Making sense of Cloud and Cloud security

Arif Mohamed

Security and compliance top the list of concerns for potential Cloud service adopters. But service providers are quickly addressing the situation and more and more businesses are becoming convinced of the integrity of Cloud-based computing.

According to Eric Domage, research manager, European security products and services at IDC, "Security was a long-term inhibitor to cloud adoption. Organisations have adopted cloud, despite the security questions. New technologies released in 2011 will help better manage this complex, flexible, and always changing IT resource."

David Bradshaw, research manager, European SaaS and Cloud Services, IDC, adds that a recent IDC study found that the Cloud computing issues of security, data compliance, data location and service level assurances (SLAs) are in the process of being ‘solved’, though it may take until next year to satisfy the most conservative of users. However, security is increasingly becoming “a red herring” as service providers improve things in this area, says Bradshaw.

Current compliance and data security standards are still applicable, with the onus still being on the user organisation, says Bradshaw. Cloud users have to ensure they are secure and compliant, and work closely with their providers to ensure this is the case.

So, if a cloud provider allows sensitive customer data to be compromised, the responsibility for the breach still lies with the small business that has the relationship with the customers. But this is also the case for businesses that favour on-premise computing, or operate their own data-centres.

“Fortunately, the Cloud vendors are doing rather well in securing the Cloud, perhaps better than many organisations. Remember that a security lapse in a Cloud service provider could ruin their whole business, so they have to be a good deal more secure than most businesses,” says Bradshaw.

Some of the larger vendors are offering their customers a virtual private network (VPN), which encrypts traffic at both ends of the connection, and requires user authentication, he says.

In terms of data compliance requirements and legislation, the issues are the same, though what has changed is the way organisations access their IT resources. Consequently, the Cloud model requires greater trust between the user and their supplier.

Cloud service providers have been tracking user access and usage information for a long time, for their own purposes, says Bradshaw. But they are now starting to offer data compliance as an additional feature of their services, offering to store the data to meet the requirements of compliance legislation, for example for Data Protection purposes.

One of the key groups working together to develop security harmonisation in the Cloud is the Cloud Security Alliance’s Trusted Cloud Initiative, which is supported by Google, HP, Oracle, CA Technologies, VMware and a huge number of other vendors. Besides security, they are also working on governance, risk management and compliance, among other things.

There are also several emerging Federated Single Sign-On industry standards, such as SAML, OAuth and OpenID, which enable users to log in securely and simply to multiple cloud-based services.

One indication of where Cloud security infrastructure is heading is a security platform that was recently announced by RSA, EMC’s security division. RSA Cloud Trust Authority is a set of cloud-based services designed to facilitate secure and compliant relationships between organisations and multiple cloud service providers.

Art Coviello, executive chairman, RSA, explains, “Forcing enterprises to develop trusted relationships individually with each cloud service provider they wish to use is cumbersome and will not scale. New thinking in security and compliance is required to provide a future in which organisations can consume services from a wide variety of cloud service providers on-demand and for all their application needs.”