Tuesday, July 6, 2010

Cloud computing - White, Fluffy and Safe or a Hazy, Mysterious step into the Unknown? PART II

Security and the Cloud

Cloud advocates will argue that customers stand to benefit from multiple points of replication and defence and the use of sophisticated technologies that individual companies could afford; yet others insist that cloud computing is a ‘security nightmare’. Whilst this view may be a little extreme, cloud computing will inevitably have a major impact on the way we think about and react to a variety of information security issues.

For this reason Gartner recently issued a report outlining some of the key information security aspects to be aware of regarding the use of cloud services.

1. Privileged user access: Sensitive data processed outside the enterprise brings with it an inherent level of risk, as outsourced services bypass the "physical, logical and personnel controls" in- house IT teams are able to exert. For this reason it is vital for companies to gather as much information as possible about the people who will be managing their data, including the hiring and control procedures of privileged administrators.

2. Regulatory compliance: Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers must also undergo a similar process before an organization can entrust them with sensitive corporate data.

3. Data location: When using cloud solutions you may not know exactly where or in which country your data is hosted. It is important to ask the provider if they will commit to storing and processing data in a specific jurisdictions and whether they will make a contractual commitment to obey local privacy requirements.

4. Data segregation: Typically data in the cloud is held in a shared environment alongside data from other customers. For this reason it is important to understand what measures are taken to effectively encrypt and segregate data.

5. Recovery: It is crucial for the purposes of Business Continuity Management to understand how your data will be recovered in a disaster situation. Ideally your data and application infrastructure should be replicated across multiple sites. It is also critical to understand the restoration process and anticipated recovery times.
6. Investigative support: Investigating inappropriate or illegal activities become significantly harder in cloud computing. The very nature of cloud services makes it especially difficult to investigate a security breach or incident as data logs for multiple customers may be co-located.

Gartner also recommends that smart customers employ the services of a neutral and experienced third party to undertake a security risk assessment to map the specific threats and security challenges an organization may encounter upon moving services to a cloud environment. Comsec can vouch first-hand for the complexities involved with mapping, preparing for, and mitigating the risks associated with migrating to the cloud. Our extensive experience in this area, has enabled us to conduct large-scale projects of this nature, most recently for an organization of 140,000 employees. Cloud computing has unique attributes that require undertaking a risk assessment in areas such as, data integrity, recovery, testing procedures, privacy, security policies, in addition to the management, monitoring, alerting and reporting of security vulnerabilities or breaches. It is also important to evaluate the legal ramifications in areas such as regulatory compliance, and auditing.

However, despite some of the security concerns it looks like cloud computing is here to stay. Whether adoption becomes as prevalent and deep as some forecast will depend largely on overcoming the fears of the cloud. When considering the solutions to the problems raised by cloud computing, it is important to remember that essentially many of these issues are simply old problems in a new setting. Attacks on server infrastructure and web service vulnerabilities existed long before cloud computing became fashionable. Although some aspects of security will be exacerbated when utilizing the cloud, such as data privacy, segregation, access control and governance, others, such as incomplete security patching, will be mitigated. So whilst cloud computing adds a new dimensions to the security challenge, it also provides an opportunity for improvements.