During the course of 2010, most people would have heard the term ‘Cloud Computing’ at one stage or another. Some of us have a clear understanding of what this term means, whereas others are still grappling with this meteorological metaphor which refers to a class of technology destined to change lives forever.
Perhaps that last sentence was laying it on a little thick, but there is no doubt that benefits exist if you look for them. Below is a brief summary of the pertinent ‘cloud’ concepts before we delve into some of the security concerns still inherent when engaging with this technology paradigm. In ‘Cloud Computing’, users rely on another party to provide access to remote machines and software, whose whereabouts are neither known nor controllable by the user.
Cloud Storage – the scenario where a business stores and retrieves data from a data storage facility via the internet.
Software as a Service (SaaS) – the scenario where applications are run on a SaaS provider’s system and accessed by a customer, usually through a web browser.
Cloud Infrastructure/Platform – the scenario where the provider operates the whole computing platform or operating system for the customer, which is accessed via the internet. Applications can then be run on the cloud platform/operating system in conjunction with cloud storage.
Although this technology provides great opportunities to introduce efficiencies and reduce costs, its success has always been hampered by lingering security concerns. The three issues most often raised by SMEs are data protection, data location and access to data.
Whenever data protection is raised as a concern, cloud vendors will refer SMEs to the service level agreements (SLAs) and provide assurance that best practices are being adhered to. The real test of a vendor’s confidence, however, is their willingness to take responsibility for any losses experienced by the SME as a result of a breach.
The location of your data is a valid concern because cloud vendors often outsource data storage or use distributed, global data centres. How comfortable can a user be that they are complying with the data protection laws in their own country and the country where the data resides?
Who has access to your data? How does the cloud application handle user account creation, deletion and management? How does it manage the access and permissions granted to user accounts? These are valid concerns, as cloud services place a surfeit of valuable data from thousands of users in a single place, and access controls should be stringently applied. If the vendor applies too little rigour when checking the employment history and individual integrity of its staff, your data may be accessed by less-than-savoury individuals who do not have an allegiance to your organisation’s well-being. Any privacy discussion related to cloud computing acknowledges that most forms of cloud computing are in their infancy, and that immature technological structures are the order of the day.
Whether an SME outsources basic data storage services or utilises the entire platform offering, the consequences of a breach cannot be outsourced and therefore the responsibility for securing the data in question remains an obligation the SME has to address. Businesses interested in utilising cloud computing products must ensure they are aware of the privacy and security risks associated with using the product and take those risks into account when deciding whether to use it, especially if other individuals’ personal information is contained within the data. These security concerns are, however, no different from those that businesses have been facing for many years. The only change is in the delivery model of the services. It’s arguable that if a business takes its security seriously, the data may be just as safe in the cloud as if it were handled in-house; possibly more secure. The difference, however, is in the level of control that a business can exert to guarantee that security is maintained.
So if the migration of services to the cloud is a topic of conversation in your business, ensure that the requisite due diligence is performed, levels of service and assurance are defined, expectations clarified, and that security measures appropriate for your data are presented in a transparent manner throughout the vendor-client interaction. Ask to see software development procedures and policies, security testing policies, vulnerability disclosure policies and update schedules.
Hopefully this year’s mantra will be “2011 – Year of the Secure Cloud”.