Cloud Insecurity: Not Enough Tools, Experience or Transparency
IT executives remain unsure of hoisting critical IT services into the cloud, and their worries all center on security. They are fueled, for the most part, by three factors: the slow uptick of security tools and expertise specific to cloud computing; inexperience in outsourcing; and a lack of transparency by cloud providers concerning their multitenant environments.
Apr 18, 2012 5:00 AM PT
It may be that the hype around cloud computing has settled, but security concerns continue to make headlines and are often cited by CIOs as top priorities. The IT industry association CompTIA, which earlier this year released its ninth annual Information Security Trends Study, found that while many U.S. companies trust the cloud enough to use it, only 13 percent trust it enough for heavy lifting.
For example, 58 percent won't put confidential company data in the cloud, and 56 percent won't put credit card data in the cloud. When asked to assess the current risks in cloud security, nearly all had moderate or serious concerns, and 55 percent said those concerns were greater now than ever.
If you dialed back two years, however, you likely would have seen the same level -- and type -- of cloud security concerns. In many respects, the story hasn't changed much.
The ongoing worries around cloud security are fueled, for the most part, by three factors: the slow uptick of security tools and expertise specific to cloud computing; inexperience in outsourcing; and a lack of transparency by cloud providers concerning their multitenant environments.
First, regarding tools, as it relates to external network threats, cloud security today isn't fundamentally different from traditional, unvirtualized data center security. There's still a persistent application security challenge based on known and newly discovered exploits that must be addressed regardless of how the application is deployed.
For many cloud users, though, it hasn't been easy to replicate in cloud environments the security solutions deployed in traditional data center environments. There has been a lack of cloud-specific tools, controls, automated audit reporting, and even a lack of deep understanding of the service provider's cloud architecture. Hence, companies are forced to limit the applications they deploy in the cloud.
Cloud users can transport their best practices from physical to virtual deployments to help the situation, but best practices alone won't suffice. IT organizations need to know the types of security solutions they need -- firewall management, intrusion prevention and detection, Web application firewall (WAF) management, audit services, etc. -- and determine whether they can get them from their service provider or if they already exist in their current arsenal and can be adapted to their cloud implementations.
Security processes also need reviewing and refreshing. If an IT team runs audits and scours firewall logs every week in its traditional data center environment, will that be enough for a cloud environment? And will the service provider share those logs and audits, in detail, once a week or as often as needed?
Making sure the service provider's security best practices, solutions and policies are up to snuff also has confounded cloud security. That's because for many companies, investing in the cloud is really the first occasion of handing over their IT operations to an outsourcer. Many are used to running IT internally and aren't adept at assessing and comparing the security of cloud providers, negotiating contracts, or establishing and enforcing service levels.
The lack of expertise extends from the IT department to purchasing departments. There's a lot of ground to cover:
- Are the right security measures in place?
- Do you have written agreements regarding the application of patches, etc.?
- Is there agreement on the definitions of service availability, incident response, technical compliance and vulnerability management, and how is reporting on these conducted?
- How are service levels measured?
- What data is available, related to availability and security, and how often is it provided?
When working with an outsourcer, know how to ask for specific requirements, and document the solutions and services you are expecting from the provider. Keep in mind that the contract isn't nearly as important as being successful. Penalties are a small price to pay; after all, nobody really wants SLA money -- they want protection. Negotiations are very difficult because of this.
In Search of Transparency
Finally, many of the concerns around cloud security are aimed squarely at public cloud services, where threat vectors are compounded by multitenancy and shared environments.
Much of the concern is due to a lack of transparency among some service providers regarding those multitenant environments. That transparency, however, is critical. It is important to know how individual virtual machines, sharing a physical server, are segregated. How is the data protected, and how are the networks secured?
Most importantly, how is the management network that the service provider uses protected? If the management layer is vulnerable, then everyone in that cloud is vulnerable as well.
There's no question companies are adopting cloud computing. Even public cloud services are making headway. IT market research firm IDC, for example, estimates that worldwide revenue from public IT clouds will reach US$55.5 billion in 2014. But security concerns do need to be addressed.
With increased availability of cloud security tools and services, experience, and more adept outsourcing tactics, as well as more proactive and transparent public cloud services, they can.