Are Security Fears Holding Back Your Organisation’s Use of Cloud Computing?
We recently held one of our executive leadership dinners to discuss some of the issues surrounding deployment of cloud services. Although the main focus of the evening was to address issues around application development and migration in cloud environments, there was one issue that simply had to be tackled first, because it was looming large both for CIOs considering internal cloud deployment and for ISVs whose clients were reluctant to move to Cloud solutions: both groups were being constrained in cloud deployment because of fears about security.
We will be publishing the paper from that meeting shortly but in the meantime believe security and cloud computing is a topic worth raising here.
Identified in many surveys as the key hurdle for adoption of cloud computing, security is an interesting and important issue. ENISA (the European Network and Information Security Agency) doesn't dismiss Cloud Computing as a no-go option, but does recommend that close attention be paid to certain critical aspects. Buyers need to consider the governance implications of loss of control over data, difficulties proving compliance, and additional legal risks as data moves from one legal jurisdiction to another. Other areas of concern include failure of mechanisms separating the data of different companies, management interfaces that get accessed by hackers, data not deleted properly and malicious insiders.
However, it is also fair to point out that client-server computing hardly provides a fool-proof secure IT environment, and it is possibly the case that we simply feel more comfortable with the computing model or devil we know. For example, it is equally plausible to reference the scale and flexibility of Cloud Computing as providing a security edge: in a cloud environment service providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics. Misplaced or stolen thin client devices can be locked down and access denied, whereas proliferating PCs and memory sticks in the client-server world typically have data held on them.
At K2 Advisory we have conducted some research which suggests that the more familiar people are with using cloud solutions, the less concerned they are about their security risk, and that those who have not used cloud solutions are most concerned about their security implications.* For more information see our report: “Cloud Computing – A Step-Change for IT Services”.
Cloud computing is about gracefully losing control!
The main issue for those that have not yet achieved a level of comfort in using cloud computing is that while the model gives you access to the data, you may fear that you have no way of ensuring that no one else has access to the data. How can you protect your organisation from a security breach somewhere in the cloud?
There are sensible steps that can be taken to work out if cloud service providers can be trusted. For example, for high value assets you will need to know how data will be encrypted and stored, how e-discovery can be conducted if required and whether the cloud provider has passed a SAS-70 audit. For lower value assets this level of governance is not necessary, and the key to peace of mind is spending time up-front to decide how valuable different assets are and therefore which cloud deployment model makes most sense for them.
One organisation worth looking up on these issues is the Cloud Security Alliance (www.cloudsecurityalliance.org), which has published a good, freely available basic set of guidelines called “Security Guidance for Critical Areas of Focus in Cloud Computing V.2.1.” As the CSA report puts it, “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility lies with one or more third parties.” It then provides you with guidance on deciding what, when and how to move to the Cloud.


