Cloud Security Growing Up

Whenever the subject of cloud computing comes up, there are two facts that seem to dominate the conversation.  The first is that enterprises and small businesses would desperately like to make greater use of the explosion in new cloud services and offerings.  However, the discussion will usually turn rapidly to the fact that the potential of the cloud remains out of reach for many business uses.  The reason?  Security.
By Kevin Steinhardt

Concerns over the security of information in cloud infrastructures, especially public cloud infrastructures, continue to stifle adoption of cloud services and shackle many organizations to traditional approaches to providing business IT services.

Fundamentally, the concerns over cloud security fall into two broad buckets: concerns over availability, and concerns over confidentiality.  And it’s not hard to see why businesses are afraid to plunge into the cloud.

In March 2011 a prolonged period of interruption to Amazon’s Elastic Block Storage (part of the AWS offering) caused a large number of websites to go suddenly, and painfully, dark.  While the problem was nothing more sinister than a simple administrator error, it did cause many to rethink the assumption that “cloud” implied “always on.”

While the need to protect against service interruption is worrying, the solution is at least reasonably well understood — not relying on a single service or service provider.  Even during Amazon’s rather infamous March outage, those organizations that had planned ahead for such an eventuality suffered far less than those who had not.

Keeping information in the cloud confidential is a more difficult proposition.  In June 2011, cloud storage provider Dropbox also suffered a simple administrative error.  But rather than rendering systems unavailable, it had quite the opposite effect.  For a period of four hours *everything* was available.  Access to Dropbox storage accounts suddenly, and unfortunately, no longer required the correct password.  While Dropbox quickly remedied the problem, the fact that it happened at all underscored the concern that businesses already felt about storing information in the cloud.  Specifically, who’s watching the security on this stuff and who has access to it?

So are these concerns justified?  Well, probably.  While service providers like Amazon and Dropbox clearly provide great value, and rarely make mistakes that cause problems, such mistakes are inevitable in the long run.  And as more and more data moves out into the cloud, so the impact of mistakes, failed security controls, lax hiring procedures, or disgruntled insiders will continue to affect more and more customers.

Yet none of these are new to businesses, and with good planning, such problems can be overcome or, at least, minimized.  And therein lies the rub, because it is the difficulty of planning for such events that causes such concern.  The integration of cloud and traditional security practices is not a simple one.  Technical, as well as process, hand-offs are often unclear to both provider and customer alike, and this complexity introduces opportunities for both accidental and malicious attack that are new to many organizations.

However, what if, rather than being only the source of security concerns, the cloud could also offer a solution?  In September the Cloud Security Alliance released their first whitepaper defining Security as a Service, offered through the cloud.

The idea behind the paper is to start to define the various security services that could be offered as cloud-hosted products, including such areas as encryption, security information and event management, email security and so on.

What we are seeing, then, is an emerging and maturing element to cloud security, and it opens up some interesting possibilities.

For example, by creating security services specifically hosted in the cloud, confusion over who has responsibility may be reduced, as new vendors emerge to essentially ‘own’ many of the cloud-specific problems.  This approach of delivering security services through the cloud also offers up the prospect of broadening the types of security technologies available to small and medium businesses who may have been unable to afford them in the past, or to help larger organizations reduce their IT security spend without impacting overall security capabilities.

Finally, it may allow businesses to more clearly and cleanly ensure segregation of duties between the cloud service provider (for example, a storage provider) and the security functions, which could now be delivered through a specialized third party.

It’s now clear that cloud computing is evolving and maturing fast.  While the cloud definitely causes IT security and compliance organizations considerable headaches, the possibility exists that cloud-specific security services may actually benefit everyone in the long run.  Most importantly, they may enable organizations of all kinds to safely, and securely, move more fully into the cloud.
