It's a Long Road to a Secure Cloud
When it comes to cloud computing, the security and compliance landscape is riddled with pitfalls and continues to shift. During the recent RSA Conference in San Francisco, this viewpoint seemed to dominate the conversations between IT professionals, industry analysts and others who study the security industry. The RSA conference hosted more than 30 sessions and presentations dealing with cloud security, signaling a real hunger for reliable information on this topic.
My opinion is that cloud security, particularly public cloud security, is wholly inadequate.
Potential cloud customers who read the providers’ terms of service might be staying clear of off-the-shelf offerings – and for good reason. Study many of these offerings’ terms of service and you’ll see enough loopholes and ambiguity to scare any serious business manager. We are seeing adoption of private clouds hosted by the major cloud vendors, but in these cases we hear of “special accommodations” to augment the base security offerings if the deal is big enough.
Are the terms ‘secure’ and ‘cloud data center’ mutually exclusive? For example, many regulations presume that you know where your data physically resides. But to maximize cloud value, the providers must be free to move the data around. The data owner would need to prevent this as a matter of compliance – so the organization might as well just have a private cloud. Is this an example – possibly one of many – where cloud services and security/compliance are incompatible?
Even in private datacenter implementations, data replication and geographic distribution of data are normal, desirable activities. This is done as a precaution against data center disasters and to facilitate load balancing and routine maintenance. In essence, with the cloud the disaster recovery and load balancing scenarios are carried out by the operator of the cloud infrastructure. It is possible to specify the geographic distribution of data as part of the contract with the cloud provider.
Regarding compliance, I'm often asked who is legally liable (the cloud provider or the data owner) when data is found to be in breach of regulatory mandates such as HIPAA, PCI-DSS, EU Data Protection and so on, and the answer isn't always clear. Generally speaking, cloud service providers’ terms of service may seek to absolve the providers of legal responsibility in return for aggressive pricing. Too many customers don’t ask the hard questions and blindly sign the service agreements with little thought given to compliance and liability. On the other hand, for those companies (especially small and medium ones) where the quality of security is poor, even the middling safeguards offered by cloud providers can be a quantum leap in improvement.
In the case of many mainstream applications like email, CRM and collaboration (e.g. WebEx, LiveMeeting), cloud services promise to reduce the load on the customers’ IT infrastructure (software, hardware, network), delivering services that can evolve quickly at a reasonable cost. Every company is expected to do more with less, and cloud providers are in a strong position to off-load those applications that customers cannot otherwise afford to install or maintain.