Don’t Cloud Over – But Be Cloud Aware

Dividing up ‘cloud security’ into different categories will help to make things a lot clearer at InfoSecurity 2011, says Bob Tarzey

One thing is guaranteed at InfoSecurity this year – there will be plenty of people talking about the cloud. However, they will not all be talking about the same thing. When it comes to IT security they will be taking one of three angles: securing the cloud, using the cloud securely and using the cloud to deliver security. If you can establish early on which of these any given discussion alludes to, then you may proceed with a little more clarity.

Having said that, many discussions involving the cloud tend to be a bit vague. So you would also be well advised to establish what sort of cloud is being alluded to, as Quocirca will in this article. If it is a public cloud service, is it regarding the provision of infrastructure or applications, i.e. infrastructure as a service (IaaS) or software as a service (SaaS)? If it is not a discussion about public cloud services then it must be about the private cloud, which is just an efficient way of configuring and using private data centre resources using technology that has been developed to build a public cloud infrastructure.

Securing the cloud

Let’s take the first of those security issues mentioned above – securing the cloud, or, to be precise, helping IaaS and PaaS providers secure their services. These service providers need firewalls, intrusion protection, content security etc. just as those configuring private IT infrastructure do.

There are some differences, mainly around scalability: the fast-growing number of users of public cloud services means providers need highly scalable and reliable products to be able to keep growing and maintain service levels. There are also some specific issues with regard to virtualised infrastructure and multi-tenancy platforms that they need to address. However, on the whole, one should expect, given the stakes and the effort put in, that public cloud services will in many cases be more secure than privately owned and run IT infrastructure.

Secure use of the cloud

The second issue is secure use of the cloud. This involves making sure the communication between an organisation’s users and the cloud services they are expected to use is secure. This is really no different to making sure remote users can safely access privately owned IT applications and infrastructure.

Cloud service providers know what they are doing here too; for them everyone is an outsider, so the default is to authenticate access and communicate securely. It also involves making sure the use of cloud-based services employees invoke themselves is secure (social networks, web mail, collaboration tools etc.). Much of this is about content filtering, preventing bad stuff coming in and good stuff getting into the wrong hands.

Using the cloud to deliver security

The final issue is using the cloud to deliver security. This is an established and growing practice. One of the first use cases was to deliver anti-virus updates over the Internet rather than distributing them on diskettes. Perhaps the largest cloud-based service is Microsoft Update, delivering patches to hundreds of millions of PCs on a regular basis to try and keep them secure from the latest exploits.

Email filtering, web content filtering, security management and a range of other requirements are being delivered as on-demand services by security vendors and the managed security service providers (MSSP) they partner with. They also rely on the cloud to gather most of the information they have on known threats through their protection networks.

Enjoy InfoSec; you won’t be able to avoid discussions about the cloud, but you can get more out of them if you establish the angle a given vendor is taking. Don’t cloud over – but be cloud aware.

Bob Tarzey, analyst and director of Quocirca, is speaking on “Securing the Cloud Shining A Light Through The Fog”, in the keynote programme at Infosecurity Europe. Held from 19th – 21st April at Earl’s Court, London, the event provides a free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk