
Forrester advises cautious approach to cloud computing services

By Robert Westervelt, News Editor
14 May 2009 | SearchSecurity.com


A new report from Forrester Research Inc. is urging companies to be guarded when examining cloud-based services. Early adopters have run into a number of roadblocks, including not knowing where their data resides, what happens to the data when a decision is made to change services and how the service provider guards customer privacy.

Companies considering using a cloud-based service need to gain a clear understanding of the security, privacy and legal consequences before contracting with a service provider, according to a report issued by Forrester called "How secure is your cloud?" The report urges organizations to develop a checklist of data security and compliance priorities and compare organizational needs to the cloud service provider's policies and procedures.

"The rule of thumb is that when you outsource the requirements developed internally, the vendor has to be at least as secure as you are," said Chenxi Wang, a principal analyst at Forrester who authored the report.

Companies must also understand how compliance issues are affected, how the service provider handles data security and whether company intellectual property could be put at risk. In many cases, contracts should carefully outline disaster preparedness procedures, proper data handling and the role the provider will play in the event of a breach.

"Pay special attention to operational details that are often obscured by cloud services, such as location of data, events logged, replication method and infrastructure redundancy," Wang said.

Many firms are turning to cloud-based services such as Salesforce.com and project collaboration websites to cut costs and improve efficiencies, according to Wang. Forrester's recent survey of enterprise and small and midsize businesses found that 47% of software decision makers were either using or piloting Software as a Service or considering adopting SaaS in 2009.

Cloud computing can often complicate data security and privacy, according to Wang. The organization loses visibility and control since the company data would reside on another network. Some firms have employees using cloud-based services without the consent of IT security, Wang said.

"In many cases it's very easy to set up a service without going through IT or another centralized authority's involvement," Wang said. "In many cases the client piece can be on somebody's desktop, but the content is living outside the organization."

In a recent interview, Eastman Kodak Co. CISO Bruce Jones said his firm is considering using cloud-based service providers for certain processes, but he added that his company is being cautious out of fear of putting company data at risk.

"I'm getting asked all the time, 'can we move this into the cloud?'" Jones said. "I'm very reluctant at this point. I'm not seeing huge benefits."

Jones said there could be value in cloud computing for the computationally intensive processes in Kodak's research and development division. The organization sometimes needs high-capacity, on-demand computing power to conduct large calculations, he said.

"The cloud may provide some benefit there, but I want to make sure we're doing it in a way that we're not putting our IP data in jeopardy or putting any personal information or other confidential data at jeopardy," Jones said.

A thorough assessment of the cloud service provider should include auditing it to gain some visibility into its internal operations, Wang said. A cloud provider may not allow internal audits, but they should offer "some form of external audits of their infrastructure and network." The goal is to understand how the service uses event logs and who actually has access to the data on the backend.

Compliance issues can also get in the way of cloud service adoption, according to Wang. The data handling and business continuity practices of the service provider should also be considered to address compliance issues. Firms should also keep in mind their industry-specific compliance initiatives.

Wang advises clients to carefully scrutinize the service-level and contract agreements. While most are fairly standard, some firms may want to negotiate specific terms in the agreements to tailor them to the organization's business processes and data handling procedures. In many cases, unless you are a large organization, cloud service providers will devote little time to negotiating unique SLA or contract terms, Wang said.

"If you are a small client they may not pay attention, but if you're huge, they will bend over backwards for you," she said. "It's just the way it works."

The contract should cover what happens if the SLA is not met, how data is handled when the service contract ends, the type of data returned to the company and a requirement that the cloud service provider erase all data from its network within a given time period, Wang said.

"We're seeing some companies getting burned by vendor lock-in," she said. "It's often not easy to change services. If you're switching, good luck getting them to do things for you; if it's not required by contract to extend end-of-service support to you, then they won't do anything."






