organisations want to reduce overheads and costs, so any focus on security is usually an afterthought,” he said. “Perhaps that is why there is a big shift towards security outsourcing. It’s not their core business and they just want the problem taken away.”

Nikki Babatola, security specialist at analyst group Canalys, said cloud implementation and indeed the channel have a huge role to play in future security issues.

“When the decision is made to move to the cloud, it is usually made at the corporate level, and only when it is implemented are the security issues actually identified and the IT department brought in,” she said.

“Going forward, effective cloud security relies on tighter communication between IT and the business. Perhaps this is where there is a role for the channel to offer this as a service,” Babatola added.

Jonathan Armstrong, a partner at law firm Duane Morris, said service-level agreements are the best way to retain control over data and business operations in the cloud.

“I advise people that they need to think about tagging the data they put in the cloud,” he said.

Dominic Storey, technical director at Sourcefire, said that the research had raised clear questions for companies about securing their devices, accessing corporate data and the im­pact of security on the adoption of cloud computing.

“The advice for organisations is that their data is their data, no one else’s, and no amount of outsourcing changes that. People must realise the buck stops with them,” he said.

“Work that contract, make sure it covers you as much as possible, and don’t forget to ask the basic questions of your suppliers.”