It's still a long, hard climb to get to a high level of security in cloud computing, according to Gartner research vice president Jay Heiser, who said business and government organizations with sensitive data appear likely to hold back from cloud-based services until things improve.
"Finance tends to be more conservative about cloud computing than small business," said Heiser in his online presentation to Gartner clientele yesterday. In "Prepare for and Minimize the Security Risk of Cloud Computing," Heiser expressed the view that it's somewhat simpler to establish a security baseline when using infrastructure-as-service (IaaS) than it is for software-as-service (SaaS) if only because there's more flexibility and less dependence on the competence of the service provider. But overall, cloud service providers aren't as clear as they should be concerning matters such as their business continuity and disaster-recovery practices, making it hard to win customer confidence.
"Gartner clients are almost universally disappointed" by what they regard as the incompleteness in cloud-computing contracts where they still don't see the level of specificity related to security they expect, said Heiser. "Cloud contracts are incomplete," he emphasized.
The struggle to define both technologies and legal obligations between the cloud and the customer is a topic that has been taken up by both the federal government in its FedRAMP program that seeks to certify cloud-service providers for government use, and the organization Cloud Security Alliance (CSA), which has several working groups pouring enormous effort into defining industry standards.
Heiser also pointed out that the American Institute of Certified Public Accountants (AICPA) has replaced its SAS70 certification with what's service provider certification called with SOC 1, and there's now a SOC 2 and SOC 3 as well to indicate service provider systems trust and security.
But while applauding all of these standardization efforts for security in cloud computing as significant, Heiser said FedRAMP, which is supposed to be operational next year, and the CSA standards are still early projects and their impact may be years away. Heiser had similar sentiments about the ISO/IEC 27017 cloud security standard and the 27018 cloud privacy standard. All of these cloud-computing security efforts are worthwhile but they will take somewhere between a year to five years to be considered mature, he says.
In the meantime, businesses and government have to pin down their requirements and evaluate potential cloud services and their security options as well as they can. The starting point should be looking at the sensitivity of the data going into the service, Heiser says. Companies have to ask questions such as what kind of impact would be the loss of it be, is it of critical competitive value, and is the data subject to regulatory concerns. "It comes down to determining the appropriateness of the service," he says.
The most mature and readily available security controls today in cloud computing are associated with identity and access management mechanisms and server-based encryption, he said. But cloud customers have to ask how encryption keys are managed and stored and if the risk is acceptable, he noted. Gateway-based encryption, or what's sometimes called a broker gateway or proxy, is another option, and it's changing quickly, he added. Forensics investigations are not really viable today, he noted, and in terms of overall security controls, it will probably take five to 10 years to really see a "solid set of technologies" for cloud computing.
The economic appeal of cloud computing is strong and sometimes it does appear economic benefits outweigh potential risks. Gartner is advising clients in general to allow low-sensitivity data to be considered for cloud services; but if it falls in the "medium" range of sensitivity, there's a strong need to conduct a risk assessment. And if the data is of high sensitivity, it should not be considered feasible or permissible for cloud services.
This process also means making sure that the business managers are engaged and realize they "own" the data, and are up to speed on the risks associated with cloud computing, says Heiser.
Nonetheless, cloud services providers rarely offer any indemnification against hacking, Heiser says. And SaaS remains more "mysterious" than IaaS in terms of making it clear how they really operate even as customers basically enter into a kind of supply chain cloud. Since one risk is that a cloud provider might go out of business, there needs to be assurance that the provider can return data or has a contingency plan for back-up. When the Mumboe SaaS went out of business two years ago, they gave customers two weeks to go get their data back, mentioned Heiser. That was a wake-up call of sorts that clouds sometimes do evaporate, and plans need to be made for these kind of downpours.
Even at some of the household names in cloud-computing today — Amazon, Google, Microsoft — there have been instances where data has disappeared, at least for a time, or never returned, says Heiser. "Restoration is not an easy process," he adds. "Put loss of service and availability at the top of your list." Live upgrades of services can lead to widespread data corruption, he pointed out.
IT managers have become accustomed to the idea they have control over what they can do in-house in terms of the application, services, servers, storage and network, and security. He says they need to fully realize that this accustomed level of flexibility isn't going to be there in cloud computing by its very nature.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org.