
The opportunities and risks of cloud computing services

By Ron Condon, U.K. Bureau Chief
23 Feb 2009 | SearchSecurity.co.uk


Not long ago, a researcher at pharmaceutical company Eli Lilly and Co. needed to analyse a lot of data fast. If the results turned out as he believed, the company could have a world-beating drug on its hands.

The only trouble was that the researcher would need 25 servers to crunch the huge volume of data, and he knew it could take up to three months to get approval for the investment. In an industry where the cost of delaying a product is very high, $150 per second according to Eli Lilly's global head of security Adrian Seccombe, that three months' wait would be very expensive indeed.

Seccombe takes up the story:

"[The researcher] went to a tame IT guy who'd been playing around in this thing called 'the cloud'. The guy got out his credit card, plugged it into Amazon Web Services, and had 25 servers up and running in the cloud within an hour."

The two realised they'd built the servers wrongly, so they had to take them down and start again. The second time, it took them 40 minutes to get the servers up and running.

"Within two hours, they were crunching the data. The research time had suddenly collapsed from three months to two hours," Seccombe said.

And there is more. When they realised the analysis would not be complete by the time they wanted to go home, they were able to crank up the power and bring on more servers to speed things up. "They wanted to get the data back from the cloud as they felt a little uncomfortable leaving it out there overnight."

They completed the task and were given a bill from Amazon for $89. At $150 per second, a three-month wait would have cost more than $1 billion.

Cloud computing services: Balancing risk and convenience
The cost comparison is mind-boggling and demonstrates the sheer power of the cloud computing concept. But for Seccombe, the example also underlines some problems with the model.

"They repatriated the data results, and did it securely over a secure line that goes end-to-end into the Amazon cloud. It was secure and quick."

Or was it? How could they prove there was no trace of their data left in the Amazon cloud? They had to take Amazon's word for it.

It is just one of many questions being raised with the advent of cloud computing, Software-as-a-Service (SaaS) and the new collaborative model that relies on companies sharing their digital assets.

And it is why Seccombe, wearing his other hat as a member of the Jericho Forum, a security think-tank, has been working recently with others in the group to come up with a framework that charts how collaboration in the cloud can be done effectively and securely.

The result of this work, due to be unveiled officially in March, is a three-dimensional cube that attempts to map out in graphic form the key decisions that companies will have to make when deciding which tasks can be safely consigned to the cloud, which should be kept under lock and key, and how to tie all the various ways of working together.

For the last five years the Jericho Forum has been challenging conventional thought about information security and mapping out the requirements of a "deperimeterised" world where solid boundaries are replaced by mobility and collaboration between organisations.

Last year, Jericho laid out its Collaboration Oriented Architecture (COA) guidelines, which defined how systems could work together without jeopardising security. Now it is going further to map out the security requirements of cloud computing. The results of this latest exercise raise some challenges for the security industry, but outline some interesting opportunities for those with the vision to seize them.

The cloud collaboration model
The main message of the group is that the cloud can incorporate a variety of approaches, according to the level of control needed over a process.

The cloud collaboration model looks like a Rubik's Cube with four squares on each face -- thereby creating eight separate sub-cubes that represent different types of working.

The three dimensions of the cube are:

  • Open/proprietary
  • Perimeterised/deperimeterised
  • Internal/external


Source: Jericho Forum

The model is intended to help companies categorise their business processes and ultimately plan the kind of systems architecture they are going to need going forward.

"It's a mistake to see the cloud as one thing," Seccombe said. "You can have internal proprietary perimeterised clouds, and you can have external, open, deperimeterised clouds.

"Inside Eli Lilly, we are trying to decide where we want to do what business processes. For example, bringing together the ingredients for a pill -- we probably wouldn't do that with an open, external deperimeterised cloud. That is more likely to be proprietary, perimeterised and internal, still using cloud technologies possibly, but I need more control over it."

The key going forward is to build efficient and secure interfaces between the various sub-clouds so that business in the cloud can work in a seamless way, and create the necessary services to make it happen.

One of these, for example, could be an independent service to check the repatriation of data from the cloud once a task is finished. "It's not that we don't trust Amazon, but it is a question of separation of duties," he said. "You don't want the auditor to be the one who's providing the service."

Working up Jericho's 'cloud layers'
Given the huge advantages of working in the cloud, the goal now is to see how much work you can safely entrust to the cloud as a whole.

Jericho envisages this potential as a series of layers as follows:

  • Value/Outcomes
  • Process
  • Software
  • Platform
  • Infrastructure

Source: Jericho Forum

As companies move up the stack and entrust their infrastructure, platform, software, and so on, to a cloud-based service, they can achieve what Seccombe describes as 'abstraction': "Abstraction means that you don't really care what's going on beneath, because somebody else is looking after it for you, and will deal with it in a responsive manner."

He admits that most cloud activity is down at the infrastructure and platform level (as with Amazon Web Services) or with software (as with Salesforce.com or NetSuite Inc.). But he cites one example of Value-as-a-Service, which came from personal experience.

When looking for a new BlackBerry battery, he clicked on the Amazon website, which brought up five shops. He chose a shop and ordered, and the battery quickly arrived in an Amazon box. "Amazon brought to me the value experience of getting that battery, but I can't remember which shop I bought it from. This was my first experience of Value-as-a-Service. I did one click and got the battery delivered the next day."

The example underlines the move towards customer-centric computing supported by increased collaboration in the cloud. And it is not just about shopping.

Seccombe cites a website where patients with various complaints can compare notes. For a drugs company, a resource like that would present huge opportunities to get patient feedback, but only if the right controls are in place.

And there's the rub. The cloud is very appealing, but diving in without the right level of security in place is a recipe for disaster. As Seccombe says, you can't bolt on security after the fact. "If you enter the cloud naively, then you lose sight of your data. You lose control," he said. "That's why we are trying to get this done up-front."

The future of cloud computing services
Cloud computing could have a huge bearing on how we do IT. Even if companies continue to run their own systems in-house, they might develop and test applications in the cloud rather than buy their own systems for the purpose.

Off-site disaster recovery centres will start to look like a waste of money when cloud-based services offer the necessary backup without the up-front cost.

But the services need to be easier to use. The Eli Lilly researchers had to configure their own servers manually, but in the future, that kind of service could be automated with new servers coming on stream automatically to cope with the demand.

Identity and access management will also take on a new importance as more collaboration takes place in the cloud, and where collaborative activities may be very short, lasting minutes rather than years.

"The old model, which assumes that everyone inside your silo is trustworthy and where you build an Active Directory for those players to use resources inside your organisation, is dead or dying. We have to find ways to change it," Seccombe said.

Politics and regulation will also play a part in how we use the cloud. Personal information is governed by local jurisdictions, and in many cases cannot be legally stored in another part of the world. As Seccombe found when looking at sites like patientslikeus.com, he could not deal with them and be compliant unless they could guarantee that European patient information stayed in Europe.

The answer, he says, may be to give data a metatag that defines where it can reside, and which forces it to self-destruct if it goes outside the prescribed area.
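The metatag idea above, as an added illustration that is not the Jericho Forum's or Eli Lilly's design: a record carries a residency tag bound to it with an owner-held HMAC key, and a placement check refuses and scrubs any copy that would land outside the permitted jurisdiction or whose tag has been stripped or altered. The key, the region-to-jurisdiction table and the scrub-on-violation behaviour are assumptions of this example.

```python
import hashlib
import hmac
import json

# Assumed owner-held secret used to bind the residency tag to the data.
# In practice this would live with the data owner, not with the cloud provider.
OWNER_KEY = b"constructed-demo-key"

# Constructed mapping of hosting regions to legal jurisdictions.
REGION_JURISDICTION = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "ap-southeast-1": "APAC",
}


def _mac(tag: dict, payload: bytes) -> str:
    """HMAC over the canonical tag plus the payload, so neither can change alone."""
    tag_bytes = json.dumps(tag, sort_keys=True).encode()
    return hmac.new(OWNER_KEY, tag_bytes + payload, hashlib.sha256).hexdigest()


def tag_record(payload: bytes, allowed_jurisdictions: list) -> dict:
    """Attach a residency tag listing where the payload may reside."""
    tag = {"allowed": sorted(allowed_jurisdictions)}
    return {"tag": tag, "payload": payload, "mac": _mac(tag, payload)}


def tag_is_intact(record: dict) -> bool:
    """True only if the tag still matches the payload under the owner's key."""
    return hmac.compare_digest(_mac(record["tag"], record["payload"]), record["mac"])


def place(record: dict, region: str) -> bool:
    """Decide whether the record may reside in `region`.

    Returns True and leaves the record untouched if the region's jurisdiction is
    permitted by an intact tag. Otherwise the local payload is scrubbed and False
    is returned: a missing, altered or unknown tag is a violation, not 'no limit'.
    Scrubbing the copy is the nearest practical analogue of 'self-destruct'.
    """
    jurisdiction = REGION_JURISDICTION.get(region)
    if tag_is_intact(record) and jurisdiction in record["tag"]["allowed"]:
        return True
    record["payload"] = b""
    return False
```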
