The latest BriefingsDirect podcast focuses on exercising caution, overcoming fear, and the need for risk reduction on the road to successful cloud computing.
In order to ramp up cloud-computing use and practices, a number of potential security pitfalls need to be identified and mastered. Security, in general, takes on a different emphasis, as services are mixed and matched and come from a variety of internal and external sources.
Will applying conventional security approaches and best practices be enough for low-risk, high-reward cloud computing adoption? Is there such a significant cost and productivity benefit to cloud computing that being late or being unable to manage the risk means being overtaken by competitors that can do cloud successfully? More importantly, how do companies know whether they are prepared to begin adopting cloud practices without undue risks?
To help better understand the perils and promises of adopting cloud approaches securely, I recently moderated a panel of three security experts from Hewlett-Packard (HP): Archie Reed, HP Distinguished Technologist and Chief Technologist for Cloud Security; Tim Van Ash, director of software-as-a-service (SaaS) products at HP Software and Solutions; and David Spinks, security support expert at HP IT Outsourcing.
Here are some excerpts:
Van Ash: Anything associated with the Internet today tends to
be described as cloud in an interchangeable way. There's huge confusion
in the marketplace, in general, as to what cloud computing is, what
benefits it represents, and how to unlock those benefits.
The [cloud] provider is committing to providing a compute fabric, but
they're not committing, for the most part, to provide security,
although there are infrastructure as a service (IaaS) offerings emerging today that do wrap aspects of security in there.
You see more responsibility put on the provider in the [platform as a service (PaaS)] environment, but all the classic application security vulnerabilities very much lie in the hands of the consumer or the customer who is building applications on the cloud platform.
With software-as-a-service (SaaS),
more of the responsibility lies with the provider, because SaaS is
really delivering capabilities or business processes from the cloud.
But there are a number of areas that the user is still responsible for, i.e., user management, ensuring that there are perfect security models in place and that you're managing the entry and exit of users as they enter or leave a business. You're responsible for all the integration points that could introduce security vulnerabilities, and you're also responsible for the actual testing of those business processes to ensure that the configurations you're using don't introduce potential vulnerabilities as well.
...Typically, what we see is that organizations often have concerns. They go through the fear, uncertainty, and doubt.
They'll often put data out there in the cloud in a small department or
team. The comfort level grows, and they start to put more information
Reed: If you take the traditional IT department perspective
of whether it's appropriate and valuable to use the cloud, and then you
take the cloud security's perspective -- which is, "Are we trusting our
provider as much as we need to? Are they able to provide within the
scope of whatever service they're providing enough security?" -- then
we start to see the comparisons between what a traditional IT
department puts in play and what the provider offers.
If you're a small company, you generally find that the service providers who offer cloud services can generally offer -- not always, but generally -- a much more secure platform for small companies, because they staff up on IT security and they staff up on being able to respond to the customer requirements. They also stay ahead, because they see the trends on a much broader scale than a single company. So there are huge benefits for a small company.
But, if you're a large company, where
you've got a very large IT department and a very large security
practice inside, then you start to think about whether you can enforce firewalls
and get down into very specific security implementations that perhaps
the provider, the cloud provider, isn't able to do or won't be able to
do, because of the model that they've chosen.
That's part of the
decision process as to whether it's appropriate to put things into the
cloud. Can the provider meet enough or the level of security that
you're expecting from them?
Spinks: We've just been reviewing a large energy client's policies and procedures.
... As you move out into an outsourcing model, where we're managing
their technology for them, there are some changes required in the
policies and procedures. When you get to a cloud services model, some
of those policies, procedures, and controls need to change quite
Areas such as audit compliance, security assurance, forensic investigations, the whole concept of service-level agreements (SLAs)
in terms of specifying how long things take have to change. Companies
have to understand that they're buying a very standard service with
standard terms and conditions.
Pressure to adopt
Obviously, the current economic environment
is putting a lot of pressure on budgets, and people are looking at ways
in which they can continue to move their projects forward on
investments that are substantially reduced from what they were
But, the other reason that people are looking at cloud computing is just agility,
and both these aspects – cost and agility -- are being driven by the
business. These two factors coming from the business are forcing IT to
rethink how they look at security and how they approach security when
it comes to cloud, because you're now in a position where many of your
intellectual property and your physical data and information assets are
no longer within your direct control.
So what are the capabilities that you need to mature in terms of the governance, visibility, and audit controls that we were talking about, and how do you ramp those up? How do you assess partners in those situations to be able to sit down and say that you can actually put trust into the cloud, so that you've got confidence that the assets you're putting in the cloud are safeguarded, and that you're not potentially threatening the overall organization to achieve quick wins?
The challenge is
that the quick wins that the business is driving for could put the
business at much longer-term risk, until we work out how to evolve our
security practices across the board.
... The business units are pushing internally to get to use some cloud
service that they've seen out there. A lot of companies are finding
that their IT organizations are not responding fast enough such that
business units are just going out there directly to a cloud services
They're in a situation where the advice is, either
ride the wave or get dumped. The business wants to utilize these
environments -- the fast development testing and launch of new
services, new software-related solutions, whatever they may be -- and
cloud offers them an opportunity to do that quickly, at low cost,
unlike the traditional IT processes.
... What we need to do is take some of that traditional
security-analysis approach, which ultimately we describe as just a
basic risk analysis. We need to identify the value of this data -- what
are the implications if it gets out and what's the value of the service
-- and come back with a very simple risk equation that says, "Okay,
this makes sense to go outside."
... There are certain things
where you may say, "This data, in and of itself, is not important,
should a breach occur. Therefore, I'm quite happy for it to go out into
the cloud." ... Generally, when we talk to people, we come back to the
risk equation, which includes, how much is that data worth ... and what
is the value of the services being provided. That helps you understand
what the security risk will be.
Next big areas
The big areas that I believe will be developed over the next few years,
in terms of ensuring we take advantage of these cloud services, are
twofold. First, more sophisticated means in data classification. That's
not just the conventional, restricted, confidential-type markings, but
really understanding, as Archie said, the value of assets.
Second, we need to be more dynamic about that, because, if we take a simple piece of data associated with the company's annual accounts and annual performance, prior to release of those figures, that data is some of the most sensitive data in an organization. However, once that report is published, that data is moved into the public domain and then should
We need not just management processes and data-classification processes, but these need to be much more responsive and proactive, rather than simply reacting to the latest security breach. As we move this forward, there will be increased attention to more sophisticated risk-management tools and risk-management methodologies and processes, in order to make sure that we take maximum advantage of cloud services.
Efforts under way
Reed: There are efforts under way. There are things, such as the Jericho Forum, which is now part of The Open Group.
A group of CIOs and the like got together and said, "We need to deal
with this and we need to have a way of understanding, communicating,
and describing this to our constituents."
They created their
definition of what cloud is and what some of the best practices are,
but they didn't provide full guidelines on how, why, and when to use
the cloud, that I would really call a standard.
There are other efforts that are put out by or are being worked on today by The National Institute of Standards and Technology, primarily focused on the U.S. public sector, but are generally available once they publish. But, again, that's something that's in progress.
The closest thing we've got, if we want to think about the security aspects of the cloud, is coming from the Cloud Security Alliance, a group that was formed by interested parties. HP supported founding this, and actually contributed to their initial guidelines.
... If we're looking for standards, they're still in the early days, they're still being worked on,
and there are no, what I would call, formal standards that specifically
address the cloud. So, my suggestion for companies is to take a look at
the things that are under way and start to draw out what works for
them, but also get involved in these sorts of things.
... We [at HP] also have a number of tools and processes based on standards initiatives, such as Information Security Service Management (ISSM) modeling tools, which incorporate inputs from standards such as the ISO 27001 and SAS 70 audit requirements -- things like the payment card industry (PCI), Sarbanes-Oxley (SOX), European Data Privacy, or any national or international data privacy requirements.
We put that into a model, which also takes inputs from the infrastructure that's being used, as well as input based on interviews with stakeholders, to produce a current-state and a desired or required-state model. That will help our customers decide, from a security perspective at least, what do I need to move in what order, or what do I need to have in place?
That is all based on models, standards, and
things that are out there, regardless of the fact that cloud security
itself and the standards around it are still evolving as we speak.
Van Ash: We do provide a comprehensive set of consulting services to help organizations assess and model where they are, and build out roadmaps and plans to get them to where they want to be.
One of the offerings that we've launched recently is Cloud Assure. Cloud Assure is really designed to deal with the top three concerns the enterprise has in moving into the cloud.
View the transcript of this podcast, or download it from iTunes