Cloud: Security the priority

Data breaches and loss a fear for firms – but is it justified?

Security is still a major worry for companies looking to adopt cloud technology into their IT strategy, and major firms are reluctant to use it for highly sensitive business-critical information. But companies are not alienating the cloud altogether – rather, they are adopting a hybrid approach to using it, and it remains popular for less business-critical services.

Industry specialists say the risks associated with moving services to the cloud are no greater than those firms may already face within their own networks.

Recent news that cloud storage solutions provider Nirvanix voluntarily sought Chapter 11 bankruptcy protection, and that customers had until October 15 to seek an alternative solution, has provoked reactions by many concerned about the potential for businesses to lose valuable data by using this type of service.

Research reports have equally shown security is a worry in the cloud industry. A survey called The Notorious Nine: Cloud Computing Security Top Threats in 2013 by not-for-profit firm Cloud Security Alliance (CSA), which provides best practices and education for people in the industry, found that the worry of data breaches was the top threat, followed by data loss and account hijacking.

In May 2013, the CSA set up the Cloud Vulnerabilities Working Group, a global working group chartered to conduct research in the area of cloud-computing vulnerabilities.

The group released a white paper examining news articles on cloud computing-related outages between January 2008 and February 2012. It showed the top three vulnerabilities were “insecure interfaces and application programming interfaces (API)”, “data loss and leakage” and “hardware failure”. These accounted for 64 per cent of all incidents.

Zahl Limbuwala, CEO at software company Romonet, says: “In the last 18 months, we have seen the issues to adoption have primarily been security. How secure is my data going to be within the cloud? Is it going to be in the right protection jurisdiction? Those types of adoption issues have not fallen away so much.”

But Limbuwala says that, although security issues are still on the mind of chief investment officers, firms are adopting a different approach to using the cloud. “We are seeing a move towards taking the less essential services the CIO looks after for a business, and outsourcing them to a cloud provider,” Limbuwala says. “If a CIO or a business looks to outsource things to the cloud, it is not a case of saying, I have to put all my data in the cloud, business-critical or otherwise.

“They are saying, why don’t we move just the things for which we are not so worried about data security, either because it is not sensitive or not competition-critical and is not going to cause the business to fail?”

Studies by the Cloud Industry Forum have also shown firms do not wish to move all their systems to the cloud, and are adopting a hybrid approach. When asked if participants had any plans to move all services to the cloud, around 50 per cent said they would, but with caveats as to when, while the other half had no intention to move everything online.

The things companies normally move to the cloud, says Andy Burton, founder of the Cloud Industry Forum, include: “Desktop email, instant messaging and video – the technologies which are born for cloud. That type of technology is first adopted for the cloud service. Then, once they are confident about those brand-new technologies and low-risk projects, based on their experience and comfort zone with the service provider, they start moving more business-critical applications.”

Companies are taking steps to mitigate worries about security. Gavan Egan, vice president of sales at Verizon Terremark, which provides enterprises with IT infrastructure and security solutions, says: “If you look at giving someone else a job to do, there are security issues that come with that. You have to look at your cloud provider and say, do they increase my security or decrease my security? How do I know what I want to trust a provider with?”

Egan says Verizon Terremark works with companies from “their own business perspective” and what supports their business strategy. “The key thing is transparency. Companies want to see what level of security controls are around their data,” says Egan. “How they can map it back to what they are used to, how they can report it in their risk or security compliance reports. We work very heavily with customers to help them map the controls we have in place to what they need.

“Different companies have their own core competencies in what they want to do. A lot of companies are looking at hybrid cloud – they are going to put some data in the cloud and some they are going to keep.”

Although security risks are a concern, industry specialists say the threat should not be perceived as bigger than the normal worries firms face. “There will always be security risks for the cloud,” Limbuwala says. “To be honest I don’t think it will be any more of an issue than the security risks that exist within their own networks today. The internet has a much bigger issue in terms of security in general – these are fundamental issues, not a cloud-specific or privately hosted issue.”

  • http://www.cloudways.com/ Eddie Mayan

    CloudWays offers a consultation service regarding cloud security. It will be very useful to get in touch with it.

  • Ulf Mattsson

    I agree that “The key thing is transparency. Companies want to see what level of security controls are around their data”. I like the advice from the PCI Security Standards Council for all sensitive data:

    If you outsource to a public-cloud provider, they often have multiple data storage systems located in multiple data centers, which may often be in multiple countries or regions. Consequently, the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time.

    Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging. In a public-cloud environment, one client’s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually.

    I think that the good news here is that strong data-level security can be enforced on all sensitive or potentially sensitive data before it is sent to the cloud. I recently read an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study is “Tokenization Gets Traction”.

    Ulf Mattsson, CTO Protegrity
