By Sam Woodcock, Principal Solutions Architect, iland.
Last week, iland took part in techUK's "How to Build Trust in the Security of Cloud Computing" panel debate in London. The event ran in two parts: the first panel looked at the key concerns associated with cloud security, and a second panel then examined what needs to be done to help businesses address these concerns.
The UK is incredibly successful both on the supply side with the expertise we have developed delivering products and services, as well as the adoption and exploitation side of cloud. That said, it was evident in techUK's Cloud 20/20 vision paper that there are still concerns around security and the resilience of cloud, especially as the market continues to mature. The paper cited that nine out of 10 security professionals worry about cloud security and 80% of budgets will be spent on cloud security, yet one third of data loss is put down to inadequate cloud security. So in effect, companies are still losing data.
To me, one of the clearest issues that came out of the conversation is that the broad scope of 'the cloud' continues to be a great source of confusion. Companies cannot adequately combat security threats if they do not dig into the details of the specific types of services they plan to use cloud for, whether that be Software-as-a-Service, Infrastructure-as-a-Service, Disaster-Recovery-as-a-Service or Backup-as-a-Service, for example.
Against this backdrop, here are the top five concerns raised by the panel about cloud in general:
- Cloud computing is about commodity compute and a one size fits all approach. However, whether you are a large or small corporation seeking the benefits of cloud, you want to partner with providers that offer a tailored service that addresses your specific security and compliance requirements.
- Location matters. Organisations are less concerned about multi-tenancy but more concerned about where the data centre is located, where their data resides, who has access to it and the free flow of that data.
- Unauthorised access, especially by service providers themselves. Cybercrime will target cloud and data centres and there is concern not only about unauthorised access but law enforcement access to cloud data. For example, under what circumstances will your cloud provider disclose data to a law enforcement company?
- Transparency, audits, the sheer volume of data. Keeping an auditable track of that data was high on the list.
- Lock-in, data portability and the smooth and easy movement of data. In other words, how easy it is to exit those outsourcing arrangements.
Other points that came up were the unclear segregation of duties and where the responsibility lies. Whose duty and responsibility is it to secure the platform? Are the skills, experience and resources available to undertake these tasks? And finally, if you don't lock down your data, are you raising the risk profile for the organisation and creating opportunities for more vulnerabilities?
In terms of the key takeaways, here are my top five:
- Where cloud service providers are concerned, having a technology platform is not enough. It is more about how that platform is managed, the resilience of the platform, the level of cloud security combined with your people, expertise and providing customers with full transparency. At iland not only do we have an advanced security platform that supports all of our cloud services, but we are a curator of security solutions. We bring best of breed technologies and embed these into our platform. Therefore not only do we deliver the expertise but we work hand-in-hand to help customers on their cloud security initiatives.
- New technologies will be added into the mix all the time. Organisations therefore need to think about their workloads and whether cloud is suitable. Will they be able to adapt to new security requirements and what level of support will they need to do so?
- Organisations must consider accessibility versus security and understand the details of various cloud platforms and services to mitigate risks. Don't overlook location, technology, support, access and transparency.
- Education from your cloud service provider around the risks that are prevalent is absolutely vital. Cloud providers need to give visibility and up-to-date information on these risks. For example, at iland we scan for known vulnerabilities and take that information and associated best practices to our customers.
- Attacks happen more frequently than you think, so thinking about how you will recover from one is vital. For example, do you have the ability to recover quickly and can you recover to a point in time that minimises business impact?
I believe that more education is key to cloud. What type of cloud services are you using or thinking about using, and what are the associated security risks and solutions? Cloud providers need to talk in more specific terms about the solution rather than talk generally about 'the cloud,' as this is where there is a lot of misunderstanding and misinterpretation.
And finally, as cloud providers help combat security risks, they must also enable customers to easily consume relevant information about their environments, take action and satisfy compliance. Most organisations find there is so much raw data coming out of their cloud provider, they struggle to consolidate this on a daily, or even weekly basis, in order to prioritise the real and most severe risks. Whether customers are leveraging public cloud, private cloud, disaster recovery or backup services, ensuring and proving cloud security and compliance will only become more important and customers and cloud service providers must work together to achieve it.