Cloud // Cloud Storage
Commentary
11/11/2009
03:23 PM
Alexander Wolfe
Alexander Wolfe
Commentary
Connect Directly
Twitter
Facebook
RSS
E-Mail
50%
50%

Cloud Security In Focus Amid Data Theft Fears

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.Cloud security reared its head most recently, with Trend Micro chief technology officer Dave Rand being quoted as saying: "Between now and widespread adoption [of cloud computing] we will see massive data theft occurring as people move into the cloud."

Since adoption is ramping up, one can infer that such thefts are already ongoing. (Or, more scarily, one can take a short intellectual leap from my post, Admiral Warns Cybersecurity Threat Looms For U.S., and assume that cloud data thefts are already rampant, we're just not hearing about them.)

It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet. Also, as I mentioned up top, our processes have not yet caught up with our financially induced rush to shed more secure (because they're better, though not entirely, hidden) self-hosted apps, in favor of the promised capex savings of SaaS equivalents.

The most succinct summary of the problem comes via the document, "Security Guidance for Critical Areas of Focus in Cloud Computing," which I encourage you to download from the Cloud Security Alliance [pdf is here], which speaks of the erosion of the traditional security perimeter:

"It is clear that the impact of the re-perimeterization and the erosion of trust boundaries we have seen in the enterprise is amplified and accelerated due to Cloud."

Operationally, one can analogize purchasing cloud services to owning a car. The manufacturer (or, in this case, the vendor) is responsible for creating a safe product. However, practically speaking, the buck stops with you the user as far as ultimately ensuring safe operation.

[Another way of viewing this is, cloud users have service level agreements, most of which have fine print blowing off responsibility for security. So maybe if there's a breach, you can still have your legal department sue the crap out of someone, but as the computer person in your org, that buck to which I referred will still be stopping at your desk.]

This means that cloud users cannot cede security to their provider. Adding complexity on top of this admittedly simplistic advice is the nuance of different clouds presenting different challenges. Or, as the Cloud Security Alliance's paper puts it:

"The key takeaway from a security architecture perspective in comparing the [different SaaS] models is that the lower down the stack the Cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing themselves."

Where does these leave us? Process-wise, right now both users and providers are groping towards a solution. As the CSA doc summarizes it:

"The relative maturity of Cloud Services will lead to history repeating itself with respect to security issues. Consumers, Businesses, Cloud Service Providers, and Information Security and Assurance professionals need to collaborate to shine a light on the potential issues and solutions listed above and to discover those not yet identified."

Next time, I'll take a look at some of the technical solutions being floated to address security in the cloud.

See also:

Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security, and

Wolfe's Den Podcast: Trend Micro Takes Security To The Cloud.

Follow me on Twitter: (@awolfe58)

What's your take? Let me know, by leaving a comment below or e-mailing me directly at alex@alexwolfe.net.

Alex Wolfe is editor-in-chief of InformationWeek.com.

Comment  | 
Print  | 
More Insights
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.