Wall Street & Technology is part of the Informa Tech Division of Informa PLC

Adoption of Cloud Computing Hindered by Security and Operations Concerns

It's not that the major cloud providers can't provide strong security. The problem is that they won't talk about it.

The biggest hurdle for cloud computing on Wall Street right now -- especially among large firms -- is a lack of visibility into cloud providers' operations and security. "At the moment, cloud providers seem to want customers to treat them like a black box," says Craig Balding, founder of blog Cloud Security and technical security lead for a Fortune 500 financial company.

Security is the biggest concern. "We just went through several years of legislation that basically says you have to know where your customer data is, you have to prove that you're protecting it and you have to know who's accessing it," points out Robert Richardson, director of the Computer Security Institute. "Now with cloud computing we're hearing, 'You can't know where your data is, you can't prove that it's being protected and you can't know who's accessing it.' "

Amazon Web Services has put out a security white paper that shows the provider is trying to address the visibility issue. But large companies will require more details and reassurance on the security front, according to Cloud Security's Balding. "Most serious discussions will happen under nondisclosure agreements," he says.

In its paper Amazon says physical access to its data centers is "strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion-detection systems and other electronic means." But Amazon won't tell you where its data centers are or let customers see their own servers, and the types of security being deployed are described in general terms without revealing specifics, Balding notes.

The white paper should be enough to satisfy small and midsize businesses but not large firms, which are used to standard outsourcing arrangements under which they can get a guided tour of the third-party data center, ask lots of questions of technical and security experts, and hand the provider an extensive questionnaire to fill out, he continues. "Firms are used to doing full due diligence on the provider, developing a custom contract with specific security clauses and obtaining a private network connection to that provider," Balding says.

Customers of cloud services from providers such as Amazon, Google and Yahoo! don't have the luxury of such in-depth explanations and customization. "There's a certain level of shyness from the security teams," Balding notes. As with any large organization, he adds, "It's natural to not explain to all your customers every last security detail and nuance of how the operation works."

Navigating Cloudy Skies

This lack of transparency, however, raises questions. For instance, how can companies obtain audit trails from cloud computing instances and add them to an enterprise logging system -- both to know what users are doing and to meet auditors' requirements?

"You can't ... drive over to your site in three hours and review the log file," Balding says. "First of all, you don't know where the data centers are." (In fact much speculation and many blogs and articles have been devoted to figuring out where Google's data centers are located.) He adds, "That's not necessarily a problem as long as you have a contract in place" that covers concerns such as audit trails.

Another question is what happens in the event of an outage. Some providers offer service credits, but this may be inadequate for firms that can lose business even during a short outage. "Service credits don't leave you with a good feeling," Balding comments.

To protect cloud providers' clients, he says, "I'd like to see digital contracts [i.e., contracts whose stipulations are automatically enforced by software] that specify requirements" such as the geographic location where data will be processed, security mechanisms the vendor will follow and legal recourse in the event of a problem.

Portability vs. Walled Gardens

On the wish list of potential cloud customers is the ability to switch from one provider to another. "Amazon and Google are walled gardens," Balding says. "You can't take an app from Google and bring it over to Amazon because they're architected differently." Ideally all the major cloud providers would connect and integrate with each other so that customers could easily transfer to a different provider.

Standards will help with this, but "the usual conundrum comes up," Balding says. "One group of people says we need standards; another group says if we put standards in now, we'll stifle innovation. We're at such early days with the cloud that having a set of standards everyone has to comply with now would be too early."

Despite the challenges, security practitioners cannot ignore the cloud or get caught up in all the hype, Balding suggests. "There's so much momentum behind it that the best thing to do is come up with practical solutions to concerns," he says. For instance, a good first step is to find out who in the organization is currently using a cloud provider, determine what they're using it for, and present this information to management as a reason to start understanding cloud security better and to start a dialogue with a cloud provider.

Inevitably CFOs will be drawn to cloud computing, Balding says. "The challenge for security people is to understand what the issues are and to get answers to the questions they have," he says.
