Security in the Cloud: Should Companies Put More Trust in Hosted Data?
Concerns about data security and privacy are among the biggest reasons corporations have hesitated to move applications and IT infrastructure components to the cloud. That appears to be easing off to some extent as companies become more confident in the ability of cloud service providers to ensure data protection.
That doesn’t mean organizations are reckless when it comes to jumping into the cloud. Enterprises know all too well they need to ensure that hosting providers are delivering services that are not only secure but also easy to monitor so they can satisfy regulatory and auditing requirements.
That’s especially true for heavily regulated industries, such as healthcare and financial services, where patient and customer privacy is extremely important.
“What we’re seeing is more organizations are becoming accepting of the concept of cloud computing and are no longer deeply concerned about security and privacy of the data in the cloud,” says John Howie, COO of the Cloud Security Alliance (CSA), a nonprofit organization that provides educational programs and promotes the use of best practices for providing security within cloud computing.
“They’re no longer worried about what cloud providers are going to do with the data,” Howie says. What companies are concerned with is how they can use the cloud and remain compliant with industry and government regulations as well as their own risk tolerance, he says.
A Campaign of Trust and Reassurance
For years, many organizations in a variety of industries have avoided cloud services, in particular public cloud offerings shared among many customers, because they did not like the idea of putting critical business data in the hands of outside providers that were offering shared hosted services. They could not accept the idea that some of their most sensitive and strategic data would be residing on servers owned and operated by other companies.
Cloud vendors initially did not do enough to quell these fears, Howie says. It wasn’t that vendors failed to provide secure services; it was that vendors were not transparent enough in showing customers exactly how secure their data would be.
“In the past, they did have very secure infrastructures,” Howie says. “But they might not have exposed the information companies needed in order to prove to regulators and auditors that they were compliant and what the state of their security was.”
However, that too is changing, and providers need to continue in that direction in order to win over new customers. “The providers have gotten much better about understanding the requirements of consumers of cloud services, a much deeper understanding of what their requirements are, especially around compliance,” Howie says.
Many cloud providers have launched “campaigns of transparency” in which they are revealing all types of information that, in the past, would not have been available, Howie says.
In fact, there is now an overabundance of information that companies can download and sift through to determine whether a cloud provider is doing all the right things with regard to security and privacy.
“That’s where we are today; many organizations want to move to the cloud, but they are still uncertain because there is too much information,” Howie says. In many cases, they are looking to organizations such as CSA for guidance and recommendations on service providers.
Configuring the Cloud for Your Industry
Some experts think hosted public-cloud services are still not secure enough for some industries.
“There are public clouds [such as Rackspace Cloud and Amazon’s EC2] that do not have additional security measures in place,” says Joshua Knapp, manager of engineering at Lunarpages Internet Solutions.
For businesses that require compliance with the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), “we recommend private clouds or at the very least hybrid clouds,” Knapp says. “Public clouds have improved in the sense that the compute layer is completely isolated, but you are still limited to how much security you can put in place for network communication and storage.”
While the compute layer is better secured, Knapp says, “your network and storage layer still have potential for compromise. If a customer needs to meet compliance levels, a private cloud is still the best solution possible.”
The hypervisors that public cloud providers use have been updated to isolate customers better, Knapp says. “Xen, KVM and VMware all use hardware technologies to allow each customer access to the hardware without compromising security.”
Two-factor authentication is becoming more commonplace and easier to implement, Knapp says. “This will again lock down the computer and the running [virtual machine] but does not protect the data that is transferred over the network or storage at the host level.”
Public cloud providers are continuing to try to strengthen the security of their services through the latest technology, but in many cases they are not doing it alone.
“All the major providers are doing research in this area,” Howie says. “But rather than building new services, we’re seeing them partner with organizations that have very mature, workable security solutions.”
For example, providers are working with encryption technology and vulnerability-scanning companies and with organizations that provide secure, dedicated access. “We’re seeing cloud providers reach out into their partner ecosystem to provide a suite of services to cloud consumers so they can decide what to use,” Howie says.
For companies that are using the cloud, or are planning to, it’s important to remember that security is a shared responsibility, Howie says. Depending on the type of cloud model, the customer has more responsibility in some cases than in others.
For example, with infrastructure cloud services, the customer is responsible for ensuring that firewalls are in place and that there are strong passwords and access controls. With software-as-a-service offerings, far less of the security work falls to the customer, since the provider operates the application stack.
“It really is about ensuring a balance between the provider and the user to make sure everyone is doing exactly what they need to do,” Howie says.