The Over/Under on Cloud Security
Ever since the term "the cloud" came into use, security has been one of the subject's most hotly debated topics. Is it riskier from a security perspective to conduct operations and store data outside a business' own four walls? Or can security actually be better in the cloud, in the same way a safe deposit box may be a safer place to store valuables than one's own home?
For some, any move to the cloud -- at least the public cloud -- means a higher risk for security.
For others, relying more on a public cloud provider means better security. There's more of a concentrated and comprehensive focus on security best practices that are perhaps better implemented and monitored centrally in the major public clouds.
And so which is it? Is cloud a positive or negative when it comes to cybersecurity? And what of hybrid models that combine public and private cloud activities -- how is security impacted in those cases?
We posed these and other questions to a panel of security experts at last month's Open Group Conference in San Francisco to deeply examine how cloud and security come together -- for better or worse.
The panel: Jim Hietala, vice president of security for The Open Group; Stuart Boardman, senior business consultant at KPN, where he co-leads the Enterprise Architecture Practice as well as the Cloud Computing Solutions Group; Dave Gilmour, an associate at Metaplexity Associates and a director at PreterLex; and Mary Ann Mezzapelle, strategist for enterprise services and chief technologist for security services at HP.
The discussion was moderated by Dana Gardner, principal analyst at Interarbor-Solutions.
Listen to the podcast (36:24 minutes).
Here are some excerpts:
Dana Gardner: Is this notion of going outside the firewall fundamentally a good or bad thing when it comes to security?
Jim Hietala: It can be either. Talking to security people in large companies, frequently what I hear is that with adoption of some of those services, their policy is either "let's try and block that until we get a grip on how to do it right," or "let's establish a policy that says we just don't use certain kinds of cloud services." Data I see says that that's really a failed strategy. Adoption is happening whether they embrace it or not.
The real issue is how you do that in a planned, strategic way, as opposed to letting services like Dropbox and other kinds of cloud collaboration services just happen. So it's really about getting some forethought around how do we do this the right way, picking the right services that meet your security objectives, and going from there.
Gardner: Is cloud computing good or bad for security purposes?
Stuart Boardman: It's simply a fact, and it's something that we need to learn to live with.
What I've noticed through my own work is a lot of enterprise security policies were written before we had cloud, but when we had private Web applications that you might call "cloud" these days, and the policies tend to be directed toward staff's private use of the cloud.
Then you run into problems, because you read something in policy -- and if you interpret that as meaning cloud, it means you can't do it. And if you say it's not cloud, then you haven't got any policy about it at all. Enterprises need to sit down and think, "What would it mean to us to make use of cloud services and to ask as well, what are we likely to do with cloud services?"
Gardner: Dave, is there an added impetus for cloud providers to be somewhat more secure than enterprises?
Dave Gilmour: It depends on the enterprise that they're actually supplying to. If you're in a heavily regulated industry, you have a different view of what levels of security you need and want, and therefore what you're going to impose contractually on your cloud supplier. That means that the different cloud suppliers are going to have to attack different industries with different levels of security arrangements.
The problem there is that the penalty regimes are always going to say, "Well, if the security lapses, you're going to get off with two months of not paying," or something like that. That kind of attitude isn't going to go in this kind of security.
What I don't understand is exactly how secure cloud provision is going to be enabled and governed under tight regimes like that.
Gardner: Jim, we've seen in the public sector that governments are recognizing that cloud models could be a benefit to them. They can reduce redundancy. They can control and standardize. They're putting in place some definitions, implementation standards, and so forth. Is the vanguard of correct cloud computing with security in mind being managed by governments at this point?
Hietala: I'd say that they're at the forefront. Some of these shared government services, where they stand up cloud and make it available to lots of different departments in a government, have the ability to do what they want from a security standpoint, not relying on a public provider, and get it right from their perspective and meet their requirements. They then take that consistent service out to lots of departments that may not have had the resources to get IT security right, when they were doing it themselves. So I think you can make a case for that.
Gardner: Stuart, being involved with standards activities yourself, does moving to the cloud provide a better environment for managing, maintaining, instilling, and improving on standards than enterprise by enterprise by enterprise? As I say, we're looking at a larger pool and therefore that strikes me as possibly being a better place to invoke and manage standards.
Boardman: Dana, that's a really good point, and I do agree. Also, in the security field, we have an advantage in the sense that there are quite a lot of standards out there to deal with interoperability, exchange of policy, exchange of credentials, which we can use. If we adopt those, then we've got a much better chance of getting those standards used widely in the cloud world than in an individual enterprise, with an individual supplier, where it's not negotiation, but "you use my API, and it looks like this."
Having said that, there are a lot of well-known cloud providers who do not currently support those standards and they need a strong commercial reason to do it. So it's going to be a question of the balance. Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.
Gardner: We've also seen that cooperation is an important aspect of security, knowing what's going on on other people's networks, being able to share information about what the threats are, remediation, working to move quickly and comprehensively when there are security issues across different networks.
Is that a case, Dave, where having a cloud environment is a benefit? That is to say more sharing about what's happening across networks for many companies that are clients or customers of a cloud provider rather than perhaps spotty sharing when it comes to company by company?
Gilmour: There is something to be said for that, Dana. Part of the issue, though, is that companies are individually responsible for their data. They're individually responsible to a regulator or to their clients for their data. The question then becomes that as soon as you start to share a certain aspect of the security, you're de facto sharing the weaknesses as well as the strengths.
So it's a two-edged sword. One of the problems we have is that until we mature a little bit more, we won't be able to actually see which side is the sharpest.
Gardner: So our premise that cloud is good and bad for security is holding up, but I'm wondering whether the same things that make you a risk in a private setting -- poor adhesion to standards, no good governance, too many technologies that are not being measured and controlled, not instilling good behavior in your employees and then enforcing that -- wouldn't this be the same either way? Is it really cloud or not cloud, or is it good security practices or not good security practices? Mary Ann?
Mary Ann Mezzapelle: You're right. It's a little bit of that "garbage in, garbage out," if you don't have the basic things in place in your enterprise, which means the policies, the governance cycle, the audit, and the tracking, because it doesn't matter if you don't measure it and track it, and if there is no business accountability.
David said it -- each individual company is responsible for its own security, but I would say that it's the business owner that's responsible for the security, because they're the ones that ultimately have to answer that question for themselves in their own business environment: "Is it enough for what I have to get done? Is the agility more important than the flexibility in getting to some systems or the accessibility for other people, as it is with some of the ubiquitous computing?"
So you're right. If it's an ugly situation within your enterprise, it's going to get worse when you do outsourcing, out-tasking, or anything else you want to call within the cloud environment. One of the things that we say is that organizations not only need to know their technology, but they have to get better at relationship management, understanding who their partners are, and being able to negotiate and manage that effectively through a series of relationships, not just transactions.