When it comes to adopting cloud services, enterprises have trust issues. Surveys consistently show that security risks, legitimate or perceived, remain a top reason why enterprises don't adopt public cloud
All application models pose a risk of data loss or contamination created by unauthorized access. IT specialists have long recognized that there are three types of security problems: access security breaches that give unauthorized people a way to run applications; intercept problems that allow snooping into communications; and data security issues that can expose repositories to theft or damage. But these issues apply to all applications, whether they reside in a company's own data center or are hosted on a public cloud. For cloud providers, what's important is to manage both the perception of risk and the real incremental risks of customers adopting their cloud services.
Cloud security is so widely discussed among enterprises today that a failure to be aggressive in addressing it will make a provider's offering look shallow and out of touch.
President, CIMI Corp.
Some cloud providers—particularly some of their sales representatives—are reluctant to discuss security and compliance proactively, fearing that cloud computing security issues will overshadow the sales process. The most current industry survey data shows that enterprises are more likely to be concerned by a provider that does not take the initiative in cloud computing security issues. Cloud security is so widely discussed among enterprises today that a failure to be aggressive in addressing it will make a provider's offering look shallow and out of touch.
Standards, certifications mitigate cloud computing security issues
The most significant difference between cloud-based and enterprise-based applications is that in the case of the latter, the enterprise has control over the physical security of the data center. As a result, a cloud provider must demonstrate that the physical security of its cloud is at least equal to the physical security of a customer's data center.
The best way for cloud providers to show their commitment to cloud computing security issues is to certify against stringent security and compliance standards, such as ISO certification (ISO 27001), Payment Card Industry Data Security Standard certification (PCI DSS) and auditable controls over data center access. Demonstrable compliance to these standards is mandatory for cloud providers that expect to host mission-critical applications or sensitive data. All of these certifications should be supported by periodic—at least annual—audits and recertifications, and preferably an audit conforming to the Statement on Auditing Standards number 70 (SAS 70). The American Institute of CPAs (AICPA) has a full report on cloud computing standards and audit practices that can serve as a guide.
Some of these industry standards are important for reasons other than compliance. They lend credibility to a cloud provider's overall security practices, even in the eyes of prospective customers that aren't required to adhere to such standards.
Cloud providers must also consider industry-specific regulations and standards. Government security standards are generally based on the Federal Information Security Management Act (FISMA). In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is a mandatory compliance standard.
To address cloud computing security issues within these more specialized certifications, the
provider must decide whether to apply the standard across its entire cloud infrastructure or to
create "zones," or segments, of its infrastructure dedicated to the industries where the
certification is explicitly required or valuable. The general industry practice seems to be
evolving toward supporting all compliance standards across the full infrastructure. This ensures
that the cloud provider will have the maximum benefit from supporting the standard and improve the
economy of scale for its overall infrastructure.
Cloud computing security: Combat access and intercept vulnerabilities
Access and intercept security are often as much a problem for applications hosted in the data center as they are for those hosted in the cloud. However, virtual private network (VPN) encryption key management is more problematic in cloud computing because application images often contain the keys, making the application image a source of security risk. For these situations, providers should offer customers public key management tools to enhance security. There is some anecdotal evidence and industry analysis that users may ignore this issue even when improved VPN security tools are offered, so it may be prudent for cloud providers to make an explicit recommendation to prospective customers regarding VPN security.
Some cloud application models generate additional access security risk by exposing elements that would normally be secured behind enterprise firewalls. In hybrid cloud applications that need access to resources behind the enterprise firewall, service-oriented architecture (SOA) interfaces and back-end interfaces between Web and application servers may become vulnerable to attack through an Internet VPN. For these cases, cloud providers will need to offer "provisioned" VPN service options to enterprises, such as a Virtual Private LAN Service (VPLS) or Virtual Local Area Network (VLAN) over VPN, as well as specific firewall security options, to create a hybrid cloud security picture that will pass both the provider's audit and enterprise audits.
One new and somewhat radical solution to cloud computing security issues is what might be called "cloud virtual machines." These are software elements that run both in the enterprise and in each public cloud service, cooperating to create harmonized configurations for application execution and security. As a result, this makes the public cloud more like an extension of the enterprise data center. Cloud virtual machines are likely a solution for many compliance issues because they could credibly extend enterprise application-level compliance into the cloud. They are less of a solution for the physical security risks, so providers should consider the approach to be a step toward an auditable and secure environment—but not a complete solution for all the application models.
Cloud security issues around management, federation
A final consideration for cloud computing security issues is the security of management interfaces. Most cloud providers want to log all management access events—particularly for larger enterprise accounts—and routinely provide the log to the enterprise for review. Some providers are considering deploying a policy-based alerting mechanism to enable customers to receive instant message (IM), Short Message Service (SMS) or email alerts of activity on the management interface under specific conditions. These mechanisms could also be used to temporarily suspend management access when the interface appears to be compromised.
Cloud providers who are "federating" access to other public cloud services on behalf of the customer—allowing their cloud services to be combined with those from another provider—must also secure the federated management interfaces. Additionally, cloud providers must ensure that the specific compliance and security standards promised to the customer are maintained in all elements in the public cloud federation.
This cloud computing security issue is of particular concern to cloud providers that accept hybridizing/federating their cloud services with ad hoc cloud partners, which is sometimes suggested by customers as a professional support service. Fuzzy guarantees from other providers in this situation can result in legal risks for the cloud provider that owns the responsibility at the customer level.
About the author: Tom Nolle is president of CIMI Corporation, a strategic consulting firm specializing in telecommunications and data communications since 1982. He is the publisher of Netwatcher, a journal addressing advanced telecommunications strategy issues. Check out his SearchCloudProvider.com networking blog, Uncommon Wisdom.
This was first published in September 2011