Analysing the brave new cloud world
By 2013, cloud services will be dominant, especially in SMEs. Best to start preparing for the future, says Andrew Donoghue.
Clouds by their very nature are ethereal and hard to grasp. Combine this with the IT industry's obsession with tacking the latest buzz-word anywhere it can get away with it and it's not surprising that cloud computing has some people flummoxed.
What is clear though is that, however you choose to define the term, the cloud is subverting the established rules of the tech industry. However, fundamental change makes people nervous and one of the aspects of cloud computing which is raising concern is security.
While a lot of attention has been focused on whether online apps or hosted compute power are inherently more or less secure than their on-premises equivalents, less attention has been given to the changes that cloud is having on security products and services themselves.
This oversight needs correcting as the evolution of cloud-based security is inextricably linked to the future impact of the whole cloud computing concept, as experts agree. “The ability to provide massively scalable processing, storage and bandwidth inherent in cloud computing will enable security controls and functions to be delivered to customers in new ways, and by new types of service providers,” states analyst Gartner in its 2008 report, ‘Cloud-based computing will enable new security services and endanger old ones’.
Small companies could abandon IT security altogether
For security vendors and customers alike, cloud-based services are already beginning to disrupt the status quo. Only by focusing through the miasma to five or ten years from now can companies hope to understand how the cloud is going to alter the way they acquire security products and services. For many smaller companies, this future may mean they no longer engage in any IT security directly at all.
Online or hosted security services are nothing new and predate the current cloud hype cycle by several years. A variety of vendors offer online tools to help companies filter and clean email, for example. According to Gartner, cloud-based services accounted for 20 per cent of revenue in 2008 for email filtering specialists. By 2013, the analyst predicts this will rise to 60 per cent.
Adrian Seccombe, former chief information security officer at Eli Lilly, recounts how the pharmaceutical company has extensive experience of using security services that only recently earned the moniker ‘cloud’. “For a long time, Eli Lilly was cleaning its emails in the cloud. We didn't care who was doing it. Email cleaning and filtering is an example of something that is already happening,” he says.
But Seccombe's experience of cloud security technologies doesn't stop with the services offered by the likes of MessageLabs (owned by Symantec), MX Logic (owned by McAfee), Webroot, Websense and others. As associate lecturer at the University of Surrey's computing department and board member at security think-tank Jericho Forum, he is one of the experts charged with trying to work out exactly how the cloud will impact on security and vice versa. Jericho has developed a Cloud Cube Model to guide customers through the security considerations of using cloud services.
Semantics of the cloud
The first step in understanding how cloud security services will evolve is to understand the scope of the term itself, says Seccombe. “A lot of people get hung up on the specifics of the word. For me, it is a much looser set of definitions. The initial term ‘cloud computing’ came from the telecoms industry. We moved to a model which said ‘I am not doing leased line anymore, I am letting the telecoms vendor deal with that and just buying an end-to-end service’. How they get me there isn't me buying a slice of copper or a piece of a slice of copper. I am just saying, ‘get me there’.”
Rather than getting tied up in the semantics of whether cloud includes terms such as Software-as-a-Service (SaaS) or Computing-as-a-Service (CaaS), Seccombe believes it's more important to look at the overall impact. Companies buying IT services via the internet rather than building their own infrastructure will change the fundamentals of the security industry and IT as a whole, he believes.
“It is not a question of if but when. Commoditisation is a supernatural force that you cannot resist. It is like the tide – it will come in. When electricity was put into shops in London, everyone had to have a generator in their basement. That commoditisation of mains power is exactly what is happening with local computing now,” he says.
“We will see the commoditisation of compute power as well. The shift is going to be what you can do on top of that and what it enables.”
What that future looks like is still unclear, but for experts such as Seccombe it means the more mundane aspects of security no longer being the responsibility of end-user companies. “I think the operational security stuff becomes less and less relevant to a small company because they don't care what the server is or what patch level it is at – that is the responsibility of salesforce.com or whoever,” he says.
Companies such as Qualys are already offering a whole blend of security services via Software-as-a-Service which aim to simplify the tasks faced by IT security specialists. “There is no hardware or equipment to maintain, no operating system to patch, no software conflicts to avoid,” says Randy Barr, Qualys chief security officer. “There is a lower total cost of ownership and rapid access to new and upgraded applications because of the shorter development cycles that address new and emerging security threats.”
Security as a business enabler
Other experts agree with this vision of the future, where security becomes a given in cloud services – and even believe the level of security will become a differentiator for customers. “What will change is that security will become even more prominent in their offering, more transparent and act as a differentiator that will keep them ahead of some of the more resource-constrained providers. In essence, security may finally become the business enabler,” says Gary Wood, research consultant, the Information Security Forum.
If the more mundane aspects of security are set to be subsumed, what role will there be for internal security specialists in enterprise IT departments? According to Seccombe, security experts in enterprise IT departments will move to a more strategic role, focused on tracking company data in the cloud – something he refers to as ‘breadcrumb trails’.
“A trail of breadcrumbs can be a good thing or a bad thing, depending on what you do with them,” he says. “If you leave a trail of breadcrumbs behind you that baddies are following, that is not a good thing to do in the cloud. An example could be if pharmaceutical company Lilly went in and took that particular data out of those three public sources, then put this amount of that data in this public location and processed it using this much power for ten minutes. You could – if you were the right kind of scientist – ask: ‘What is it they were doing there and why were they doing it?’ Those could be breadcrumbs, where a rival could reconstruct more than we would like them to have done.”
According to Seccombe, tracking these breadcrumb trails of data in the cloud will be the new focus of security professionals as companies struggle to keep ownership of information and intellectual property. “What information did I leave in that space? Is my data out there and is it at risk? Security services are going to shift into that higher frame rather than the mundane operational stuff – like have I got up-to-date anti-virus or not?” he explains.
Another fundamental area where the cloud will impact on security services is the whole area of identity authentication management (IAM). Analysts such as Gartner point to the challenges faced by companies in enabling mobile users to use cloud-based services securely and suggest some solutions. “One answer will be cloud-enabled security ‘proxies’ whereby all access to approved cloud-based IT services will be required to flow through cloud-based security services that enforce authentication, data loss prevention, intrusion prevention, network access control, vulnerability management and so on,” says John Pescatore, vice president and distinguished analyst at Gartner.
Major shift in identity
Seccombe believes the whole aspect of identity management and authentication needs to be re-worked for the cloud-enabled world. “There needs to be a major shift in the way we approach identity,” he says.
“Currently, we do enterprise-centric identity, where all the companies think about giving identities to their users. But what we need to move to is principal- and resource-centric identity and entitlement management. The resource would have a rule controlling how it could be used or accessed and the principal would have to demonstrate that it had the attributes or capabilities that would allow it to gain access,” says Seccombe.
Some cloud-based authentication services exist already, offered by companies such as CryptoCard. “Allowing employees to access the company network remotely is essential for companies that are delivering online services and have a high level of visibility on the internet,” says Neil Hollister, CEO, CryptoCard. “Businesses need to put measures in place to protect the data they hold, and standard passwords just cannot protect against the sophisticated hackers around today.”
This model would lend itself better to the diffuse nature of IT services and applications that will result from the move away from on-premises or enterprise-owned IT to cloud-based services. He likens this shift to the processes that exist in a bar for proving the age of a drinker. “That model is very similar to a bar. If you go into a bar, you have to demonstrate that you are above drinking age. The resource rule is drinking above 18 and your capability is today's date minus your date of birth, which is hopefully more than 18,” Hollister adds.
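The resource-rule and principal-capability model described above, as an added sketch that is not code from the article or from any vendor it names. The class names, attribute keys and evaluation date are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict


def age_in_years(dob: date, today: date) -> int:
    """Whole years elapsed; a birthday later in the year has not counted yet."""
    not_yet = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - not_yet


@dataclass
class Principal:
    # Constructed attribute set. There is deliberately no employer or
    # user-id field: the resource never asks which enterprise issued an account.
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    # The rule travels with the resource: capability name -> predicate.
    rule: Dict[str, Callable[[object], bool]]


def derive_capabilities(p: Principal, today: date) -> Dict[str, object]:
    """Turn presented attributes into capabilities (here: age from date of birth)."""
    caps = dict(p.attributes)
    dob = p.attributes.get("date_of_birth")
    if isinstance(dob, date):
        caps["age"] = age_in_years(dob, today)
    return caps


def may_access(p: Principal, r: Resource, today: date) -> bool:
    caps = derive_capabilities(p, today)
    # Deny by default: a capability the principal cannot demonstrate fails the rule.
    return all(name in caps and check(caps[name]) for name, check in r.rule.items())


# The bar from the analogy: the resource rule is "age 18 or over".
BAR = Resource("bar", {"age": lambda a: a >= 18})
TODAY = date(2010, 6, 1)  # constructed evaluation date
```

The same `may_access` call works for any resource whose rule names other capabilities; a principal that presents no matching attribute is refused rather than waved through.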
Ultimately, the evolution of cloud security services depends on the degree to which companies embrace the cloud generally. The more that IT becomes a service, the more likely it is that, for small companies at least, security will cease to be a core competence.
But just like any new tech trend, cloud brings with it its own unique set of security challenges. While the more mundane aspects of security may be outsourced, there is sure to be a new wave of tasks to keep security pros busy in the brave new cloud world.
Customer case study: European Patent Office
Dealing as it does with patent applications from countries across the region, the European Patent Office (EPO) is an organisation that knows a thing or two about dealing with complexity. The organisation receives around 200,000 patent applications a year, granting around 60,000.
In a bid to cut down on some of the substantial paper trails generated by its 6,500 employees and the customers they interact with, the EPO has been embarking on a plan to move to digital formats, where practical. Around 40 per cent of applications are now delivered and processed electronically.
“When we saw the number of applications submitted each year continuing to increase, we recognised the clear benefits of digitising as much of the process as possible,” says David Allin, director of planning, security and inventory for the EPO.
However, given the huge volumes of potential intellectual property and other confidential information the EPO deals with, security is a major consideration. The move to more electronic formats and greater use of the internet has meant a serious re-think about IT security, according to Allin.
“While we have excellent and technically competent people, these systems were all set up for various projects within the organisation at varying times. Without centralised management, properly operating and maintaining these systems and the associated risk grew difficult to sustain,” says Allin.
Keeping on top of patching and assessing the new infrastructure manually did not appear to be a workable or practical solution, so the organisation took the decision to use a cloud-based service from security provider Qualys. The company provides a whole range of cloud-based security services, including vulnerability management and policy compliance. “We don't have to manage a server, vulnerability updates, or any other hassles,” says Allin. “From our perspective, this was the most accurate, easiest way to manage vulnerabilities.”
The system allows EPO to conduct a daily vulnerability assessment to analyse the status of internal and hosted systems. “We were able to rapidly identify where we had patch deficiencies, and where we had configuration issues. We even saw where we had firewall issues – and that we should lock a few things tighter,” says Allin.
Qualys says its QualysGuard service is used by more than 4,000 organisations in 85 countries. The Express version was recently awarded the SC Magazine Europe Award 2010 for Best Small and Medium Enterprise (SME) Security Solution.
Five top tips on moving to the cloud
Five experts give their inside advice on what to watch out for when adopting cloud-based security services.
1 Customers should look for cloud-based offerings with proven track records to ensure that the vendor has a reliable solution. (Randy Barr, CSO, Qualys)
2 Homomorphic encryption (should someone manage to get it right) will be key to information security and will genuinely allow organisations to buy the lowest cost/highest performance cloud storage solution, safe in the knowledge that their data is secure, but still usable. (Gary Wood, research consultant, Information Security Forum)
3 Look for standards. Data security standards such as PCI DSS, a security standard created by the credit card industry, require organisations to manage their infrastructure in a certain way. (Geert Jansen, product manager, Red Hat)
4 Keep an eye on the Cloud Security Alliance (CSA), which is helping to establish and promote best practices for securing data in the cloud. (Guy Churchward, CEO, LogLogic)
5 Emerging technologies that provide leading edge security that would benefit cloud providers include Palo Alto, Varonis, Websense DSS. (Steve Smith, managing director, Pentura)