Security behind the cloud

David Hobson asks whether the security issues around cloud computing have been ironed out

David Hobson: Consider security issues before investing in cloud solutions

As our use of computing resources evolves from mainframes to PCs and networks, we are facing a shift in the way we work. But security issues need to be discussed, risks assessed and judgements made.

Pretty much everyone has an email address. And free web-mail accounts such as Hotmail and Gmail are early examples of cloud computing.

Cloud computing gets its name from network diagrams showing the internet as a cloud, since the route taken by data via the internet cannot easily be defined.

Cloud computing architecture is relatively simple – a data store and server are hosted on the internet, and the client can access the server from anywhere with an internet connection.

Normally, the client has a web-based front end to make access even easier. Soon there may be no need to buy packaged software, instead ‘renting’ it for periods of time or on a pay-per-use model.

Alternatively, users can use the software in return for agreeing to receive advertisements.

The major benefit is financial. There is no need to invest in hardware, infrastructure or software. However, security issues must be considered.

Security has always been about confidentiality, integrity and availability. These three areas should be considered by any potential user of cloud computing.

If users are giving data to a third party, they can lose control of it. To whom has it been given? How is access to the data controlled? Who sees it? Can the data be taken and used by someone else? What assurance is there that the data remains confidential?

The contractual warranty must also be considered. Does it please the user, and if so, what is their recourse if the contract is breached?

Can users retain the integrity of data? Can the data be tampered with? If it were, would they know? How satisfactory is the way in which data is segregated? What is the chance of leakage and how is this prevented and monitored?

If data is not available to users for whatever reason, it is no good. Cloud computing may actually provide strong back-up and provision for disaster recovery.

Most solutions will provide at least one back-up resource. Subscribers should check what provisions are made.

However, if the ISP fails, users lose access to data. So redundancy of internet access is a must. Various products offer the ability to combine ISPs to provide virtual single access to the internet.

Also, if users need to get data back from a remote data store, how long will it take to download everything in an emergency? And when was this last tested?

Most organisations' internet connections are small relative to their LAN.

The second issue is changing service providers. If users wish to use a service such as Salesforce.com for outsourced CRM, the data may be stored in a proprietary format. If users are unhappy with a service and want to move to an alternative, how would they get their data back? And would it be usable once they got it?

Compliance is also a major business challenge, so data stored in the cloud must be considered against compliance needs.

What type of data is it? Is it confidential? Are there regulations to control how and where it is stored?

In the UK, the Data Protection Act is very strict on data storage. If data is being stored in the cloud, do users know where it is actually being stored? Are they breaking legal requirements? Policies on data storage must address these issues.

One risk not often considered is that putting your data with a major provider may actually create a bigger target for hackers. If the service provider is hacked, or suffers some virus or security breach, how will data be affected?

Service providers have already suffered from hackers. They will argue they can invest more in security than many organisations, but they are a bigger prize. Some say there is much to be said for security by obscurity.

A lot of enterprises outsource their computing to save money. And the outsourcer may provide a private cloud to give the relevant service. Yet all the questions we have raised apply equally.

David Hobson is managing director at Global Secure Systems