Rack Pack Blog

All the latest news and information from iomart Hosting

Give the cloud a break. Are the fears surrounding cloud computing security justified?

You couldn’t have escaped cloud stories this past week (quite literally if you’ve attempted to travel across European airspace). Volcanic ash aside, the computing topic that appears to have grabbed the attention concerns the physical security of the cloud, or rather the storing of data on a server somewhere in cyberspace.

Several vendors have stepped forward and launched cloud security products and several respected and authoritative sites such as the BBC and CIO have issued stories on the subject.

“Securing cloud computing is a shared responsibility requiring the active participation of cloud providers,” stated Jim Reavis, Executive Director, Cloud Security Alliance in one release. Adam Gross, senior vice president of marketing for Dropbox said the cloud needs the trust of users, a theme mirrored by Mike Elgan from Computerworld.com who warned users against being too trusting of their cloud provider.

And the BBC revealed that with so many students becoming ever reliant on free collaborative online tools, some colleges have gone as far as banning cloud computing completely. This is not entirely new information. Back in December 2009, a survey revealed that as many as three quarters of UK CIOs viewed security issues as a major barrier to adopting cloud computing.

So are there real issues with the cloud and security, will cloud providers have to up their game to gain trust, or are we witnessing, as in the case of the colleges, a knee-jerk reaction (or a convenient excuse to get homework in on time)?

The answer is probably a combination of all these scenarios to varying degrees, but to imply that the ‘cloud’ is insecure per se sets a dangerous precedent. Data protection is the responsibility of the data owner, simple as. The rules and policies for data protection don’t change because a company opts for using the cloud over other methods.

Way back in June 2008, Gartner issued a report, “Assessing the Security Risks of Cloud Computing”, which stated that cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing”. But are these not issues that any business will face when securing its data, cloud or otherwise?

James Staten, a Principal Analyst at Forrester Research, makes this point in his piece for CIO: “Security ultimately rests with you, the business - not the cloud provider”.

Indeed, there are some specifics that need addressing with cloud, such as determining the physical location of the servers to ensure that certain data does not reside outside of certain geographic boundaries, but overall the approach to using cloud should be the same as using your own infrastructure. And even this is not an insurmountable barrier. Perhaps it is inevitable that the hype surrounding cloud computing has left many with the impression that the cloud is some vaporous computing magic that hovers above the globe. It’s not.

The cloud is physically hosted in data centres and these data centres are in known locations. The fears raised around cloud security appear to be driven by a lack of distinction, or understanding, about the differences between public and private clouds. If you are seeking cast iron guarantees over the security and location of your data assets then you simply ensure that your cloud provider meets your requirements via the SLA and contract.

Sydney Water CIO Tim Catley made this point in an article with the Australian when stating that his organisation did use cloud services, and that the agreement with the provider involved knowing where information was stored. “We do have a major enterprise component that we run (in the cloud) and we know where that data sits, and we’ve been assured that the data sits there and it’s contractually written into the agreement. It’s in Australia and it has to be in New South Wales for us. So we know where that system is.”

And this example debunks another myth surrounding cloud. With cloud computing, you can choose to use a provider that offers full SLAs, including high availability and uptime guarantees.

Another argument suggests that the real, and key, fear factor for a CIO when considering cloud appears to be loss of direct control. When the company’s assets are safe in his or her own datacentre, managed by the company’s own employees, on systems that are directly managed then the creation of an audit trail and accountability is far simpler. The control remains with the CIO. In the cloud environment it is perceived that much of this control is outsourced, but none of the accountability.

But this argument is hardly armour plated. As this latest example of a major security breach illustrates, you can have the best systems in place but you can’t legislate for human error.

Last week a journalist with The Register (a major, influential UK IT news portal) received a Microsoft Excel spreadsheet, which was not encrypted or password protected, containing the full names and dates of birth of 10,006 people in jobs or applying for jobs where a UK Criminal Records Bureau (CRB) disclosure is required. The journalist received this file in error from a member of Gwent Police Force’s CID Data Management Unit who had used his/her email client’s auto-complete function when sending the file by email to five colleagues (one colleague having a similar name to the journalist, whose address had been auto-stored after two previous pieces of correspondence).

Amongst the many questions this example raises are: Why was the file not encrypted? Why was the file emailed? Why so many recipients in the cc field? The fallout from this latest high profile security breach is only just beginning and is set to run and run, but it clearly highlights that it is not the technology at fault but poor security practice.

In fact, deploying cloud architecture in this case could have prevented this situation from arising. The data files could have been held centrally, accessed via a secure dedicated connection, accessible only to authorised individuals, with only certain data sets visible, and all fully monitored for audit purposes.

Rather than scaremongering about security in the cloud, perhaps we would do better to remind businesses of their responsibilities and obligations in this area generally. After all, keeping, managing and maintaining data locally is fraught with hazards and risk.

Adopting a workable and failsafe data and security policy must be the starting point for any business. What data do you need, how do you collect it, how do you store it, who has access rights, how do you retrieve it, how do you protect it and what do you do should disaster strike? Once an organisation has determined its policy it can then consider its execution, and cloud can play an important role in this strategy.

Today’s cloud technology allows us to encrypt, back up and store critical data securely, relatively easily and cost effectively, delivering significant opex and capex cost savings (an important factor given that data growth rates are doubling every two years with IDC estimating that 45GB of data currently exists for each person on the planet: a staggering 281 billion gigabytes in total).

No one should claim that moving to the cloud suits everyone or that it is easy; the concept of successfully implementing a tiered infrastructure has baffled organisations for years. But this shouldn’t mean its benefits are dismissed out of hand for the sake of eye catching headlines. The arguments for cloud computing are too compelling to ignore, but we need to ensure that the hype - both good and bad - doesn’t saddle it with too many misconceptions that prevent businesses from making informed choices.

Security is a major concern, but it should be a major concern for any organisation no matter what its IT infrastructure, policies and practices.