Cloud computing has all the hallmarks of becoming a prevalent and valuable innovation that IT professionals should use to their advantage. However, the dangers of hosting and accessing services and applications through the internet also need to be recognised: when 'in-the-cloud' an organisation can lose track of resources: who controls them and who is currently using which resources.
For those that don't know, cloud computing quite simply means vast computing resources reside somewhere in the ether (rather than in your computer room) and can be stitched together using an API to produce applications which can be used as needed. This has many benefits, with companies being able to increase capacity or add capability on the fly without investing in new infrastructure, train new personnel, or licence new software. Enterprises are starting to make the most out of cloud computing, but it's the starts-ups and organisations who don't have to rip out any existing infrastructure to install cloud computing that are realising the benefits first. Whatever the type or size of business, the principles for adopting cloud computing successfully are the same and careful consideration must be taken over data security when moving in to a cloud.
Placing large amounts of sensitive data in the globally accessible cloud leaves organisations open to large distributed threats that mean attackers no longer have to come onto the premises to steal data, and they can find it all in the one “virtual” location. Concentrating a single company's data in a single location is risky and multiple companies using the cloud can create a potentially dangerous scenario. As data breach after data breach are reported in the media, one of the key considerations for companies when considering cloud computing should be how secure data will be in-the-cloud.
Demystifying cloud computing
The realities of cloud computing are that it is driven by economics; and reducing cost does not always mean an improvement in security. Securing data isn't an easy task and exposing services and moving data outside an organisation does not automatically make data security easier, it can actually make it more complex. Those adopting cloud computing must remember it is the responsibility of the data owner, not the service provider to secure valuable data.
There are many myths surrounding the security of cloud computing, which need to be addressed to enable businesses to get the full benefits of this technology. Design and implementation of access controls is just as important and easy to get wrong in-the-cloud as it is in any IT system, but exposure to remote attackers is higher in-the-cloud, accentuating the risks. There is a perception that cloud computing removes data compliance pains, however it should be clear that the data owner is still fully responsible for compliance. Furthermore, concentrating several companies' mission critical data in a single location provides an enriched target that will inevitably attract the forces of e-crime. Hackers only have to get lucky once – the cloud must defend the data from all misuse – a tough job!
Cloud computing is not necessarily more secure; applications with years of expert development still contain undiscovered vulnerabilities that can be a risk to data security. There is insufficient evidence that cloud computing providers have got it right yet; nor for that matter, have the organisations in determining and enforcing which users have access to what.
Cloud applications undergo constant feature additions and users must keep up to date with the application improvements to ensure they are protected. This means that users have to constantly upgrade as an older version will not function, or protect the data.
So where does that leave us?
Ensuring security whilst data is in-the-cloud is not simple. Businesses looking to move into a cloud will have to sign up to the service provider's service level agreements, so it is important that the partner that is chosen takes security seriously. One key area to look at when considering which partner to work with is whether security policies that do not need ongoing maintenance have been set. Data in-the-cloud can change so quickly and if policies are fixed, much more time needs to be spent to ensure data is secure. Time is precious in businesses today and IT managers want to get the benefits of cloud computing without having to spend hours managing it.
Users must know the data assets they are putting into a cloud and ensure the control policies match the legal requirements of that data. Organisations also need to ensure that all data access in-the-cloud is mediated through a proactive security control that can monitor and block malicious or inappropriate use.
My advice would be that cloud computing is a great new technology opportunity. Organisations just need to remember to only choose what data to put in-the-cloud environment after they have been through a full risk analysis of their data security requirements.