Cloud computing and security - what are the issues? Information at the moment is sketchy to say the least.
There has been a lot of buzz around “cloud computing,” mostly focused on defining what this term means and what it encompasses. There has been comparatively little written about cloud computing and security – other than to say that security is a problem. Any details have been almost entirely lacking. For example, one recent blog – 10 Reasons Enterprises Aren't Ready to Trust the Cloud – stated:
“It's not secure. We live in an age in which 41 per cent of companies employ someone to read their workers' email. Certain companies and industries have to maintain strict watch on their data at all times either because they're regulated by laws such as HIPAA and the Gramm-Leach-Bliley Act, or because they're super paranoid. If the latter is the case, it means sending that data outside company firewalls isn't going to happen.”
What does that tell me? Nothing. But this lack of discussion began to change in June with Gartner's report Assessing the Security Risks of Cloud Computing.
In that report, written by Jay Heiser and Mark Nicolett, nine security risks to evaluate in the offerings of providers are listed: privileged user access; compliance; data location; data segregation; availability; recovery; investigative support; (provider) viability; and support in reducing risk. While Gartner's list is by no means exhaustive, it is nevertheless a good starting point for evaluating cloud computing security.
For example, the Gartner report states that: “…many cloud-based offerings do not provide service level commitments that are typically needed for critical business processes.” This is indeed a significant issue. Amazon.com, Google, Research in Motion, Yahoo! and others have all suffered significant outages recently with their cloud-based services. “Last holiday season, Yahoo's system for internet retailers, Yahoo Merchant Solutions, went dark for 14 hours, taking down thousands of e-commerce companies on one of the busiest shopping days of the year.”
However, the lack of availability of these services might be beyond the provider's ability to control – as well as beyond your own enterprise's control. Recall the now infamous attempt by Pakistan to block YouTube in February of this year. Due to routing mistakes involving BGP (Border Gateway Protocol, the core routing protocol on the internet) made by two service providers, YouTube was unavailable to most of the world for two hours.
Two other availability risks are also likely to be amplified. Cloud computing is premised on the ubiquity of internet connectivity – particularly wireless connectivity. Depending on where in the world your increasingly mobile workforce is located, ubiquitous internet connectivity might not be a valid assumption. And without such connectivity, it is even more difficult to be productive when there is no local access to data and cloud-based applications.
The other availability risk likely to be amplified with a move to cloud computing is the threat of distributed denial of service (DDoS) attacks. If your services are hosted by your own enterprise, then you at least have some degree of control over malicious traffic directed at your on-line services. However, with cloud computing, you lose even that limited capability to defend your access to services if your cloud provider is subjected to a DDoS attack.
There is a second aspect to cloud computing and security that has gone almost unnoticed: what is the possible impact on security products themselves?
So, there was a bit of a buzz when Trend Micro started talking about how it intended to evolve its anti-malware product because of cloud computing. Initial details on exactly what Trend Micro was/is doing to operate effectively in cloud computing were sketchy.
However, the fact that it has opened up this discussion about security products and their operational effectiveness is healthy. That is a discussion that needs to happen – especially for customers.
Tim Mather is chief security strategist for RSA Conferences