Cloud Computing: The Calm Before the Storm

Advice 2010-11-25 14:06
Cloud

In the first part of this article, Leon Ward, senior security engineer for Sourcefire, looks at cloud considerations from an end-user perspective. Anthony Perridge, EMEA channel director for Sourcefire, goes on to review the impact that cloud computing will have on the channel.

Introduction
Enterprises across the world are hunting down the best way to scale their computing capability. Finding ways to work smarter has become increasingly important in today’s cost-controlled market. IT departments searching for a solution often demand that the infrastructure be quick, cheap and dynamic, and this is one of the reasons that Cloud Computing is being touted as a potential corporate game changer. Cloud Computing has been described as arguably the third revolution of IT, following the Personal Computer and Internet revolutions. But like most revolutions, progress towards widespread acceptance of the new regime is likely to take some time, amid suspicion, a lack of confidence, wise skepticism, and some false starts.

Many CIOs are in the process of moving applications and services into the Cloud. Some are considering Cloud-based computing for economic reasons, while others are looking to create new dynamic IT services.

Regardless of the reasons, many organisations contemplating a move to a Cloud environment are forgetting a potentially fatal element: security. Before an organisation can make a clear, sensible decision about a future Cloud strategy, let’s investigate where some risks lie, and work out where responsibility and accountability fall.

Ensuring a security evaluation is undertaken is a ‘must do’. Never simply assume that a service provider’s security is up to scratch. It must be checked. Matt Watchinski, Sourcefire’s Director of Vulnerability Research Team, endorses this view. He says that as more and more enterprises and organisations move their applications to SaaS platforms, some providers are bound to fail miserably. We haven't seen the major compromise, but this risk has to be on the horizon. So with storm clouds ahead, who is going to be in the dock when there is a failure? An understanding of accountability needs to be clear. Businesses using these types of services need to make sure they understand who is responsible for fixing these problems when they crop up, and who is legally accountable for the data loss.

Outsourcing your data to the Cloud does not equate to outsourcing the risk: if your Cloud provider were responsible for the loss of your customers’ data, you could still find yourself accountable.

Is Your Data Safe?
So why does all this matter? Using a public cloud for all or part of your IT infrastructure means trusting a third party to store your confidential records, and provide services that are likely to be essential to your business. Critical information is the modern enterprise’s equivalent of the crown jewels. It has immense value to that organisation, and you don’t want to be the individual to lose any of it. When a large amount of data comes together, its value, and therefore the risk of loss, increases substantially. In many ways this can be easily compared to currency. We are generally happy to walk around with £100 in our wallet, but carrying £10,000 would make us a little more nervous.

Instead we keep our personal savings somewhere “safe” and make informed decisions about where that safe place should be. No matter how good a lock I place on my front door, like most of the world I choose to outsource this protection and keep my savings in a bank rather than trying to do a better job securing it myself, say in an old mattress in the loft. We need to adopt the same instinct with our data, because there is a big difference between 100 and 10,000 customer records.

Society understands that money is safer being stored in a bank than at home primarily due to the economies of scale involved in its protection. Banks are not only looking after my life savings, they are doing the same for many other people and therefore need to invest wisely to ensure huge quantities of cash are kept safe. This safety and protection is core to their operation in the market. A similar argument is made by Cloud Computing vendors about the safety of your information stored off-site in a shared Cloud. However, just as with a bank, the aggregation of vast quantities of data in their environment makes it a far more attractive target to those with nefarious goals. So should you trust your company’s data in a shared Cloud the same way as you likely trust your valuables in a bank? Well, let’s look at the general reasons why society puts faith in bank security over trying to protect things ourselves.

•    Accountability for loss: If my bank is robbed or burgled, my investment with them is still safe because of the bank’s insurance.
•    Survived the test of history: Banks have been around for a very long time, and so have experienced all manner of attempts to steal from them. Overall the majority have done a good job of keeping things safe and secure.
•    Heavy Regulation: All banking organisations must follow strict codes of conduct when it comes to adequate protection of my deposits from theft.

These points are not necessarily true for the protection of our critical information in an external shared Cloud infrastructure. This therefore raises some open questions about the guarantees of the safety of that data, and potentially your own crown jewels.
