In for stormy weather

Highly publicised incidents involving cloud services threaten to undermine one of IT’s most hyped innovations. But is there a sure-fire way of securing the cloud?

By Staff Writer. Published October 10, 2011

Cloud computing has undoubtedly been one of the most trumpeted developments in enterprise IT over the last few years. The attention is not without justification, though, as the benefits the cloud promises include reduced capital spending costs, greater organisational agility, and simpler management of applications and IT infrastructure.

However, the question of cloud computing’s security, or perceived lack of it, has become a major point of contention. Cloud critics and cloud sceptics will therefore have felt somewhat vindicated in recent weeks by two highly publicised incidents concerning popular cloud services.

The first of these involved US e-commerce giant Amazon’s Elastic Compute Cloud (EC2), arguably the best-known of all cloud services. In the early hours of April 21, the infrastructure-as-a-service (IaaS) platform began experiencing technical problems, impacting the accessibility of popular social networking sites running on the service, such as Foursquare and Quora.

The glitch, which Amazon claimed was triggered by a “networking event” at its Virginia data centre, continued to affect users of EC2 several days after the problems began. A small number of volumes stored on the service were said to have been permanently lost. Before the dust had even settled on the incident, another cloud catastrophe hit the headlines, when electronics behemoth Sony reported that the security of its online video game platform PlayStation Network had been breached by hackers. In the fallout of this event, Tokyo-based Sony admitted that up to 100 million players’ personal data had been stolen, a not insignificant volume of it related to users’ credit cards.

Despite these incidents, and several other prominent examples in the recent past, cloud computing is gaining traction among enterprises. A report published by IT analyst firm Ovum in May 2011 showed that 45% of multinational businesses around the world had adopted cloud services to some extent, compared to 28% when a similar investigation was conducted last year.

Further research shows that rising cloud deployments have not coincided with more stringent security measures. A separate investigation, by the Ponemon Institute in association with CA Technologies, found that 79% of surveyed cloud providers allocated less than 10% of their resources towards security. Perhaps more tellingly, 69% of these vendors claimed that security was entirely the responsibility of the end user.

It is no wonder then that IT industry security experts continue to warn and advise businesses on how to ensure a safe passage to the cloud.

James Lyne, senior technologist at Oxford, UK-based IT security firm Sophos, believes that at least some of the complexities around cloud security stem from the muddy definition of the concept itself. “One of the biggest challenges with cloud is that it’s a vague term that gathers together a huge collection of similar technologies and products, and as a result it’s hard for people to understand the security threats and how to deal with them,” he claims. “The expectation is often that you just type in your credit card details and the provider will act in your interests.”

This is certainly not the case though, Lyne believes. Before signing a contract with any cloud vendor, he continues, it is essential to ascertain where responsibilities lie with each party in the provider/customer relationship. “It’s critical that you create a contract with the provider that outlines what security controls they will run, how they will notify you if there is a breach, how they will monitor developing compliance regulations and your exit strategy in the event they do not perform,” he remarks.

Maher Jadallah, MEA regional manager at Sourcefire, a developer of network security products, advises that businesses thoroughly audit any potential cloud vendor before agreeing to procure any service. “You should have a clear picture of their security infrastructure and policies; the level of security training their personnel receive; their physical access controls; their patch management, vulnerability assessment, and logging policies; and their firewall and intrusion detection and prevention systems,” he explains. “If the cloud provider outsources security to another vendor you need to understand their contractual obligations.”

The security considerations do not end after selecting a cloud provider. There are several IT infrastructure surfaces that require intrusion protection, reckons Mashood Ahmad, regional MD, Ciena Networks, with one of the most obvious of these being the network.
