Cloud computing — certainly a hot topic at the RSA conference held earlier this month in San Francisco — is in some ways being eclipsed by security and accountability concerns.
Who owns the data? Who is answerable if the cloud fails? Who is responsible if a virtual machine holding data from a company under strict governance is parked next to one that is unregulated on the same physical server? Why does it seem so easy for hackers to attack data that’s online, and if a corporation’s data is in a cloud that’s hacked, who has to stand up and take the licking?
Further, because cloud computing is a new field, it raises some questions that just didn’t crop up before. Questions such as, if the data from a U.S. corporation is stored on servers in some other part of the world, where it costs less, which legal system has jurisdiction? When data goes missing, what redress do enterprises have? Can you really trust some third party to handle your data with as much love and care as you do?
The Rose-Tinted View of the Cloud
“Cloud computing will complete the transformation of IT infrastructures unleashed by the Internet,” Art Coviello, president of RSA, said in his keynote speech at RSA 2010. “Organizations will demand it because they absolutely must get faster and better returns on their IT investments.”
Cloud computing is based on the concept of virtualization, which lets IT store several virtual machines on one physical server. This lets IT limit the number of servers it needs to buy and treat existing servers as a resource pool. During off-peak times, for example, some servers will be powered down, saving electricity and maintenance. At peak times, they will be powered up again to handle the increased workload.
All this can be done automatically by applying policies that dictate, for example, if the workload falls below level X, consolidate all the virtual machines onto servers A, B and C and switch off servers D through O. At peak times, turn on servers D through H and, during the off-peak hours, perform maintenance on serves I through O.
All very nice, sweet and flexible.
Looking at the Downside
However, it’s this flexibility of the cloud that could create problems. What happens if servers D and E run virtual machines with data that’s under strict governance, such as medical data? If you consolidate these onto servers running virtual machines holding less-strictly regulated data during off-peak times, you could be in breach of compliance.
Who is responsible when that happens? The cloud computing provider? Or the CIO of the enterprise whose data was moved around? Or both? What happens if a server is hacked through a less-secure virtual machine and the hacker then gains access to the more secure virtual machines, or gets to download them to his own servers, to break into at his leisure?
Coviello advocated a strict approach. Safety has to be designed and built into the cloud right down to the chip level so that all data in the cloud is safe, he said. Cloud service provides must pay more attention to governance and control, and must be able to tell compliance officers and auditors “just about anything they need to know,” with verifiable metrics.
Security Issues in the Cloud
Part of the problem with the cloud is that it’s not just one monolithic entity, Phil Dunkelberger, president and CEO of PGP Corp., said in his keynote speech at RSA 2010.
“People look at the cloud as a ubiquitous mass,” he pointed out. “In reality, it’s a whole bunch of other clouds linked together.”
The technology has opened up new problems that did not exist before. These include compliance, complexity, the proliferation of new threats and regulation. “You have Sarbanes Oxley, HIPAA, HiTech, state breach laws, and you can add laws in Europe,” Dunkelberger said. “All these regulatory issues are going to press on the ability to move data securely and freely in the cloud.”
HIPAA is the Health Insurance Portability and Accountability Act. It governs health data. HiTech is the Health Information Technology for Economy and Clinical Health Act; it encourages the use of electronic health records.
Who Owns the Data?
The question of who owns the data in the cloud is a thorny one that has yet to be resolved.
It’s one of the major concerns being raised by the state of Nevada as it contemplates putting its residents’ medical records online.
“We’re still struggling with the question of handing over peoples’ health records to cloud service providers,” Chris Ipsen, director of the Nevada Dept. of Information Technology, told TechNewsWorld at RSA 2010. “Once you give them the data, you’ll never get it back.”
Things get more complicated when cloud service providers have offshore data centers. “Your cloud provider may move your data to an offshore site where the government may not be as friendly to business,” PGP’s Dunkelberger explained. “This is the issue you have to spend the most time on because you have no control over your data once you’ve given it to the cloud.”
Is Security Just a Bogeyman?
It’s not necessarily true that cloud computing users lose control of their data, Steve Riley, senior technical evangelist at Amazon Web Services, said at a panel on the promise of the cloud at RSA 2010.
“I think that much of what we’ve all learned as security practitioners over time applies to the cloud as well,” Riley pointed out. “Giving up ownership of your infrastructure doesn’t mean you have to give up the security of the data.”
Still, more needs to be done to secure data in the cloud. “We vendors haven’t done a good enough job for you,” PGP’s Dunkelberger said. “We’ve hyped our technology and not delivered. If we’re going to build security solutions, they must be more usable. We’ve got to drive them very deep into the stack and automate them.”