Cloud computing data security starts with internal strategy, experts say

Robert Westervelt, News Director

EMC Corp. wants you to trust them when it comes to cloud computing data security. The data storage vendor recently released a paper via its RSA security division substantiating that enterprises give up some control over data when systems are outsourced to the cloud.

EMC's Eric Baize, who was part of the team overseeing the company's security strategy that led to the acquisition of RSA in 2006, acknowledges that security has consistently played catch-up to disruptive technologies. But not this time, Baize said. Whether it's EMC, Cisco Systems Inc. or Oracle Corp., cloud infrastructure providers want enterprises to build in security early, he said.

"There's a certain amount of disruption with cloud [computing], but we also believe we need to create a disruption on security thinking and make security a feature of the cloud," Baize said.

Experts have boiled down cloud computing to essentially three areas: Infrastructure as a Service, in which an enterprise's data center or certain servers could be hosted outside the company walls; Platform as a Service, in which a company hosts certain business applications beyond its boundaries; and Software as a Service, in which a software suite is contracted out for employee use, such as Salesforce.com's customer relationship management software. Each of the cloud computing use cases comes with its own security challenges for enterprises. The EMC RSA paper, "Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust," identifies some of the general issues slowing adoption of cloud computing.

The federal government is also getting involved to help companies better understand the cloud. The National Institute of Standards and Technology (NIST) has written a publication explaining how cloud computing security can be applied.

Perhaps the most important piece of advice from experts is: Be mindful of the terms and conditions of your cloud contract, said Robert Whiteley, vice president and research director at Forrester Research Inc. Not all cloud providers guarantee security controls, he said. Many are happy to add security controls at additional cost.

"Some companies are making the mistake in assuming there's a certain amount of security," Whiteley said. "Many [cloud providers] say security is still up to you and most have data retention policies that are not very friendly."

Enterprises need to demand more from their infrastructure provider, said EMC's Baize, because boundaries within the cloud are much more fluid. In some cases, companies may share the same hosted space in a data center. This loss of control over infrastructure and processes can be made up if enterprises make their provider aware of their security policies and the level of control they expect, Baize said.

Many of the same physical assets in the company's internal data center can be applied to the cloud infrastructure. Firewalls and data leakage prevention appliances can be applied in a virtual environment to monitor and maintain the same level of security. The threat landscape remains the same. The standard defense-in-depth approach of deploying multiple technologies to detect and defend against attacks on sensitive data is essential, said EMC's Baize.

While cloud computing prompts some security concerns, infrastructure providers apply a virtualization layer, which provides additional visibility into how company data is being accessed and used. Compliance is another major challenge for many enterprises. Monitoring capabilities can greatly improve reporting processes for auditing and compliance within the cloud, but companies need to address how the data is reported when selecting a cloud computing vendor, Baize said.

"Enterprises need to communicate where they stand in some critical security issues," he said. "Our goal is to provide some direction for customers to consider and [start] the conversation about security early on in the process."

Forrester's Whiteley said most companies are choosing a hybrid approach, maintaining an internal cloud using virtual infrastructure while outsourcing certain processes, such as testing and development. It's a three-tiered process that begins with building enough virtualization and storage provisioning in-house to develop an internal cloud. Then companies begin to outsource certain processes, followed by moving more business-critical workloads into the cloud.

"A lot of CIOs are in that second tier, trying to figure out how to begin to truly augment the economics of IT by relying on more cloud services," Whiteley said.

Earlier this year, a Forrester report urged companies to take a cautious approach to cloud computing. In some cases, employees may already be using cloud-based services without the consent of IT, according to Chenxi Wang, a principal analyst at Forrester. Wang said companies need to conduct a thorough assessment of their cloud provider, which includes a review of the provider's network and security policies.

The goal is to understand who actually has access to the data on the backend. Establishing security into service-level and contract agreements is essential, Wang said.