Without a doubt, cloud computing adoption has skyrocketed in recent years. Cloud computing can make a company more agile, efficient and productive. However, cloud adoption is far from universal. There are still many companies that continue to resist, or do not need, the technology. In many cases, the reason for an organization’s hesitation is simple: security. Business leaders fear that moving important data or operations into the cloud may put their organizations at risk. To alleviate this risk while still maximizing the cloud’s value and capabilities, managed services can prove essential.
Security concerns have always been an obstacle to cloud adoption. Even as awareness of cloud computing has increased and business leaders generally accept that the technology is not inherently any less secure than legacy solutions, these fears have remained a focus. IT leaders understand their organizations need to embrace its efficiencies, but as always, these benefits must be accompanied by robust, reliable security. Users and companies commonly want greater access to their data and technology while still requiring the same level of security for it.
What’s not to like about the cloud? It fits well into the way businesses operate today — remotely, collaboratively, and globally. It also helps to get rid of one of computing’s worst security threats: portable storage devices like thumb drives and hard drives that are easily lost or preloaded with malware. Therein lies the irony: there are still a lot of businesses that are hesitant to migrate data to the cloud because of security concerns. Not only that, but concerns about security are not decreasing; they’re increasing. A report from October 2011 indicated 25 percent of businesses expressed some concern over cloud security, a figure that increased to 42 percent in July 2013. The fact of the matter is that if you don’t own the network and control its layers, then it’s open to the rest of the world. The cloud, by definition, is more insecure than storing data on premises.
Even cloud enthusiasts have begun to express concern over cloud security and what it means for the future of cloud computing. 66 percent of the Open Data Center Alliance believe that cloud security woes are hurting cloud adoption. If companies are shying away from the cloud because of security concerns, does this mean we’re seeing the demise of cloud computing?
There have been improvements in cloud security in recent years, as cloud providers have taken more responsibility for their clients’ data. The best security is built into the cloud from the beginning, rather than incorporated later on.
Like securing data on your own network, data in the cloud can be secure because good security is good security, no matter where it exists.
Protecting your data in the cloud is done by implementing:
- Access control lists to define the permissions attached to the data
- Storage encryption to protect against unauthorized access at the data center (especially by malicious IT staff)
- Transport level encryption to protect data when it is transmitted
- Firewalls (including web application firewalls) to protect against outside attacks launched against the data center
- Hardening (updating and patching) of the servers to protect against known, and unknown, vulnerabilities in the operating system and software
- Physical security to protect against unauthorized physical access to data
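The first three controls in this list can be verified from configuration data instead of taken on trust. The audit below is an added example, not part of the original article; it assumes the provider is AWS S3 (the article names none) and runs over constructed samples shaped like the output of `get-bucket-acl`, `get-bucket-encryption` and `get-bucket-policy`, with a placeholder bucket name and owner ID.

```python
import json

# Constructed samples shaped like AWS S3 get-bucket-acl, get-bucket-encryption
# and get-bucket-policy output (AWS is an assumption; the article names no provider).
PUBLIC = {"http://acs.amazonaws.com/groups/global/AllUsers",
          "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WEAK = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]},
    "encryption": None,  # constructed: no encryption configuration returned
    "policy": None,      # constructed: no bucket policy attached
}
HARDENED = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
            "Permission": "FULL_CONTROL"}]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}

def public_grants(acl):
    """Access control: permissions granted to everyone or to any AWS account."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC]

def encrypted_at_rest(enc):
    """Storage encryption: a default server-side encryption rule is present."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules)

def tls_enforced(policy_json):
    """Transport encryption: a Deny statement matches requests sent without TLS."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Deny" and str(s.get("Condition", {})
               .get("Bool", {}).get("aws:SecureTransport")).lower() == "false"
               for s in stmts)

def audit(bucket):
    """Return one finding for each of the three controls that is missing."""
    checks = [(not public_grants(bucket["acl"]), "acl: public grant"),
              (encrypted_at_rest(bucket["encryption"]), "storage: no default encryption"),
              (tls_enforced(bucket["policy"]), "transport: plaintext HTTP not denied")]
    return [msg for ok, msg in checks if not ok]
```

`audit(WEAK)` reports all three gaps and `audit(HARDENED)` reports none; firewalls, patching and physical security cannot be read from bucket configuration and still have to be confirmed with the provider.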
If data were stored on a corporate network, management would want to know what security controls are in place, to what extent these controls are implemented, and what plans are in place to deal with an attack. Likewise, cloud providers should answer these questions sufficiently. Obviously, cloud computing is fraught with security risks. Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.
Additionally, it must be clear what the provider is responsible for as far as security is concerned, and what the owner of the data is responsible for. According to a report titled Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, “The key takeaway for security architecture is that the lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.” Knowing who is responsible for what can prevent unnecessary finger pointing in the future. Finding a managed service provider to take over where your cloud provider drops off is key in a cloud deployment.
While data theft (confidentiality) and data tampering (integrity) often take the forefront of the security discussion when it comes to the cloud, the accessibility of data should not be overlooked. Consumers need to question what the cloud provider has in place to protect against threats like Distributed Denial of Service attacks that can prevent access to stored data. Another consideration is how backup and recovery are handled by the provider to deal with disaster recovery.
When Eran Feigenbaum, Director of Security for Google Apps, compared cloud security to bank security, it was based on the theory that, like a bank, a cloud provider has the resources to put security measures in place for protection that cannot be achieved at home or on the corporate network. Like storing valuables in a bank, the owner of the data needs to take responsibility and check out the thickness of the vault, the reputation of the security guards, and the placement of the cameras. You must also realize that you just put all your information in a larger target for thieves, just like a bank.
There are certainly important security items to take into account when considering adopting cloud computing. With the correct segregation of data and a managed service provider, businesses may discover a way to mitigate the risk.