Take the case of Cloud Compliance Inc., which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers.
For example, Cloud Compliance encrypts data in transit and gives customers the option of either encrypting data at rest -- on Cloud Compliance's Amazon-hosted servers -- or not putting any data in the cloud. The latter option involves a performance hit, since customers have to re-upload data into the cloud every time an application is run, but some customers accept that trade-off in return for a higher level of security, Forkish notes.
Cloud Compliance's external customers do ask about Amazon's security, Forkish says. The concerns they raise change from month to month, depending on what vulnerabilities the press has been writing about, he adds. Cloud Compliance will either address their concerns or, if it can't, pass them on to Amazon.
"In some cases, we don't get a response, and we figure this is a real issue, but they're working on it," Forkish says. But the recent Zeus botnet incident on Amazon, he says, "as far as we can tell, was not a threat over and above what we would expect for an Internet service, cloud-based or not."
Compliance in the cloud
Public clouds add a whole new set of issues to regulatory compliance -- issues that providers, users and regulators themselves are just starting to look at. HIPAA and Sarbanes-Oxley privacy and data-retention requirements weren't designed with cloud-based services in mind. "IT staffs have to figure out new ways to analyze and assess risk, and how to meet compliance requirements," Forkish notes. "Many compliance standards require being able to point where data is, which is impossible with a cloud. And there's legal discovery, getting access to data when required. Can discovery be done by a third party without your knowledge because it resides on cloud storage? These are examples of things I think will be worked out over the course of the next couple of years."
In the meantime, Forkish suggests, many businesses, especially those in highly regulated industries, will entrust their sensitive data to private clouds or traditional managed services "and maintain the status quo."
And then there are the pioneers like Logiq³'s Westgate, who says he sees cloud computing as "a natural evolution of how we are managing systems in this industry" and adds that the key question about this evolution "is not why, but why not?"
Elisabeth Horwitt, a freelance reporter and former Computerworld senior editor, has been reporting on information technology for over 25 years. She is based in Waban, Mass. and can be reached at ehorwitt@verizon.net.
This story, "Cloud security: Try these techniques now" was originally published by Computerworld.