Security is the bogeyman of cloud services. Nightmare scenarios about data leakage and access breaches scare many...
prospective customers away from adopting cloud services. These are the fears that cloud providers must be prepared to dispel.
It's not enough for cloud providers to mitigate cloud security risks. To earn customers' trust, cloud providers must also be direct and transparent with customers about how they're confronting those risks, according to Bryan Doerr, CTO of Savvis, who recently spoke with SearchCloudProvider.com to discuss the cloud computing security issues facing providers. And don't miss part two of our Q&A with Doerr, which focuses on building a secure cloud, from multi-tenancy to hybrid hosting.
When customers say they're worried about cloud computing security issues, what exactly are their concerns?
Bryan Doerr: When cloud solutions emerged, [customers weren't] fully understanding what the solutions were, and the language around cloud was [overused] and had not necessarily been indicative of anything specific. What we found was they just had this vague concern that, 'If it wasn't in my data center and it's in somebody else's solution, there's a security downgrade that's occurring.' It wasn't specific to anything because there wasn't, in many cases, a lot of understanding of what was meant by 'cloud.' I think the heart of the security concern was more, 'If it's not inside something I control, there's going to be a security angle I have to worry about.' But that was quite some time ago.
As the industry has gotten better at defining the services -- and as customers have gotten smarter about the [cloud computing] technologies and what they are and what they aren't -- two tracks of concern related to security have emerged. The first track [of cloud computing security issues] was based around this idea that the cloud technologies that were available oftentimes didn't allow a data center designer or operator to basically provide the same kind of security that they provided to themselves. And notably, if you didn't take great, great care and possibly even after [doing so], you could be running your application in the cloud in a manner less secure than when you were running it in your own data center. That's a very real concern: ‘If I don't have the same tools available, then I may not be able to deliver the same kind of security I had previously.’
The other track of concern was that this was the first time many people were thinking about multi-tenancy -- the idea of running their applications with other companies in the same physical infrastructure. That, of course, was for many a brand new concern in that they've never dealt with that before. They're trying to understand how the environments from one customer in the cloud to the other customer in the cloud were isolated and what risks or vulnerabilities existed. [The notion] that somebody who might have malicious intent could compromise the security of the cloud and gain access to other tenants of the cloud all became very much of a 'black box' of concern. To some extent, we still are in that mode.
So, what do cloud providers need to do to address these cloud computing security issues?
Doerr: Regarding the former concern [about having adequate security measures], customers are getting better about asking the right questions, and service providers are getting more advanced in the services they're providing, so the available cloud security is improving. I think we're converging on understanding [cloud computing security issues] and [developing] capabilities that will ultimately produce security capabilities that are on par with what's available in the private data center.
On the multi-tenant concern, the only way for that to really be mitigated is for service providers to: A) Go through the diligence necessary to ensure their environments are very much protected from another; and B) Be willing to share the designs for that separation with customers. In other words, a degree of transparency [is necessary] because without the transparency and a full explanation, [customers] will only have what you, as a service provider, are saying in defense of the security capabilities for the cloud.
As we go forward in time, security concerns and responses to those concerns are evolving in new directions. One of the prominent [cloud computing security issues] now is in the non-technological aspects of security -- processes, roles, scope. [It includes] the ability to constrain what a certain role in the business is capable of doing through the portal that is provided, and the degree to which the activities are accomplished within that portal can be integrated at a process level into the [IT] organization itself.
Just to give you an example: Once upon a time in the private data center, IT departments had very rigorous processes they followed for application and infrastructure deployment, [and] infrastructure troubleshooting and changes, and all these things were meant to be ensure security and high availability. Roles of their employees were designed -- assistant administrator, security engineer, network engineer -- and physical devices helped make sure those roles were respected. The security engineer may not have had a login to the network router. The system administrator couldn't make firewall changes and the like. So those processes and role-based access permissions were combined in a way that produced good security.
Now you go to the cloud and you've got a portal with a login that is shared amongst multiple employees who can do anything to the environment. Well, a lot of [those roles and processes] just kind of disappeared. So, the cloud providers and customers are expecting more in this area. This is evolving and certainly some providers have crafted capabilities, Savvis included.
What is Savvis doing to be transparent with customers who are concerned about cloud computing security issues?
Doerr: Savvis targets the enterprise marketplace, which is in many ways the most demanding on this side. They have the people who have as their job chief security officer responsibilities. They have a great deal of obligation to [ensure] compliance requirements are satisfied in the organization ... and we are getting very good at helping our customers understand [the cloud computing security issues] and at being transparent about what it is we've designed into our solution. [We] give them both the technical features they're looking for and the awareness of our design so that they can be confident their environments are protected in a multi-tenant configuration.
Doerr: The level of security practice across the large population of companies is pretty broad. It's very high in some and very low in others, and I think a lot of the concern is from folks who, on some level, may have not been as attentive to those kinds of concerns. We've been worrying and dealing with security concerns for a long time. Yes, we believe the threats are getting more and more advanced. We have to continue to find ways to defend against those, and there's definitely been marked uptick in the amount of threat that's in the world, from a network and security perspective. This job is never finished, but it didn't change tenor or become any more urgent as a result of recent events. It's just a very good reminder of why it is we do what we do and why we keep trying to get better.
Continue to part two of our Q&A with Savvis, which focuses on building a secure cloud, from multi-tenancy to hybrid hosting.
Let us know what you think about the story; email: Jessica Scarpati, Site Editor.