Corporate execs and IT managers may soon get clearer answers to fuzzy questions regarding how secure or insecure cloud computing really is.
In an effort to solve that lingering mystery, the non-profit Open Security Foundation (OSF) late last month launched its cloutage.org website. The new website is aimed at empowering organizations by providing cloud security knowledge and resources.
OSF officials hope that business and security users will be able to apply the independent data provided to better assess security risks related to the cloud. The goal is to bring enhanced visibility and transparency to cloud security.
A recent survey by LogLogic showed that companies in the financial industry are slow to adopt cloud services out of worries about increasing government security regulations that cloud providers may not be able to handle.
“Our survey revealed that 60 percent of respondents had concerns about security and transparency issues related to the cloud,” Dimitri McKay, security architect for LogLogic, told TechNewsWorld.
A Gray Area
Cloud technology right now is prompting many emotional concerns that only grow in the face of FUD (fear, uncertainty, and doubt), noted Jake Kouns, chairman and CEO of the Open Security Foundation.
“I can’t say either way that the cloud is any more or less secure than traditional network storage. Those who say otherwise don’t have all the facts,” Kouns told TechNewsWorld.
In some respects, the cloud is like a no-man’s land where no law and order is in place. No one entity is in charge, he mused.
“Not all providers agree on security requirements and do it the same way. There is no one standard,” he said.
No Argument There
Ultimately, it is up to cloud customers to know about cloud security. But that is a costly research task that cloud vendors are better able to handle, suggested Michael Sutton, vice president of security research for Zscaler.
“There is no straight answer to the cloud security question. The cloud can be and should be more secure than it is,” Sutton told TechNewsWorld.
The key lies in the hands of customers. It comes down to transparency. This is less available on the cloud, he added.
In July, cloud security firm Zscaler announced the availability of a fully integrated email and Web security service that adds email security to its existing Web and cloud security portfolios.
Security Sore Spot
Data security on a network is different than securing the data stored on the cloud. It is harder to do, Sutton offered.
Having a security firm to handle it requires a company’s IT department to have a unique mindset about security, said Sutton.
“The same threats exist. The difference is in the controls used. A company using the cloud cannot risk having inferior security. But there are no guarantees,” he said.
It is easier to understand the unique nature of cloud security issues when you view them in the context of a housing environment. The difference between traditional network and cloud storage security is much like the differences in securing a single-family home and a condo.
For instance, the same controls that we use to lock down a single house are not going to work as well in the condo environment, suggested Kouns. You can protect the perimeter with firewalls and intrusion protection, and anything else you want to do.
“But once you get inside, it’s kind of wide open. You have to apply differently the same controls and security. There is a balance there. How to apply the security is what needs a review. Some groups and vendors have better controls than others,” said Kouns.
Perhaps the most complicating factor in figuring out how to better lock down cloud storage is what security experts call the cloud’s multi-tenant environment. Essentially, more than one user inhabits storage space in the clouds.
So secure walls are needed within to keep “non-family” members out of somebody else’s apartment. Just like living in a hotel, that lock on the front door now impacts every other tenant in there, explained Kouns.
This multi-tenant nature of the cloud results in the potential for shared data among all users of that cloud. The cloud needs adequate controls to block others from getting at that data, Sutton warned.
“It boils down to people having to change their perspective with cloud security. Using the housing analogy, you want to protect your house, so you put locks on all the doors. But that basic premise changes with multi-tenant cloud dwellers,” said Kouns.
Another big concern with cloud security is the availability of stored data, added Manoj Apte, vice president of product management for Zscaler. Backing up data and getting it back online is sometimes an imprecise science.
A related issue is specifying the data to retrieve. This process can take up to 12 hours, he said.
“Not all providers manage storage and data retrieval the same way. The perception and the reality of the cloud are not always the same,” Apte told TechNewsWorld.
No Place Like Home
One of the most disconcerting aspects of managing cloud storage and security is the residency factor. For instance, the exact location where your data lives is often unknown.
“Most providers are world-based. So users are never sure where their data lives. That affects laws at the stored location rather than where the data’s owner is located,” McKay explained.
Related to this data residency concern are issues involved with migrating your data to another cloud. The task is much more complicated than when burning data to disks and taking them elsewhere.
Cloud-hopping is another issue. How do you move your data? There are no standards on how clouds interact, noted Kouns.
LogLogic’s survey showed that, at least in the banking and financial industries, the game plan is to keep systems up and running and compliant with industry and government regulations. Few are exploring new technologies or seeking competitive market advantages through major investments in new IT projects. That means that cloud strategies may be a bad fit right now.
Survey highlights conclude:
- More than 60 percent of respondents were concerned about more government regulation;
- Some 34 percent said cloud computing is not yet strategic to their company;
- 24 percent faced daily attacks on their IT systems from outsiders;
- Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standards (PCI-DSS) are the top two compliance challenges in financial services today.
“Regulatory compliance agencies need to see virtualization and cloud platforms as more than a new toy,” said LogLogic’s McKay about their security issues.
Bringing Clout to the Cloud
OSF’s new Cloutage Project seeks to foster a solution to the cloud security question. The Cloutage name comes from a play on two words, Cloud and Outage. He designed the Cloutage Project to get real data to determine what is happening in the clouds.
Those terms combine to describe the two things the new website offers. First is a destination for organizations to learn about cloud-security issues. Second is a complete list of any problems around the globe among cloud service providers, said Kouns.
“I don’t know how the project is taking off, but I believe it will work. We have a pretty good framework,” he said.
The project will sift through data that supports five performance areas associated with cloud computing.
So far, the research has garnered over 100 incidents. Cloutage is tracking cloud vulnerability, cloud outages, and hacks/breaches in the cloud.
The last two categories involve data loss from retrieval failure of data stored in the cloud and what Kouns termed “cloud auto fail.” This occurs when cloud vendors send updates that are not fully tested and kill customers’ computers.